In recent months there have been a growing number of concerns regarding a software package called Genieo, which in some cases seems to have mysteriously appeared on people’s Macs.
When installed, the software results in a number of headaches, stemming from the inability to change browser search engines, to advertisements and warnings popping up when people use their systems.
What is Genieo?
Genieo is a “content recommendation engine,” which is installed on a local system to allow custom searches and targeted advertising to be presented on a homepage, managed through a browser extension. In essence, it tracks what you do and guides your searches and activity to relevant commercial sites and deals.
This is somewhat similar to home pages like Google, Bing, Yahoo, or Facebook that offer their own recommendations, offers, ads, and other details based on your internet activity; however, while these do so from you logging into an online account, Genieo does so from being installed on your computer.
The Genieo engine and installer are openly available at the Genieo Website, and while the intention behind Genieo may have started as a legitimate effort, the engine has been used in a number of ways and has a couple of behaviors associated with it that have been suspicious:
- Genieo has been found in fake Flash Player installers and other disguised packages, which is a tell-tale sign of malicious distribution of the software.
- Genieo has not been easy to remove. While the program comes with an uninstaller, using this has proven to be ineffective for clearing the system of installed files.
- Genieo uses unconventional modifications to the operating system to tag its services onto existing applications.
One of the major problems that Genieo faces, is it promises developers a distribution and monetization platform through its sister effort called “InstallMac.” While intended to be somewhat like the Mac App Store in ways, any developer can package their software with InstallMac and get paid for each installation. Therefore, simply by downloading and installing a relatively unknown and un-vetted application, you could have installed the Genieo framework, plug-ins, and applications on your Mac.
This type of activity has been part of many software downloads in the past, where you might have a Web toolbar such as those for Ask.com or Bing.com packaged with programs. One well-known instances of this is Oracle’s popular Java runtime being packaged with the Ask.com toolbar, with this offer being checked for installation by default, causing many to have this toolbar burden their Web experiences.
If you are uncertain whether or not you have Geneio installed on your Mac, then you can check for some of the following behaviors and installed files on your Mac, which if present will indicate its presence:
- “Genieo.app” application in your Applicaitons folder
- Files beginning with “com.genieo…” located in the Macintosh HD > Library > LaunchAgents folder
- A folder called “Genieo” located in the “your home folder” > Library > Application Support folder (to get to this library, hold the Option key and choose Library from the Go menu in the Finder).
- Inability to change your default search engine
- Inability to change your browser’s home page
- The presence of a small house icon in your status menu bar
While some of these symptoms by themselves do not necessarily indicate the presence of Genieo, together they do show the software as being installed.
If you suspect the software is installed, then to remove it you should log into an administrative account on your computer and perform the following steps:
- Go to the Applications folder and remove the items “Genieo.app,” “Uninstall Genieo.app,” and “Uninstall UM Completer.app”
- Go to the Macintosh HD > Library > LaunchAgents folder and remove any file beginning with the name “com.genieo…,” which may include the following:
- Go to the Macintosh HD > Library > LaunchDaemons folder and again remove any file beginning with the name “com.genieo…” The one in this folder may be called “com.genieoinnovation.macextension.client.plist”
- Go to the Macintosh HD > Library > PrivelegedHelperTools folder and again remove any file beginning with the name “com.genieo…”, which in this case may be “com.genieoinnovation.macextension.client.”
- Go to the Macintosh HD > Library > Frameworks folder and remove the file called “GenieoExtra.framework”
When this is finished, you now have to remove some deeper files and changes made to the system. One of the changes Genieo makes is to modify some of the system launcher’s parameters to allow the appending of dynamic libraries (in essence, executable extensions for a program) to applications you launch on your system. This is done by creating a system launcher configuration file with an custom setting that is read when the system launcher is loaded by the OS X kernel, and which allows for the loading of dynamic libraries along with programs that are launched.
Since a standard OS X installation does not come with any launcher configuration files configured, then unless you have purposefully made one, you can remove any that are present without affecting your Mac:
- In the Finder choose “Go To Folder” from the “Go” menu
- Enter “/etc” in the field that pops up
- Locate the file called “launchd.conf” that is located in the folder that pops up, and move it to the trash
You can optionally save a copy of this file to the desktop, just in case (in rare circumstances) it contains a legitimate modification implemented by another software package you use. The file is just a text file so opening it will not affect the system in any way, so if you open it in TextEdit and only see a single line that reads “setenv DYLD_INSERT_LIBRARIES”, then this can be removed. If there are other lines in the file, then make note of them as they might be related to other software packages you have installed, but keep in mind that the creation of this file and modifications to it are almost never done by legitimate software packages in OS X.
With this configuration file removed, again select “Go To Folder” from the Go menu, and this time enter “/usr/lib” in the field to open this hidden folder. In here, locate and remove the following files (only these), if present:
When done, finally you will need to remove any of the modifications made by Genieo to each user’s home folder on the system. Therefore, log into each user account separately, and then perform the following actions:
- Hold the Option key down and choose “Library” from the Go menu in the Finder
- Go to the Application Support folder and remove the directories called “Genieo” and “com.genieoinnovation.Installer”
- Go to the “LaunchAgents” folder and remove any files that begin with “com.genieo…” in their name.
The final step is to undo any changes made to your Web browsers, which primarily include the addition of extensions and changes to the default search engine. These can be done in Safari by going to the Extensions section of the Safari preferences and removing any extension you did not purposefully install (remove them all if you are in doubt), and then changing the default search engine in the General section of the program’s preferences. Similar changes can be applied to Chrome, Firefox, Opera, and other popular browsers using their respective preference settings.
/user/lib — typo?
Yikes! Thanks! Fixed. 🙂
This worked great. I didn’t find launched.conf, PrivelegedHelperTools folder, or Frameworks folder. I have mtn. lion.
Great directions!! I ran into this issue a month or 2 ago after installing a software program that I got for “free” (yeah, right). I was able to get rid of all of the files you mentioned by using 2 programs. When I was first suspicious that I’d downloaded something that shouldn’t be there (I think it was Safari that started acting strangely, then something popped up on my screen asking me about Genieo) I used a program called Tembo which is vastly superior to Apple’s searchlight program – it seems to ferret out things that searchlight cannot — Tembo presented me with a long list of all the components that had “genieo” as part of its name. I then used a program called Appcleaner – I dragged the genieo.app to Appcleaner which then went out and found all extensions etc. related to the .app and it removed all but about 5% of the files. I then used Tembo again and found a list that had just “gen” as part of their names – those I manually dragged to the trash. Since then I’ve checked with Tembo several times and it seems I was able to eradicate all of the parts of Genieo. I just thought you might be interested in those 2 programs. Just to be sure, though, I’m going to follow your step by step and make sure I’ve eliminated all of that nasty program!!
thanks for your great support for us Mac users.
Thanks! Tembo really helped, for some reason spotlight couldn’t find the files but then i searched them on tembo and found them immediately. great tool. i recommend everyone to use it first thing when suffering from this adware
From wiki (en.wikipedia.org/wiki/Genieo): In May 2013, a malicious installer, distributed by Genieo partner Softonic, was found by security software company Intego. Dynamic libraries are added to the Safari browser.
Since Appcleaner is distributed by Softonic, I wouldn’t go near this app.
The Tembo tip is the best, thanks for that. Already had AppCleaner but it took Tembo to find something to put into it. thanks again
glad it worked for you — I use Tembo all the time – works just as well on external drives and is good at finding partial names as well.
Don’t forget to delete MacKeeper, which is almost as bad as Genieo..
I searched for Genieo using Spotlight but didn’t find anything. Is that sufficient enough?
I haven’t noticed anything mentioned in the article.
You should be all right. Genieo would pop up in Spotlight if you had it installed. I almost installed Genieo myself, when I pushed the wrong download button on some obscure website 🙂
it did not show up in Spotlight for me.
I searched with spotlight as well and it found nothing — it wasn’t until I used the program called Tembo (which was free for a limited time) that I found probably 30 items that were part of the Genieo code– so I suggest trying that. Also I ran Sophos Anti-virus and Clamax (not spelled right) both of which showed that my computer was infected with it…..then as I wrote above, I used AppCleaner to get rid of most of it, then hand-trashed the rest.
The genieo.app should be located in the application folder, so spotlight should find it there. Please dont advise useless anti-virus software to people.
I apologize if you think my answer was useless, I was just trying to let people know what worked for me. as for the anti-virus software, I have found both programs useful and they have both found malware on my computer.
While ‘Scareware’ like Sophos/Clamxav/MacKeeper might solve some malware problems, they might also cause more problems than they solve. Apple’s security updates (and a bit of common sense) are far more reliable security measures. Granted, Apple is sometimes late with new updates, but there’s no guarantee those 3rd-party companies will do any better.
MacErgerjNiet, ClamAVX and Sophos AntiVirus are NOT “useless” or “scareware” (as you allege below) – both are respected anti-virus applications. Whether or not you actually need them much on the Mac is another discussion entirely. Both are free and will not cause any problems if you want to run them now and again. MacKeeper, on the other hand, is practically a virus itself. Do not confuse the two. Lynne, you don’t owe anyone an apology. <_<
thank you Paddy!! and I do know about MacKeeper. I’m not a tech neophyte and I have seen Both Sophos and CalmAVX solve issues!
macergerjeniet: Speak for yourself. While the necessity for and effectiveness of various security software products may be debatable, most have been tested by independent third parties and found to be useful to varying degrees against know threats. This includes ClamXav – not so good, and Sophos – among the best, both of them free. Ignorant prejudice like yours, evidenced by your use of the pejorative “Scareware,” is what does more harm than good. Relying on “a bit of common sense” for computer security is very thin gruel indeed, perhaps the most over-hyped and least reliable source of protection available. One man’s common sense is another man’s foolishness or paranoia.
I am speaking for myself; I solve Mac problems for a living, and countless times I’ve found AV-software to be either the cause of the problem or not helping in any way. And I do believe scareware is the proper term; Sophos claims to protect against virusses, making people think that’s a serious threat for Mac users.
thanks for the name of that app – I’ll look for it and download it. Tembo is good but it never hurts to have more than one!
I use Find Any File to search for files where Spotlight is insufficient, as it is for many of the files Topher mentions, in hidden and system folders. I have used app cleaners from time to time, but a good search tool is essential to grab those the cleaners miss. It’s easy to remove files found by Find Any File – no dragging required – just select them in the results window and hit Command-Delete. They are moved immediately to the Trash – from where you can restore them if you think you’ve made a mistake – as we all do from time to time.
I guess I should feel fortunate that I found no trace of this pernicious app, given how widely it strews files around the system. By the way, I found a file with “launchd.conf” in the name, but it was a compressed gz file, buried way down in the invisible/usr/share/man/man5 folder. Given that location, I surmise it is a resource for the system’s Man technical definitions app. It’s been almost three years since the file was used – which is probably more information than anyone cares to know. I mention it just in case anyone else comes across it in their own scavenger hunt.
thanks. Great directions! it worked
Thanks for the helpful post. But when I try to delete the file “libimckitsa.dylib” I receive the message “This user doesn’t have permission to perform this task.” I *am* the only administrator of this computer. Do you have any advice?
You can try typing “sudo rm” in the Terminal utility (in the Applications > Utilities folder), followed by a single space. Then drag that file to the Terminal window to fill out the full path to it, followed by pressing Enter to execute the command. This will run the “rm” command on the file in administrative mode, which should unlink and remove it.
I tried this but get the message “-bash: /Volumes/Installer 1/Installer.app/Contents/Resources/libimckitsa.dylib.png: cannot execute binary file”
I don’t think my computer is under that much threat but after running Bitdefender today it found 9 of these adware genio files and none of them can be deleted or even have their permissions changed. Any ideas?
Maybe you will find useful this free tool: http://www.bitdefender.com/solutions/adware-removal-tool.html.
This version currently detects and removes Genieo for Mac. The removal tool for Macs quickly scans a user’s system for adware and its elements and, if detected asks for permission to remove it. It then removes all traces of the software and resets browser settings that were changed by the adware, eliminating unwanted ads and modified default search results.
Mirabela, Social Media Manager at Bitdefender
Just tried this and it worked, although I am now a little wary of downloading random things!
Thank you so much
I just used Cleanmymac 2 before running into these instructions. I couldn’t find any of the files described here so I guess the software has deleted them proparly. I only had to change the browser settings and I was good to go again. Can I trust that it is removed now since I can’t locate the files?
If you cannot locate any of these files, or any trace of files containing “Genieo” in their name, then the program is likely removed from your system.
For Mac Users we have tried the tool http://www.thesafemac.com/art and it work very fine, it is free but power tool.
I’ve performed all of your steps but when I restart my computer, I receive a window that says “To install Geneio, you need Java se6…..”. Does this mean that there is still remnant of Geneio on my mac??
Sorry here is the exact info:
A “Software Update” window opens immediately upon startup, saying:
“To open “Genieo,” you need a Java SE 6 runtime. Would you like to install one now?”
I followed your instructions to the tee, but this comes up. Am I still infected??
Any advice would be appreciated!!
I have the same problem too! I can’t find advice anywhere…any information will be much appreciated. Thank you
I used Sophos and ClamXAV – both free on their websites – they each found one instance of Geneio — I later ran BitDefender (the free version) and it couldn’t find any more. I use a “finder” app called Tembo which I think does a better job than spotlight – before I used Sophos and ClamXAV, it found several files with genieo in the name of the file. Afterwards it didn’t. I’ve run the 3 programs several times since and it has never reappeared. Then when I installed Yosemite, I did a clean install. Hope that helps.
On a Mac go to: [link removed] and scroll toward the bottom of the page you will see “Remove Genieo, also known as InstallMac” and “How to Remove the files related to Genieo.” These are the official instructions from Apple Support; follow both very carefully. Removal does NOT require 3rd party software or paying an Apple Technician, but it takes a little patience and persistence, following directions, and – it works! The Genieo ad-injected software is an insidious, horrible little third-party bug or “adware” as it is benignly called. It literally takes over your browsing and browser settings. You can install it and not even know it. You can try to uninstall it and it will remain deeply embedded. Google this horrible little company. They will defend this piece of s*** software despite its intentionally designed maliciousness. I’m not sure why companies like this are even allowed to legally exist. I would ask that all anti-virus companies consider Genieo to be at least a PUA (Potentially Unwanted Application), if not actually malware. Hope this helps.
[link removed — please only use links as citations for complete content/instructions re-posted here]
I accidentally downloaded this Genio malware and at first I noticed no changes. It wasn’t until I restarted my computer that all the changes took effect. I experience all of the effects mentioned in this article but in addition I was signed out of my iCloud accounts the date and time on my computer were wrong and needed to be adjusted, my iCal was not synced, and I was singed out of FaceTime. The calendar fixed its self but i have not singed back on to iCloud because I don’t know if by doing so I might inadvertently be giving Genio or other third parties my password and/or access to my account.
Please advise if any of you have also experienced this and what you did to fix it. I have followed the steps outlined above but I just want to make sure not to make another avoidable mistake.
Thank you so much!! that helped a lot. my safari wouldn’t open because of that.
I downloaded sergeon simulator and Genio downloaded with it. so it shut down my safari
i couldn’t even see Genio in my launch pad so I got scared.
Thank you so much. and i fixed it before my parents found out.
I suddenly have this pop up window with a completer message and an installer on the desktop every time I turn my iMac on.
I followed an looked for the files mention in here but i can’t see to find anything. I just want to get rid of it.
what can i do?
and I don’t want any other 3ed party software
Thank you so much for this! I quit the Installer once it asked for access to my keychain, and after that my Safari kept crashing on opening. Much appreciated.
Oh, one more thing. I used this to uninstall the InstallMac mess. I didn’t have all the files you mention, but many of them.
However, in my Applications folder, although I didn’t have any Genieo app, I did have an Install Mac folder that I also had to delete. I think it just had an app in it that reset the browser home page.
Anyhow, thanks again.
I would love some help with this…
I don’t have the launchd.conf anywhere. I do have a launchd.con.5 in a hidden usr/share/man/man5 folder.
problems i see related to genieo are an Installer.app in my activity monitor just sitting there whose Open Files and Ports are com.genieoinnovation.Installer/completion.app/contents/macos/installer
i dont have a genieo app and ive never seen the house icon.
can i go ahead and delete everything related to genieo? because my launchd.conf is nowhere, not even in the /etc folder?
should i quit this Installer in activity monitor?
i dont know, trying to start somewhere.
thanks to anyone
Hello! I have a question, when I updated my laptop to Yosemite OS X, it told me the genieo files were incompatible? (i’ve never tried to delete genieo off of my laptop before because the actual app wasn’t installed). The only files of genieo I could find are one in PrivilegedHelperTools, the framework, and some genieo .plist files. However, the only one my computer declared as “incompatible” are the .plist files and the framework – not the one in PrivilegedHelperTools. Do you think it would be safe to just delete all of these files or might it cause harm to my computer?