AdWare.OSX.Geonei.b (Kaspersky)


Mac OS


  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes


This adware may be manually installed by a user.


File Size:

495,439 bytes

File Type:


Memory Resident:


Initial Samples Received Date:

16 Sep 2014

Arrival Details

This adware may be manually installed by a user.


This adware drops the following component file(s):

  • /private/etc/launchd.conf - detected as OSX_GEONCONF.SM or OSX_GEONCONF.SMA
  • /Volumes/Installer/Installer.app
  • /Volumes/InstallGenieo
  • /Applications/Genieo.app
  • /Applications/Uninstall Genieo.app
  • /Applications/InstallMac/Reset Search.app
  • /users/{user}/Library/Caches/com.genieoinnovation.Installer/Cache.db
  • /users/{user}/Library/Preferences/com.genieo.settings.plist
  • /users/{user}/Library/Application Support/com.genieoinnovation.Installer/Completer.app
  • /Library/LaunchAgents/com.genieo.competer.update.plist
  • /Library/LaunchAgents/com.genieo.competer.download.plist
  • /private/tmp/tmpinstallmc.dmg
  • /private/tmp/GenieoInstall.dmg

Other Details

This adware does the following:

  • It loads installation components from the following URLs:
    • {BLOCKED}nstaller.appspot.com/appScreen/css/installmac_default.css
    • {BLOCKED}nstaller.appspot.com/appScreen/js/utilities.js
    • {BLOCKED}nstaller.appspot.com/appScreen/dialog.png
    • {BLOCKED}nstaller.appspot.com/appScreen/recomended.png
    • {BLOCKED}nstaller.appspot.com/appScreen/installer_logo.png
    • {BLOCKED}nstaller.appspot.com/appScreen/progress_bg.png
    • {BLOCKED}nstaller.appspot.com/install/first_time?session_id={session ID}&app_id={id}&offer_id={value}&os_version={Mac OS X Version}&install_version={value}&r={value}&disable_dynamic_update={value}&keyboard_lang={available keyboard language}&chosen_lang={default language}
    • {BLOCKED}nstaller.appspot.com/monetize?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true|false}&is_set_sp_approved=false&is_install_accepted=true&install_id={value}&event_show_offer1={value}&is_offer1_accepted={true|false}&offer1_id={value}&install_download_start={true|false}&install_download_success={true|false}&install_exe_start={true|false}&install_exe_done_status={value}&download_url={value}&download_browser={value}&active_browser={active browser}&default_browser={default browser}&keyboard_lang={available keyboard language}&chosen_lang={default language}&language={language}
  • It reports the following information:
    • default browser
    • active browser
    • keyboard language
    • default language
    • Mac OS X version
  • It connects to the following URL to report its installation status:
    • {BLOCKED}installer.appspot.com/report?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true|false}&is_set_sp_approved={true|false}&is_install_accepted={true|false}&install_id={value}&event_show_offer1={value}&install_download_start={true|false}


It displays the following interface upon installation:
{window1.png} {window2.png} {window3.png}

  1. Scan using your Trend Micro product and take note of the detected path.
  2. If the detected files are mounted, EJECT the corresponding volumes:
    • In the Finder’s menu bar, click Go > Computer.
    • In the opened window, right-click the volumes where the detection is seen.
    • Select Eject.
  3. Identify and terminate the grayware process using the path noted in the previous step.
    • Open the Terminal: Applications > Utilities > Terminal, or type ‘Terminal’ in Spotlight.
    • Type the following in the terminal:
      ps -A
    • Look for the detected files and take note of their PIDs. If the detected files are not found to be running, please proceed to the next step.
    • In the same terminal, enter the following command for each grayware PID:
      kill {PID}
  4. Uninstall the application.
    • In the Finder’s menu bar, click Go > Applications.
    • Double-click the “Uninstall Genieo” application and click OK. {apps.png}

    The following message is opened in the default browser upon successful uninstallation:

  5. Delete the grayware directories and files. In the same Terminal, type the following commands:

    sudo rm -R "{grayware path and filename}.dmg"
    sudo rm -R "/Applications/Genieo.app"
    sudo rm -R "/Applications/Uninstall Genieo.app"
    sudo rm -R "/Applications/InstallMac/Reset Search.app"
    sudo rm -R "/users/{user}/Library/Caches/com.genieoinnovation.Installer"
    sudo rm -R "/users/{user}/Library/Preferences/com.genieo.settings.plist"
    sudo rm -R "/users/{user}/Library/Application Support/com.genieoinnovation.Installer"
    sudo rm -R "/Library/LaunchAgents/com.genieo.competer.update.plist"
    sudo rm -R "/Library/LaunchAgents/com.genieo.competer.download.plist"
    sudo rm -R "/private/tmp/tmpinstallmc.dmg"
    sudo rm -R "/private/tmp/GenieoInstall.dmg"

    If the directories and files are not found, please proceed to the next step.

  6. Scan your computer with your Trend Micro product to delete files detected as OSX_GEONEI.LQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.
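As an added check for steps 1, 3 and 5 above (example script written for this entry, not part of the original page or of any Trend Micro tool): it walks the component paths this entry lists and reports which are present, and lists running processes whose command line points at a Genieo component. The ROOT prefix argument is an assumption introduced so the same check can be run against a staged directory tree.

```shell
#!/bin/sh
# Added example (not Trend Micro's tooling): check a system for the component
# paths this entry lists. ROOT is a hypothetical prefix so the same check can be
# run against a staged directory tree; pass "" to inspect the live filesystem.
# The entry writes the home directory as /users/{user}; the default macOS
# filesystem is case-insensitive, so that resolves to /Users, used here.

# Component paths from the entry, with {user} replaced by the account name.
genieo_artifact_paths() {
    user="$1"
    cat <<EOF
/private/etc/launchd.conf
/Applications/Genieo.app
/Applications/Uninstall Genieo.app
/Applications/InstallMac/Reset Search.app
/Users/$user/Library/Caches/com.genieoinnovation.Installer/Cache.db
/Users/$user/Library/Preferences/com.genieo.settings.plist
/Users/$user/Library/Application Support/com.genieoinnovation.Installer/Completer.app
/Library/LaunchAgents/com.genieo.competer.update.plist
/Library/LaunchAgents/com.genieo.competer.download.plist
/private/tmp/tmpinstallmc.dmg
/private/tmp/GenieoInstall.dmg
EOF
}

# Print every listed path that exists under ROOT, one per line.
# /private/etc/launchd.conf also exists on clean older systems, so its presence
# alone is a prompt to review the file (step 6 leaves it to the product scan).
find_genieo_artifacts() {
    root="$1"
    user="$2"
    genieo_artifact_paths "$user" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Number of listed paths present under ROOT (0 means nothing left for step 5).
count_genieo_artifacts() {
    find_genieo_artifacts "$1" "$2" | wc -l | tr -d ' '
}

# PIDs and command lines of running processes whose path points at a Genieo
# component, for step 3 (kill {PID}); no output means none are running.
genieo_processes() {
    ps -A -o pid= -o command= | grep -i -e 'Genieo' -e 'genieoinnovation' -e 'InstallMac'
}
```

On a live Mac, run `find_genieo_artifacts "" "$USER"` and `genieo_processes` from a Terminal after sourcing the script; the counts below are checked against a constructed directory tree.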