Get up to date on the removal of Genieo virus from Mac, learn a complete profile of this malware, and find out how to identify and avoid such infections.
Update: September 2018
The infamous Download Valley continues to make itself felt in the Mac malware ecosystem. In case you are unfamiliar with the term, it designates a prolific syndicate of dubious software vendors based in Israel that won’t stop pushing their existing adware contrivances, such as Genieo, while also coining new ones. This type of a questionable business model brings up a bunch of serious concerns and, once again, underscores the software-borne dilemma of what’s legit, what’s illicit and what’s lost somewhere in between.
The controversy about some apps these days, even ostensibly useful ones, is that they might be too persistent to get along with the normal user experience and satisfaction. The above-mentioned Genieo, for instance, is marketed as a sort of targeted content aggregate tool that presents relevant information on the user’s personal newspaper-styled Homepage based on their prior search history and other browsing markers reflecting their interests and lifestyle. As commendable as it all might appear, this objective gets achieved through a process that drives people nuts.
Part of the problem is that Genieo does not always get installed as itself, meaning that its payload is often bundled with other programs that you may even download from entirely trustworthy online resources. The scope of these mediator applications is vast, ranging from rogue Adobe Flash Player updates, all the way to multimedia format converters, video playback tools, and professional programmer’s text editors like jEdit. Unless opted out of, the adware setup takes place automatically alongside the kernel install without clearly notifying the would-be victim. Early instances of such a shady distribution tactic by Genieo were reported around 2013, but now in 2018 this malvertising continues to be an issue.
Besides the purported feature of delivering personalized online content to users, Genieo does a few bad things. It adds an extension, also known as Omnibar, to Safari, Firefox or Chrome running on the affected Mac, which twists the victim’s web surfing preferences without their awareness and consent. Instead of the desired homepage that the user chose, Genieo.com will start getting resolved every time the browser is opened. Also, the search engine configured as the default one will suddenly change to Search.genieo.com.
The malware’s true objective underlying this interference is to display ads on the above pages and employ additional traffic monetization techniques. These sponsored items get generated in a targeted fashion, corresponding to the user interests previously harvested by this infection. Unfortunately, this whole routine takes place at the expense of the victim’s Mac usage experience, which doesn’t appear to be an issue for Genieo authors, given the fact that they have been doing it for many years and still stick with the nefarious tactic despite massive negative feedback.
The Genieo virus appears to be undergoing transformations over time. Its latest flavor started manifesting itself on a large scale in summer 2018. The new talk of the town has to do with an entity named MRT.app, which is being reported by numerous Mac users as a file appearing in alerts from their antimalware suites. Some security tools categorize it as malware codenamed MacOS:Genieo-FM, while others flag it as MacOS:BitCoinMiner-AS Trojan. The suspicious object’s path in the system is as follows: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT, and the affected process is /usr/libexec/xpcproxy.
This outbreak has spawned a few theories. One of them comes down to the speculation that Genieo now injects itself into Apple’s proprietary Malware Removal Tool (MRT.app) for macOS platform in order to establish the highest level of persistence on target hosts. Another assumption is that this malware has acquired a cryptocurrency mining feature as part of the crooks’ income diversification strategy. There is an additional theory that seems somewhat more plausible, and it’s rather prosaic – false positives. Security solutions may be detecting MRT.app as a malicious item due to an error in their virus identification logic that came to the fore after another macOS update. Some experts state that Apple didn’t sign their native removal solution properly. Others believe AVs are wrongfully flagging MRT.app’s signature for Genieo rather than Genieo itself. One way or another, this topic is still hot and it’s causing inconveniences to numerous Mac users.
Unfortunately, Genieo is tailored to persist when the plagued user makes standard removal attempts. Deleting the respective browser extension alone will not help to the desired extent, and launching the Uninstaller file that can be downloaded from the vendor’s website has been reported to possibly cause overall system malfunctions. Therefore, sticking to a specially crafted procedure (see sections below) is what’s required to clean up your Mac from the annoying Genieo malady.
Genieo manual removal from Mac
According to in-depth research of this issue, simply resetting the infected web browsers is to no avail as long as you’re using a Mac computer, although this works wonders for Windows. In this part of the guide we will therefore focus on the technique for locating and manually deleting the files associated with Genieo malware. Please follow these steps:
1. Make sure you are logged in to the administrator account.
2. Quit the Genieo application by clicking the house icon as shown below. In the event this icon is not there, this step can be skipped.
3. Move the file named launchd.conf to trash. The location path for this file is as follows: /private/etc/launchd.conf. If you succeeded in finding and deleting this file, make sure you do NOT empty the trash at this point. In case you couldn’t find it, restrain from deleting any of the .dylib files listed in step 4.
4. Look for the files listed below and move the ones found to trash. Again, this process will require that you are logged in as administrator. Also, be advised that not all of these may be there. Importantly, make sure you don’t empty the trash at this stage.
5. Reboot your Mac by selecting Restart from the menu. When the computer is back up and running, make sure you log in to the admin account.
6. Move /Library/Frameworks/GenieoExtra.framework object to trash. When done, empty the trash.
7. Uninstall the troublemaking extension (Omnibar). Depending on which web browser is affected, do the following:
• For Firefox: go to Tools –> Add-ons –> Extensions. Click the Remove option next to Omnibar
• For Chrome: go to Chrome menu –> Tools –> Extensions. Click the trash bin icon next to the Omnibar entry.
• For Safari: access the Preferences interface and select Extensions. Remove Omnibar from there.
8. Restore the right homepage for the web browser that’s acting up. You should now be done fixing the Genieo problem.
Fix Mac browsers affected by the Genieo virus
Settings for the web browser that got hit by Genieo should be restored to their default values. The overview of steps for this procedure in different browsers is as follows:
9. Reset Safari
• Open the browser and go to Safari menu. Select Preferences in the drop-down list
• Once the Preferences screen appears, hit the Privacy tab at the top. Find the option that says Remove All Website Data and click on it
• The system will display a confirmation dialog that also includes a brief description of what the reset does. Specifically, you may be logged out of some services and encounter other changes of website behavior after the procedure. If you’re okay with that, go ahead and click the Remove Now button
• In order to selectively clear data generated by certain websites only, not all of them, hit the Details button under the Privacy section of Safari Preferences
• This feature will list all websites that have stored potentially sensitive data, including cache and cookies. Select the one, or ones, that might be causing trouble and click the appropriate button at the bottom (Remove or Remove All). Click the Done button to exit.
10. Reset Google Chrome
• Open Chrome and click the Customize and Control Google Chrome menu icon
• Select Options for a new window to appear
• Select Under the Hood tab, then click Reset to defaults button
11. Reset Mozilla Firefox
• Open Firefox and select Help – Troubleshooting Information
• On the page that opened, click the Reset Firefox button
Get rid of Genieo malware using Freshmac automatic removal tool
When confronted with malicious code like Genieo on Mac, you can neutralize its toxic impact by leveraging a specially crafted system utility. The Freshmac application (read review) is a perfect match for this purpose as it delivers essential security features along with must-have modules for Mac optimization.
This tool cleans unneeded applications and persistent malware in one click. It also protects your privacy by eliminating tracking cookies, frees up disk space, and manages startup apps to decrease boot time. On top of that, it boasts 24/7 tech support. The following steps will walk you through automatic removal of the Genieo infection.
1. Download Freshmac installer onto your machine. Double-click the Freshmac.pkg file to trigger the installer window, select the destination disk and click Continue. The system will display a dialog asking for your password to authorize the setup. Type the password and click Install Software.
2. Once the installation has been completed, Freshmac will automatically start a scan consisting of 5 steps. It scans cache, logs, unused languages, trash, and checks the Mac for privacy issues.
3. The scan report will then display your current system health status and the number of issues detected for each of the above categories. Click the Fix Safely button to remove junk files and address privacy issues spotted during the scan.
4. Check whether the Genieo adware has been fixed. If the lock screen is still there, go to the Uninstaller option on Freshmac GUI. Locate an entry that appears suspicious, select it and click Fix Safely button to force-uninstall the unwanted application.
5. Go to Temp and Startup Apps panes on the interface and have all redundant or suspicious items eliminated as well. The Genieo fraud shouldn’t be causing any further trouble.