completer.app popup?
OP
Coming back to the computer after lunch, there was an authorisation box open asking for the Admin password to instal something called completer.app.
An unknown-to-me disk had mounted itself on the desktop. (Sorry I don't remember the name of that, I dismounted it. I did not provide any password - I'm not that stupid.)
If it helps, my default browser is Firefox, search engine Google. OS is 10.6.8. I never download applications unless I am absolutely sure that they are valid and safe, and had not requested or attempted another one while I was away from the keyboard.
Last edited by Bensheim; 12/15/14 03:48 PM.
Re: completer.app popup?
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: completer.app popup?
Moderator
Sounds like you somehow got a downloaded .dmg file with the Installer.app set to be loaded onto your computer.....how that transpired is something you'll need to find out on your end, however, since you didn't allow it to complete, the offending adware should NOT be installed on your machine. There is a fairly good list of previous threads across the internet to be found using a Google search on "Installer.app on Mac", but This Link should give you enough info to work with. I'm guessing that you will find the guilty .dmg file in your Downloads folder and can safely delete it. Let us know....
Last edited by MacManiac; 12/15/14 04:18 PM. Reason: simo response with Artie
Freedom is never free....thank a Service member today.
Re: completer.app popup?
OP
Firefox downloads, download to desktop, here.
That is the scariest list of instructions I have EVER SEEN!
I cannot deal with this until Wednesday at the earliest: working on deadlines here. Since nothing was installed I am assuming that I can proceed with work as usual until then.
?
What is this thing supposed to do anyway?
Re: completer.app popup?
> Firefox downloads, download to desktop, here. That is the scariest list of instructions I have EVER SEEN!
Is there supposed to be a link here?!
Re: completer.app popup?
Moderator
You might give the donationware application AdwareMedic a shot. I did not have a Genieo infection, but it turned up and removed two Firefox (Mozilla) adware apps left over from a previous Firefox install. (I removed Firefox a few months ago as I was not using it or keeping it up to date, but apparently the adware was still hanging around.)
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: completer.app popup?
OP
> > Firefox downloads, download to desktop, here. That is the scariest list of instructions I have EVER SEEN!
> Is there supposed to be a link here?!
The link is in the post I replied to, from MacManiac.
Re: completer.app popup?
OP
> You might give the donationware application AdwareMedic a shot. I did not have a Genieo infection, but it turned up and removed two Firefox (Mozilla) adware apps left over from a previous Firefox install. (I removed Firefox a few months ago as I was not using it or keeping it up to date, but apparently the adware was still hanging around.)
From that link: AdwareMedic requires a Mac running Mac OS X 10.7 (Lion) or later.
Adware often comes packaged in installers for other software. Most often, this is because something was downloaded illegally from a torrent or piracy site. Sometimes it is because it has been added to a legit piece of software by an unscrupulous download site.
OK. What I've downloaded lately are: Skype and Open Office. I had to download Open Office to open a legitimate data file from a government website who (expletive deleted) put their data files up in open office format which these Macs could not open/read/use. They were downloaded on Dec 2nd and Nov 24th respectively. So why did this thing pop up on Dec 15th?
Re: completer.app popup?
Moderator
> AdwareMedic requires a Mac running Mac OS X 10.7 (Lion) or later.
AdwareMedic was a response to the growing sophistication of the adware developers that went beyond the capabilities of the author's previous script. Unfortunately his previous script no longer works with today's generation of adware. Since you are using an out of date version of OS X your only option would be to go through all the steps you say are so complex or erase your HD and start over from scratch.
> Adware often comes packaged in installers for other software. Most often, this is because something was downloaded illegally from a torrent or piracy site. Sometimes it is because it has been added to a legit piece of software by an unscrupulous download site. OK. What I've downloaded lately are: Skype and Open Office. I had to download Open Office to open a legitimate data file from a government website who (expletive deleted) put their data files up in open office format which these Macs could not open/read/use. They were downloaded on Dec 2nd and Nov 24th respectively. So why did this thing pop up on Dec 15th?
Note the initial sentence, "Adware often [emphasis added] comes packaged in installers for other software." It does not say, "Adware always comes packaged in installers for other software." Adware distributors can and do learn lessons from virus distributors and it is not too surprising that they pick up some of their techniques. There is money to be made after all. For example look at how carefully the more recent versions of Genieo hide from detection and make themselves difficult to remove. Assuming you got Skype from the publisher (Microsoft) at www.skype.com and OpenOffice from www.openoffice.org, both are reputable organizations and highly unlikely to be the source of your mystery download. It is far more likely the download originated from some link you clicked on while browsing the internet on a knowingly or unknowingly infected web site.
More recent versions of OS X have more protection against this sort of thing, but that is not going to be available in a no longer supported version of OS X like 10.6.8.
By the way, the file formats used by OpenOffice, NeoOffice, and LibreOffice on the Mac and PC are based on internationally accepted open standards unlike Microsoft's proprietary document standards. In fact Microsoft's .docx etc. formats are intentional corruptions of the .odf standards used in the OpenOffice variants. More and more EU countries are moving toward open standards to get away from proprietary technologies.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: completer.app popup?
OP
Using one of those links I found 5 or 6 of these files on my Mac.
Library/Applications Support >> com.genioinnovation.installer on Nov 24th at 15:06 hours was one of them. In the Applications folder I found a Instal Mac same date.
I've moved them all to trash.
Reading around, should I instal/run Tembo, Sophos?
I also think it wasn't either of the downloads I previously posted about on that date (Nov 24th) but another version of Stuffit Expander (I was trying to open that legitimate file on a government website) which seems to have been obtained from a place called smithmicro dot com.
I have not dared to reboot yet. Today is the very worst day to have something go wrong.
Re: completer.app popup?
Moderator
> ... but another version of Stuffit Expander [...] which seems to have been obtained from a place called smithmicro dot com.
> Today is the very worst day to have something go wrong.
Smithmicro dot com is the current publisher of StuffIt, which they purchased about 9 years ago. It seems quite unlikely that companies like this provide their software with a Genieo-based installer (the hue and cry would be deafening), even though it cannot be excluded entirely. That applies to most software downloaded through official channels. But regardless how you acquired it, that day—by definition—is the worst. Whatever you do, make sure you follow the instructions to remove it to the letter.
alternaut ◉ moderator
Re: completer.app popup?
Moderator
Smith micro is a reputable software publisher and offers many applications through the Apple App Store including Stuffit Expander. Stuffit and Stuffit Expander have been standby file compression utilities since at least OS 7 and probably earlier. It is unlikely they would be a source of adware.
Sophos or any other anti-virus software is unlikely to detect Genieo since adware is technically not malware, rather it is a user installed utility intended to help direct internet browsing and searching not unlike how the major search sites such as Google and Bing work. Unfortunately Genieo can be and has been abused by malefactors to their own benefit similar to how the DNSChanger trojan of a few years back was used. Genieo operates on your computer while Google, Bing, et al. operate on their servers and they take great precautions to prevent mal-redirection. The only effective protection against adware and trojans is user vigilance.
As to Sophos and other anti-malware utilities, the current thinking is…
- anti-virus software generally slows everything down and too frequently causes operational problems
- anti-virus software can only detect known viruses and as there are no known viruses for the Mac the only thing they detect is Windows virii that cannot infect the Mac
- Most of us are running without active malware protection and having no problems
- Apple does a good job of quickly closing any OS X vulnerabilities that are detected, so the best protection is to stay current with OS X. Unfortunately since OS X 10.6.8 is no longer supported you will not benefit from these patches.
I know you have good reasons for staying with 10.6.8 but if I were in your shoes I would be working hard to find a way to move on from Snowy. You are going to find yourself more and more limited in what you can do and where you can go on the internet not to mention more and more vulnerable to malware exploits.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: completer.app popup?
OP
Yet another look at Firefox > Tools > Downloads, reveals this.
apache_openoffice_4.dmg 297 KB – genieo.com – November 24
THAT one was a version of Open Office which is not compliant with my OS.
The entry above (the next download) was: Apache_OpenOffice_4.0.0_MacOS_x86_install_en-US.dmg 163 MB - oldapps.com - November 24
It therefore follows that anyone downloading that version of Open Office from that site will also have been infected with this.
So, now having deleted various files as in previous post, what exactly is the threat to this Mac? I see no difference in functionality whatsoever. All my usual sites work fine. Nothing is popping up anywhere.
Thanks
Re: completer.app popup?
OP
In the spirit of enquiry, I have gone back through Firefox history to see where it was I clicked on the link containing the download containing this Genieo infection. (I don't know what else to call it.)
I've now found it. The place is mac hyphen office dot org. I've got that google result up in another window and am minded to report that link/site to Google. How does one do this? (No of course I have not clicked on it again!)
Secondly, I've just rebooted and the Mac came up fine, as I thought it would.
Thirdly, can someone please explain to me what this thing is supposed to do to one's system? (If installed, which mine wasn't.) The only manifestation of it was that popup authorisation screen.
Thanks
Re: completer.app popup?
Moderator
> I've now found it. The place is mac hyphen office dot org. I've got that google result up in another window and am minded to report that link/site to Google. How does one do this? (No of course I have not clicked on it again!)
Try this link
> Thirdly, can someone please explain to me what this thing is supposed to do to one's system? (If installed, which mine wasn't.) The only manifestation of it was that popup authorisation screen.
Genieo is supposed to be a locally hosted search organizer and optimizer similar to what Google, Bing, et al. purport to do. It suggests advertised sites. Unfortunately it has a reputation for being abused by malefactors and used to route users to malware sites.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: completer.app popup?
OP
Hi Joe, I've reported that place as aforementioned.
FWIW I have, and have had, Adblockplus enabled for years. I never see pop-up or any other advertisements anywhere I roam online. I can't recommend it highly enough.
Re: completer.app popup?
As a side note, if you have a .dmg file (or any other file you downloaded from the Internet) and you want to see where it came from, click once on it and go to File->Get Info. In the "More Info" section will be the exact URL the file was downloaded from.
Re: completer.app popup?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict><key>download_url</key><string>http%3A%2F%2Fds.genieo.com%2Fapi%2Fdownload%2F100081759%2Fapache_openoffice_4.dmg%3Fdownload_browser%3Dsafari%26app_id%3D100081759%26campaign%3Dqhk0osxww2wc%26cargoType%3DInstallMacToken%26oname%3Dapache_openoffice_4.dmg</string><key>ver_date</key><string>020141214</string><key>ver_time</key><string>000001612</string><key>install_mc_app_id</key><string>100081759</string><key>install_mc_offer_id</key><string>000000000</string><key>install_mc_version</key><string>000016974</string><key>is_dev</key><string>000000000</string><key>disable_dynamic_update</key><string>000000000</string><key>server_version</key><string>000000000</string><key>agent_update</key><string>000000000</string>
<key>resource-fork</key>
<dict>
<key>blkx</key>
<array>
<dict>
<key>Attributes</key>
<string>0x0050</string>
<key>CFName</key>
<string>Driver Descriptor Map (DDM : 0)</string>
<key>Data</key>
<data>
</data>
<key>ID</key>
<string>-1</string>
<key>Name</key>
<string>Driver Descriptor Map (DDM : 0)</string>
</dict>
<dict>
<key>Attributes</key>
<string>0x0050</string>
<key>CFName</key>
<string>Apple (Apple_partition_map : 1)</string>
<key>Data</key>
<data>
</data>
<key>ID</key>
<string>0</string>
<key>Name</key>
<string>Apple (Apple_partition_map : 1)</string>
</dict>
<dict>
<key>Attributes</key>
<string>0x0050</string>
<key>CFName</key>
<string>disk image (Apple_HFS : 2)</string>
<key>Data</key>
<data>
</data>
<key>ID</key>
<string>1</string>
<key>Name</key>
<string>disk image (Apple_HFS : 2)</string>
</dict>
</array>
<key>plst</key>
<array>
<dict>
<key>Attributes</key>
<string>0x0050</string>
<key>Data</key>
<data>
</data>
<key>ID</key>
<string>0</string>
<key>Name</key>
<string></string>
</dict>
</array>
</dict>
</dict>
</plist>
That's at the end of the file. Weird that the web server would tack that onto the end of a file. The 300k or so before that is basically garbage. Maybe that's the standard trailer on a DMG file, and the dmg is 'trying' to be valid...
I work for the Department of Redundancy Department
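The property list posted above carries a percent-encoded download_url next to the disk image's resource-fork data. As an added example (not code from the thread or from any poster), this Python sketch finds an XML plist embedded near the end of a file, decodes that URL into host, path and query parameters, and lists top-level keys other than resource-fork. The function names, the constructed sample bytes and the choice of resource-fork as the only expected key are assumptions of this example.

```python
import plistlib
import sys
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption of this example: "resource-fork" is the only top-level key a
# plain disk-image plist needs; anything else gets reported.
EXPECTED_KEYS = {"resource-fork"}

# Constructed sample: filler bytes, then a plist shaped like the one posted
# above. Host, ids and campaign value are made up.
SAMPLE_TAIL = (
    b"\x00\x01filler\xff" * 8
    + b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0"><dict>'
    b"<key>download_url</key><string>http%3A%2F%2Fdl.example.invalid%2Fapi"
    b"%2Fdownload%2F42%2Fsample_office.dmg%3Fcampaign%3Dabc123"
    b"%26oname%3Dsample_office.dmg</string>"
    b"<key>install_mc_app_id</key><string>000000042</string>"
    b"<key>resource-fork</key><dict><key>blkx</key><array/></dict>"
    b"</dict></plist>\n"
    + b"\x00" * 512
)


def extract_embedded_plist(blob: bytes) -> dict:
    """Parse the last XML plist found in blob (e.g. the tail of a .dmg)."""
    start = blob.rfind(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def describe_origin(plist: dict) -> dict:
    """Report unexpected top-level keys and the decoded download_url."""
    report = {"extra_keys": sorted(set(plist) - EXPECTED_KEYS),
              "host": None, "path": None, "params": {}}
    raw = plist.get("download_url")
    if isinstance(raw, str):
        url = urlsplit(unquote(raw))  # the whole value is percent-encoded
        report["host"] = url.hostname
        report["path"] = url.path
        report["params"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return report


def inspect_file(path: str, tail_bytes: int = 1 << 20) -> dict:
    """Read only the last tail_bytes of a file and describe its plist."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        fh.seek(max(0, fh.tell() - tail_bytes))
        return describe_origin(extract_embedded_plist(fh.read()))


if __name__ == "__main__":
    result = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else \
        describe_origin(extract_embedded_plist(SAMPLE_TAIL))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The file is only read, never mounted or opened, so a suspect download can be inspected this way before it is deleted.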