I wrote a script which, if I made no error, does what is described by Apple in the Technical Note available at: http://support.apple.com/HT203987
Could you check that everything is OK?
set homePath to POSIX path of (path to home folder)
my deleteItem("/Library/Application Support/VSearch")
my deleteItem("/Library/LaunchAgents/com.vsearch.agent.plist")
my deleteItem("/Library/LaunchDaemons/com.vsearch.daemon.plist")
my deleteItem("/Library/LaunchDaemons/com.vsearch.helper.plist")
my deleteItem("/Library/LaunchDaemons/Jack.plist")
my deleteItem("/Library/PrivilegedHelperTools/Jack")
my deleteItem("/System/Library/Frameworks/VSearch.framework")
my deleteItem("/System/Library/Frameworks/v.framework")
my deleteItem("/Applications/SearchProtect.app")
my deleteItem("/Library/LaunchAgents/com.conduit.loader.agent.plist")
my deleteItem("/Library/LaunchDaemons/com.perion.searchprotectd.plist")
my deleteItem("/Library/Application Support/SIMBL/Plugins/CT2285220.bundle")
my deleteItem(homePath & "Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin")
my deleteItem(homePath & "Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin")
my emptyFolder("/Library/InputManagers/CTLoader/")
my emptyFolder("/Library/Application Support/Conduit/")
my emptyFolder(homePath & "Conduit/")
my emptyFolder(homePath & "Trovi/")
my killProcess("Genieo.")
my killProcess("InstallMac.")
my deleteItem("/private/etc/launchd.conf")
my deleteItem("/Applications/Genieo")
my deleteItem("/Applications/InstallMac")
my deleteItem("/Applications/Uninstall Genieo")
my deleteItem("/Applications/Uninstall IM Completer.app")
my deleteItem(homePath & "Library/LaunchAgents/com.genieo.completer.download.plist")
my deleteItem(homePath & "Library/LaunchAgents/com.genieo.completer.update.plist")
my deleteItem("/Library/LaunchAgents/com.genieoinnovation.macextension.plist")
my deleteItem("/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist")
my deleteItem("/Library/LaunchAgents/com.genieo.engine.plist")
my deleteItem("/Library/LaunchAgents/com.genieo.completer.update.plist")
my deleteItem(homePath & "Library/LaunchAgents/com.genieo.completer.ltvbit.plist")
my deleteItem("/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist")
my deleteItem("/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client")
my deleteItem("/usr/lib/libgenkit.dylib")
my deleteItem("/usr/lib/libgenkitsa.dylib")
my deleteItem("/usr/lib/libimckit.dylib")
my deleteItem("/usr/lib/libimckitsa.dylib")
my deleteItem(homePath & "Library/Preferences/com.apple.genieo.global.settings.plist")
my deleteItem(homePath & "Library/SavedState/com.genieo.RemoveGenieoMac.savedState")
my emptyFolder(homePath & "Library/Application Support/Genieo/")
my emptyFolder(homePath & "Library/Application Support/com.genieoinnovation.Installer/")
my emptyFolder(homePath & "Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState/")
my deleteItem("/Library/Frameworks/GenieoExtra.framework")
tell application "System Events"
    restart
end tell
#=====
# Kill the named process, then wait until it has exited.
on killProcess(theProcess)
    try
        tell application "System Events"
            unix id of process theProcess
        end tell
        do shell script "kill " & result
        tell application "System Events"
            repeat while exists process theProcess
                delay 0.1
            end repeat
        end tell
    end try
end killProcess
#=====
# Delete every item inside the folder; the folder itself is kept.
on emptyFolder(theFolder)
    try
        tell application "System Events"
            every disk item of folder theFolder
            repeat with theItem in result
                delete disk item (path of theItem) # useful if theItem is a package
            end repeat
        end tell
    end try
end emptyFolder
#=====
# Delete a single file or folder.
# The bare try block ignores every error, so a missing item and a failed
# deletion (for example a permission error) both pass silently.
on deleteItem(theItem)
    try
        tell application "System Events"
            delete disk item theItem
        end tell
    end try
end deleteItem
Here it runs flawlessly but, as no adware is available on my machine, in fact it does nothing.
Yvan KOENIG (VALLAURIS, France) Saturday 17 January 2015 16:01:32
At this point I’m more concerned about quick and easy detection than removal.
Presently I use AdwareMedic to do the actual removal and recently had just cause to use it after installing the now scum-ware product uTorrent which put Conduit (if memory serves) on my system.
Just to be different and get some practice I wrote a shell script instead of an AppleScript.
I’ve written this to be run from the Terminal (which runs 24/7 on my system), so I can switch over - type ‘mal’ - and get a report.
I probably want to move the file list to its own file to make it easier to manage, but at this point I’m still experimenting.
NOTE: To be sure to get the script text verbatim use the {Open this Scriplet in your Editor} link. If you copy & paste the script will fail due to the way the MacScripter webpage displays the text.
#! /usr/bin/env bash
# Auth: Christopher Stone <scriptmeister@thestoneforge.com>
# dMod: 2015/02/07 16:57
# Task: Produce a report indicating if any of the listed adware files or directories exist.
read -r -d '' fileList <<'EOF'
/Applications/Genieo
/Applications/InstallMac
/Applications/SearchProtect.app
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
/Library/Application Support/Conduit/
/Library/Frameworks/GenieoExtra.framework
/Library/InputManagers/CTLoader/
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/Library/PrivilegedHelperTools/Jack
/private/etc/launchd.conf
/System/Library/Frameworks/v.framework
/System/Library/Frameworks/VSearch.framework
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib
~/Conduit/
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/Caches/com.Conduit.takeOverSearchAssestsMac
~/Library/Caches/com.VSearch.bulk.installer
~/Library/Caches/com.VSearch.VSinstaller
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
~/Library/Preferences/com.geneio.global.settings.plist
~/Library/Preferences/com.geneio.settings.plist.lockfile
~/Library/Preferences/com.genieo.global.settings.plist.lockfile
~/Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState
~/Library/Saved Application State/com.VSearch.bulk.installer.savedstate
~/Trovi/
EOF
foundList="";
notFoundList="";
# Expand a leading ~ to the user's home directory.
fileList=$(sed -E 's|^~|'"$HOME"'|' <<< "$fileList");
while read -r lineVar; do
    if [ -d "$lineVar" ] || [ -f "$lineVar" ]; then
        foundList="${foundList}File $lineVar\t•••• FOUND! ••••\n"
    else
        notFoundList="${notFoundList}File $lineVar\t.... not found ....\n"
    fi
done <<< "$fileList"
sep="----------------------------------------------------------------------------------\t-------------------\n";
echo "";
# The column separator must be a tab; a space here splits every path that contains spaces.
echo -e "${sep}MALWARE FILE SEARCH\t \n$sep$foundList$sep$notFoundList" | column -t -s $'\t';
echo "";
Edit 2015/02/07 17:01 CST - removed several duplicate file paths from the script.
Nice script. The formatting with cols didn’t work out. And I do have my custom written launchd.conf, users will have to open the launchd.conf, and see what is in there before they classify it as malware, and then they can edit away the malevolent parts.
I’m sure it looks good with tidy columns on your screen though.
I was able to hit the {Open this Scriplet in your Editor} link, copy the result from Script Debugger into BBEdit and run, so I hoped this would just work.
I haven’t monkeyed with launchd items (yet).
Since launchd.conf is not likely to change very often I’d probably pull it out of the file-list and make a specific test for it using a Hash value, so it will only throw a flag if the Hash changes.
If you shoot me your email address I’ll send you the script text directly, and hopefully it will run properly for you.
It’s okay, I’ll have some fun mending it. I wonder if it works that way with quote tags as well, that you don’t get the real characters back into the editor.
The great thing about your script, is the report it gives, and not that it does anything. And a user that has done something with his launchd.conf, probably will look into it before deleting it. Problem is if some sysadmin has written some entries in the launchd.conf, setting global variables and the like.
So, launchd conf should really be inspected before being deleted. That was my point.
I was able to hit the {Open this Scriplet in your Editor} link, copy the result from Script Debugger into BBEdit and run, so I hoped this would just work.
I don’t own Script Debugger so the text was sent in Apple’s Script Editor.
I don’t own BBEdit but have TextWrangler so I tried to do the same with this application.
Alas, when I hit “Run”, I get:
The operation couldn’t be completed, because an error occured.
This file doesn’t appear to contain a valid ‘shebang’ line (application error code: 13304)
I got bit by Spigot recently after installing the once safe now unsafe BitTorrent client (currently in version 7.4.3), so I’ve added Spigot’s files to the file list.
I also had some piece of software install its own OSAX without telling me, so I am listing all scripting addition folders as part of the report.
Sometime soon I’ll probably add some other things like the InputManagers folders - I recently found one I didn’t know about, although it was benign.
I name my script ‘mal’ and install it in /usr/local/bin/ - which is in my path.
NOTE: To be sure to get the script text verbatim use the {Open this Scriplet in your Editor} link. If you copy & paste the script will fail due to the way the MacScripter webpage displays the text.
• The Transmission malware that came out a while back.
• The new malware discovered this year (January 2017).
• An edit switch for the command-line - type “mal e” to edit in BBEdit, TextWrangler, or TextEdit.
editFlag="$1";    # assumption: the switch is the script's first argument, as in "mal e"
if [ "$editFlag" = 'e' ]; then
    malExe=$(which mal);
    open -a BBEdit "$malExe" || open -a TextWrangler "$malExe" || open -a TextEdit "$malExe";
    exit 0;
fi
while read -r lineVar; do
    if [ -d "$lineVar" ] || [ -f "$lineVar" ]; then
        foundList="${foundList}File $lineVar\t•••• FOUND! ••••\n"
    else
        notFoundList="${notFoundList}File $lineVar\t.... not found ....\n"
    fi
done <<< "$fileList"