Q: How to remove Around the Web

Please click Open with TextEdit and post the text in the window that opens, if any (not a screenshot.)

a message reads "The document “com.apple.builing.plist” could not be opened. You don’t have permission," when i try to open it with textedit

OK. The malware files are #3 in your first screenshot, and both in the third screenshot. Move those to the Trash, then restart the computer and empty the Trash, in that order. Never use any software downloaded from a torrent.

You should also get rid of "MacKeeper," which is technically not malware but is a scam.

"MacKeeper" is a scam with only one useful feature: it deletes itself.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

Please back up all data before making any changes.

In the Finder, select

          Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

☞ Quit MacKeeper before dragging it to the Trash.

☞ Let MacKeeper delete its other components before you empty the Trash.

☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

☞ Don't try to remove MacKeeper while running in safe mode.

That seems to have done it.  Thank you so much for your time and patience, this was driving me up the wall. Much appreciated.

The malware is #2, #3, and #5 in the first screenshot, and both in the second screenshot.

If you are downloading software from torrents, you'll be among the first to be infected with every new kind of malware. The consequences may be a lot worse than seeing ads in a web browser.

Thank you so much! and I understand, just trying to make it through college haha

Hello Linc,

Could you help me too ? I have tried pretty much everything but no luck. I already uninstalled all extensions on chrome, firefox and safari.

Thank you !

A

Please remove "Avira" by following the instructions on this page. If you have a different version of the product, the procedure may be different.

I recommend that you remove the equally useless "Malwarebytes" product according to its developer's instructions. Like "Avira," it failed either to prevent or to remove your malware infection.

Back up all data before making any changes. Never install any "anti-virus" or "anti-malware" product again.

B

You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

While running in safe mode, triple-click anywhere in the line below on this page to select it:

/Library/LaunchDaemons

Right-click or control-click the line and select

          Services ▹ Open

from the contextual menu.* A folder named "LaunchDaemons" should open.

Inside that folder there are one or more items with a name that begins like this:

          com.apple.

There are also one or more items with a three-part name of this form:

          com.something.plist

where something is a meaningless string of letters, different in every case. Typical examples:

          com.semifasciaUpd.plist

          com.ubuiling.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Try again.

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.

You have some new and troublesome malware installed that is using some tricks to avoid detection. Since you have Malwarebytes Anti-Malware for Mac installed, open it and choose Contact Support from the Help menu for personal help from Malwarebytes techs.

Hello Linc,

Thank you soooo much for your quick answer ! I followed all your recommendations and it looks like I am now malware free ! I uninstalled Avira and Malwarebytes, removed all these files in Library/LaunchDaemons with weird, unfamiliar names while in safe mode and it worked like a charm.

The only file I wasn't sure about deleting is : com.apple.tiavorurn.plist. Since it has the com.apple you mentioned, it seems legit but I am not sure about the second part of the name.  

Anyway if it comes back I will know I need to delete this extra file and I will be good to go.

Thanks a lot for your help !

thomas_r, thank you for your suggestion. I actually already had filed a report with the contact support of Malwarebytes Anti-Malware. I got an email from them saying they were treating tickets in the order they come in and to wait for them to contact me.

I then found this post and got help from Linc so I didn't get the chance to talk to the Malwarebytes techs.

Thank you !

The only file I wasn't sure about deleting is : com.apple.tiavorurn.plist.

It's part of the malware and should be deleted.