Friday, April 4, 2014

Removing www.mrlmedia.net Virus (Mac)

I found that my Chrome is acting weird these days. Strange Ads are popping in lots of websites, and I have no idea how to turn it off. Then, I started to figure out the solution.



Here are some steps may help in most cases, but not in this case:

  • Turn off extensions/plugins, so that there's won't be unwanted js code while loading the websites. => However, the problem remained the same; and different browsers are having the same problem (tested on Chrome and Safari)
  • Clean cookies and other personal settings  => not helping anything
  • Remove everything under "~/Library/Application\ Support/Google/" and "/Library/Application\ Support/Google/", then reinstall Chrome => not helping anything, since the problem happens on different browsers

So, I start to trace the problem on Chrome Developer Tools (Networks):


  1. The right and original request for Google Search.
  2. Chrome is trying to get www.mrlmedia.net/get-js...; however this is the problem.
  3. After getting get-js, Chrome start to run sf_main, and this is loading the Ads
  4. direct.html is the IFREAM for the Ads
The root problem is that "somebody" request the get-js while I am browsing the website. But, I don't know who's the guy.

However, it's easy to block the request by adding www.mrlmedia.net into the blacklist:
  • vim /etc/hosts
  • add 127.0.0.1 www.mrlmedia.net
Then the get-js request will be blocked:



The Ads are removed now.

Better Solution

Thanks for Niccolò Ventura and Steven Foong handing solutions in the comments of this post, and I am writing them down here for conclusion:
>> sudo rm /Library/LaunchAgents/com.vsearch.agent.plist /Library/LaunchAgents/com.vsearch.daemon.plist /Library/LaunchAgents/com.vsearch.helper.plist Library/Frameworks/VSearch.framework # so the virus won't auto-start when the system is up
>> sudo rm -fr /Library/Application\ Support/VSearch/ # remove the virus