Remove Search Marquis virus from Safari, Chrome, Firefox on Mac


Since searchmarquis.com is a component of a wide-sweeping Bing redirect campaign targeting Mac computers, the browser hijack should be addressed immediately.

What is Search Marquis?

Virus Summary
Name: Search Marquis (searchmarquis.com)
Species: Mac redirect virus / adware / PUA
IP Address: 13.224.11.6
Impact: Redirects Safari, Google Chrome, and Mozilla Firefox to Bing.com; displays “Your computer is low on memory” fake alerts
Spreading Methods: App bundles, tech support scams
Risk Level: Moderate
Persistence: High

Macs were a nearly malware-free territory a decade ago. There were hardly any threats potent enough to get around the user authorization barriers and the built-in protection mechanisms. Fast forward to present day, and the big picture has changed dramatically. Machines running macOS are being constantly shelled by adware, fake optimization utilities, and even relatively exotic pests such as coin miners and ransomware. The former two categories prevail over the rest in this landscape. Search Marquis is a demonstrative example of this trend, acting as a browser hijacker that intercepts and reroutes a victim’s web traffic in a forcible way. Similarly to another redirect nasty from the same lineage called Search Baron, it imposes rogue browsing preferences to fling a victim’s Internet activities to searchmarquis.com first, then through a series of URLs, including searchbaron.com and us-west.2.elb.amazonaws.com, all the way to the final-stage landing page.

Searchmarquis.com, the starting point of the redirect

Counterintuitively, the resulting site isn’t a malicious resource with exploits or suchlike sneaky entities onboard. Instead, it’s a legitimate page whose good reputation is out of the question. Believe it or not, the Search Marquis virus redirects to bing.com custom results whenever the victim enters keyword requests in the address bar. Incidentally, the infection manifests itself in an identical way on Safari, Google Chrome, and Mozilla Firefox. The involvement of reputable services in clearly malicious traffic reorganization schemes is a long-running cybercrime tendency. Another wave of that kind is the Yahoo redirect hoax, which has also been wreaking havoc in the Apple ecosystem for years. What’s the whole point? One of the reasons why crooks add big names from the online search industry to their genre is that the attack then looks less unsettling. Another theory is that driving traffic to a hosted search service allows the malefactors to rake in some sort of an affiliate profit.

With that said, the pivot of the Search Marquis attack is all about redistributing Mac users’ web navigation vectors in a specific manner. The bulk of its operators’ interest lies in the realm of the transitional domains that are briefly displayed in the status bar of an affected browser during every single redirect instance. These pages are most likely integrated with monetization networks that reward all unique visits, especially ones emanating from Mac computers that are traditionally deemed high-end. To recap, the attack entails an annoying scenario where one’s preferred web browser is incessantly forwarded to searchmarquis.com and subsequently to bing.com via a number of interim sites.

What are additional symptoms of Search Marquis infection on Mac?

Although the browser redirect activity is the most prominent facet of the Search Marquis raid, the breadth and depth of this exploitation goes somewhat further. In order to persist inside macOS, the culprit creates what’s called a configuration profile, or device profile, under System Preferences. This random-named entry is intended to control the web surfing side of computing by ensuring that the wrong search preferences persist even if the victim tries to edit them manually.

Search Marquis attack may be accompanied by fake low memory alerts

An extra flavor of the attack is the emergence of popup alerts that say, “Your computer is low on memory. To free up some memory, please close a few applications”. This is part of a brainwashing plan aimed at cross-promoting additional malware. In particular, the dubious applications being pushed through such a guileful trick are scareware utilities – moreover, these popups could be a clue that one of such nuisances is already up and running. It might have crept into the Mac along with the Search Marquis threat. A few examples of such pseudo-optimizers are Advanced Mac Tuneup, Mac Cleanup Pro, and Mac Auto Fixer. The low memory warnings are used to create an illusion that the system performance needs a boost, and the “cure” recommended by follow-up alerts is a fake.

How did Search Marquis virus get on my Mac?

The criminals behind this browser hijacker stick with a tried-and-tested distribution technique. The most common source of the contamination is a bundle of several applications that infiltrate systems alongside legit-looking software. The accompanying parasites aren’t mentioned in the installation client’s screens, and therefore users unknowingly agree to install the whole package while thinking that the only program they’re getting is a harmless one showcased in the default setup mode.

A stratagem that dominates these dirty spreading practices is the infamous fake Adobe Flash Player update campaign. It piggybacks on the general product awareness and the tactic it is normally employing to serve regular updates – that is to say, popup dialogs offering the new version. The perpetrators have learnt to mimic such popup recommendations. They appear on websites, either compromised or specially crafted malicious ones, and spread the likes of Search Marquis under the guise of must-install Flash Player updates. The next thing you know, the potentially unwanted application (PUA) gives the browsing settings an overhaul without permission and causes the redirect frenzy.

How do I remove Search Marquis virus from my Mac?

Although this threat manifests itself in the web browser only, it actually leaves a footprint across the system to maintain persistence. The subsection below will help you find and remove all the components of searchmarquis.com virus manually. Keep in mind that some of its files are a no-brainer to spot, while a few may be hidden so that the cleanup is harder to complete than in a typical software uninstall situation.

  • Expand the Go menu in your Mac’s Finder and click the Utilities entry.
  • Proceed to the Activity Monitor.
  • Explore the Activity Monitor for processes that appear dubious and use up a good deal of the CPU. Be advised that the malicious executable isn’t necessarily named Search Marquis, so you’ll have to follow your intuition to an extent. If you find such a suspicious object, use the Quit Process option to terminate it. Confirm the action by clicking Force Quit on a follow-up prompt.
  • In the Finder bar, click the Go icon and select Go to Folder in the list. Alternatively, you can press the Command+Shift+G key combo.
  • Once the system search bar appears, type /Library/LaunchAgents in it and click Go.
  • When the LaunchAgents folder is in front of you, look for suspicious files and drag them to the Trash. Note that the names of such malicious objects might appear to be unrelated to Search Marquis adware. Here are a few examples of known-harmful files spawned by Mac viruses: com.mcp.agent.plist, com.pcv.herlperamc.plist, com.avickupd.plist, etc. Any items that don’t fit the mold of benign Mac files should be moved to the Trash immediately.
  • Follow the same logic (Go to Folder feature) to open the directories called ~/Library/LaunchAgents, /Library/Application Support, and /Library/LaunchDaemons in turn. Look for suspicious files (see examples above) in each one of these folders and remove them.
  • Now use the Go drop-down menu in the Finder again and choose Applications.
  • Inspect the list of your applications for a potentially unwanted entity whose installation time co-occurred with the Search Marquis issue. It’s most likely some random-named piece of software you don’t recollect installing recently. Once you find the unwelcome app, drag it to the Trash. Empty the Trash folder when done.
  • Use the Apple menu to navigate to your System Preferences.
  • Proceed to Users & Groups and select Login Items. The system will display all the programs executed automatically whenever you turn on your computer. Use the “minus” pictogram to delete the rogue account along with the sketchy item triggered at boot time. When done, go to Profiles under System Preferences to see if the virus has created configuration profiles on your Mac. If anything dubious is there, select it and click the “minus” symbol.
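The LaunchAgents and LaunchDaemons check from the steps above can be scripted so that each item shows the program it actually starts. The following is an added example, not part of the original article: it assumes Python 3 is installed on the Mac, the function names and the ODD_LOCATIONS heuristic are illustrative assumptions, and only the three file names in KNOWN_BAD come from the article.

```python
import plistlib
from pathlib import Path

# Launch locations named in the steps above (launch plists live here).
LAUNCH_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents",
               "/Library/LaunchDaemons"]
# File names the article gives as known-harmful examples.
KNOWN_BAD = {"com.mcp.agent.plist", "com.pcv.herlperamc.plist",
             "com.avickupd.plist"}
# Assumption: a launch item whose program sits in one of these places is
# unusual enough to review by hand. A triage heuristic, not a verdict.
ODD_LOCATIONS = ("/Application Support/", "/tmp/", "/Users/Shared/", "/.")


def inspect_plist(path):
    """Parse one launch plist and collect the reasons it deserves review."""
    reasons = []
    if path.name in KNOWN_BAD:
        reasons.append("file name listed in the article")
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)          # reads XML and binary plists
    except Exception:
        data = None
    if not isinstance(data, dict):
        data = {}
        reasons.append("plist could not be parsed")
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    if any(marker in program for marker in ODD_LOCATIONS):
        reasons.append("program in unusual location")
    if program.startswith("/") and not Path(program).exists():
        reasons.append("program missing on disk")
    return {"file": str(path), "program": program,
            "run_at_load": bool(data.get("RunAtLoad")), "reasons": reasons}


def audit_launch_items(dirs=LAUNCH_DIRS):
    """Inspect every .plist in the given directories, skipping absent ones."""
    folders = [Path(d).expanduser() for d in dirs]
    return [inspect_plist(p) for f in folders if f.is_dir()
            for p in sorted(f.glob("*.plist"))]


if __name__ == "__main__":
    for item in audit_launch_items():
        print(item["file"], "->", item["program"] or "?", item["reasons"])
```

The script only reports; flagged items still need a manual look before anything goes to the Trash.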

Uninstalling the harmful application is half the battle. It is a way to make sure that the symptoms won’t reappear after you implement the browser-level part of the repair. In the meanwhile, the searchmarquis.com redirect nasty continues to affect your preferred web browser and therefore you need to revert to the correct Internet surfing settings. Read the subsection below to find out how.

How do I stop searchmarquis.com redirects in a web browser?

Thankfully, you needn’t reinvent the wheel in terms of invalidating the adverse tweaks caused by the Search Marquis virus in your browser. A tried-and-true technique is to reset the affected browser to its original defaults. On a side note, Apple has removed the “Reset Safari” button since the release of the Mac native browser’s version 9 back in 2015, so the procedure is now a bit more complex than a one-click experience (see below). Anyway, here’s a simple way to purge the most popular web browsers of the malicious influence:

  1. Remove Search Marquis virus from Safari browser
    • Select Preferences in the Safari menu.
    • Click the Advanced tab and put a checkmark next to the Show Develop menu in menu bar option.
    • Expand the Develop menu that now appears in the Safari menu bar and select Empty Caches.
    • Check if the browser is still being forwarded to searchmarquis.com. If it is, go back to the Safari menu bar, expand the History menu, and select the Clear History option.
    • Customize the process using a follow-up dialog that allows you to define the period of time for which you want to remove cookies and other website data. It’s recommended that you select all history. Then, go ahead and click Clear History.
    • If your Safari browser is being rerouted to the rogue URL regardless, go to the Preferences pane via the Safari menu bar again and hit the tab called Privacy. Find and click the Manage Website Data button.
    • Safari will display a list of all sites that have retained your online data. Click the Remove All button without a second thought. Once the information has been deleted, click Done at the bottom right.
  2. Get rid of searchmarquis.com redirects on Google Chrome
    • Open Chrome, click the Customize and control Google Chrome icon in the upper right-hand part of the window, and select Settings in the drop-down list.
    • Look for the button called Advanced and click it to go beyond the basic Chrome settings.
    • In the Reset settings area, click the button that says Restore settings to their original defaults.
    • All that’s left to do is click Reset settings on the respective dialog in case you are okay with the resulting changes listed there. Restart Chrome to make sure the benign tweaks take effect.
  3. Delete Search Marquis in Mozilla Firefox
    • Open Firefox, click Help, and select Troubleshooting Information in the list.
    • Click the button called Refresh Firefox.
    • The browser will trigger an extra popup dialog where you should confirm the reset action. When finished, restart Firefox and enjoy your web surfing without Search Marquis virus messing around with it.

How do I make sure that Search Marquis virus is gone?

Symptoms isolated to the browser are the tip of the iceberg. Search Marquis redirect virus and its associated malware can gain a foothold in the Mac beyond redirect activity alone. The drawback of manual removal is that there might be hidden leftovers of the threat that will reinstall it after what seems to be a successful cleanup. This isn’t necessarily the case, but you may want to double-check if you are in the clear.

Consider scanning your Mac with Combo Cleaner, an optimization and security app with a decent track record. It’s lightweight, and it can detect all prevalent forms of Mac malware in a snap. Here’s the how-to:

  1. Download and install Combo Cleaner

    By downloading any software provided on this website you consent to the provisions listed in our Privacy Policy and Terms of Use. Be advised that Combo Cleaner scan is free, but you will have to buy its full (Premium) version to enable the virus removal feature.

  2. Open the Launchpad from your Mac’s Dock and click the Combo Cleaner icon to run the app. Wait for the tool to update its database of virus definitions and click the Start Combo Scan button.
  3. In addition to identifying malware and privacy issues, the app will inspect your Mac for junk files, duplicates, and large files you might no longer need. Deleting these redundant objects can release a good deal of disk space.
  4. Scrutinize the scan report. Hopefully, its results in the antivirus and privacy categories are blank and the verdict is “No Threats”, which means you are safe. If there are infections listed in the report, though, use the Remove Selected Items option to get rid of them.
