Remove Search Marquis virus from Safari/Chrome/Firefox on your Mac

Find out what kind of a Mac threat Search Marquis is, what distribution methods it uses, and how to remove it so that the web browser is no longer redirected.

Searchmarquis.com, the pivot point of a massive Mac browser hijacking scheme

Apple’s macOS isn’t only a territory of incredible apps and awesome features. Over the years, it has also become an oasis for malicious code of different severity. Murky programs that are focused on skewing their victims’ web surfing patterns without permission are at the top of the cybercrime “food chain” at this point. The Search Marquis virus fits the mold of such peril. Having debuted in the fall of 2019, it has since generated massive volumes of fraudulent Internet traffic and is still very active now in 2021. Unlike many counterparts that start dwindling after the original outbreaks, this campaign exhibits unprecedented longevity.

In the aftermath of this attack, one’s browser is pulled into a vicious circle of redirects via the searchmarquis.com URL. Serving as the starting point of the hijack, it triggers a series of additional rerouting instances that momentarily resolve auxiliary domains, such as searchbaron.com, api.lisumanagerine.club, m.nearbyme.io, and r.a9g.io. The exact list and order of these addresses may vary depending on the user’s geolocation. After all these annoying hops, the victim hits the landing page – believe it or not, that’s Bing.com.

Search Marquis virus promotes Bing

At first sight, the fact that Microsoft’s search engine is the resulting site in such a nasty scheme appears to have opaque reasoning behind it. Crooks are most likely parasitizing its reputation to intertwine their misdemeanor with some shades of legitimacy. That being said, it’s not Bing that plays the bad role here. It’s what comes before the victim gets there. As previously mentioned, the redirect route involves interstitial URLs that can be noticed in the browser’s status bar for a split second. Some of these entities dispatch the Internet navigation according to the malicious actors’ plan, while others turn out to have ties with APIs of ad networks. This way, the intercepted traffic is monetized.

The Search Marquis virus usually arrives at Macs with an application that portrays itself as something useful and harmless. The default mode of the bundle installer only mentions the good part while concealing the presence of potentially unwanted items. This is a springboard for a quiet attack that instantly entails changes at both the system and browser levels. The virus tweaks the user-specified preferences in Safari, Mozilla Firefox, and Google Chrome to force hits to searchmarquis.com. From there, a predefined sequence of follow-up redirects occurs, culminating with Bing.

The persistence of Search Marquis has been the talk of the town since it exploded with numerous infections. It abuses macOS command-line features to add a configuration profile that enforces peculiar browser behavior and hampers regular removal of the underlying evil app. Therefore, the fix is going to be half-baked unless the user deletes this profile from the corresponding section under System Preferences. The following steps will walk you through the whole cleaning process to help you stop the redirect madness in its tracks.

Uninstall Mac malware that redirects to searchmarquis.com

Removing threats behind Mac browser redirect schemes is quite a challenge due to their high persistence and stealth. The good news is that you can use a tried-and-tested cleaning technique to overcome these obstacles. The steps below will help you out.

  1. Expand the Go pull-down menu in the Apple menu bar, select Utilities, and double-click the Activity Monitor icon.
  2. Look for a process that has nothing to do with Apple services or legitimate apps you are using. An unfamiliar icon and a significant amount of CPU usage are a few attributes of a malicious executable.
  3. Select the suspect entry and click the Stop (X) button, which is the leftmost one in the upper toolbar. Click Quit in the follow-up dialog to terminate the unwanted process.
  4. Open the Finder and select Applications in the “Favorites” area. Spot the misbehaving app and move it to the Trash.
  5. Use the above-mentioned Go menu to open the Go to Folder window.
  6. Enter /Library/LaunchDaemons in the search box and press Enter or click the Go button.
  7. Check the LaunchDaemons folder for items that seem out of place. Move the likely culprits to the Trash.
  8. Use the same method to access the ~/Library/LaunchAgents (with the tilde symbol at the beginning), /Library/LaunchAgents, and ~/Library/Application Support folders. Find potentially unwanted items in each directory and delete them.
  9. Open System Preferences and pick Users & Groups. Hit the tab called Login Items. Select the app that shouldn’t be running at each login and use the built-in controls to delete it from the list.
  10. When on the System Preferences screen, select Profiles. Normally, no configuration profiles should be installed unless you are using a company-issued Mac. Choose the redundant entry added by malware and click the “minus” sign to get rid of it.
  11. Empty the Trash folder.
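
Deciding which LaunchDaemons and LaunchAgents entries "seem out of place" is easier when you can see what each one actually launches. The Python script below is an added example, not part of the original guide or any vendor tool: it reads every job file in the three launch folders named above and reports the executable behind it. The review hints and the sample jobs in `demo()` are assumptions constructed for illustration, and a note on an item is a reason to look closer, not proof that it is malicious.

```python
import plistlib
import tempfile
from pathlib import Path

# Folders the removal steps tell you to inspect. Apple's own jobs live under /System/Library.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents"]
# Assumption: program locations that merit a closer look (a heuristic, not proof of malware).
REVIEW_HINTS = ("/Library/Application Support/", "/Users/Shared/", "/tmp/")

def audit_launch_items(dirs=LAUNCH_DIRS):
    """Return one record per launchd job definition found in dirs."""
    findings = []
    for folder in dirs:
        for plist in sorted(Path(folder).expanduser().glob("*.plist")):
            record = {"file": plist.name, "label": None, "program": None, "notes": []}
            findings.append(record)
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
            except Exception as exc:  # a corrupt job file is worth reporting too
                record["notes"].append(f"unparseable ({type(exc).__name__})")
                continue
            args = job.get("ProgramArguments") or []
            program = str(job.get("Program") or (args[0] if args else ""))
            record.update(label=job.get("Label"), program=program)
            if any(hint in program for hint in REVIEW_HINTS):
                record["notes"].append("runs from Application Support or a temp/shared folder")
            if any(part.startswith(".") for part in Path(program).parts):
                record["notes"].append("hidden path component")
            if job.get("RunAtLoad") or job.get("KeepAlive"):
                record["notes"].append("starts automatically")
    return findings

def demo():
    """Audit a constructed folder (made-up sample jobs, not real Search Marquis artifacts)."""
    samples = {
        "com.example.backup.plist": {"Label": "com.example.backup",
                                     "Program": "/Applications/Backup.app/Contents/MacOS/agent"},
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
            "ProgramArguments": ["/Users/me/Library/Application Support/.helper/updater", "-q"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(Path(tmp, name), "wb") as fh:
                plistlib.dump(body, fh, fmt=plistlib.FMT_BINARY)
        Path(tmp, "broken.plist").write_bytes(b"not a plist")
        return audit_launch_items([tmp])

if __name__ == "__main__":
    for item in audit_launch_items():
        print(item["file"], "->", item["program"], item["notes"])
```

Run it on the affected Mac before and after the cleanup; any job whose program path no longer exists after you trashed the app is a leftover launch file.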

Now that you have uninstalled Mac malware that’s setting searchmarquis.com redirect activity in motion, there are several more things you need to do at the level of your web browsers that are probably still affected.

Declutter your web browser

  1. Purge Safari of toxic junk
     • Head to Safari Preferences, click the Privacy tab, and select Manage Website Data. Then, click the Remove All button.
     • Under Safari Preferences, go to the Advanced tab and activate the option saying Show Develop menu in menu bar.
     • Click Develop in the upper menu bar and select Empty Caches in the drop-down list.
     • Open the History menu and click Clear History. Follow further prompts to remove all browsing history.
     • Restart Safari.
  2. Revert to original Google Chrome settings
     • Open Chrome, click Customize and control Google Chrome, and select Settings.
     • Click the Advanced button in the sidebar, select Reset settings, click Restore settings to their original defaults, and confirm the action.
     • Restart Chrome.
  3. Reset Mozilla Firefox
     • Launch Firefox, click the Open Application Menu button, select Help, and click More Troubleshooting Information.
     • Click Refresh Firefox and follow on-screen prompts to clear unwanted browsing data.
     • Restart Firefox.

Surf the web wisely

The likes of the Search Marquis virus are very easy to catch and equally difficult to remove from your Mac. Moreover, they can cause more serious consequences than messing around with web browsers. Personal data harvesting is an example of what they usually do behind your back. That being said, you would be better off avoiding these baddies down the line.

The top tip is to be a little paranoid about software installers available outside of the App Store. There is always a chance that these items are trickier than they appear. At the very least, exit the “express” setup mode to see the list of promoted programs and uncheck suspicious ones. Ideally, you should stick with official application marketplaces that use rigid checks to keep shady code away.
