Skip to main content

Remove Search Marquis virus from Mac

Search Marquis virus Mac is a new persona of the Bing redirect malady that hijacks a victim’s web browser and causes annoying redirects unless removed.

Update: October 2024

Threat Profile
Name Search Marquis (searchmarquis.com) browser hijacker
Category Mac adware, redirect virus, PUA
IP Address 54.230.89.106
Related Domains searchmarquis.com, searchbaron.com, searchnewworld.com, mybrowser-search.com, api.lisumanagerine.club, search.surfharvest.xyz, search-location.com, searchsnow.com, searchitnow.info, r.a9g.io, nearbyme.io, search1.me, chillsearch.xyz, search-alpha.com
Symptoms Redirects web browser to Bing via searchmarquis.com, adds sponsored content to search results, causes system slowdown, resists regular removal
Distribution Techniques Fake Adobe Flash Player update popups, malware-riddled bundles, spam
Severity Level Medium
Damage Unwanted changes of browser preferences, privacy issues due to Internet activity tracking, search redirects, ads above the fold
Removal Scan your Mac with Combo Cleaner to detect all files related to the browser hijacker. Use the tool to remove the infection if found.

What is Search Marquis redirect virus?

There is a cybercriminal gang on the loose whose activity is shaping up to be a huge concern for the entire Mac community. Although these crooks don’t ruin systems or spread mayhem through greedy crypto-mining behind the victims’ backs, the malicious code they have been creating is hugely obnoxious and extraordinarily hard to remove from plagued Mac machines. The focus of all fishy campaigns under scrutiny is on the web surfing side of computer use. By depositing sneaky apps and plugins onto macOS systems without admins’ consent, the malefactors make browsers act up by rerouting the traffic to sites like searchmarquis.com. What is Search Marquis anyway? It is a manifestation of the virus that gives one’s Internet navigation set-up a malicious overhaul to promote its own landing page. From there, the users are forced to hit Bing.com, Search1.me, or Ask.com, with the browsing path traveling through a number of intermediate domains, such as Search Baron (searchbaron.com), before reaching the destination.

Browser settings defaulting to searchmarquis.com on Mac

Search Marquis infection chain

The Search Marquis virus slithers its way into a Mac by dint of a tricky software packaging scheme referred to as bundling. This technique co-promotes several applications under the guise of one that’s benign and typically free of charge. While legit per se, the mechanism provides attackers with an opportunity to push their harmful programs without notifying the would-be victim. Unless the default setup mode is unchecked and the custom option is selected in the installation client, the malware will rush into the Mac alongside an item that the user is knowingly installing.

As a result, the pest gets all the privileges it needs, and the prey is clueless about ever granting these permissions. From that moment on, the Search Marquis infection starts dominating all things web browsing on the target computer without allowing the administrator to revert to their normal configuration in a commonplace way. To top it off, the app is code-signed and therefore bypasses Apple’s notarization controls. It means that it doesn’t raise a red flag when checked by the Gatekeeper feature built into macOS.

Web browsing is the hardest-hit macOS area

As previously stated, this virus zeroes in on web browsers it detects on the compromised Mac. It supports Safari, Chrome, and Firefox – given the prevalence of these solutions, the impact is going to make itself felt in nearly every attack scenario. The rogue helper object incorporated into the victim’s preferred browser instantly tweaks the homepage, search, and new tab page settings to its own advantage. It replaces these values with searchmarquis.com so that the plagued user visits the unwanted page over and over.

The offending entity tends to additionally tamper with the DNS server settings for extra persistence. This interference leads to the pseudo search engine being constantly resolved instead of the desired one. To tighten the grip further, the culprit stealthily abuses the Mac’s built-in command line, or Terminal utility, to create a random-named configuration profile under System Preferences that holds sway over the targeted browser settings.

Device profile added by SearchMarquis to control Chrome

In Google Chrome, this foul play is the easiest to notice, as its main drop-down menu will include a notification saying “Managed by your organization”, as illustrated in the following image. In the case of infection, the message shows up even on a personal Mac that isn’t supervised by an administrator. Aside from generating hits to the fake search engine, this method of obtrusion reportedly has strange repercussions such as signing the victim out of their account in Chrome once in a while – which, obviously, adds insult to injury.

‘Managed by your organization’ message appears in Chrome due to Search Marquis attack

Search engine takeover leading to Bing

On the face of it, searchmarquis.com seems to be a primitive lookup instrument with a search box and a few links leading to the EULA, Privacy Policy, and the Contact Us page. No matter what keywords are entered in it, the sketchy service will return Bing.com. The route of the navigation, though, also includes a couple of URLs that the victim can only see for a fraction of a second. These transitional items denote advertisement networks where every such inconspicuous hit will count as a unique visit, thereby generating profit for the operators of this hoax. As this malicious campaign evolves, new in-between and destination pages are being added to the wicked mix. A couple of examples are:

  • searchnewworld.com
  • mybrowser-search.com
  • api.lisumanagerine.club
  • search.surfharvest.xyz
  • search-location.com
  • searchsnow.com
  • searchitnow.info
  • r.a9g.io
  • nearbyme.io
  • search1.me
  • chillsearch.xyz
  • search-alpha.com

As odd as it may sound, Search Marquis ultimately forwards web traffic to Bing

These sites return custom search results powered by a legitimate service, so the hoax keeps heading in basically the same direction, combining clearly harmful activity with benign elements. As of August 2023, the Search Marquis campaign underwent the biggest tweak in many months, accompanied by the addition of a new domain to the original stack. A good deal of the intercepted traffic has since been passing through the Search Alpha rogue service parked at search-alpha.com. Despite the URL switching, the shady logic is invariable: the adware hijacks a browser, reroutes it to a worthless provider with no proprietary search algorithms under its hood, and then the traffic reaches a Bing hosted search page.

Counterintuitively, the latter per se is an insignificant part of the attack equation, albeit an ostensible one. Its function is limited to furnishing the whole occurrence with deceptive hues of normality, while the submerged part of the iceberg holds murky URLs from the list above that fill the monetization void and thus matter the most from felons’ perspective.

Additional symptoms

Another likely symptom of the Search Marquis attack on a Mac is the surge of annoying alerts that say, Your computer is low on memory. These warnings usually pop up shortly after system startup and instruct the user to close a few applications to free up some memory. Meanwhile, the available RAM may be multiple times more than what’s required for all running programs to work flawlessly. This quirk, obviously, doesn’t appear to get along with the concept of a browser hijacker, and yet these predicaments bizarrely overlap in most cases. It turns out that such an alert may treacherously overlay a dialog that requests access to control Safari or another web browser. The “undercover” pop-up typically says some app or process whose name consists of multiple random numbers wants to perform actions within the web browser, including unwarranted ingress into the related documents and data. In other words, the faux low memory alert serves as malware’s curtain for privilege escalation on the Mac. The same is true for a more recent spoof warning variant that says, “Your hard drive is almost full”. This one urges a victim to release disk space when there is actually no need to do it. Again, it eclipses a permission request that shouldn’t be accepted.

Fake ‘Your computer is low on memory alert’ accompanying Search Marquis Mac infection

Sometimes the takeover of web preferences co-occurs with a stealth installation of a scareware app onto the system. The faux cleaning utility could be the one to blame for duping the user into thinking that their machine is short of RAM. This way, the misleading software tries to bilk the unsuspecting victim of a registration fee that will supposedly unlock the imaginary optimization features. So much for the pranks of the Search Marquis virus.

Mac adware is also increasingly leveraging tricks reminiscent of man-in-the-middle (MITM) attacks to misrepresent the appearance of web pages. For instance, it may embed advertisements or fake forms into both encrypted and unencrypted traffic. To this end, these culprits may quietly install a proxy tool that additionally enables them to snoop on victims’ online activities and grab details on the running software as well as hardware specifications. Search Marquis tends to take this route, thereby posing extra risks besides simply being a nuisance. What about the fix? The only way to address the issue is to spot and delete all elements of the perpetrating app. Read the follow-up sections to find out how it’s done.

Search Marquis virus manual removal for Mac

The steps listed below will walk you through the removal of this malicious application. Be sure to follow the instructions in the specified order.

  1. Expand the Go menu in your Mac’s Finder bar and select Utilities as shown below.

    Go to Utilities

  2. Locate the Activity Monitor icon on the Utilities screen and double-click on it.

    Select the Activity Monitor

  3. In the Activity Monitor app, look for a process that appears suspicious. To narrow down your search, focus on unfamiliar resource-intensive entries on the list. Keep in mind that its name isn’t necessarily related to the way the threat is manifesting itself, so you’ll need to trust your own judgement. If you pinpoint the culprit, select it and click on the Stop icon in the upper left-hand corner of the screen.

    Stop malicious process

  4. When a follow-up dialog pops up asking if you are sure you want to quit the troublemaking process, select the Force Quit option.

    Select the Force Quit option

  5. Click on the Go menu icon in the Finder again and select Go to Folder. You can as well use the Command-Shift-G keyboard shortcut.

    Use the Go to Folder feature

  6. Type /Library/LaunchAgents in the folder search dialog and click on the Go button.

    Open /Library/LaunchAgents folder

  7. Examine the contents of the LaunchAgents folder for dubious-looking items. Be advised that the names of files spawned by malware may give no clear clues that they are malicious, so you should look for recently added entities that appear to deviate from the norm.

    As an illustration, here are several examples of LaunchAgents related to mainstream Mac infections: com.pcv.hlpramc.plist, com.updater.mcy.plist, com.avickUpd.plist, and com.msp.agent.plist. If you spot files that don’t belong on the list, go ahead and drag them to the Trash.

    Root-level LaunchAgents folder contents

  8. Use the Go to Folder lookup feature again to navigate to the folder named ~/Library/Application Support (note the tilde symbol prepended to the path).

    Open ~/Library/Application Support folder

  9. When the Application Support directory is opened, identify recently generated suspicious folders in it and send them to the Trash. A quick tip is to look for items whose names have nothing to do with Apple products or apps you knowingly installed. A few examples of known-malicious folder names are UtilityParze, ProgressSite, and IdeaShared.

    Application Support folder contents

  10. Enter ~/Library/LaunchAgents string (don’t forget to include the tilde character) in the Go to Folder search area.

    Open ~/Library/LaunchAgents directory

  11. The system will display LaunchAgents residing in the current user’s Home directory. Look for dodgy items related to Search Marquis redirect virus (see logic highlighted in subsections above) and drag the suspects to the Trash.

    Contents of LaunchAgents folder in user’s home directory

  12. Type /Library/LaunchDaemons in the Go to Folder search field.

    Go to /Library/LaunchDaemons

  13. In the LaunchDaemons path, try to pinpoint the files the malware is using for persistence. Several examples of such items cropped by Mac infections are com.pplauncher.plist, com.startup.plist, and com.ExpertModuleSearchDaemon.plist. Delete the sketchy files immediately.

    LaunchDaemons folder contents

  14. Click on the Go menu icon in your Mac’s Finder and select Applications on the list.

    Go to Applications screen on Mac

  15. Find the entry for an app that clearly doesn’t belong there and move it to the Trash. If this action requires your admin password for confirmation, go ahead and enter it.

    Drag malicious app to the Trash

  16. Expand the Apple menu and select System Preferences.

    Select System Preferences

    Open System Preferences

  17. Proceed to Users & Groups and click on the Login Items tab.

    Proceed to Users & Groups

    The system will display the list of items launched when the computer is starting up. Locate the potentially unwanted app there and click on the “-” (minus) button.

    Delete unwanted login item

  18. Now select Profiles under System Preferences. Look for a malicious item in the left-hand sidebar. Several examples of configuration profiles created by Mac adware include TechSignalSearch, MainSearchPlatform, AdminPrefs, and Chrome Settings. Select the offending entity and click on the minus sign at the bottom to eliminate it.

    Go to Profiles

    Remove malicious configuration profile from Mac

    If your Mac has been infiltrated by adware, the infection will most likely continue to hold sway over your default web browser even after you remove the underlying application along with its components sprinkled around the system. Use the browser cleanup instructions below to address the remaining consequences of this attack.

Get rid of Search Marquis virus in web browser on Mac

To begin with, the web browser settings taken over by the Search Marquis virus should be restored to their default values. Although this will clear most of your customizations, web surfing history, and all temporary data stored by websites, the malicious interference should be terminated likewise. The overview of the steps for completing this procedure is as follows:

  1. Remove Search Marquis virus from Safari
    • Open the browser and go to Safari menu. Select Preferences in the drop-down list.

      Go to Preferences in Safari

    • Once the Preferences screen appears, click on the Advanced tab and enable the option saying “Show Develop menu in menu bar”.

      Advanced tab under Safari Preferences

    • Now that the Develop entry has been added to the Safari menu, expand it and click on Empty Caches.

      Empty Caches in Safari

    • Now select History in the Safari menu and click on Clear History in the drop-down list.

      Clear history in Safari

    • Safari will display a dialog asking you to specify the period of time this action will apply to. Select all history to ensure a maximum effect. Click on the Clear History button to confirm and exit.

      Select all history to clear

    • Go back to the Safari Preferences and hit the Privacy tab at the top. Find the option that says Manage Website Data and click on it.

      Manage Website Data option under Privacy tab

    • The browser will display a follow-up screen listing the websites that have stored data about your Internet activities. This dialog additionally includes a brief description of what the removal does: you may be logged out of some services and encounter other changes of website behavior after the procedure. If you’re okay with that, go ahead and click on the Remove All button.

      Confirmation dialog

    • Restart Safari
  2. Remove Search Marquis in Google Chrome
    • Open Chrome, click the Customize and control Google Chrome (⁝) icon in the top right-hand part of the window, and select Settings in the drop-down

      Chrome Settings

    • When on the Settings pane, select Advanced
    • Scroll down to the Reset settings section.

      Reset settings in Chrome on Mac

    • Confirm the Chrome reset on a dialog that will pop up. When the procedure is completed, relaunch the browser and check it for malware activity.

      Here’s how to reset settings in Chrome on Mac

  3. Remove Search Marquis from Mozilla Firefox
    • Open Firefox and go to Help – Troubleshooting Information (or type about:support in the URL bar and press Enter).

      Open Firefox and go to Help

      Select Troubleshooting Information

    • When on the Troubleshooting Information screen, click on the Refresh Firefox button.

      Refresh Firefox on Mac

    • Confirm the intended changes and restart Firefox.

Get rid of Search Marquis virus using Combo Cleaner removal tool

The Mac maintenance and security app called Combo Cleaner is a one-stop tool to detect and remove Search Marquis virus. This technique has substantial benefits over manual cleanup, because the utility gets hourly virus definition updates and can accurately spot even the newest Mac infections.

Furthermore, the automatic solution will find the core files of the malware deep down the system structure, which might otherwise be a challenge to locate. Here’s a walkthrough to sort out the Search Marquis issue using Combo Cleaner:

  1. Download Combo Cleaner installer. When done, double-click the combocleaner.dmg file and follow the prompts to install the tool onto your Mac.

    Download Combo Cleaner

    By downloading any applications recommended on this website you agree to our Terms and Conditions and Privacy Policy. The free scanner checks whether your Mac is infected. To get rid of malware, you need to purchase the Premium version of Combo Cleaner.

  2. Open the app from your Launchpad and let it run an update of the malware signature database to make sure it can identify the latest threats.
  3. Click the Start Combo Scan button to check your Mac for malicious activity as well as performance issues.

    Combo Cleaner Mac scan progress

  4. Examine the scan results. If the report says “No Threats”, then you are on the right track with the manual cleaning and can safely proceed to tidy up the web browser that may continue to act up due to the after-effects of the malware attack (see instructions above).

    Combo Cleaner scan report – no threats found

  5. In case Combo Cleaner has detected malicious code, click the Remove Selected Items button and have the utility remove Search Marquis threat along with any other viruses, PUPs (potentially unwanted programs), or junk files that don’t belong on your Mac.

    Combo Cleaner – threats found

  6. Once you have made doubly sure that the malicious app is uninstalled, the browser-level troubleshooting might still be on your to-do list. If your preferred browser is affected, resort to the previous section of this tutorial to revert to hassle-free web surfing.

FAQ

229

Was this article helpful? Please, rate this.

  • Karen Wong Avatar
    Karen Wong - 3 years ago
    I had that search baron on my Chrome and Safari on my Mac and I followed the instructions on how to get rid of it and it worked. I love the easy instructions and visuals to follow. Thanks so much

Authentication required

You must log in to post a comment.

Log in