
Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage.

While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back.

The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.


Posted on Aug 15, 2018 6:51 AM

Question marked as Best reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e. definitely do a malware scan too.
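
An added example, not part of the original post: a read-only check over the output of `defaults read com.google.Chrome` that lists which of the policy keys named in this thread are set and marks URL values whose host is not on an allow-list. The function names, the sample input and the host hijack.example are constructed for illustration.

```shell
#!/bin/sh
# Policy keys this thread reports as changed (from the chrome://policy listing).
POLICY_KEYS="DefaultSearchProviderEnabled DefaultSearchProviderName \
DefaultSearchProviderNewTabURL DefaultSearchProviderSearchURL \
HomepageIsNewTabPage HomepageLocation NewTabPageLocation"

# Constructed sample of `defaults read com.google.Chrome` output (not real data).
sample_defaults_output() {
cat <<'EOF'
{
    DefaultSearchProviderEnabled = 1;
    DefaultSearchProviderName = WeKnow;
    DefaultSearchProviderSearchURL = "https://hijack.example/search?q={searchTerms}";
    HomepageIsNewTabPage = 1;
    HomepageLocation = "https://www.google.com/";
    SomeUnrelatedKey = 0;
}
EOF
}

# audit_chrome_policies [allowed-host ...]   (default allow-list: www.google.com)
# Reads `defaults read` output on stdin and prints one line per policy key found:
# "REVIEW key=value" for a URL whose host is not allowed, otherwise "SET key=value".
# Exit status is 1 if anything was marked REVIEW. Nothing is modified.
audit_chrome_policies() {
    awk -v keys="$POLICY_KEYS" -v allowed="${*:-www.google.com}" '
    BEGIN {
        n = split(keys, k, " ");    for (i = 1; i <= n; i++) want[k[i]] = 1
        n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    /^[ \t]*[A-Za-z]+ = .*;[ \t]*$/ {          # lines of the form: Key = value;
        line = $0
        sub(/^[ \t]+/, "", line); sub(/;[ \t]*$/, "", line)
        key = line; sub(/ = .*/, "", key)
        val = line; sub(/^[^=]*= /, "", val); gsub(/^"|"$/, "", val)
        if (!(key in want)) next
        status = "SET"
        if (val ~ "^https?://") {              # URL-valued policy: compare its host
            host = val; sub("^https?://", "", host); sub("[/:?].*", "", host)
            if (!(host in ok)) { status = "REVIEW"; bad = 1 }
        }
        print status, key "=" val
    }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample; on a Mac: defaults read com.google.Chrome | audit_chrome_policies
sample_defaults_output | audit_chrome_policies || true
```

Running it before and after the `defaults` commands above shows whether the flagged keys are actually gone from the user domain.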

Sep 4, 2018 7:37 PM in response to Reuben_Hood

The adware behind this has gotten very sneaky about how these changes are made. The changes to the Chrome profile are non-trivial to reverse, and as a representative of Malwarebytes, I would not recommend relying on Malwarebytes to fix those settings. Even if the changes made by the adware were trivial, poking at the contents of undocumented Chrome-related files could potentially cause Chrome-related data loss, so it's not the sort of thing currently done by Malwarebytes for Mac.


Currently, my advice is to completely delete Chrome and all Chrome data files from the computer. Then reinstall a fresh copy of Chrome, and set it up from scratch. If you have Chrome bookmarks you don't want to lose, export those first and import them after reinstalling.


You also need to think about Chrome sync. If you're using it, you could end up syncing malicious changes right back onto your device, or onto other devices. You'll want to reset Chrome sync.


For Safari, there are a variety of techniques being used to change the settings. One is to add a bookmark and change Safari's settings to load "tabs for" that bookmark item at startup. This is easy to miss, since the homepage entry can be left untouched, making it appear that something is still installed if you're not observing carefully.



Sep 20, 2018 7:29 AM in response to Skanson

Thanks for this response....can you please explain how to use the command line to delete / modify the affected policies? I can see that my policies are affected as described..


| Applies to | Level | Source | Policy name | Policy value | Status |
|---|---|---|---|---|---|
| Current user | Recommended | Platform | DefaultSearchProviderEnabled | true | OK |
| Current user | Recommended | Platform | DefaultSearchProviderName | WeKnow | OK |
| Current user | Recommended | Platform | DefaultSearchProviderNewTabURL | Show value | OK |
| Current user | Recommended | Platform | DefaultSearchProviderSearchURL | Show value | OK |
| Current user | Recommended | Platform | HomepageIsNewTabPage | true | OK |
| Current user | Recommended | Platform | HomepageLocation | Show value | OK |
| Current user | Recommended | Platform | NewTabPageLocation | Show value | OK |


not sure what to do once i get to the page chrome://policy/

thanks!!!

Oct 1, 2018 1:24 PM in response to Skanson

Thanks, I spent 2 hours researching how to remove weknow.ac and this works. However, it now forces Chrome to always use the generic Google home page for new windows and new tabs.



If you want to use Chrome themes or have the base google homepage with most popular site visited (below the search bar) I found that you need to delete the first three via Terminal.

With Chrome closed, copy each line separately and paste them into the terminal.


defaults delete com.google.Chrome HomepageIsNewTabPage

defaults delete com.google.Chrome NewTabPageLocation

defaults delete com.google.Chrome HomepageLocation


Restart Chrome and should look like this with your most visited pages.



Oct 24, 2018 2:03 PM in response to Reuben_Hood

OMG it worked on my OS and is simple. Only after 3 apple people couldn't help over 4 hours. ugh.


Go to your chrome browser

type in: chrome://policy/


if it says WeKnow anywhere you're 'effed! But not anymore 🙂


just go type in TERMINAL in search box. On the bottom right comes up a black box - select the box




then this comes up:



simply copy and paste everything in bold after the prompt:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


then hit enter...


it may say nothing was changed... ignore that because it did change!


then CLOSE and QUIT your Chrome browser by Right clicking and selecting QUIT


then open your Chrome browser and it should be normal!!


Type in chrome://policy/ and you should see the following:


Done! You're no longer 'effed!!

Oct 25, 2018 9:37 AM in response to nwatson2

Depends on where you're searching FROM. If you open a new Finder window and look for the search window in the top right of that window, you'll see a list of every item on your hard drive in any way related to the term "Terminal." Among these will be the "black box" icon below, which was mentioned by romaine on Oct 2. Double-click that icon, and the Terminal window opens, where you can type the commands themselves. Then check the results. Hope this simplifies it for you.

Aug 24, 2018 12:59 PM in response to Reuben_Hood

UPDATE: I followed the steps described toward the end of this thread (posted on Tues, 8/21/2018) and was able to finally resolve the issue and completely remove weknow.ac from Google Chrome:

https://forums.malwarebytes.com/topic/235198-new-threat-weknowac/


Specifically, I did the following:

  1. Quit Chrome and delete the application
  2. Go to ~/Library/Application Support/ and completely delete the "Google" folder
  3. Go to ~/Library/Application Support/LaunchAgents/ and ~/Library/Application Support/LaunchDaemons/ and remove anything with "google" in the filename, as well as any suspicious files
  4. Follow the same steps for any other /Library/Application Support/ folders under your username or other users
  5. Search Finder for any files with "google" in the file name and delete them
  6. Reboot
  7. Open Safari and download and install Google Chrome


Good luck!

Jan 4, 2019 4:39 PM in response to saylah

  1. First, launch the Google Chrome and click the Menu icon (icon in the form of three dots).
  2. It will show the Google Chrome main menu. Choose More Tools, then click Extensions.
  3. You’ll see the list of installed extensions. If the list has the plugin labeled with “Installed by enterprise policy” or “Installed by your administrator”, then complete the following steps: Remove Chrome extensions installed by enterprise policy.
  4. Now open the Google Chrome menu once again, click the “Settings” menu.
  5. Next, click the “Advanced” link, which is located at the bottom of the Settings page.
  6. On the bottom of the “Advanced settings” page, click the “Reset settings to their original defaults” button.
  7. The Google Chrome will open the reset settings dialog box as on the image above.
  8. Confirm the internet browser’s reset by clicking on the “Reset” button.
  9. To learn more, read the blog post How to reset Google Chrome settings to default.


Mar 5, 2019 10:36 AM in response to Reuben_Hood

Also, if weknow.ac still pops up after you follow all of Skanson's steps, it is because weknow.ac installs itself as your iOS's administrator. To remove weknow.ac as the administrator, follow these steps:

  • Go to your Mac's System Preferences (it will appear after you click the "Apple" icon on the menu)
  • Look for the "Profile" icon (which should not appear if you are the Mac's only administrator)
  • Click the "Profile" icon
  • Remove all the profiles by clicking the "-" sign
  • Restart the computer to make the elimination effective

Jul 2, 2019 4:41 PM in response to Reuben_Hood

I've noticed that a "Profile" was set up, preventing the setting from being changed in Chrome.

  1. System Preferences > Profiles: remove the unrecognized profile (if this is a work computer you may want to check with IT to see if the profile is supposed to be there; by default there shouldn't be a profile).
  2. Once removed, open Chrome and go to Chrome > Preferences > Choose the 3 lines on the top left, choose "Search Options" (or something like that); you'll see the Search option WeKnow listed there. You can change that to something else. If you don't have the option to change it (greyed out), refer to step 1.
  3. Below that there should be Manage Search Engines which shows a list of options, like Google, Bing. .... etc You'll see WeKnow there, remove that and any other you aren't wanting included.


I also suggest running an Anti-Malware program at some point, before or after you do this.

Aug 6, 2019 8:14 PM in response to Reuben_Hood

Well, Youtube has some videos with mixed results.

  1. Going to Systems preference and deleting the profile icon works only in part.
  2. Using Terminal - I struggle with this one. They refer to full list of commands to copy to terminal, only it does not say how to bring that list up on the screen.


My Safari and Chrome were affected. FireFox was much better in blocking the We know.ac virus.

Check Safari preference and go to the website tabs. We know is hidden in there and I have not been able to delete it.

In Chrome, removing the profile from Systems preference allowed me to edit and remove weknow from the search engine, but it still comes up if I do a File, and new window.


I have found nothing that totally removed the we know.ac virus.


I tried many malware removal tools and none of them even recognized the virus.

Sep 3, 2019 12:14 PM in response to Reuben_Hood

I had this issue for the past like 6 months and did the malwarebytes scans, and even the default boot writes in terminal for my hijacked chrome browser. The we know hijacker writes an additional administrative profile which was the last thing I hadn't removed and none of the scans picked up on. If you've done everything a million times and it still doesn't work I recommend doing this.


  1. Go to system preferences.
  2. Next to Accessibility there may be an icon with a checkmark that says "Profiles" this is causing the redirect although the virus is gone.
  3. Select profiles.
  4. Delete the adminpref by clicking on the (-).


Below is the link that showed me how to do this if you are confused, I recommend doing terminal default boot writes, malwarebyte scans, and a system restart one last time as well.


https://www.pcrisk.com/removal-guides/13007-weknowac-redirect-mac


Regards,
