Malware Removal

I have malware on my Chrome app on my iMac. From what I've read it probably came in with the last Adobe Flash Player update. I believe I have removed it from my Safari browser but cannot rid Chrome of it as every new tab I open is entitled "weknow" and is accompanied by a pop up window offering solutions for "mac virus and adware removal" by Mac Keeper. How can I remove this affliction from my computer? I operate on macOS High Sierra 10.13.6.

iMac, 10.12

Posted on Feb 5, 2019 2:48 PM

9 replies

Mar 9, 2019 11:10 AM in response to Natch48

One further question - I now have no profiles specified in the Profile system preferences.....is that normal?


Yes. Unless your Mac is managed as in corporate or similar institutional deployments with MDM, no Profiles should be installed. Scam products such as "MacKeeper" and its ilk are now exploiting that ability to prevent changes to Safari's Search preferences, and as you discovered the same exploit can be applied to Google products.


Read Beware bogus Adobe Flash "installers" - Apple Community. If you installed Adobe Flash Player I recommend uninstalling it. You are far less likely to succumb to fraudulent requests to "update" a product that isn't even installed.


You might also find the following applicable: Effective defenses against malware and other threats.


Feb 6, 2019 7:07 AM in response to Natch48

Kurt,

I removed mine following these steps. I had to repeat it twice on separate occasions. On the second, it worked completely.

Tips:

  1. After following the steps, open the Chrome browser at your start page. THEN, open a New Tab. If "weknow" shows up, repeat the steps and restart your comp afterwards.


I got rid of this malware with these:

I copied and pasted the first line and then hit enter and then went to the next until I had finished all 6 below:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName



Mar 9, 2019 10:32 AM in response to Natch48

ibelng2jc,


Thanks for the help......I believe it was successful. I found only one profile and it was entitled Socrates, followed by an unusual text interspersed with many parentheses. I deleted it and it seems to have freed up my Safari browser (the line entries in the earlier help message did the same for my Chrome browser). One further question - I now have no profiles specified in the Profile system preferences.....is that normal?

Feb 19, 2019 3:34 PM in response to Natch48

@Natch48, I too was invaded by "weknow" malware on both Chrome AND Safari and it also came disguised as a (fake) Adobe Flash player download. After hours of searching I found a way to get rid of it (from an older thread). None of the other solutions from the thread worked for me (including pasting the command lines into Terminal, which seemed to be effective for others), but the one below did and was much simpler. Here it is (from Thomas Reed of Malwarebytes support):


It looks like you have an adware-related configuration profile installed, which is preventing you from changing your home page setting.


To remove this, open System Preferences, then click the Profiles icon. You should see either 2 or 3 different items listed. One of them appears to be legitimate, but the other two (they may be combined into one entry) are not. You can identify which is bad by looking at the information for each profile. The bad entry (or entries) will say "com.myshopcoupon" somewhere, and should also refer to "weknow.ac". Any such entries should be removed. Leave the profile that refers to "com.Infomaniak", as I believe that one is legitimate.


After removing the profile, you'll need to fix the home page settings.


But in case it helps you, MY situation was slightly different from the one described above, I had only 2 profiles and BOTH had "weknow" references in the info section of Profiles under SYSTEM Preferences (which appears when you select a profile).

One profile was related to Safari and the other to Chrome. In my situation, both Safari AND Google Chrome (which I have to use for work) had been hijacked/taken over by weknow. 

I simply hit the little minus sign and deleted BOTH profiles following the instructions (above in bold) and voila -- NO MORE WEKNOW either in Safari or Chrome. I did not lose bookmarks/favorites in either Safari or Chrome.

(Also just for info, I did not notice "com.myshopcoupon" anywhere, nor did I ever see the "com.Infomaniak" that Thomas Reed says would be legitimate.)

I do hope this helps you or someone else.
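
The posts above describe two places the hijack lives: Chrome preference keys reset with `defaults`, and a configuration profile that forces those settings. As an added example (not written by any poster in this thread), the Python sketch below walks a profile's property list and reports every one of the Chrome keys named in the `defaults` commands, marking URLs whose host is not on an allow list. It assumes the profile has already been saved as a plist file; the sample profile, its identifiers and the `example.invalid` host are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Chrome preference keys taken from the `defaults` commands in the thread.
WATCHED_KEYS = {
    "HomepageIsNewTabPage", "NewTabPageLocation", "HomepageLocation",
    "DefaultSearchProviderSearchURL", "DefaultSearchProviderNewTabURL",
    "DefaultSearchProviderName",
}

def find_forced_settings(node, path=""):
    """Recursively collect (path, key, value) for watched keys at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in WATCHED_KEYS:
                hits.append((here, key, value))
            else:
                hits.extend(find_forced_settings(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_forced_settings(item, f"{path}[{i}]"))
    return hits

def audit_profile(plist_bytes, allowed_hosts=("www.google.com",)):
    """Report each watched setting; flag URL values pointing at other hosts."""
    findings = []
    for path, key, value in find_forced_settings(plistlib.loads(plist_bytes)):
        host = urlsplit(value).hostname if isinstance(value, str) else None
        findings.append({
            "path": path, "key": key, "value": value,
            "unexpected_host": host is not None and host not in allowed_hosts,
        })
    return findings

# Constructed sample profile (hypothetical identifiers, placeholder host).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadDisplayName": "Constructed sample",
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [{
        "PayloadType": "com.google.Chrome",
        "HomepageIsNewTabPage": False,
        "HomepageLocation": "https://search.example.invalid/",
        "NewTabPageLocation": "https://www.google.com/",
    }],
})

if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        mark = "SUSPECT" if f["unexpected_host"] else "ok"
        print(f"{mark:8} {f['path']} = {f['value']!r}")
```

Any watched key found inside a profile on a Mac that is not under MDM management deserves a look, since, as noted earlier in the thread, such a machine should have no profiles installed at all.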
