Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main, and only, noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested on other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.


Posted on Aug 15, 2018 6:51 AM

Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for Chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e., definitely do a malware scan too.
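An added example (not part of the original reply): a read-only check of the six preference keys named in the post above, run over text in the format printed by `defaults read com.google.Chrome`. The function names, the expected-host argument and the embedded sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of the Chrome preference
# keys that the reply above resets. Function names are hypothetical.

# The six keys named in the reply.
POLICY_KEYS="HomepageIsNewTabPage NewTabPageLocation HomepageLocation \
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL DefaultSearchProviderName"

# Constructed sample in the format `defaults read <domain>` prints (not real data).
SAMPLE='{
    DefaultSearchProviderName = "Constructed Search";
    DefaultSearchProviderSearchURL = "http://search.example.invalid/?q={searchTerms}";
    HomepageIsNewTabPage = 0;
    HomepageLocation = "https://www.google.com/";
    LastRunAppBundlePath = "/Applications/Google Chrome.app";
}'

# Print "KEY<TAB>VALUE" for each of the six keys that is set in the dump on stdin.
chrome_policy_report() {
    awk -v keys="$POLICY_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*[A-Za-z]+[ \t]*=/ {          # entries look like:  Key = value;
            line = $0; sub(/^[ \t]*/, "", line)
            key = line; sub(/[ \t]*=.*/, "", key)
            if (!(key in want)) next
            val = line; sub(/^[^=]*=[ \t]*/, "", val)
            sub(/;[ \t]*$/, "", val); gsub(/^"|"$/, "", val)
            printf "%s\t%s\n", key, val
        }'
}

# Print the keys whose value is a URL on a host other than $1 (the host you expect).
chrome_policy_unexpected() {
    chrome_policy_report | awk -F '\t' -v ok="$1" '
        $2 ~ /^https?:\/\// {
            url = $2; sub(/^https?:\/\//, "", url)
            split(url, p, "/"); host = p[1]; sub(/[:?#].*$/, "", host)
            if (host != ok) print $1
        }'
}

# On a Mac, audit the live user preference domain; elsewhere this is skipped.
if command -v defaults >/dev/null 2>&1; then
    defaults read com.google.Chrome 2>/dev/null | chrome_policy_unexpected www.google.com
fi
```

This only reads the user preference domain that the commands above write to; it changes nothing and does not inspect configuration profiles.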

310 replies
Aug 24, 2018 12:59 PM in response to Reuben_Hood

UPDATE: I followed the steps described toward the end of this thread (posted on Tues, 8/21/2018) and was able to finally resolve the issue and completely remove weknow.ac from Google Chrome:

https://forums.malwarebytes.com/topic/235198-new-threat-weknowac/


Specifically, I did the following:

  1. Quit Chrome and delete the application
  2. Go to ~/Library/Application Support/ and completely delete the "Google" folder
  3. Go to ~/Library/Application Support/LaunchAgents/ and ~/Library/Application Support/LaunchDaemons/ and remove anything with "google" in the filename, as well as any suspicious files
  4. Follow the same steps for any other /Library/Application Support/ folders under your username or other users
  5. Search Finder for any files with "google" in the file name and delete them
  6. Reboot
  7. Open Safari and download and install Google Chrome


Good luck!

Oct 3, 2018 8:36 AM in response to hanna161

My process was as follows:


1. Installed BitDefender software and ran Full Scan

2. Restored Google Chrome to its initial settings as follows:

Click the Customize and Control Google Chrome (three stacked horizontal lines) button.

Click Settings.

Scroll to the bottom and click Show Advanced Settings.

Scroll to the bottom of advanced settings and click Reset Browser Settings.

Click Reset.


3. Then I checked for infected policies by accessing "chrome://policy/"

4. Then I used Terminal to run all of the following commands (one at a time) with Chrome closed:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName



Upon opening Chrome, everything was back to normal!

Nov 25, 2018 5:43 PM in response to Skanson

THANK YOU! After searching for a while this is the only thing that worked for me. Don't download any unnecessary malware programs people....


this works.


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e., definitely do a malware scan too.

Jul 2, 2019 4:41 PM in response to Reuben_Hood

I've noticed that a "Profile" was set up, preventing the setting from being changed in Chrome.

  1. System Preferences > Profiles: remove the unrecognized profile (if this is a work computer, you may want to check with IT to see if the profile is supposed to be there; by default there shouldn't be a profile).
  2. Once removed, open Chrome and go to Chrome > Preferences, choose the 3 lines on the top left, and choose "Search Options" (or something like that). You'll see the search option WeKnow listed there. You can change that to something else. If you don't have the option to change it (greyed out), refer to step 1.
  3. Below that there should be Manage Search Engines, which shows a list of options like Google, Bing, etc. You'll see WeKnow there; remove that and any others you don't want included.


I also suggest running an Anti-Malware program at some point, before or after you do this.

Sep 3, 2019 12:14 PM in response to Reuben_Hood

I had this issue for the past like 6 months and did the Malwarebytes scans, and even the default boot writes in Terminal for my hijacked Chrome browser. The we know hijacker writes an additional administrative profile, which was the last thing I hadn't removed and none of the scans picked up on. If you've done everything a million times and it still doesn't work, I recommend doing this.


  1. Go to System Preferences.
  2. Next to Accessibility there may be an icon with a checkmark that says "Profiles"; this is causing the redirect although the virus is gone.
  3. Select profiles.
  4. Delete the adminpref by clicking on the (-).


Below is the link that showed me how to do this if you are confused. I recommend doing Terminal default boot writes, Malwarebytes scans, and a system restart one last time as well.


https://www.pcrisk.com/removal-guides/13007-weknowac-redirect-mac


Regards,

Sep 4, 2018 7:37 PM in response to Reuben_Hood

The adware behind this has gotten very sneaky about how these changes are made. The changes to the Chrome profile are non-trivial to reverse, and as a representative of Malwarebytes, I would not recommend relying on Malwarebytes to fix those settings. Even if the changes made by the adware were trivial, poking at the contents of undocumented Chrome-related files could potentially cause Chrome-related data loss, so it's not the sort of thing currently done by Malwarebytes for Mac.


Currently, my advice is to completely delete Chrome and all Chrome data files from the computer. Then reinstall a fresh copy of Chrome, and set it up from scratch. If you have Chrome bookmarks you don't want to lose, export those first and import them after reinstalling.


You also need to think about Chrome sync. If you're using it, you could end up syncing malicious changes right back onto your device, or onto other devices. You'll want to reset Chrome sync.


For Safari, there are a variety of techniques being used to change the settings. One is to add a bookmark and change Safari's settings to load "tabs for" that bookmark item at startup. This is easy to miss, since the homepage entry can be left untouched, making it appear that something is still installed if you're not observing carefully.



Jan 16, 2019 7:43 PM in response to Reuben_Hood

If using Terminal doesn't work for you, the problem is that now We Know Ac is set as an Admin for your Mac, directly affecting your Terminal, and if you input something there, it will not work as We Know Ac blocks it. So:

1. Go to your System Preferences (the settings of your Mac), and look for a Profiles icon.

2. Click on it (since on a default Mac that shouldn't be there).

3. Remove all of the Admin blocks found.

4. And boom, you have a Chrome free of malware.

This video & comment section ultimately saved me https://www.youtube.com/watch?v=C0xRhWCX2Is&vl=en

Mar 5, 2019 10:36 AM in response to Reuben_Hood

Also, if weknow.ac still pops up after you follow all of Skanson's steps, it is because weknow.ac installs itself as your iOS's administrator. To remove weknow.ac as the administrator, follow these steps:

  • Go to your Mac's System Preferences (it will appear after you click the "Apple" icon on the menu)
  • Look for the "Profile" icon (which should not appear if you are the Mac's only administrator)
  • Click the "Profile" icon
  • Remove all the profiles by clicking the "-" sign
  • Restart the computer to make the elimination effective

Jan 31, 2019 11:14 AM in response to robinhenry

Hi everyone. Not a mac guy, not a computer guy, so all of this is over my head. But I wanted to share how I dealt with this on my wife's iMac. On the we know search page that forces its way on to your computer, on the bottom left was a FAQ's link. And in there was an uninstall link. I was skeptical but desperate. Cleaned everything right up. My 2 cents. Good luck..

Oct 13, 2018 5:34 PM in response to Edgarc33

You need to open the "Terminal" application (use the search functionality at the top-right to find it). Then copy and paste, one by one, the commands from my above post into the terminal prompt, hitting enter after pasting each.


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


It is that simple.

Jan 4, 2019 4:39 PM in response to saylah

  1. First, launch Google Chrome and click the Menu icon (the icon in the form of three dots).
  2. It will show the Google Chrome main menu. Choose More Tools, then click Extensions.
  3. You’ll see the list of installed extensions. If the list has the plugin labeled with “Installed by enterprise policy” or “Installed by your administrator”, then complete the following steps: Remove Chrome extensions installed by enterprise policy.
  4. Now open the Google Chrome menu once again, click the “Settings” menu.
  5. Next, click the “Advanced” link, which is located at the bottom of the Settings page.
  6. On the bottom of the “Advanced settings” page, click the “Reset settings to their original defaults” button.
  7. Google Chrome will open the reset settings dialog box as on the image above.
  8. Confirm the internet browser’s reset by clicking on the “Reset” button.
  9. To learn more, read the blog post How to reset Google Chrome settings to default.

