Question: Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main and only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

Question marked as Solved
Answer:

I was finally able to fix this for Chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e., definitely do a malware scan too.
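The check described in the answer above, as an added example that is not part of the original post: a read-only shell audit that takes the text printed by `defaults read com.google.Chrome` and reports which of the policy keys named in this thread are set and whether their URLs point away from the host you expect. The function names, the `hijacker.example` host and the sample dump are constructed for illustration; it assumes the usual `Key = value;` layout of `defaults read` output.

```shell
# Read-only audit of `defaults read com.google.Chrome` output (added example).
# Key names come from the thread; the function names are hypothetical.
POLICY_KEYS="HomepageIsNewTabPage NewTabPageLocation HomepageLocation \
DefaultSearchProviderEnabled DefaultSearchProviderName \
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL"

# audit_policy_dump EXPECTED_HOST  (dump on stdin)
# Prints "key<TAB>value<TAB>verdict" for each listed key that is set:
# OK / SUSPECT for URL values (host vs EXPECTED_HOST and its subdomains),
# REVIEW for non-URL values that need a human look.
audit_policy_dump() {
    awk -v keys="$POLICY_KEYS" -v host="$1" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /^[ \t]*[A-Za-z]+[ \t]*=/ {          # top-level "Key = value;" lines
        line = $0; sub(/^[ \t]*/, "", line)
        key = line; sub(/[ \t]*=.*$/, "", key)
        if (!(key in want)) next
        val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/;[ \t]*$/, "", val)
        sub(/^"/, "", val); sub(/"$/, "", val)
        verdict = "REVIEW"; h = tolower(val)
        if (h ~ "^https?://") {
            sub("^https?://", "", h); sub("[/:?#].*$", "", h)
            tail = substr(h, length(h) - length(host))
            verdict = (h == host || tail == ("." host)) ? "OK" : "SUSPECT"
        }
        printf "%s\t%s\t%s\n", key, val, verdict
    }'
}

# suspect_keys EXPECTED_HOST  (dump on stdin): names of keys judged SUSPECT
suspect_keys() {
    audit_policy_dump "$1" | awk -F '\t' '$3 == "SUSPECT" { print $1 }'
}

# Constructed sample in the format `defaults read` prints; not a real capture.
sample_dump() {
    cat <<'EOF'
{
    DefaultSearchProviderEnabled = 1;
    DefaultSearchProviderName = WeKnow;
    DefaultSearchProviderSearchURL = "http://hijacker.example/search?q={searchTerms}";
    HomepageIsNewTabPage = 1;
    HomepageLocation = "http://hijacker.example/";
    NewTabPageLocation = "https://www.google.com/";
    SomeOtherPreference = 42;
}
EOF
}

sample_dump | audit_policy_dump google.com
```

On the affected Mac, feed it the real preferences with `defaults read com.google.Chrome | audit_policy_dump google.com`. Keys reported as SUSPECT are the ones the answer resets with `defaults write` or `defaults delete`.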


Question marked as Helpful

Sep 4, 2018 7:37 PM in response to Reuben_Hood

The adware behind this has gotten very sneaky about how these changes are made. The changes to the Chrome profile are non-trivial to reverse, and as a representative of Malwarebytes, I would not recommend relying on Malwarebytes to fix those settings. Even if the changes made by the adware were trivial, poking at the contents of undocumented Chrome-related files could potentially cause Chrome-related data loss, so it's not the sort of thing currently done by Malwarebytes for Mac.


Currently, my advice is to completely delete Chrome and all Chrome data files from the computer. Then reinstall a fresh copy of Chrome, and set it up from scratch. If you have Chrome bookmarks you don't want to lose, export those first and import them after reinstalling.


You also need to think about Chrome sync. If you're using it, you could end up syncing malicious changes right back onto your device, or onto other devices. You'll want to reset Chrome sync.


For Safari, there are a variety of techniques being used to change the settings. One is to add a bookmark and change Safari's settings to load "tabs for" that bookmark item at startup. This is easy to miss, since the homepage entry can be left untouched, making it appear that something is still installed if you're not observing carefully.



Question marked as Helpful

Sep 20, 2018 7:29 AM in response to Skanson

Thanks for this response... Can you please explain how to use the command line to delete / modify the affected policies? I can see that my policies are affected as described.


| Applies to | Level | Source | Policy name | Policy value | Status |
|---|---|---|---|---|---|
| Current user | Recommended | Platform | DefaultSearchProviderEnabled | true | OK |
| Current user | Recommended | Platform | DefaultSearchProviderName | WeKnow | OK |
| Current user | Recommended | Platform | DefaultSearchProviderNewTabURL | Show value | OK |
| Current user | Recommended | Platform | DefaultSearchProviderSearchURL | Show value | OK |
| Current user | Recommended | Platform | HomepageIsNewTabPage | true | OK |
| Current user | Recommended | Platform | HomepageLocation | Show value | OK |
| Current user | Recommended | Platform | NewTabPageLocation | Show value | OK |


Not sure what to do once I get to the page chrome://policy/

Thanks!!!


Aug 15, 2018 7:41 AM in response to macjack

Thanks for the suggestion, but I already ran Malwarebytes, as my original query mentioned. It pronounced my iMac "clean." Just tried it again, same result. The bug still exists, at least within the Chrome app. (Safari still appears to be bug-free, which is how I'm writing this entry.) Still seeking solution.

Helpful (3)

Aug 15, 2018 9:43 AM in response to macjack

Did not see any "second link." I was introduced to Malwarebytes while on the phone with Apple Support, and they walked me through the download and scan. I still have the Malwarebytes app, but don't see any reference to "manual uninstall directions ... for Google Chrome." It does sound promising, though. I'd welcome further advice.


Aug 15, 2018 6:49 PM in response to Reuben_Hood

Please read my blog to remove weknow.ac manually: Remove www.weknow.ac from Mac OS - SecureMacOS



<Disclaimer: this post contains links to my own website from which I may derive some form of compensation. My website does not contain 3rd party ads. This disclaimer is required by ASC Terms of Use whenever linking to one's own site or product.>


Aug 17, 2018 11:17 AM in response to macjack

None of that works. Each of these "step-by-step" guides gives me a rundown of installing antivirus; I have installed 4! different ones that each have done absolutely nothing. I have followed manual delete, still here. Scans find nothing. Nothing finds anything.


Every help chat on this gives me asinine help that does nothing.


Aug 17, 2018 5:18 PM in response to Reuben_Hood

I have been researching this all afternoon, and I saw on another forum that "weknow.ac" seems to have changed their technique sometime within the past week, as any posts about removing the malware from July 2018 and before do not completely work. I have followed every possible step, removed all the malicious apps and Library files mentioned, run Malwarebytes, and I still can't get rid of the default "weknow.ac" search page in Chrome. I deleted Chrome and all its support files, reinstalled it, and the problem persists. There is something installed in the OS that keeps reinstalling the malware. For all the frustrated users on this board - I'm one of you - any guides to solving this problem prior to August 2018 will not fix the issue entirely. I am hoping Malwarebytes figures this out and releases an update to their software to include this latest attack.

Helpful (4)

Aug 24, 2018 12:59 PM in response to Reuben_Hood

UPDATE: I followed the steps described toward the end of this thread (posted on Tues, 8/21/2018) and was able to finally resolve the issue and completely remove weknow.ac from Google Chrome:

https://forums.malwarebytes.com/topic/235198-new-threat-weknowac/


Specifically, I did the following:

  1. Quit Chrome and delete the application
  2. Go to ~/Library/Application Support/ and completely delete the "Google" folder
  3. Go to ~/Library/Application Support/LaunchAgents/ and ~/Library/Application Support/LaunchDaemons/ and remove anything with "google" in the filename, as well as any suspicious files
  4. Follow the same steps for any other /Library/Application Support/ folders under your username or other users
  5. Search Finder for any files with "google" in the file name and delete them
  6. Reboot
  7. Open Safari and download and install Google Chrome


Good luck!


Sep 1, 2018 7:37 AM in response to culvercitymacuser

I just followed these steps, and after opening Chrome got the same old SEARCH screen. Has anyone had any luck with cleaners other than malwarebytes.com? I have had the same experience of 2 Apple reps saying they were no longer able to help, that this was a Chrome problem. Safari and Firefox are clean now, thanks to a nice Apple rep yesterday named Duane.
