Remove "weknow.ac" Malware in Chrome?

Aha!! This worked for me after doing a zillion other things to delete that piece of caca "weknow.ac" I still had a browser screen showing up with the fake icon images of AliBaba, Facebook, Google, et.al with a doctored "search" engine field box. Once I copied the lines, pasted into terminal, entered each one separately THEN rebooted my Mac, reopened Chrome and Voila! that pesky screen was gone for good!

By the way, did anyone else start getting phone calls on your mobile from a Chinese recording?

No, it won’t. Not even the $40 paid subscription version will do so.

Nor did the cryptic Terminal commands help me, as Weknow had infected Chrome, Safari and Firefox.

I called Apple Support, and for free the technician directed me to Profiles in System Settings; one of the many places this virus hides. In ten minutes - again, for no charge - the tech fixed my problem.

I’d strongly recommend calling Apple to remove WeKnow. It costs nothing, and the technicians seem to know all the places this persistent, difficult virus hides.

With me has worked and in a few seconds of copy/paste i fixed the issue. What can be different is that at the same moment i discovered the malware i start trying to fix the issue. Probably if the virus stays there more time will affect several other applications and browsers (they call it "virus" for this reason i guess)

My opinion is that the malware is installed exactly form the same people that pop up few second later with a "free" cleaner that will cost 39$ to work.. It is also possible that paying those 40$ you replied the virus in other areas aof the OS and Applications.

I was ready to initialize my mac rather than give them money ;-)

Worked for me.

Need to copy and pate all the above commands in Terminal one after the other, then press enter.

Then Quit Chrome and restart, no more weknow.ac

However, I do not know how to change the "New Tab Page", it's opening google, I need recents and frequently used like earlier

Hi! I have pasted each one of the commands from your post in the terminal prompt and the first work fine but when I paste the last 3 and hit enter I get this message:

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Is there anything I can do for this to remove this malware? Thank you!

Sorry, but where should I copy these new policy names? Once I've found it in the search engine inside chrome://policy/, if I click on the link in blue, it opens a page with a lot of technical info, but no place to copy it...

The following code line wise need to be copied and pasted in "Terminal" app available in your launch pad.

defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName

You have to copy each and every line and then hit enter.

Everything worked out well after that, but, I like to have "New Tab Page" with recents and favourites being displayed, which is now displaying www.google.com when I hit the "+" to add new page. Except that every thing is good.

Appreciate if Skason can explain us how to get default New Tab Page in Chrome instead of www.google.com

THANK YOU! Apple support walked me through deleting WeKnow from Safari but after some tries, they could not get rid of it from Chrome. They gave me a Google number to call but unsurprisingly, I couldn't get through. Luckily I found your instructions and you've solved the problem!! Thank you.

Skanson... you are a genius!!!! THANK YOU! I was on the phone twice (two different people) with apple customer support and they couldn't fix it. Going into terminal, copy and pasting exactly what he posted, hitting enter in between each one, then hitting control AND the letter "O" at the same time saved the work in terminal and got rid of the WeKnow.ac browser.

"For Safari, there are a variety of techniques being used to change the settings. One is to add a bookmark and change Safari's settings to load "tabs for" that bookmark item at startup. This is easy to miss, since the homepage entry can be left untouched, making it appear that something is still installed if you're not observing carefully."

Please expound on this, I don't follow.

I deleted chrom and reinstalled. Weknow.ac still there.

Thanks1

for whatever reason the defaults delete instructions failed as not found - any thoughts?

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

2018-12-20 15:15:03.547 defaults[1268:13178] 

Domain (com.google.Chrome) not found.

Defaults have not been changed.

I deleted Chrome MANY times. But what you have to do is go to Terminal app on your laptop (go to Spotlight search) and then copy and paste these lines.

defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName

Restart Chrome. Works a treat!! I've had this problem for months to the point I just gave up using Chrome.

I have been researching this all afternoon, and I saw on another forum that "weknow.ac" seems to have changed their technique sometime within the past week, as any posts about removing the malware from July 2018 and before do not completely work. I have followed every possible step, removed all the malicious apps and Library files mentioned, run Malwarebytes, and I still can't get rid of the default "weknow.ac" search page in Chrome. I deleted Chrome and all its support files, reinstalled it, and the problem persists. There is something installed in the OS that keeps reinstalling the malware. For all the frustrated users on this board - I'm one of you - any guides to solving this problem prior to August 2018 will not fix the issue entirely. I am hoping Malwarebytes figures this out and releases an update to their software to include this latest attack.

Thanks, I spent 2 hours researching how to remove weknow.ac and this works, However it now forces Chrome to always use the generic google home page for new windows and new tabs.

If you want to use Chrome themes or have the base google homepage with most popular site visited (below the search bar) I found that you need to delete the first three via Terminal.

With Chrome closed, copy each line separately and past them in to the terminal.

defaults delete com.google.Chrome HomepageIsNewTabPage

defaults delete com.google.Chrome NewTabPageLocation

defaults delete com.google.Chrome HomepageLocation

Restart Chrome and should look like this with your most visited pages.

OMG it worked on my OS and is simple. Only after 3 apple people couldn't help over 4 hours. ugh.

Go to your chrome browser

type in: chrome://policy/

if it says WeKnow anywhere you're 'effed! But not anymore 🙂

just go type in TERMINAL in search box. On the bottom right comes up a black box - select the box

then this comes up:

simply copy and paste everything in bold after the prompt:

defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName

then hit enter...

it may say nothing was changed... ignore the because it did change!

then CLOSE and QUIT your Chrome browser by Right clicking and selecting QUIT

then open your Chrome browser and it should be normal!!

Type in chrome://policy/ and you should see the following:

Done! You're no longer 'offed!!