Level 1

54 points

Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Top-ranking reply

User10000001

Level 1

4 points

Posted on Jul 2, 2019 4:41 PM

I've noticed that a "Profile" was setup preventing the setting to be changed in Chrome.

System Preferences > Profiles remove the unrecognized profile (if this is a work computer you may want to check with IT to see if the profile is supposed to be there, by default there shouldn't be a profile.
Once removed O)pen Chrome and go to Chrome > Preferences > Choose the 3 lines on the top left choose "Search Options" (or something like that) you'll see the Search option WeKnow listed there. You can change that to something else. If you don't have the option to change it (greyed out) refer to step 1.
Below that there should be Manage Search Engines which shows a list of options, like Google, Bing. .... etc You'll see WeKnow there, remove that and any other you aren't wanting included.

I also suggest running an Anti-Malware program at some point, before or after you do this.

View in context

310 replies

May 7, 2019 8:45 AM in response to WhyDee706

To change your homepage in Google Chrome, open your Chrome browser and click on the menu icon represented by three lines on the top right corner of the screen next to the Web address input field. Choose "Settings" from the drop-down options. In the "Settings" screen, check the box labeled "Show Home button".

May 7, 2019 8:48 AM in response to Muhsin7

ctts13

Level 1

12 points

Jan 23, 2019 11:58 AM in response to cmcostel71

On your MAC, on the top right, next to the date and time area, you'll see a "search" circle, click on that, and type "Terminal".

BDAqua

Level 10

250,253 points

May 11, 2019 6:38 AM in response to adil145

See if this helps...

https://macreports.com/how-to-remove-weknow-ac-malware-macos/

May 26, 2019 11:31 AM in response to steve5454

Had good luck with this...

https://support.google.com/chrome/thread/1985871?hl=en

Skanson

Level 1

19 points

Sep 20, 2018 6:37 AM in response to Reuben_Hood

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:

"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.

All I had to do then was use the command line to delete / modify the affected policies:

defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName

The changes will not take effect until you restart Chrome.

I recommend following some of the other pieces of advice in this thread, ie definitely do a malware scan too.

Jan 13, 2019 3:32 PM in response to Skanson

This is only thing that worked and is really simple. Just copy the full sentence over 6 times and hit enter each time. I tried everything else posted, called Geek quad two times and they removed and it reappeared, removed Goolge twice, then tried this and it worked. Wasted a day. Do this first.

Jan 15, 2019 9:42 PM in response to Reuben_Hood

Skanson!!!! You are the best!!

Thank you so much for the terminal commands, they worked PERFECTLY on any MacBook Air. I have uninstalled and re-installed Chrome what feels like a million times, deleted tons of "suspicious" files and folders, etc etc and nothing worked until I got the terminal instructions from you. THANK YOU SO MUCH!!!

dnolimal

Level 1

4 points

Jan 19, 2019 6:30 PM in response to Skanson

Hi I'm still so confused I need help in the most layman explanation: I am opening terminal then entering the lines in your above post as follows, for example: "defaults write com.google.Chrome HomepageIsNewTabPage -bool false" What am i supposed to do next? Is that what you're saying to enter?

Jan 22, 2019 1:53 PM in response to Skanson

Can you please explain further how to do this step?

"You need to open the "Terminal" application (use the search functionality at the top-right to find it). Then copy and paste, one by one, the commands from my above post into the terminal prompt, hitting enter after pasting each."

I can't seem to get there....

Jan 30, 2019 2:51 AM in response to Reuben_Hood

Spent hours on this - this helped immediately. Not sure if some of the other stuff I did also helped, but doing this (deleting virus profiles) helped instantly. Still needed to go back and resent homepages, but now all good - YAY!!! Doesn't involve downloading anything extra.

https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/

Jan 31, 2019 10:15 AM in response to Skanson

This weknow.ac malware is driving me nuts.

Skanson I was able to find the policies you mentioned but can you provide some guidance on how to "use the command line to delete / modify the affected policies:"

Thanks!

Feb 4, 2019 11:27 AM in response to Reuben_Hood

i get unto this line of code and can't seem to get father. can anyone help! much appreciated!

HKXX-MacBook-Pro:~ HKMBR$ defaults delete com.google.Chrome DefaultSearchProviderSearchURL

2019-02-04 11:23:05.571 defaults[832:16253]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Feb 13, 2019 5:54 PM in response to Reuben_Hood

It is in Safari, I'm using Safari right now, and I have to use Clean My Mac every day and this thing still comes up as Homescreen even when it's not set to. I even deleted Chrome Browser hoping I wouldn't see it again.

mmz12

Level 1

4 points

Feb 14, 2019 2:29 AM in response to Skanson

Hi, I tried copying each command into Terminal and hitting enter, but Terminal returns a message saying "Domain (com.google.Chrome) does not exist. Defaults have not been changed." Do you know why this is happening?

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Remove "weknow.ac" Malware in Chrome?