Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main, and only, noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested on other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.


Posted on Aug 15, 2018 6:51 AM

Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for Chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e., definitely do a malware scan too.
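To see which of the keys named in the reply above are set, and where the URL-valued ones point, the output of `defaults read com.google.Chrome` can be filtered before and after running those commands. This is an added example, not part of the original post; the function name, the `FOREIGN`/`SET` labels, the expected-host argument and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Chrome preference keys named in the reply above.
# On a Mac:  defaults read com.google.Chrome | audit_chrome_prefs google.com

# Keys the reply resets or deletes.
POLICY_KEYS="HomepageIsNewTabPage NewTabPageLocation HomepageLocation \
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL DefaultSearchProviderName"

# audit_chrome_prefs EXPECTED_HOST
# Reads `defaults read` output on stdin. Prints "FOREIGN key host" for a watched
# key whose URL is not on EXPECTED_HOST or a subdomain of it, and "SET key value"
# (informational) for a watched key holding a non-URL value.
audit_chrome_prefs() {
    awk -v keys="$POLICY_KEYS" -v want="$1" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) watch[k[i]] = 1 }
    {
        pos = index($0, " = ")            # split on the first " = " only
        if (pos == 0) next
        key = substr($0, 1, pos - 1); val = substr($0, pos + 3)
        gsub("^[ \t]+", "", key)
        sub(";[ \t]*$", "", val)          # drop the trailing ";"
        gsub("^\"|\"$", "", val)          # drop surrounding quotes
        if (!(key in watch)) next
        if (val ~ "^https?://") {
            host = val
            sub("^https?://", "", host)
            sub("[/:?#].*$", "", host)    # keep only the host part
            host = tolower(host)
            suffix = "." want
            tail = substr(host, length(host) - length(suffix) + 1)
            if (host == want || (length(host) > length(suffix) && tail == suffix)) next
            print "FOREIGN " key " " host
        } else {
            print "SET " key " " val
        }
    }'
}

# Constructed sample in the format `defaults read` prints (not real output).
SAMPLE='{
    DefaultSearchProviderName = "Constructed Search";
    DefaultSearchProviderSearchURL = "http://search.example.invalid/results?q={searchTerms}";
    HomepageIsNewTabPage = 1;
    HomepageLocation = "https://www.google.com/";
    NewTabPageLocation = "http://search.example.invalid/newtab";
    SomeOtherPref = 42;
}'

printf '%s\n' "$SAMPLE" | audit_chrome_prefs google.com
```

Any `FOREIGN` line that is still printed after the commands have been run and Chrome restarted means the value was rewritten, which matches the reinstallation behaviour other replies in this thread describe.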

310 replies

Mar 26, 2019 6:49 AM in response to Skanson

hello.


i did exactly what you recommended after seeing the same thing in another website.

it worked fine. weknow was gone, and i haven't seen that new tab page since.

HOWEVER,

now, when i open a new tab, i simply get an about:blank screen, rather than the normal chrome new tab :/ (see below)


i'm pretty sure this is due to the delete statements, but i'm not sure. is there any way i can set it back? i will try using the "write" commands on this later and see if it works but i don't know. please help me out here

Aug 17, 2018 5:18 PM in response to Reuben_Hood

I have been researching this all afternoon, and I saw on another forum that "weknow.ac" seems to have changed their technique sometime within the past week, as any posts about removing the malware from July 2018 and before do not completely work. I have followed every possible step, removed all the malicious apps and Library files mentioned, run Malwarebytes, and I still can't get rid of the default "weknow.ac" search page in Chrome. I deleted Chrome and all its support files, reinstalled it, and the problem persists. There is something installed in the OS that keeps reinstalling the malware. For all the frustrated users on this board - I'm one of you - any guides to solving this problem prior to August 2018 will not fix the issue entirely. I am hoping Malwarebytes figures this out and releases an update to their software to include this latest attack.

Sep 1, 2018 7:37 AM in response to culvercitymacuser

I just followed these steps, and after opening Chrome got the same old SEARCH screen. Has anyone had any luck with cleaners other than malwarebytes.com? I have had the same experience of 2 Apple reps saying they were no longer able to help, that this was a Chrome problem. Safari and Firefox are clean now, thanks to a nice Apple rep yesterday named Duane.

Sep 3, 2018 3:02 PM in response to Kurt Lang

No, I'm not talking about MalWareBytes for Mac. I'm talking about the link How To Remove Weknow.ac Redirect (Virus Removal Guide)


That takes you to https://malwaretips.com/blogs/remove-weknow-ac/

AND malwaretips.com is NOT malwarebytes.com - so you are just downloading someone else's malware IMHO.


I was able to finally unscrew the links that were causing the issue by going in to the Library and removing com.MacMechanic.Mac-Mechanic.plist and com.macmechanic.mmhlpr.plist and then going in to Settings, scrolling down to Search Engine, clicking on manage search engines and then changing it from weknow search engine back to google and then deleting the weknow search engine. You must change it from the weknow search engine to something else before you can delete it btw.

Sep 3, 2018 3:10 PM in response to dhumble

Ah! Gotcha'.


Yes, there are tons of sites out there like that. You can type in any malware name you want to remove, and there are dozens, or hundreds of links that send you to sites to "fix" the problem. Almost all of which want you to download some no-name app to do the work for you. Some are blatant sales pitches for some of the worst utilities you could ever put on your Mac. Can't tell you how many I've seen that encourage the user to download MacKeeper.

Sep 5, 2018 5:38 AM in response to riccaliolio

Which step did you take to fix the problem? (Malwarebytes?) I rebooted my machine after installing that and I was still completely hijacked in Chrome and Firefox (search engine options disabled).


For the record, I have wiped everything and set my Mac back to factory defaults so I am bug-free but am interested in community eradication or at least a workable solution. I sent support at weknow.ac an email telling them they are evil and am receiving responses that "would indicate" that they think users can just disable it. They sent the link https://www.bugsfighter.com/remove-weknow-ac-mac/ which I had come across but no one is going to be psyched with downloading anything after this experience (i.e., CleanMyMac3 or Appcleaner). Interesting/baffling that they even responded 😕.

Sep 24, 2018 10:38 AM in response to Skanson

Thank you Thank you Thank you! The fix turned out to be so simple — but only if you are familiar enough with the Command line to think of it in the first place! I have to say that all the comments about Google's looney-goosey code security system for third-party add-on features is kind of shocking, and has made me decide to return to Safari as my default browser — at least for now. But it's still nice to know that I can use Chrome if I need to without fear of this nefarious little malware minion running around inside my browser. Thanks again, Skanson —

Sep 25, 2018 2:42 PM in response to Skanson

😍😍😍😍😍 THANK YOU SO MUCH!!!!!! After many calls with level 2 techs over 2 weeks my mom was getting nowhere. This did it. I helped her look all over the internet for fixes but all of the directions did not pertain. weknow.ac didn't exist anywhere and probably because Apple had already removed bits and pieces but not the actual virus.


You are a lifesaver Skanson. Now this info needs to get out there so everyone else can fix their system. It's really too bad the level 2 Apple techs don't know this. Hopefully someone at Apple is reading this and will have the Apple techs do this now.


Thanks again!!!!!!

Sep 25, 2018 6:56 PM in response to carrie4321

Carrie, I am not the most tech savvy person but I created my own website and no one touches it except myself so I am more tech-savvy than most I guess but I will definitely not be using the right terminology to explain things.


So Terminal is used to tell your computer to do something when you want it to do something to the whole computer. It's on every single Mac so it has to be there.


If you cannot find it by searching then go to Applications and then to Utilities and it should reside in Utilities.


Then open it up and copy and paste the commands one by one and then restart Chrome. It really was a life saver. It's not the first time my mom or dad have downloaded something like this. My mom is usually savvy enough with not being tricked but this one got her and it really is one of the worst.
