Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." I also pursued other remedial steps I've seen suggested on other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled the Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation, so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for Chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e., definitely do a malware scan too.

310 replies

Mar 6, 2019 3:00 PM in response to bu39

When you open a Terminal window, there will already be some text that lists your last login date and ends with your computer name and/or your Apple ID, followed by a $. The cursor (indicated by a grey rectangle on my screen) will be located just after that $. You need to copy/paste each of the six commands listed in the original post on this thread one at a time. Each command starts with the word "defaults." For example, the first command is "defaults write com.google.Chrome HomepageIsNewTabPage -bool false". Copy that entire command. Then click on the Terminal window so it becomes the active window, and paste. The text (starting with the word "defaults") will paste itself immediately following the $. Hit return. You need to repeat for each of the six commands, copying exactly as they are listed (for the second and third commands, you include the quotation marks). In case you are reading on a small screen that isn't showing the proper line breaks, there are six commands total, and each one begins with the word "defaults". You will copy, paste, and hit return six individual times. Hope that helps.

Jun 25, 2019 9:59 AM in response to Skanson

I ALSO FIXED THE PROBLEM!


I wanted to follow up to this solution b/c this solution ultimately saved me. However, it's a year later and the malware has different app names and file names, and the policies are all different. So I wanted to update with my solution. Thanks to @Skanson for the original help with the Terminal commands, I wouldn't have known how to do that.


With inspiration from many different forums, I did several things which seem to have gotten rid of the problem entirely (fingers crossed):


1) Immediately delete/uninstall whatever malicious program you downloaded that ended up taking over Chrome. Mine was called "Macbook Cleaner Pro." I got a message from a website saying I needed to install the most up to date Adobe Flash Player, which was a clever trick b/c I actually have gotten legitimate updates like that several times throughout the last year, so I immediately downloaded it without thinking. Big mistake.


2) I used Malwarebytes to find any remaining files linked to Macbook Cleaner Pro (MCP). Although people are skeptical of Mac malware programs for good reason (I was using Dr. Cleaner for a while, which eventually removed critical launch files that allowed my computer to restart and shut down, and I ended up having to wipe the computer and reinstall everything), Malwarebytes identified 5 additional MCP files through its normal scan function and deleted them. Happy about that b/c I wouldn't have found them myself.


3) The next thing I did was reset Chrome settings to default after exporting my bookmarks, which I didn't actually have to do b/c it is saved in the cloud, but just for good measure. Quit Chrome and reopen.


4) The final issue is all of the Chrome policies the malware installed automatically on Chrome that make it impossible to sign in to Chrome and show the message saying "Chrome is managed by your organization" or something similar, essentially cutting you out from changing settings, extensions, signing in, etc. And of course the malware is probably reading all of your movements and information and selling it to someone. I was on a bunch of different websites that warned against deleting policies that might be critical to the functioning of Chrome. But I eventually came across a blog that said that policies aren't necessary, that you only have them if Chrome is being managed by someone else or if you put them there yourself. Which I never have. So my conclusion was that Chrome shouldn't have any policies running. Into your address bar in Chrome, type in chrome://policy. Then use the following command, which you plug into the Terminal app on Mac one policy at a time with the name of the policy at the end:


defaults delete com.google.Chrome [POLICYNAME]


Put that into Terminal, hit enter, paste again and change the policy name, hit enter, etc. This process is deleting the policy you type in every time you hit enter. Do that one by one for every policy you see listed. When you're done, quit Chrome and reopen. Should fix it! If you can't see the entire policy name, click on it, it'll open a new tab that should read the entire policy name.


That solved the problem for me! Can't speak for anyone else, and I'm definitely not a computer whiz, but I wanted to throw this on here for other Mac users like me who are struggling.
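The following is an added example, not code from the thread, that scripts the check and cleanup described in the top-ranking reply (the six defaults commands) and in the post above (delete every policy that chrome://policy lists). It takes the output of defaults read com.google.Chrome, picks out the top-level keys that are Chrome policy names (the ones named in this thread plus the rest of the DefaultSearchProvider* family; extend the pattern with whatever chrome://policy shows on your machine) and prints the matching defaults delete commands so they can be reviewed before anything is removed. The function names, the demo/live/fix arguments and the sample defaults read output are constructed for this example; the sample's weknow.ac values are placeholders, not captured from the malware.

```shell
#!/bin/sh
# chrome_policy_cleanup.sh -- added example, not from the thread above.
# Parses the output of `defaults read com.google.Chrome`, picks out the keys
# that are Chrome policy names, and prints (or, with "fix", runs) the matching
# `defaults delete` commands. Everything else in the domain is left alone,
# because Chrome also stores ordinary app state there (window frames, the last
# open-panel directory, ...), which is why "delete every key" is a bad idea.

# Policy names from this thread plus the rest of the DefaultSearchProvider*
# family. Extend this with whatever chrome://policy lists on your machine.
POLICY_PATTERN='^(HomepageLocation|HomepageIsNewTabPage|NewTabPageLocation|DefaultSearchProvider[A-Za-z]*)$'

# Print the top-level keys of `defaults read` output (old-style plist text,
# "{ key = value; ... }") read from stdin, one per line, in file order.
top_level_keys() {
  awk '
    {
      line = $0
      # A key line at nesting depth 1 looks like:  Key = value;  or  "Key With Spaces" = value;
      if (depth == 1 && match(line, /^[ \t]*("[^"]*"|[^ \t="]+)[ \t]*=/)) {
        key = substr(line, RSTART, RLENGTH)
        sub(/[ \t]*=$/, "", key)   # drop the trailing "="
        sub(/^[ \t]*/, "", key)    # drop the indentation
        gsub(/"/, "", key)         # drop quotes around keys containing spaces
        print key
      }
      # Track nesting so keys inside sub-dictionaries are ignored. Braces inside
      # a quoted value such as "{searchTerms}" open and close on the same line,
      # so they do not change the depth.
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
    }'
}

# Keep only the keys that are Chrome policy names.
policy_keys() {
  grep -E "$POLICY_PATTERN"
}

# Read `defaults read` output from stdin and print one `defaults delete`
# command per policy key. With "-x" the commands are executed instead.
chrome_policy_cleanup() {
  mode="${1:-print}"
  top_level_keys | policy_keys | while IFS= read -r key; do
    if [ "$mode" = "-x" ]; then
      defaults delete com.google.Chrome "$key"
    else
      printf 'defaults delete com.google.Chrome %s\n' "$key"
    fi
  done
}

# Constructed sample of `defaults read com.google.Chrome` output from a
# hijacked profile. The values are placeholders, not captured from the malware;
# the Nested entry is there to show that sub-dictionary keys are skipped.
SAMPLE='{
    DefaultSearchProviderName = weknow;
    DefaultSearchProviderSearchURL = "https://www.weknow.ac/search?q={searchTerms}";
    HomepageIsNewTabPage = 0;
    HomepageLocation = "https://www.weknow.ac/";
    NSNavLastRootDirectory = "~/Downloads";
    "NSWindow Frame MainWindow" = "0 0 1280 800 0 0 2560 1417 ";
    NewTabPageLocation = "https://www.weknow.ac/";
    Nested = {
        HomepageLocation = "inside a sub-dictionary, must be ignored";
    };
}'

case "${1:-demo}" in
  demo) printf '%s\n' "$SAMPLE" | chrome_policy_cleanup ;;          # run against the sample
  live) defaults read com.google.Chrome | chrome_policy_cleanup ;;    # list what this Mac has
  fix)  defaults read com.google.Chrome | chrome_policy_cleanup -x ;; # actually delete them
esac
```

Run it with live to see what your own profile contains and with fix once the list looks right, then quit and relaunch Chrome as the replies above say. The defaults commands in this thread edit ~/Library/Preferences/com.google.Chrome.plist, a different place from Chrome's own Application Support folder, so reinstalling Chrome does not clear it. If a policy still appears in chrome://policy after defaults delete, it is coming from somewhere else, typically a configuration profile (System Preferences > Profiles) or a plist under /Library/Managed Preferences, and has to be removed there.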

Jun 25, 2019 10:01 AM in response to HeathenJeff

Hey HeathenJeff, I posted this in the general thread too, but wanted to respond to you directly, hope this helps!

