Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Reply
Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, ie definitely do a malware scan too.

310 replies

Sep 20, 2018 7:29 AM in response to Skanson

Thanks for this response....can you please explain how to use the command line to delete / modify the affected policies? I can see that my policies are affected as described..


Applies toLevelSourcePolicy namePolicy ValueStatus

Current user

Recommended

Platform

DefaultSearchProviderEnabled

true

OK

Current user

Recommended

Platform

DefaultSearchProviderName

WeKnow

OK

Current user

Recommended

Platform

DefaultSearchProviderNewTabURL

Show value

OK

Current user

Recommended

Platform

DefaultSearchProviderSearchURL

Show value

OK

Current user

Recommended

Platform

HomepageIsNewTabPage

true

OK

Current user

Recommended

Platform

HomepageLocation

Show value

OK

Current user

Recommended

Platform

NewTabPageLocation

Show value

OK


not sure what to do once i get to the page chrome://policy/

thanks!!!

Sep 27, 2018 5:10 PM in response to kelli265

Kelli there is no search in Terminal. You just simply enter the following info in the box and hit enter:



defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


I copy and pasted one line at a time and hit enter before going to the next one. But I think you can paste the whole thing and then hit enter. But that's it. 🙂

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Remove "weknow.ac" Malware in Chrome?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.