You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Reply
Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, ie definitely do a malware scan too.

310 replies

Sep 27, 2018 5:10 PM in response to kelli265

Kelli there is no search in Terminal. You just simply enter the following info in the box and hit enter:



defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


I copy and pasted one line at a time and hit enter before going to the next one. But I think you can paste the whole thing and then hit enter. But that's it. 🙂

Oct 3, 2018 8:36 AM in response to hanna161

My process was as follows:


1. Installed BitDefender software and ran Full Scan

2. Restored Google Chrome to it's initial settings as follows:

Click theCustomize and Control Google Chrome(Three stacked horizontal lines) button.

ClickSettings.

Scroll to the bottom and clickShow Advanced Settings.

Scroll to the bottom of advanced settings and clickReset Browser Settings.

ClickReset.


3. Then I checked for infected policies by accessing "chrome://policy/"

4. Then I used Terminal to run all of the following commands (one at a time) with Chrome closed:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName



Upon opening Chrome, everything was back to normal!

Oct 5, 2018 8:31 AM in response to Skanson

This did not work. These were my results:


Last login: Fri Oct
5 10:28:33 on ttys000

Davids-MBP:~ david$ defaults write com.google.Chrome HomepageIsNewTabPage -bool false

Davids-MBP:~ david$

Davids-MBP:~ david$ defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

Davids-MBP:~ david$

Davids-MBP:~ david$ defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

Davids-MBP:~ david$

Davids-MBP:~ david$ defaults delete com.google.Chrome DefaultSearchProviderSearchURL

2018-10-05 10:29:33.631 defaults[607:51951]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Davids-MBP:~ david$

Davids-MBP:~ david$ defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

2018-10-05 10:29:33.663 defaults[608:51956]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Davids-MBP:~ david$

Davids-MBP:~ david$ defaults delete com.google.Chrome DefaultSearchProviderName

2018-10-05 10:29:33.696 defaults[609:51960]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Most notably, as it says in highlight,

"Domain (com.google.Chrome) not found.

Defaults have not been changed."

Oct 7, 2018 8:28 PM in response to Skanson

We ended up having the same problem and were able to get rid of most everything except for the new tab page, which was hijacked by weknow.ac. Apple care found this post and your solution. Before we used terminal, I decided to try using App Cleaner & Uninstaller to completely delete chrome and this appeared to work for us (just did the free option). I went ahead and still used the Terminal solution just in case, but for those wary of using the command line interface, this seemed to work for us.

Oct 8, 2018 10:09 PM in response to Reuben_Hood

Not that it's any of my business which browser you choose to use, I am sure you are well aware of how Google love's to track everything you do online. Also, the ad blocker add on blocks everything except Google related objects. I've recently discovered a browser that is giving Chrome a run for it's money and is extremely good at weeding out adware. It is called Brave. As an added bonus, a good alternative to the Google Search engine is DuckDuckGo.

Oct 13, 2018 5:34 PM in response to Edgarc33

You need to open the "Terminal" application (use the search functionality at the top-right to find it). Then copy and paste, one by one, the commands from my above post into the terminal prompt, hitting enter after pasting each.


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


It is that simple.

Oct 15, 2018 11:02 AM in response to Skanson

Hi. Thanks for your help, but I'm having a problem where on the last three, it says "Defaults Have Not Been Changed" I have little experience with terminal and I'm so frustrated and tired of this virus. I'm not sure how to fix this. I've tried copying/pasting all at once, or doing one at a time (either in the box, or after clicking "New Command"


any help would be so appreciated.

Oct 17, 2018 10:36 PM in response to Reuben_Hood

So I have tried the copy and pasting the commands to terminal but they did not work for me. The solution I found was way more simpler than I expected. I found the video on youtube which was extremely hard to find, my gosh! I recommend copy and pasting the link. This "virus" annoyed me to the core. But it's gone now. All is right with my Mac. 🙂

SUPER MALWARE, "Weknow.ac" aimed at Mac-users, how to remove. - YouTube

https://www.youtube.com/watch?v=SrG_UKtpDEM

These are the same links I posted both just in case one works and one doesn't.

Hope this helps,

Cheers!

Remove "weknow.ac" Malware in Chrome?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.