Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main, and only, noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested on other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.


Posted on Aug 15, 2018 6:51 AM

Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for Chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e. definitely do a malware scan too.
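A read-only check to run before and after the commands in the answer above, as an added example that is not part of the original post: it reads the same six keys from the `com.google.Chrome` defaults domain and flags any URL whose host is not one you expect. The `EXPECTED_HOSTS` list and the function names are assumptions of this example; a missing key or a missing domain (the "Domain (com.google.Chrome) not found" case reported later in the thread) is shown as `unset` rather than treated as an error.

```bash
#!/bin/sh
# Added example: read-only audit of the Chrome keys named in the answer above.
DOMAIN="com.google.Chrome"
KEYS="HomepageIsNewTabPage NewTabPageLocation HomepageLocation
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL DefaultSearchProviderName"
# Assumption: hosts you expect for your homepage and search engine; adjust as needed.
EXPECTED_HOSTS="www.google.com google.com"

# url_host URL -> prints the lower-cased host of a scheme://host/... URL, or nothing.
url_host() {
  printf '%s\n' "$1" |
    sed -n 's#^[a-zA-Z][a-zA-Z0-9+.-]*://\([^/:?]*\).*#\1#p' |
    tr 'A-Z' 'a-z'
}

# classify_value VALUE -> "expected", "UNEXPECTED(host)" or "not-a-url".
classify_value() {
  host=$(url_host "$1")
  if [ -z "$host" ]; then
    echo "not-a-url"
    return 0
  fi
  for h in $EXPECTED_HOSTS; do
    if [ "$host" = "$h" ]; then
      echo "expected"
      return 0
    fi
  done
  echo "UNEXPECTED($host)"
}

# audit_chrome_policies -> one line per key: name, verdict, current value.
audit_chrome_policies() {
  for key in $KEYS; do
    # `defaults read` exits non-zero when the key or the whole domain is absent.
    if value=$(defaults read "$DOMAIN" "$key" 2>/dev/null); then
      printf '%-32s %-24s %s\n' "$key" "$(classify_value "$value")" "$value"
    else
      printf '%-32s %s\n' "$key" "unset"
    fi
  done
}

# Only runs where the macOS `defaults` tool exists; nothing is written or deleted.
if command -v defaults >/dev/null 2>&1; then
  audit_chrome_policies
fi
```

This only inspects the user-level defaults domain; settings enforced through a configuration profile, which a later reply in this thread mentions, are not covered by it.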

310 replies

Oct 23, 2018 2:33 PM in response to Skanson

Skanson,


After an entire day of nothing working, this did! However, when I restarted my computer, if I go to the chrome://policy page, it still shows my policies being messed up like they were before. Any idea why Chrome opens up fine after modifying the policies (via command line), but the policy page didn't change? I'm wondering if I'm still being "tracked."


Thanks again, for your post!

Oct 28, 2018 9:58 AM in response to Reuben_Hood

I've done as instructed and still no luck. Here is what is displayed after each line was copied and pasted:



Steves-MBP:~ stevehayko$ defaults write com.google.Chrome HomepageIsNewTabPage -bool false

Steves-MBP:~ stevehayko$ defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

Steves-MBP:~ stevehayko$ defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

Steves-MBP:~ stevehayko$ defaults delete com.google.Chrome DefaultSearchProviderSearchURL

2018-10-28 09:54:58.921 defaults[7694:440908]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Steves-MBP:~ stevehayko$ defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

2018-10-28 09:55:08.057 defaults[7695:441072]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Steves-MBP:~ stevehayko$ defaults delete com.google.Chrome DefaultSearchProviderName

2018-10-28 09:55:15.569 defaults[7696:441253]

Domain (com.google.Chrome) not found.

Defaults have not been changed.

Steves-MBP:~ stevehayko$

Oct 31, 2018 7:15 AM in response to Skanson

Hello Skanson and guys.

Thank you very much for your help.

Unfortunately, I have not been able to get rid of this malware. I have tried several things and I think I partially deleted that crap, but I still see it is on Chrome. I tried to follow Skanson's advice but it did not work. I think the problem is that English is not my native language so I think I did not understand how I have to proceed. If you have any idea to help me, I'd appreciate it very much.

Thank you, guys !

Tayronas

Oct 31, 2018 5:51 PM in response to tayronas

See post from robmaine above (Oct 24) and some posts that follow that one for more explicit step by step info. Copy and paste each entire line, including the blue links. I entered them one at a time at the Terminal black command entry box that appears after my user name, hitting return after each, but that may not be necessary.

Nov 17, 2018 10:36 PM in response to ChanelCinq

Thanks so much! So happy it works and that you further explained what needed to be done. Spent time with Apple Support staff today who didn't know how to fix this. And spent many hours afterwards, trying to find another solution than backing up my old MacBook to an external hard drive and then reinstalling everything, as the Apple Support person suggested. Which would have been quite cumbersome since I need to use an older version of Safari to get the Java plug-in to work with my electronic timesheet for work (PC world).

Tusind tak! A thousand thanks, as we say it in Danish.

Nov 18, 2018 9:08 PM in response to Skanson

I fell for the Adobe Flash needs updating scam and received the weknow.ac virus. I have spent a couple of hours trying to eliminate it by various means but the only thing that fully works is to copy/paste your policies above into the terminal. I appreciate so much that you took the time to post the fix. I also downloaded Malwarebytes and ran it.

Nov 25, 2018 5:43 PM in response to Skanson

THANK YOU! After searching for a while this is the only thing that worked for me. Don't download any unnecessary malware programs people....


this works.


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, i.e. definitely do a malware scan too.

Nov 27, 2018 3:36 PM in response to Skanson

Aha!! This worked for me after doing a zillion other things to delete that piece of caca "weknow.ac". I still had a browser screen showing up with the fake icon images of AliBaba, Facebook, Google, et al. with a doctored "search" engine field box. Once I copied the lines, pasted into terminal, entered each one separately THEN rebooted my Mac, reopened Chrome and voilà! That pesky screen was gone for good!


By the way, did anyone else start getting phone calls on your mobile from a Chinese recording?

Dec 2, 2018 9:37 AM in response to macjack

No, it won’t. Not even the $40 paid subscription version will do so.


Nor did the cryptic Terminal commands help me, as Weknow had infected Chrome, Safari and Firefox.


I called Apple Support, and for free the technician directed me to Profiles in System Settings; one of the many places this virus hides. In ten minutes - again, for no charge - the tech fixed my problem.


I’d strongly recommend calling Apple to remove WeKnow. It costs nothing, and the technicians seem to know all the places this persistent, difficult virus hides.

Dec 2, 2018 10:58 AM in response to anthonyfromreston

It worked for me, and in a few seconds of copy/paste I fixed the issue. What may be different is that I started trying to fix the issue at the same moment I discovered the malware. Probably if the virus stays there for more time it will affect several other applications and browsers (they call it a "virus" for this reason, I guess).

My opinion is that the malware is installed by exactly the same people that pop up a few seconds later with a "free" cleaner that will cost 39$ to work. It is also possible that paying those 40$ you replied the virus in other areas of the OS and Applications.

I was ready to initialize my mac rather than give them money ;-)
