Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Reply
Question marked as Best reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, ie definitely do a malware scan too.

310 replies

Dec 4, 2018 7:43 PM in response to carola1984

The following code line wise need to be copied and pasted in "Terminal" app available in your launch pad.


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


You have to copy each and every line and then hit enter.


Everything worked out well after that, but, I like to have "New Tab Page" with recents and favourites being displayed, which is now displaying www.google.com when I hit the "+" to add new page. Except that every thing is good.


Appreciate if Skason can explain us how to get default New Tab Page in Chrome instead of www.google.com

Dec 18, 2018 6:03 PM in response to Reuben_Hood

Skanson... you are a genius!!!! THANK YOU! I was on the phone twice (two different people) with apple customer support and they couldn't fix it. Going into terminal, copy and pasting exactly what he posted, hitting enter in between each one, then hitting control AND the letter "O" at the same time saved the work in terminal and got rid of the WeKnow.ac browser.

Dec 19, 2018 6:02 PM in response to thomas_r.

"For Safari, there are a variety of techniques being used to change the settings. One is to add a bookmark and change Safari's settings to load "tabs for" that bookmark item at startup. This is easy to miss, since the homepage entry can be left untouched, making it appear that something is still installed if you're not observing carefully."


Please expound on this, I don't follow.


I deleted chrom and reinstalled. Weknow.ac still there.


Thanks1

Dec 29, 2018 1:04 PM in response to can200

I deleted Chrome MANY times. But what you have to do is go to Terminal app on your laptop (go to Spotlight search) and then copy and paste these lines.


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


Restart Chrome. Works a treat!! I've had this problem for months to the point I just gave up using Chrome.

Jan 16, 2019 7:43 PM in response to Reuben_Hood

if using terminal doesn't work for you. The problem is that now We Know Ac is set as an Admin for your MAC directly affecting your terminal and if you input something there, it will not work as We Know Ac blocks it. So:

1. Go to your system preferences (the settings of our MAC), and look for a profiles icon.

2. Click on there (since in a default mac that shouldn't be there).

3. Remove all of the Admin blocks found.

4. And boom, you have a chrome free of malware.

This video & comment section ultimately saved me https://www.youtube.com/watch?v=C0xRhWCX2Is&vl=en

Jan 30, 2019 2:51 AM in response to Reuben_Hood

Spent hours on this - this helped immediately. Not sure if some of the other stuff I did also helped, but doing this (deleting virus profiles) helped instantly. Still needed to go back and resent homepages, but now all good - YAY!!! Doesn't involve downloading anything extra.

https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/

Remove "weknow.ac" Malware in Chrome?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.