You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Reply
Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, ie definitely do a malware scan too.

310 replies

Jan 31, 2019 11:14 AM in response to robinhenry

Hi everyone. Not a mac guy, not a computer guy, so all of this is over my head. But I wanted to share how I dealt with this on my wife's iMac. On the we know search page that forces its way on to your computer, on the bottom left was a FAQ's link. And in there was an uninstall link. I was skeptical but desperate. Cleaned everything right up. My 2 cents. Good luck..

Feb 8, 2019 11:50 AM in response to Reuben_Hood

Not very glamorous but this works:

run malware bytes as usual and remove whatever it comes up with.

Download appzapper and use it to remove Chrome and its extensions

restart system.

download a new copy of chrome and it should be clean.


App zapper pulls out the hidden extensions chrome uses. Maybe not as fancy but it’s beej working for me so far.

Feb 13, 2019 6:02 PM in response to lambadger

Clean My Mac could be part of the problem, most here recommend removing that by Uninstalling it.


EtreCheck is a simple little app to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to help people help you with your Mac.


http://www.etresoft.com/etrecheck

Feb 19, 2019 4:20 PM in response to Skanson

OMG!!!!!!! THANK YOUUUUUUUUUUUUU. I have been dealing with this stupid weknow.ac malware for almost 4 months. I have tried everything and it still shows up when I open a new tab. This fix worked beautifully!!!! At one point, I had to delete my Chrome and use Safari. I was sooooo frustrated. McAfee didn't help, it doesn't see it.


I originally download the weknow.ac from a request to update my java. I found out later, that Java updates are never pushed through as a message. THANK YOU again!!! WooHoo.

Feb 21, 2019 1:52 AM in response to Skanson

Yep, ditto, thanks so much for this. Although the apple guy was very helpful and patient, sorted Safari out for me, and spent ages with me trying different things with Chrome, he didn't seem to know about this particular solution and warned me against going into terminal in case I deleted files that don't need deleting. But I just wanted to try it... and it worked. Brilliant. Thanks.

Feb 27, 2019 6:52 PM in response to Skanson

Thank you!!! It appears to have worked. I wasn't able to figure out how to change my terminal from bash to c-shell, but figured I would try enter your command lines anyway, one at a time, and it seems to have worked beautifully. I went back and checked the chrome policy after restarting chrome and it looked a lot different than when "weknow.ac" was in control.

THANK YOU

Mar 3, 2019 2:23 PM in response to Reuben_Hood

Thank You!! The "weknow..." virus affected my wife's computer (Chrome). Has taken us a long time to find a solution. However, your magic worked! I don't know how you figured this out, but you did. You are fabulous. Also, considering how many people have gotten infected with this, it is surprising that Apple has not created a solution. (We used Apple support and they were, in this case, not able to fix the problem.)


Now the big question: how did you figure this out? (Rhetorical.)

Mar 4, 2019 2:17 PM in response to Skanson

THANK YOU!!! I had been able to fix everything except for opening a new tab in Chrome, and I called Apple four times (hoping to get anyone who could help - but no luck) to no avail.


For those, like me, who had no idea how to open "Terminal", it is in the Applications folder under "Utilities."


There was already some text in there, but after the existing "$" I copied each line (the entire line, starting with defaults), pasted, and hit return. I repeated all six lines. And it worked!


Thanks you!!!

Mar 4, 2019 4:14 PM in response to Reuben_Hood

Can someone tell me (in simple terms, please) what I've done wrong?


I've read the entire thread, found where the Terminal is, and copied and pasted several times, but despite quitting Chrome after each attempt, I still get that "we know/Search" in Chrome.


If you check out my Terminal screen below, I'm obviously doing something wrong (or my Mac is really messed up), because after I copy and paste the commands and then hit Enter, it actually says "Defaults have not been changed."


Bruces-iMac:~ brucezwecker$ defaults write com.google.Chrome HomepageIsNewTabPage -bool false


Bruces-iMac:~ brucezwecker$ defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"


Bruces-iMac:~ brucezwecker$ defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"


Bruces-iMac:~ brucezwecker$ defaults delete com.google.Chrome DefaultSearchProviderSearchURL


2019-03-04 19:04:28.141 defaults[2913:163766] 


Domain (com.google.Chrome) not found.


Defaults have not been changed.


Bruces-iMac:~ brucezwecker$ defaults delete com.google.Chrome DefaultSearchProviderNewTabURL


2019-03-04 19:04:54.120 defaults[2924:165760] 


Domain (com.google.Chrome) not found.


Defaults have not been changed.


Bruces-iMac:~ brucezwecker$ defaults delete com.google.Chrome DefaultSearchProviderName


2019-03-04 19:05:09.087 defaults[2925:167038] 


Domain (com.google.Chrome) not found.


Defaults have not been changed.


Bruces-iMac:~ brucezwecker$ 


Bruces-iMac:~ brucezwecker$ 


Bruces-iMac:~ brucezwecker$ 

Mar 4, 2019 11:52 PM in response to amishboy51

Amishboy, I can't give you an exact fix (because this is all a mystery to me!), but before I did the "Terminal" solution, I had already done a ton of other things. For example, I am pretty sure I got infected with "Weknow" by downloading either Flash Player and/or MacKeeper so I deleted those files from my applications. I also went through all of the settings in Chrome and Safari and had to reset the homepage, the default search engine, etc., as all of those items had been changed to Weknow. I literally opened every "setting" or "preference" type option I could in Chrome and Safari and manually reset every single thing I could find. I also followed the instructions of another post: https://forums.malwarebytes.com/topic/236261-how-to-remove-weknow-malware-and-others, which suggestion deleting a bunch of items in the Library and Application sections of my hard drive. Anyhow, the point is that I think removing WeKnow is a multi-step process that requires doing all of these things. I'm sorry I don't have a simpler answer - this is all over my head! Good luck!



Remove "weknow.ac" Malware in Chrome?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.