You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Remove "weknow.ac" Malware in Chrome?

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien "weknow.ac" search engine, which produces results very different from Google's. I've tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as "clean." Also pursued other remedial steps I've seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The "good" news is that Safari (so far) shows no sign of the infestation — so I'm using that as my only browser. However, I don't want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that's both effective and trustworthy? Thanks in advance for any help.

iMac

Posted on Aug 15, 2018 6:51 AM

Reply
Question marked as Top-ranking reply

Posted on Sep 20, 2018 6:37 AM

I was finally able to fix this for chrome after having no luck with anything posted here. This is what I discovered:


"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.


All I had to do then was use the command line to delete / modify the affected policies:


defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName


The changes will not take effect until you restart Chrome.


I recommend following some of the other pieces of advice in this thread, ie definitely do a malware scan too.

310 replies

Mar 5, 2019 12:58 PM in response to bennett_betsy

Thank you, bennett, for a lot of good stuff here.


I think lulubo's tip below of deleting the fake admin profiles might've removed weknow already, but just in case, I just checked Applications and didn't see Flash Player or MacKeeper. I then went to Chrome Settings and Google was now identified as my default search engine. Weknow was still listed as a search engine, but unlike before, when I now clicked on the 3 vertical dots to the right, I was able to remove weknow from the list of search engines. Yesterday, I'd restored Chrome to the default settings.


Bottom line, this was a lot of mystery to me as well, but, fingers crossed, I'm rid of weknow now (and hopefully permanent).

Mar 6, 2019 1:46 PM in response to Skanson

Hey! Have had the We Know malware on my laptop for quite while now and havent had any luck in removing it. When i try to enter the policies or 'commands' into Terminal it says 'command not found'. Can anybody help please? Maybe i'm not copying and pasting the right info? could someone help me out please - what exactly need to be copied and pasted?

Mar 6, 2019 3:00 PM in response to bu39

When you open Terminal window, there will already be some text that lists your last login date and ends with your computer name and/or your Apple ID, followed by a $. The cursor (indicated by a grey rectangle on my screen) will be located just after that $. You need to copy/paste each of the six commands listed in the original post on this thread one at a time. Each command starts with the word "defaults." For example, the first command is "defaults write com.google.Chrome HomepageIsNewTabPage -bool false". Copy that entire command. Then click on the Terminal window so it becomes the active window, and paste. The text (starting with the word "defaults" will paste itself immediately following the $. Hit return. You need to repeat for each of the six commands, copying exactly as they are listed (for the second and third commands, you include the quotation marks.) In case you are reading on a small screen that isn't showing the proper line breaks, there are six commands total, each one begins with the word "defaults". You will copy, paste, and hit return six individual times. Hope that helps.

Mar 7, 2019 11:35 AM in response to Skanson

Your advice worked for me sort of.

While searching for solution I brought up duckduckgo and which worked great but not in the url. Every new tab opened in weknow, for convenience I added the duckduckgo extension.

I followed your directions to change Chrome polices in the terminal. The first time I stopped after the 3rd or 4th line. I spent several hours "cleaning up" the library with no success so tried your method again. That time everything seemed to work great!

Each tab opened to the google homepage, searches in search bar or URL showed no sign of weknow.

But duckduckgo was now the default search engine. I went to change that and found weknow was still there!

I uninstalled Chrome and moved to Safari (which I had earlier managed to free from weknow)

Next morning I reinstalled Chrome and weknow was in every page and tab.

I opened up the terminal to change the policies after the 4th line - “Domain (com.google.Chrome) not found. Defaults have not been changed”

I started removing apps and deleting files (malware searches come up clean).

I restarted & opened Chrome - Now I can search Google in search bar and weknow is still in the URL.

1st 3 lines are reflected in the policies, but no defaults shown in policy. I am going to try again, I guess starting with line 4.

....

Because weknow is only showing in Chrome now (even after un&re install) is the malware hiding in some file or app in a Chrome specific path?

Mar 13, 2019 3:55 AM in response to Skanson

Thanks a lot Skanson. It's been months that i have been struggling with this.

This solved my problem in an instant.


Just one suggestion - I'm a Mac newbie. So "Use the command line" part confused me a bit. I had to search around and then take a wild guess that you meant Terminal app. I was looking for a command prompt option in my Google Chrome app. (sorry, like i said, newbie!)


It will help people like me if you just mentioned Terminal before what the policies to be changed.


Rest of the answer was bang on. Thanks so much!


Mar 15, 2019 9:19 AM in response to mry50

Hi - I open the finder go to applications, along with all my apps is the utilities folder and in there I can open the terminal.

Weknow can be a challenge to remove in Chrome.

Even after following the instructions to change Chrome policies I uninstalled Chrome completely - then reinstalled it!!!

Keep us posted. I learned a lot trying to get rid of this little monster.



Mar 26, 2019 8:52 AM in response to Muhsin7

Goto setting and under startup check " open the new tab page "

under Appearance check " Show Home Button "

next line ... New Tab page Change ... click change and select Use the new tab page


close the setting page and restart chrome and you should be all set.


Also...

https://chrome.google.com/webstore/detail/blank-new-tab-page/jaadjnlkjnhohljficgoddcjmndjfdmi?hl=en


Apr 16, 2019 6:46 AM in response to Skanson

I'm not quite sure what search you are referencing. On the screen there is a box with the words "filter policy by name". I typed terminal there and got the response, no policy. At the very top right on my Mac, next to the time is a search icon. I typed terminal there, and got a listing of"possible hits", such as documents, other, PDF documents developer, and show in finder. I see I have chrome policies that have been affected. I feel like I'm so close, but not understanding terminal application. Thank you for any help you can give me!!!


Remove "weknow.ac" Malware in Chrome?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.