Malware Complaints

Virus and Malware Database

We have gathered from around the web the most popular complaints and answers concerning the web browser redirect Weknow.ac in an attempt to understand what it does and how it infects Macs.

Topic: how to remove weknow.ac from safari

Friend has MacBook. Managed to get weknow.ac installed from a fake Adobe Flash update. It has hijacked Safari and she won’t use any other browser. I deleted all the stuff I can see from the applications folder that look like secondary installs. But browser homepage can’t be reset – blocked from changes. I googled and found a ton of programs to do this but all have to be bought. Is there a manual procedure? And if not, what’s the best removal program to install to get this done now and the next time she does this?

Thanks.

 

This malware is worse now, it burrows into places I can’t go out of ignorance, i.e. fixing itself inside the system with a “program UUID”. Malwarebytes doesn’t get it and IT CAN’T BE PURGED EASILY. Nothing I’ve tried works. I tried a full reinstall all but it doesn’t change and has it blocked. It screws up Chrome as well but I don’t use it. At this point I can’t use Safari so I’m stuck with Firefox.

 

Dear all,

A relative of mine has a 2015 Macbook with Yosemite and, somehow, Weknow malware is now installed. I managed to remove it from Safari but not from Chrome. When you start Chrome, the page that appears is the one I chose in Settings, but when you open a new tab, the Weknow search page appears. I’ve tried to follow the manual uninstall instructions of weknow.ac but when I reach this point

Delete Profiles:

1. Open System Preferences

2. Go to Profiles

3. In the window that opens, choose the AdminPrefs and click the minus button on the bottom left – then click Remove – click OK.

the problem is that I don’t have any profile icon in System Preferences (I’m logged in as administrator). I’ve scanned and cleaned the Macbook using Malwarebytes, and it removed quite a few files with suspicious names such as myshopcoupon, but the new tab in Chrome still shows the search page from Weknow. I’ve run out of ideas. Any suggestion will be greatly appreciated. Thanks in advance.

 

iMac (Retina 5K, 27-inch, Late 2015), 3.3 GHz Intel Core i5, 16 GB 1867 MHz DDR3, 1.7 TB free — Running High Sierra 10.13.6 (17G65). For a variety of reasons, Chrome is my default browser, and Google is my default search engine and homepage. While browsing with Chrome two days ago, I made the idiotic mistake of clicking on a Flash download popup and immediately noticed signs of infection by this malware. The main only noticeable effect is that my homepage, tab option, and search engine in the Chrome browser now default to this alien “weknow.ac” search engine, which produces results very different from Google’s. I’ve tried three long phone troubleshooting sessions with Apple Help, including downloading and scanning with Malwarebytes, which read my computer as “clean.” Also pursued other remedial steps I’ve seen suggested in other websites. (Although there are only a few that deal specifically with Chrome on Mac.) Uninstalled Chrome application, including trashing all its support folders from Library. However, the bug still keeps coming back. The “good” news is that Safari (so far) shows no sign of the infestation — so I’m using that as my only browser. However, I don’t want my (still relatively new) iMac to go through the rest of its life with this alien entity ticking away in its innards. Can anyone here recommend a more permanent solution to my problem? Is there a third-party malware removal product that’s both effective and trustworthy? Thanks in advance for any help.

Answers:

I was finally able to fix this for Chrome after having no luck with anything posted here. This is what I discovered:

“weknow.ac” changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you’re infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.

All I had to do then was use the command line to delete / modify the affected policies:

defaults write com.google.Chrome HomepageIsNewTabPage -bool false

defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

defaults delete com.google.Chrome DefaultSearchProviderSearchURL

defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

defaults delete com.google.Chrome DefaultSearchProviderName

The changes will not take effect until you restart Chrome.

I recommend following some of the other pieces of advice in this thread, i.e. definitely do a malware scan too.
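A read-only check of the six preference keys named in the answer above, added here as an example (it is not part of the quoted forum posts). The `ALLOWED_HOSTS` list and the function names are assumptions; set the list to the homepage and search hosts you actually use.

```shell
#!/bin/sh
# Added example: read-only audit of the Chrome preference keys named above.
# Nothing is written or deleted; review the report before any `defaults delete`.

# Keys the answer lists as changed by the adware.
POLICY_KEYS="HomepageIsNewTabPage NewTabPageLocation HomepageLocation \
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL \
DefaultSearchProviderName"

# Assumption: hosts you consider legitimate for homepage/search URLs.
ALLOWED_HOSTS="www.google.com"

# Read one key from Chrome's preference domain; fails if the key is unset.
# Kept as a function so it can be stubbed when testing off a Mac.
read_pref() {
    defaults read com.google.Chrome "$1" 2>/dev/null
}

# Extract the host part of a URL: strip the scheme, then path and query.
host_of() {
    h=${1#*://}
    h=${h%%/*}
    printf '%s\n' "${h%%\?*}"
}

# Print "STATUS<TAB>KEY<TAB>VALUE" for each key that is set.
# STATUS is SUSPECT for a URL whose host is not allowed, SET otherwise.
# Returns 0 when no SUSPECT value was found, 1 otherwise.
audit_chrome_prefs() {
    suspects=0
    for key in $POLICY_KEYS; do
        value=$(read_pref "$key") || continue
        status=SET
        case $value in
            *://*)
                case " $ALLOWED_HOSTS " in
                    *" $(host_of "$value") "*) ;;
                    *) status=SUSPECT; suspects=$((suspects + 1)) ;;
                esac ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "$key" "$value"
    done
    [ "$suspects" -eq 0 ]
}

# Run the audit when the script is executed with "audit" as its argument.
if [ "${1:-}" = "audit" ]; then audit_chrome_prefs; fi
```

On an unmodified Chrome install none of these keys is normally set in this domain, so any line in the report deserves a look, not only the SUSPECT ones.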

 

The adware behind this has gotten very sneaky about how these changes are made. The changes to the Chrome profile are non-trivial to reverse, and as a representative of Malwarebytes, I would not recommend relying on Malwarebytes to fix those settings. Even if the changes made by the adware were trivial, poking at the contents of undocumented Chrome-related files could potentially cause Chrome-related data loss, so it’s not the sort of thing currently done by Malwarebytes for Mac.

Currently, my advice is to completely delete Chrome and all Chrome data files from the computer. Then reinstall a fresh copy of Chrome, and set it up from scratch. If you have Chrome bookmarks you don’t want to lose, export those first and import them after reinstalling.

You also need to think about Chrome sync. If you’re using it, you could end up syncing malicious changes right back onto your device, or onto other devices. You’ll want to reset Chrome sync.

For Safari, there are a variety of techniques being used to change the settings. One is to add a bookmark and change Safari’s settings to load “tabs for” that bookmark item at startup. This is easy to miss, since the homepage entry can be left untouched, making it appear that something is still installed if you’re not observing carefully.

 

Thanks, I spent 2 hours researching how to remove weknow.ac and this works. However, it now forces Chrome to always use the generic Google home page for new windows and new tabs.

If you want to use Chrome themes or have the base Google homepage with most popular site visited (below the search bar) I found that you need to delete the first three via Terminal.

With Chrome closed, copy each line separately and paste them into the terminal.

defaults delete com.google.Chrome HomepageIsNewTabPage

defaults delete com.google.Chrome NewTabPageLocation

defaults delete com.google.Chrome HomepageLocation

Restart Chrome and it should look like this with your most visited pages.

User uploaded file

All quotes were taken from https://discussions.apple.com Forum

Daniel Sadakov

Daniel Sadakov has a degree in Information Technology and specializes in web and mobile cyber security. He harbors a strong detestation for anything and everything malicious and has committed his resources and time to battling all manners of web and mobile threats. He has founded MobileSecurityZone.com, a website dedicated to covering the top tech stories and providing useful tips for the everyday user, in an effort to reach and help more people.
