
Remove SMART SEARCH and weKnow.ac Malware virus from Chrome on Macbook Mac



I think this was installed by a fake Adobe FLASH installer.
 
I removed most of it myself, but I could not get rid of this problem with Chrome: If I started Chrome and then killed all the open tabs, what was left was a Chrome window that had a search box in the middle of the Chrome window. Above the search box it said SEARCH in Google colors, below the search box was a button that said SMART SEARCH. If you clicked on the button, it brought you to a weKnow.ac website, which looked like this picture: https://www.pcrisk.com/images/stories/screenshots201802/chumsearch-com-hijacker-main2.jpg (or see attached pic)
Also on that SEARCH page it kept showing ads for things like MacKeep, etc.
 
I tried many procedures from many different websites to no avail. I tried resetting Chrome, re-installing Chrome, setting Chrome's home page and search providers, removing files from various locations, etc. Many websites recommended using the COMBO CLEANER for MAC or FRESHMAC remover tools, but I was not able to find trustworthy reviews of those pay-for-removal tools. I did install and run Malwarebytes for MAC; it did find and remove some things, but it did not fix this issue.
 
The only way I was able to un-install or remove the SMART SEARCH and weKnow.ac malware virus from Chrome on Macbook Mac iOS was to do this from: https://discussions.apple.com/thread/8534513
 
"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.
 
Use the command line to delete / modify the affected policies. You do this by opening up "Terminal" and copying and pasting each of the entries below. I did them one at a time: I copied and pasted the first line, hit enter, and then went on to the next until I had finished all 6 below:
 
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
 
Quit Chrome and restart it and voila the virus will be gone. I tried everything and 3 phone calls with Apple and this was the only thing that worked.

chumsearch-com-hijacker-main2.jpg

Link to post
Share on other sites
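
The check below is an added example, not part of the original post or the Apple thread it quotes. It reads the six keys named in the post from the `com.google.Chrome` defaults domain and marks any that differ from the state the six commands leave behind; `read_pref` and `audit_chrome_prefs` are names chosen here, and it assumes the macOS `defaults` tool.

```shell
#!/bin/sh
# Added example: report whether the six Chrome keys from the post above
# are in the state the post's commands produce.

# Thin wrapper around `defaults read`; exits non-zero when the key is unset.
read_pref() {
    defaults read com.google.Chrome "$1" 2>/dev/null
}

# key|expected value. An empty expected value means the post deletes the key.
# `defaults read` prints a boolean false as 0.
EXPECTED='HomepageIsNewTabPage|0
NewTabPageLocation|https://www.google.com/
HomepageLocation|https://www.google.com/
DefaultSearchProviderSearchURL|
DefaultSearchProviderNewTabURL|
DefaultSearchProviderName|'

# Prints one line per key and returns the number of keys needing review.
audit_chrome_prefs() {
    flagged=0
    while IFS='|' read -r key want; do
        if ! got=$(read_pref "$key" </dev/null); then
            echo "ok      $key (not set)"
        elif [ -n "$want" ] && [ "$got" = "$want" ]; then
            echo "ok      $key = $got"
        else
            echo "REVIEW  $key = $got"
            flagged=$((flagged + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$flagged"
}

audit_chrome_prefs || echo "$? key(s) differ from the post-fix state"
```

Run it before and after the six commands, then confirm in chrome://policy/ after restarting Chrome, as the post describes.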

  • 1 month later...

Thank you, thank you tacoma for this helpful advice! About a month ago, my laptop browser was hijacked, and, instead of the Google Chrome browser, all that came up was the Smartsearch screen you displayed above. We ran various anti-malware, anti-virus programs including Malwarebytes to no avail. We tried "nuking Chrome" as described above but that didn't work either. We paid a tech expert $80 to remove it, and it seemed to work for a few hours until the "weKnow" search took over again. I was thinking of just buying a new laptop, when I found this thread and followed your directions for changing the Chrome policies through terminal. Finally, problem solved! Can't thank you enough!


I'm glad you were able to solve your problem, but I'm really puzzled as to why "nuking Chrome" didn't accomplish the same thing. One of the steps was to delete 

~/Library/Preferences/com.google.Chrome.plist

which should have removed all those settings, allowing Chrome to establish default values when it was re-installed.

Perhaps someone with a sample of the malware that caused all this could help explain why that would not have worked for you.


Ah, that would explain it. You must have been looking in the wrong /Library/Preferences/ folder. The "~" indicates that it's the current user's Library, which is often invisible in recent versions of macOS. To get to it you must hold down the Option (sometimes labeled Alt) key and select Library from the Finder's Go menu.


  • 3 weeks later...

I literally just had the same exact issue, and could only fix it by wiping the user account and starting a new one. This is not just a Chrome issue: Safari (but not Firefox) was infected. I was very surprised that MWB didn't successfully clean this issue. So, the above suggestions are clearly helpful for Chrome, but I suspect there is more going on here under the hood if Safari is also affected.


  • 2 weeks later...

I had this problem as well last night.  I have a cold and mistakenly installed a fake Adobe Flash Player (something I normally would never have done...) on my MacBook Air. I am attaching some screenshots here that are not in the above posts, so that if someone else is trying to fix their computer, they will know they are on the right track.

If I had stopped to check the Custom Installation options of this fake Adobe Flash Player, I would have noticed something was wrong.  It was installing things called MyShopcoupon, WeKnow, and Mac Cleanup Pro:

[Screenshot, 2019-01-06 9:47:21 PM]

Since I didn't check the Custom Install options, though, my first clue was only when the installer opened a Terminal script window while the installation was in progress.  Then when I opened up Chrome and Safari, they were both taken over by new home pages and weird search engines.   In Chrome, it was as shown in the original post - where Google is normally written on the google homepage, instead the word "search" appeared with the letters in Google colors, and with a button for "Smart Search" below it. 

I first installed Malwarebytes. It found some bad files that it quarantined that were part of the MyShopcoupon mess, and then required a restart. After restarting, though, Safari and Chrome were both still hijacked. I then searched a bunch and eventually found this thread. Thanks a bunch to you guys here for the good advice!

I entered the six lines into Terminal as suggested by the original poster (tacoma). It didn't fix the problem with the hijacked browsers, but I still think they were good measures to take. I then followed the link in Alvarnell's post above, which led to a post in this forum by Treed entitled "How to remove WeKnow malware (and others)". This was extremely helpful. Be sure to also follow the link in this post to remove fake profiles that are installed, as well. Here is what the fake profiles looked like on my laptop, when I opened System Preferences and then Profiles. (Normally the Profiles icon is not even listed in System Preferences on my laptop. This malware had just created two new profiles, one each that modified Safari and Chrome, which you can see if you scroll down to the "DETAILS" section.) Then I selected each of them and clicked on the minus sign to remove each one. Here are screenshots showing what the two bad profiles looked like:

[Screenshot, 2019-01-06 10:17:46 PM]

[Screenshot, 2019-01-06 10:17:52 PM]

I then followed the rest of the instructions in Treed's post for cleaning up Safari and Chrome. I mostly use Chrome, so I first exported my bookmarks before deleting Chrome, so they wouldn't get erased. I restarted my laptop, imported the bookmarks and everything looks good so far! I am appreciative of this forum and all of its great advice. I waded through a lot of junk and ineffective advice to remove this malware before finding this post. A lot of the bad advice included instructions to install other programs to remove the malware. Some Google searching revealed that these programs are themselves malware. Fortunately I knew enough to not install programs like that, or I would next be searching forums to figure out how to remove the new malware!

I still worry a little whether there are lingering files or spyware, even though everything looks back to normal (probably an irrational fear).  I would be curious to hear from others that have followed the same steps, about whether their computer has remained totally clean after employing the fixes above.


As @tacoma explained, you need to open the Terminal application, found in /Applications/Utilities/, then copy and paste each of the 6 commands listed and hit return, one line at a time, to make changes to the Chrome policies. I suppose you might be able to change them using the Chrome interface you have shown, but that's not what is being recommended here.


  • 2 weeks later...
  • 4 weeks later...

I was trying to help a user with the WeKnow Smart Search issue on OS X in Chrome. Followed the instructions for nuking Chrome. Reinstalled Chrome and everything looked OK until I opened a New Tab and guess what? Here comes WeKnow and Smart Search all over again. The user says that installing an update for Flash was the culprit. User ended up doing a reset of the OS. So strange that MWB couldn't pick up the malware. So hope this helps someone else. This malware is not easy to remove. Any suggestions are always appreciated.


  • 2 months later...

@tacoma's suggestion worked perfectly / quickly / easily !!

I am fairly good with my MacBook Pro, but I have NEVER typed anything in the "terminal" box because I do not have a clue about it and always feared killing my laptop. ☺️

I have used Safari for 5 yrs, and recently decided to change to Chrome.  The first thing I found was that I couldn't change "new tabs" from weknow to Google.  🥵

This drove me nuts as I managed to change the Home page icon to Google. When I came across this page in my desperate search I decided to throw caution to the wind and copy the commands into Terminal. IT FLIPPING WORKED and I am so proud of myself - but more so I am grateful to @tacoma for taking the time to post his comment. 👍

I actually have MalwareBytes and think it is brilliant.  But if the weknow is a malware, why isn't this being picked up when my MalwareBytes does its regular scans ?!?  ☹️

Thank you so much @tacoma   I have now decided that I will learn more about using the Terminal 😁

