tacoma

Remove SMART SEARCH and weKnow.ac Malware virus from Chrome on Macbook Mac


I think this was installed by a fake Adobe FLASH installer.
 
I removed most of it myself, but I could not get rid of this problem with Chrome: If I started Chrome and then killed all the open tabs, what was left was a Chrome window that had a search box in the middle of the Chrome window. Above the search box it said SEARCH in Google colors, below the search box was a button that said SMART SEARCH. If you clicked on the button, it brought you to a weKnow.ac website, which looked like this picture: https://www.pcrisk.com/images/stories/screenshots201802/chumsearch-com-hijacker-main2.jpg (or see attached pic)
Also on that SEARCH page it kept showing ads for things like MacKeep, etc.
 
I tried many procedures from many different websites to no avail. I tried resetting Chrome, re-installing Chrome, set Chrome's home page and search providers, remove files from various locations, etc, etc. Many websites recommended to use COMBO CLEANER for MAC or FRESHMAC remover tools but I was not able to find trustworthy reviews on those pay-for-removal tools. I did install and run Malwarebytes for MAC, it did find and remove some things, but it did not fix this issue.
 
The only way I was able to uninstall or remove the SMART SEARCH and weKnow.ac malware virus from Chrome on Macbook Mac iOS was to do this from: https://discussions.apple.com/thread/8534513
 
"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.
 
Use the command line to delete / modify the affected policies. You do this by opening up "Terminal" and copying and pasting each of the following entries below. I did each one at a time. I copied and pasted the first line and then hit enter and then went to the next until I had finished all 6 below:
 
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
 
Quit Chrome and restart it and voila the virus will be gone. I tried everything and 3 phone calls with Apple and this was the only thing that worked.

chumsearch-com-hijacker-main2.jpg
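
Added example (not code from any poster in this thread): a read-only check that parses a Chrome preferences plist, such as the ~/Library/Preferences/com.google.Chrome.plist file mentioned later in the thread, and reports the six keys that the commands above reset or delete. The sample plist, the host hijack.example, the expected-host list and the function name are constructed assumptions.

```python
import pathlib
import plistlib
import sys
from urllib.parse import urlparse

# The six Chrome policy keys touched by the `defaults` commands in the post.
HIJACK_KEYS = (
    "HomepageIsNewTabPage",
    "NewTabPageLocation",
    "HomepageLocation",
    "DefaultSearchProviderSearchURL",
    "DefaultSearchProviderNewTabURL",
    "DefaultSearchProviderName",
)
# Assumption: the only host the user expects to see in these settings.
EXPECTED_HOSTS = frozenset({"www.google.com"})

# Constructed sample mimicking a hijacked preferences file (not real malware data).
SAMPLE = plistlib.dumps({
    "HomepageIsNewTabPage": True,
    "HomepageLocation": "https://hijack.example/home",
    "NewTabPageLocation": "https://www.google.com/",
    "DefaultSearchProviderSearchURL": "https://hijack.example/s?q={searchTerms}",
    "DefaultSearchProviderName": "Smart Search",
    "SomeUnrelatedSetting": 1,
})

def audit_chrome_prefs(plist_bytes, expected_hosts=EXPECTED_HOSTS):
    """Return {key: (value, verdict)} for each of the six keys that is present."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    findings = {}
    for key in HIJACK_KEYS:
        if key not in prefs:
            continue
        value = prefs[key]
        verdict = "set"  # non-URL values (names, booleans) need a manual look
        if isinstance(value, str) and "://" in value:
            host = urlparse(value).hostname or ""
            verdict = "expected" if host in expected_hosts else "unexpected-host"
        findings[key] = (value, verdict)
    return findings

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    data = (pathlib.Path(sys.argv[1]).expanduser().read_bytes()
            if len(sys.argv) > 1 else SAMPLE)
    for key, (value, verdict) in audit_chrome_prefs(data).items():
        print(f"{verdict:16} {key} = {value!r}")
```

Nothing is written or deleted, so the check can be run before and after the six commands to confirm which values changed.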


Thank you, thank you tacoma for this helpful advice! About a month ago, my laptop browser was hijacked, and, instead of the Google Chrome browser, all that came up was the Smartsearch screen you displayed above. We ran various anti-malware, anti-virus programs including Malwarebytes to no avail. We tried "nuking Chrome" as described above but that didn't work either. We paid a tech expert $80 to remove it, and it seemed to work for a few hours until the "weKnow" search took over again. I was thinking of just buying a new laptop, when I found this thread and followed your directions for changing the Chrome policies through terminal. Finally, problem solved! Can't thank you enough!


I'm glad you were able to solve your problem, but I'm really puzzled as to why "nuking Chrome" didn't accomplish the same thing. One of the steps was to delete 

~/Library/Preferences/com.google.Chrome.plist

which should have removed all those settings, allowing Chrome to establish default values when it was re-installed.

Perhaps someone with a sample of the malware that caused all this could help explain why that would not have worked for you.


Thanks for the reply alvarnell. We actually couldn't find any listings for Chrome in the Library Preferences folder on our MacBook Pro. If we'd been able to locate and delete the item above, that might have solved the problem also. 


Ah, that would explain it. You must have been looking in the wrong /Library/Preferences/ folder. The "~" indicates that it's the current user's Library which is often invisible in recent versions of macOS. To get to it you must hold down the Option (sometimes labeled Alt) key down and select Library from the Finder's Go menu.


I literally just had the same exact issue, and could only fix it by wiping the user account and starting a new one. This is not just a Chrome issue--Safari (but not Firefox) was infected. I was very surprised that MWB didn't successfully clean this issue. So, the above suggestions are clearly helpful for Chrome, but I suspect there is more going on here under the hood if Safari is also affected.


I had this problem as well last night.  I have a cold and mistakenly installed a fake Adobe Flash Player (something I normally would never have done...) on my MacBook Air. I am attaching some screenshots here that are not in the above posts, so that if someone else is trying to fix their computer, they will know they are on the right track.

If I had stopped to check the Custom Installation options of this fake Adobe Flash Player, I would have noticed something was wrong.  It was installing things called MyShopcoupon, WeKnow, and Mac Cleanup Pro:

[Attached screenshot]

Since I didn't check the Custom Install options, though, my first clue was only when the installer opened a Terminal script window while the installation was in progress. Then when I opened up Chrome and Safari, they were both taken over by new home pages and weird search engines. In Chrome, it was as shown in the original post - where Google is normally written on the Google homepage, instead the word "search" appeared with the letters in Google colors, and with a button for "Smart Search" below it.

I first installed Malwarebytes. It found some bad files that it quarantined that were part of the MyShopcoupon mess, and then required a restart. After restarting though, Safari and Chrome were both still hijacked. I then searched a bunch and eventually found this thread. Thanks a bunch to you guys here for the good advice!

I entered the six lines into Terminal as suggested by the original poster (tacoma). It didn't fix the problem with the hijacked browsers, but I still think they were good measures to take. I then followed the link in Alvarnell's post above, which led to a post in this forum by Treed entitled "How to remove WeKnow malware (and others)". This was extremely helpful. Be sure to also follow the link in this post to remove fake profiles that are installed, as well. Here is what the fake profiles looked like on my laptop, when I opened System Preferences and then Profiles (Normally the Profiles icon is not even listed in System Preferences on my laptop. This Malware had just created two new profiles - one each that modified Safari and Chrome, which you can see if you scroll down to the "DETAILS" section). Then I selected each of them and clicked on the minus sign to remove each one. Here are screenshots showing what the two bad profiles looked like:

[Attached screenshot]

[Attached screenshot]

I then followed the rest of the instructions in Treed's post for cleaning up Safari and Chrome. I mostly use Chrome, so I first exported my bookmarks before deleting Chrome, so they wouldn't get erased. I restarted my laptop, imported the bookmarks and everything looks good so far! I am appreciative of this forum and all of its great advice. I waded through a lot of junk and ineffective advice to remove this malware before finding this post. A lot of the bad advice included instructions to install other programs to remove the malware. Some Google searching revealed that these programs are themselves malware. Fortunately I knew enough to not install programs like that, or I would next be searching forums to figure out how to remove the new malware!

I still worry a little whether there are lingering files or spyware, even though everything looks back to normal (probably an irrational fear).  I would be curious to hear from others that have followed the same steps, about whether their computer has remained totally clean after employing the fixes above.


Hi @tacoma! I tried your steps to solve this annoying situation. However, I don't see the command line you're referring to. Is this the screen you see? Could you provide any insight?

Screen Shot 2019-01-11 at 11.04.49 PM.png


As @tacoma explained, you need to open the Terminal application, found in /Applications/Utilities/, then copy and paste each of the 6 commands listed and hit return, one line at a time, to make changes to the Chrome policies. I suppose you might be able to change them using the Chrome interface you have shown, but that's not what is being recommended here.
