tacoma

Remove SMART SEARCH and weKnow.ac Malware virus from Chrome on Macbook Mac

I think this was installed by a fake Adobe FLASH installer.
 
I removed most of it myself, but I could not get rid of this problem with Chrome: If I started Chrome and then killed all the open tabs, what was left was a Chrome window that had a search box in the middle of the Chrome window. Above the search box it said SEARCH in Google colors, below the search box was a button that said SMART SEARCH. If you clicked on the button, it brought you to a weKnow.ac website, which looked like this picture: https://www.pcrisk.com/images/stories/screenshots201802/chumsearch-com-hijacker-main2.jpg (or see attached pic)
Also on that SEARCH page it kept showing ads for things like MacKeep, etc.
 
I tried many procedures from many different websites to no avail. I tried resetting Chrome, re-installing Chrome, setting Chrome's home page and search providers, removing files from various locations, etc, etc. Many websites recommended using COMBO CLEANER for MAC or FRESHMAC remover tools, but I was not able to find trustworthy reviews on those pay-for-removal tools. I did install and run Malwarebytes for MAC; it did find and remove some things, but it did not fix this issue.
 
The only way I was able to un-install or remove the SMART SEARCH and weKnow.ac malware virus from Chrome on Macbook Mac iOS was to do this from: https://discussions.apple.com/thread/8534513
 
"weknow.ac" changes a group of Chrome policies so as to set a new default homepage, new tab behavior, etc. You can see your current Chrome policies by typing chrome://policy/ into your URL bar. If you're infected, it should be very obvious as the half-dozen or so policies changed by weknow will be displayed.
 
Use the command line to delete / modify the affected policies. You do this by opening up "Terminal" and copying and pasting each of the following entries below. I did each one at a time. I copied and pasted the first line and then hit enter and then went to the next until I had finished all 6 below:
 
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
 
Quit Chrome and restart it and voila the virus will be gone. I tried everything and 3 phone calls with Apple and this was the only thing that worked.


Thank you, thank you tacoma for this helpful advice! About a month ago, my laptop browser was hijacked, and, instead of the Google Chrome browser, all that came up was the Smartsearch screen you displayed above. We ran various anti-malware, anti-virus programs including Malwarebytes to no avail. We tried "nuking Chrome" as described above but that didn't work either. We paid a tech expert $80 to remove it, and it seemed to work for a few hours until the "weKnow" search took over again. I was thinking of just buying a new laptop, when I found this thread and followed your directions for changing the Chrome policies through terminal. Finally, problem solved! Can't thank you enough!


I'm glad you were able to solve your problem, but I'm really puzzled as to why "nuking Chrome" didn't accomplish the same thing. One of the steps was to delete 

~/Library/Preferences/com.google.Chrome.plist

which should have removed all those settings, allowing Chrome to establish default values when it was re-installed.

Perhaps someone with a sample of the malware that caused all this could help explain why that would not have worked for you.


Thanks for the reply alvarnell. We actually couldn't find any listings for Chrome in the Library Preferences folder on our MacBook Pro. If we'd been able to locate and delete the item above, that might have solved the problem also. 


Ah, that would explain it. You must have been looking in the wrong /Library/Preferences/ folder. The "~" indicates that it's the current user's Library, which is often invisible in recent versions of macOS. To get to it you must hold the Option (sometimes labeled Alt) key down and select Library from the Finder's Go menu.
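Added example, not part of any post in this thread: a read-only audit of the six com.google.Chrome keys named in the first post, run against the plist file discussed in the later replies, so the settings can be checked before and after the `defaults` commands. The function names, the allow-list of hosts and the host `search.hijacker.example` in the sample are assumptions made for illustration.

```python
import os
import plistlib
from urllib.parse import urlsplit

# The six com.google.Chrome keys that the post's `defaults` commands reset or delete.
POLICY_KEYS = (
    "HomepageIsNewTabPage", "NewTabPageLocation", "HomepageLocation",
    "DefaultSearchProviderSearchURL", "DefaultSearchProviderNewTabURL",
    "DefaultSearchProviderName",
)
URL_KEYS = {"NewTabPageLocation", "HomepageLocation",
            "DefaultSearchProviderSearchURL", "DefaultSearchProviderNewTabURL"}
ALLOWED_HOSTS = {"www.google.com"}  # assumption: hosts this user expects to see
USER_PLIST = "~/Library/Preferences/com.google.Chrome.plist"  # path from the thread

def audit_chrome_prefs(plist_bytes, allowed_hosts=ALLOWED_HOSTS):
    """Return (key, value, status) for each of the six keys present in the plist."""
    prefs = plistlib.loads(plist_bytes)  # auto-detects XML and binary plists
    findings = []
    for key in POLICY_KEYS:
        if key not in prefs:
            continue
        value = prefs[key]
        if key in URL_KEYS:
            host = urlsplit(str(value)).hostname or ""
            status = "ok" if host in allowed_hosts else "suspicious"
        else:
            status = "review"  # not a URL: a person has to judge the value
        findings.append((key, value, status))
    return findings

def audit_path(path=USER_PLIST):
    """Audit a plist on disk; None means the file does not exist."""
    full = os.path.expanduser(path)  # "~" is the current user's home, not /Library
    if not os.path.isfile(full):
        return None
    with open(full, "rb") as fh:
        return audit_chrome_prefs(fh.read())

# Constructed sample: a hijacked preferences file, stored as a binary plist.
SAMPLE_HIJACKED = plistlib.dumps({
    "HomepageIsNewTabPage": True,
    "NewTabPageLocation": "https://search.hijacker.example/",
    "HomepageLocation": "https://search.hijacker.example/",
    "DefaultSearchProviderSearchURL": "https://search.hijacker.example/?q={searchTerms}",
    "DefaultSearchProviderNewTabURL": "https://search.hijacker.example/",
    "DefaultSearchProviderName": "Smart Search",
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    found = audit_path()
    for key, value, status in (found if found is not None else audit_chrome_prefs(SAMPLE_HIJACKED)):
        print(f"{status:10} {key} = {value!r}")
```

The script only reads the file; any change is still made with the `defaults` commands from the first post.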