How To Remove Malware (macOS)

The weknow malware is malicious software: a program that can hurt your Mac. This particular malware is a fake search engine. It may look innocent, but it records your activity without your permission. It was probably installed on your computer via a fake Adobe Flash update. It targets Safari, Mozilla Firefox, and Google Chrome. It operates by hijacking your browser settings and then changing your default search engine without your participation.

If you have this, you should definitely remove it. This article explains how you can uninstall the malware.

How to remove

Before we continue, please do not trust the fake Adobe Flash Player installer pop-up:

[Image: fake Adobe installer]

Please pay special attention to what you install, and read carefully what is being installed, as you can see below. It is not easy to completely remove this, but it is possible.

[Image: installer]

Steps:

Please follow the steps below to switch the hijacked default search engine in your browser (Chrome or Safari) back to your default search engine (e.g., Google or Bing):

During the steps, please note that if you see these names anywhere (MacSaver, MacVX, MacVaX, MacCaptain, MacPriceCut, SaveOnMac, Mac Global Deals or MacDeals, MacSter, MacXcoupon, Shop Brain, SShoP Brain, PalMall, MacShop, MacSmart, News Ticker Remover, Shopper Helper Pro, Photo Zoom, Best YouTube Downloader, ArcadeYum, Extended protection, Video download helper, FlashFree, GoldenBoy, Genieo, Inkeeper, InstallMac, CleanYourMac, MacKeeper, SoftwareUpdater), remove them.

1-Remove the profile. Here is how:

  1. On your Mac, open System Preferences (click the System Preferences icon in the dock)
  2. Click Profiles
  3. Select AdminPrefs
  4. Delete this profile (AdminPrefs) by pressing the minus icon.
  5. Now delete search engine settings:
    1. Chrome: chrome://settings/searchEngines
    2. Safari: Safari > Preferences > Search

2-Delete anything related. Move any suspicious apps to the Trash folder. Look for recently added apps.

  1. Open the Applications folder
  2. Delete anything related, and also look for “MPlayerX”, “NicePlayer” and other suspicious apps.
  3. Empty Trash

3-Remove the weknow addon

  1. Safari: Safari > Preferences > Extensions > Locate the extension and remove it
  2. Google Chrome: Go to chrome://extensions/ and find the addon and remove it.
  3. Firefox: Go to about:addons and remove the addon.

4-Delete weknow files:

  1. Go > Go to Folder (or press Shift + Cmd + G)
  2. Enter /Library/LaunchAgents and click Go
  3. Look for suspicious files such as “installmac.AppRemoval.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist” and “com.avickUpd.plist”. Some other names you should look for: Genieo, Inkeeper, InstallMac, CleanYourMac, MacKeeper, SoftwareUpdater, MplayerX, NicePlayer. If you see any of them, drag them to the Trash folder and then empty the Trash.
  4. And now repeat the same process on the following folders:
    1. /Library/Application Support
    2. /Library/LaunchDaemons
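
The search in step 4 can also be run from Terminal. The script below is an added example, not part of the original article: it only lists entries in the three folders whose names contain one of the strings named in step 4, so each hit can be reviewed before it goes to the Trash. The function names and the case-insensitive substring matching are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Read-only: it lists
# candidates for review and never moves or deletes anything.

# Strings named in step 4 of the article, one per line.
SUSPECT_NAMES='installmac.AppRemoval
mykotlerino.ltvbit
kuklorest.update
com.avickUpd
Genieo
Inkeeper
InstallMac
CleanYourMac
MacKeeper
SoftwareUpdater
MPlayerX
NicePlayer'

# scan_dir DIR: print the path of every top-level entry in DIR (hidden ones
# included) whose name contains a suspect string, ignoring case.
# A missing or unreadable folder prints nothing.
scan_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        # Skip the literal pattern left behind when a glob matches nothing.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # grep -F treats each line of SUSPECT_NAMES as a fixed string.
        if printf '%s\n' "$name" | grep -qiF -e "$SUSPECT_NAMES"; then
            printf '%s\n' "$entry"
        fi
    done
}

# scan_all DIR...: run scan_dir over each folder in turn.
scan_all() {
    for folder in "$@"; do
        scan_dir "$folder"
    done
}

# With no arguments, check the three folders from step 4.
[ "$#" -gt 0 ] || set -- /Library/LaunchAgents \
    "/Library/Application Support" /Library/LaunchDaemons
scan_all "$@"
```

A match is a lead to inspect, not proof: open the file and check what it launches before deleting it.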

5-If your browser is Chrome and you are still having the problem, follow the steps below to change some Chrome policies:

  1. Open the Terminal app (Go > Utilities > Terminal or press Command+Space and search Terminal)
  2. Enter the commands below, hit Enter after each
  3. defaults write com.google.Chrome HomepageIsNewTabPage -bool false
  4. defaults write com.google.Chrome NewTabPageLocation -string ""
  5. defaults write com.google.Chrome HomepageLocation -string ""
  6. defaults delete com.google.Chrome DefaultSearchProviderSearchURL
  7. defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
  8. defaults delete com.google.Chrome DefaultSearchProviderName
  9. Restart Chrome
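
To see whether step 5 took effect, the same six keys can be read back. The script below is an added example, not part of the original article; it assumes com.google.Chrome is Chrome's preferences domain, and the function names are made up for this example. It changes nothing.

```shell
#!/bin/sh
# Added example (not from the original article). Read-only check of the
# Chrome settings that step 5 writes or deletes.

# Assumption: com.google.Chrome is Chrome's preferences domain on macOS.
CHROME_DOMAIN=com.google.Chrome

# Keys that step 5 rewrites, and keys that step 5 deletes.
WRITTEN_KEYS='HomepageIsNewTabPage NewTabPageLocation HomepageLocation'
DELETED_KEYS='DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL DefaultSearchProviderName'

# show_key KEY: print "KEY = value" and return 0 if the key is set,
# print "KEY (not set)" and return 1 otherwise.
show_key() {
    if value=$(defaults read "$CHROME_DOMAIN" "$1" 2>/dev/null); then
        printf '%s = %s\n' "$1" "$value"
    else
        printf '%s (not set)\n' "$1"
        return 1
    fi
}

# audit_chrome_keys: report all six keys. Returns 0 only when none of the
# DefaultSearchProvider* keys from step 5 is still present.
audit_chrome_keys() {
    leftover=0
    for key in $WRITTEN_KEYS; do
        show_key "$key" || true
    done
    for key in $DELETED_KEYS; do
        if show_key "$key"; then
            leftover=$((leftover + 1))
        fi
    done
    [ "$leftover" -eq 0 ]
}

# Run only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    audit_chrome_keys || echo "Search-provider override still present: $leftover key(s)"
fi
```

Run it before and after step 5 and compare the output.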

Please note that the developers behind this malware are very sneaky and will likely develop it further, which means that these tips may not work in the near future. We will try to keep this post updated.

You may also want to install and run MalwareBytes.

Dr. Serhat Kurt worked as a Senior Technology Director. He holds a doctoral degree (or doctorate) from the University of Illinois at Urbana / Champaign and a master’s degree from Purdue University. Here is his LinkedIn profile.


100 thoughts on “How To Remove Malware (macOS)”

  1. Best article on how to get rid of – thank you! Explaining where this virus could hide, how to access terminal (it’s on your computer – not the browser), and providing the new commands was very helpful. Thank you.

  2. I am unable to find admin or profiles. Is me as administrator the same thing? And, do I need to get rid of Chrome and gmail, as well as Google?

  3. Thank you so much!!! The terminal commands are the only thing that worked for me. I’ve been trying to get rid of Weknow for so long now.

  4. Thank GOD!! YOU SAVED ME. I HAD LEFT MY MAC FOR 1 YEAR BECAUSE OF WEKNOW. I tried your way and now it works. Thank you for helping me get rid of that da*n thing.

  5. When putting in the commands into Terminal I receive a line that says ” Domain ( not found. ” so they don’t seem to be working. When I open google Chrome it goes correctly to Google search engine, and when searching in the address bar, however it still says “Your browser is managed by your organization” when I look at my settings in Google Chrome, which tells me something bad is still there… I already deleted the “profiles” too. I just want to remove “Your browser is managed by your organization” properly!! Help please!!

  6. I had this malware last year & it took half a dozen Apple support calls to get rid of it. Then my MacBook went down & they wiped it during the repair. When I got it back & restored it from backup weknow was back. This time, when I called Apple they tried to tell me they can’t “support” Chrome. When I insisted & escalated to a supervisor, he had me do the simplest thing imaginable: shut down & reboot in “Safe” mode. When it was gone there, we restarted, et voila: gone! Try it! He also said Catalina may help prevent that, so backup after you get rid of it & upgrade.

    • Glad that worked for ya. I have been to the Apple Store in the Domain, Austin, TX, 12 times so far. They remove it and it comes back before I make it home, and I don’t even open the Mac from the store to the house!!

  7. It worked!!!
    I’ve had this virus install itself multiple times every time I logged out. Thanks so much for the help because it’s gone now, and I recommend these instructions to anyone who has the problem. Surely Weknow should be illegal?
    Thanks again!

  8. How do you find “profiles” in system preferences? I have a Mac and I am using High Sierra. I cannot find “profiles” anywhere on my system

  9. Hi. These tips did not help. In my case weknow has become the organization manager of my Chrome. I am locked out of deleting profiles. I’ve uninstalled Chrome, I tried tip 5, I could not find the folders /Library/LaunchAgents etc. Shift, Command, G did not work, but I tried to find it using the search in Finder and it returned no results. The first 3 steps were not on my Mac as well.

    • I found the library. On my Mac it’s just LIB
      I went through the steps to look and remove files. I decided to delete all files related to chrome.

  10. Thank you so much…the terminal commands finally did the trick. You people are awesome for posting these instructions!

  11. Please help! I did all the steps and cleaned my computer with two malware cleaners. I’m still having issues. What more can I do? I have spent hours trying to remove weknow from my Mac and nothing has worked.

  12. I tried to remove via the terminal [see YouTube video] but that did not remove all of the malware from my computer. This guidance was immediately helpful!

  13. I was possessed by weknow, and it had given my standalone Mac an administrator. I deleted the AdminPrefs profile from my profile and ran the terminal scripts. I could never find hide nor hair of weknow on my system; it must be hiding as something else. Two things remain: Chrome still thinks it is managed by my organization, and my system preferences no longer has a profiles tab. Neither of these is a problem . . . yet!

    Many thanks for this article!!

  14. Removing these policies from the command line was the only thing that worked! I had trouble finding the specific files within my computer that were causing the problems; I was not able to delete them as a result. This helped me locate and delete them easily. I would suggest deleting all preferences rather than rewriting them. Also, check chrome://policy to see which ones are actually affecting your browser; they varied for me.

    Thank you!

  15. Thanks a lot! Thanks a ton! Thank you so much! I love you mate….
    You’re the lifesaver. This weknow has completely fu***d up the system.

    Thank you thank you thank you…

    Even this is not enough to thank you…

  16. Just want to update everyone, this worked for me today. So the assholes haven’t created a work around as of June 9, 2019

  17. I followed directions and reset my browser but see that weknow installation deleted my Safari admin profiles in System Preferences [suggestions as to how to get this back?] and in Chrome weknow changes admin control and I don’t know what permanent effect this will have. Any updates?! Thanks for this post.

  18. After many hours(!) of unsuccessful attempts to remove this persistent malware, these hints have finally helped. Thank you!

  19. Remarkable, and thank you! I was able to flush out the WeKnow thing from Safari previously, but could not remove it from Google Chrome. The malware was stuck in my Chrome policies. I had tried numerous remedies found on other websites, but this guidance–particularly No. 5–was what I needed to remove it from my system once and for all.

  20. I tried to follow the instructions to delete weknow from safari but I’m not able to delete the admin profiles. When I try to delete the admin profiles I get a pop up window my user ID is entered and it’s asking for a password. How can I get past that pop up window so I can delete the profiles? Thank you.

  21. Pls help, I ran the cmds in Terminal, and did all of the steps, and now when I try to open up a new tab, it is all blank, and in the search bar it says “about:blank”. I tried everything, including changing the Chrome settings to redirect “about:blank” to “chrome://newtab” and “”. Respond quickly :))) I need this
    -Garfield Starr

  22. There is no profile listed under system preferences, there is no add-on or extension, there’s none of those listed in step 4 and step 5 I don’t understand. Am I supposed to start typing after it says “defaults write”? Or am I supposed to type that part too? I have malwarebytes installed and it’s not detecting anything. I spent 2 hours on the phone with apple today and they couldn’t even find it to remove it. They said it’s only attacking google chrome so the best thing I can do is uninstall google chrome and just use safari… please help me remove this nightmare

    • I found it under System Preferences -> Profiles. If you look at the code, you can see references to weknow so you can safely delete them.

  23. To reset safari homepage :

    Quit safari. Finder -> Go to *press tab key* Library /

    Go to Keychains. Move keychain-2.db to bin. Empty bin. Relaunch safari.

  24. Trying all sorts of things to fix the browsers and this finally worked for google chrome. Hope it still isn’t lurking somewhere! Thank you

  25. OMG! I accidentally downloaded the “Java Flash” file because I typed in I thought I went to the correct website for the euro train but apparently was so dead wrong!

    This page and the malware bytes were the only things that helped get my google search engine back up! I couldn’t find any of the files myself so I hope this all worked and will not cause any further issues.

  26. Serhat, my friend: Big thanks for sharing your fix! Like others before me I tried multiple approaches for clearing a similar PUP/adware from MacPro Cleaner (which came from my careless Flash Player update). Malware Bytes and EtreCheck seem to have spotted and quarantined most of the bad stuff, but I was left with a hijacked/redirected Chrome home page called Search Operator, which acts much like Now I just have to figure out why my Chrome browser is still “managed.”

    • Mine is still showing that Chrome is managed too! I don’t know how to get this part off but it is really irritating. If you find a fix, please let me know!

    • Hi, same thing happened to me. What did you do next for the to be your homepage? Or did you just leave it as about blank?

  27. Thanks a lot!!! This really helped … but unfortunately, now I get blank when I open Chrome. … no more going to any search engine like google …?

  28. Hopefully I got rid of it all with your instructions for my MacPro. I got the malware from a Flash Player download pop-up that I thought was legit. As soon as I hit download I knew something wasn’t right, but didn’t know what happened till I saw the weknow website opening when I went onto the internet, and it sorta tries to look like a Google webpage.

  29. Thanks a million … Now WE KNOW 😉

    A. suggestion :
    1-Remove the profile. Here is how:
    …5) Now delete search engine settings:
    Chrome: chrome://settings/searchEngines
    Safari: Safari > Preferences > Search
    [weknow didn’t show here but when i clicked on (MANAGE WEBSITES) it was right there and i could remove it, so you could perhaps add the following to your instructions :

    Safari: Safari > Preferences > Search >Manage Websites > weknow > remove

    B. Considering the malware could have come through a fake Adobe flash player upgrade, is there anything to search for and delete on that end ? like delete Adobe Flash player and reinstall ?

  30. Part number 5 was especially efficient for me, as the problem was only with Chrome. The 4 other points were not useful at all.
    Thanks a lot !

  31. I am just speechless with tears of joy in my eyes! I cannot thank you enough. For a relatively nontechnical person, this was an amazing gift to empower me to know that with the support of generous people like yourself, I can do it! Thank you immensely! It worked!!!

  32. It was hiding as MPlayerX this time! My only problem is that after following the instructions in step 5 for the Terminal commands, the search engine is finally gone but now my new tab page is an about blank page and not the standard new tab page for Chrome.

  33. Thank you! I was able to save a teacher’s mac book and will be able to help others with this instruction.

    • I don’t think there is a need to put it back on, after you delete all the fake weknow admin profiles, you don’t need to use the pane anymore.

  34. Thank you, also after you do all of those steps go back and make google ur search engine and remove since it will still be there.

  35. Thank you, also after you do all of those steps go back and make google ur search engine and remove since it will still be there.

  36. Yes I followed the steps diligently and it worked. Thank you a million times. Weknow is quite an insidious malware. Aren’t some people really mean to their fellow humans.

  37. 2019 February 17th- after getting the WeKnow Malware (fake Search Engine) when i rushed through a FlashPlayer update Pop-Up…i Finally got rid of it following these Steps..Thanks to Serhat Kurt’s instructions here.
    Still can’t believe it worked using my very mediocre computer skills.
    THANKS again!

  38. Thanks for instruction.

    I did all step by step, but problems were not solved completely yet on Safari. I re-installed OS, but still some problems. Cannot show menu tool bar in local language, even though system setting was appropriately done.

    Another problem is disable of password auto-fill function on Safari.

    For Google Chrome, everything is fine now after re-installation of OS and Chrome app.

  39. Thank you thank you thank you!

    I don’t have “profiles” in my System Preferences (older OS or something I guess), but the Terminal commands you gave seem to have done it.

    Finally banished this criminal malware, after trying so many other things that didn’t work!

  40. Similar to many who have commented, this is the only thing that actually works. I had to follow all of the steps, and even though I didn’t find any sketchy Library files, checking to make sure of that is part of the process it seems. Seriously f weknow.

  41. I’ve never seen something this insidious on a Mac before. MalwareBytes wasn’t able to clean all of this mess up. Thanks to this page for the final piece of the puzzle. AFAIK I got everything.

    Note: change the fancy quotes to straight quotes in the terminal or you may end up with headaches.

    Step to solve the issue:

    #1 Run Malware Bytes
    #2 Follow instructions on this page.
    #3 Go into System Preferences > Security and Privacy and set Allow apps downloaded from App Store

  42. After searching the internet for a week and trying everything to remove, I followed your steps carefully and finally got rid of it. All other sites were simply incomplete. Thank you a thousand times!

  43. This is the only thing that helped, I have no way to be sure that this crap is not lurking in the background though… Thanks a lot guys!

    • it won’t give me the option to delete
      I have searched my Mac for it, but it is nowhere in my files. But, when I open my Google Chrome browser, it still opens to

      • I had already clobbered the AdminPrefs profile (two of them!) and the files in /Library/whatever and ~/Library/whatever, and I tried Chrome’s “Restore settings to original defaults”, but my Chrome was stubbornly pointing at we know until I did that series of “defaults” commands. Try those.

        • just open system preferences look for an icon named profile.
          open the profile
          whatever accounts you see in it just remove it by hitting the – sign on the bottom left corner
          now remove chrome and reinstall it will be wiped out.

    • Thanks a lot! I’ve been trying for ages to delete this we know malware… This is the only thing that helped it.

