How To Remove Weknow.ac Malware (macOS)
Weknow.ac is malware (malicious software): a program that can harm your Mac. This particular malware is a fake search engine (www.weknow.ac). It may look innocent, but weknow.ac records your activity without your permission. It is probably installed on your computer via a fake Adobe Flash update. It targets Safari, Mozilla Firefox, and Google Chrome. It hijacks your browser settings and changes your default search engine to https://www.weknow.ac without your participation.
If you have this, you should definitely remove it. This article explains how you can uninstall the weknow.ac malware.
How to remove weknow.ac
Before we continue, please do not trust the fake Adobe Flash Player installer pop-up.
Please pay special attention to what you install, and read carefully what is being installed. It is not easy to completely remove this, but it is possible.
Please follow the steps below to switch the hijacked default search engine in your browser (Chrome or Safari) back to your default search engine (e.g., Google or Bing):
During the steps, please note that if you see these names anywhere (MacSaver, MacVX, MacVaX, MacCaptain, MacPriceCut, SaveOnMac, Mac Global Deals or MacDeals, MacSter, MacXcoupon, Shop Brain, SShoP Brain, PalMall, MacShop, MacSmart, News Ticker Remover, Shopper Helper Pro, Photo Zoom, Best YouTube Downloader, ArcadeYum, Extended protection, Video download helper, FlashFree, GoldenBoy, Genieo, Inkeeper, InstallMac, CleanYourMac, MacKeeper, SoftwareUpdater), remove them.
1-Remove the weknow.ac profile. Here is how:
- On your Mac, open System Preferences (click the System Preferences icon in the dock)
- Click Profiles
- Select AdminPrefs
- Delete this profile (AdminPrefs) by pressing the minus icon.
- Now delete search engine settings:
- Chrome: chrome://settings/searchEngines
- Safari: Safari > Preferences > Search
2-Delete weknow.ac. Remove anything related to weknow.ac. Move any suspicious apps to the Trash folder. Look for recently added apps.
- Open the Applications folder
- Delete Weknow.ac or Weknow.ac.app. Also look for “MPlayerX” and “NicePlayer”, and for any other suspicious apps.
- Empty Trash
3-Remove the weknow addon
- Safari: Safari > Preferences > Extensions > Locate the weknow.ac extension and remove it
- Google Chrome: Go to chrome://extensions/ and find the weknow.ac addon and remove it.
- Firefox: Go to about:addons and remove the addon.
4-Delete weknow files:
- Go > Go to Folder (or press Shift + Cmd + G)
- Enter /Library/LaunchAgents and click Go
- Look for suspicious files such as “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, “com.aoudad.net-preferences.plist”, “com.myppes.net-preferences.plist”, “com.kuklorest.net-preferences.plist”, and “com.avickUpd.plist”. Other names to look for are Genieo, Inkeeper, InstallMac, CleanYourMac, MacKeeper, SoftwareUpdater, MplayerX, and NicePlayer. If you see any of them, drag them to the Trash folder and then empty Trash.
- And now repeat the same process on the following folders:
- /Library/Application Support
- /Library/LaunchDaemons
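The check in step 4, as an added example that is not part of the original article: a shell function that lists entries in the three folders whose names contain one of the names given above. Matching by case-insensitive substring and the script name scan_weknow.sh are assumptions; the script only lists candidates for manual review and deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original article: list entries in the step 4
# folders whose names contain one of the names the article says to look for.
# Assumption: case-insensitive substring matching on the file or folder name.
# It only prints candidates for manual review; nothing is deleted.

# Names taken from steps 2 and 4 of the article, lower-cased.
WEKNOW_NAMES="weknow installmac myppes mykotlerino kuklorest aoudad avickupd \
genieo inkeeper cleanyourmac mackeeper softwareupdater mplayerx niceplayer"

scan_dirs() {
    # Usage: scan_dirs DIR...
    # Prints one matching path per line.
    # Returns 0 if at least one entry matched, 1 if none did.
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # folder may not exist on this Mac
        for path in "$dir"/* "$dir"/.[!.]*; do
            # An unmatched glob stays literal, so skip paths that do not exist
            # (but keep dangling symlinks, which -e reports as missing).
            [ -e "$path" ] || [ -L "$path" ] || continue
            name=$(basename "$path" | tr '[:upper:]' '[:lower:]')
            for pat in $WEKNOW_NAMES; do
                case "$name" in
                    *"$pat"*)
                        printf '%s\n' "$path"
                        found=0
                        break
                        ;;
                esac
            done
        done
    done
    return "$found"
}

# Run as: sh scan_weknow.sh --scan   (hypothetical script name)
if [ "${1:-}" = "--scan" ]; then
    scan_dirs /Library/LaunchAgents /Library/LaunchDaemons \
        "/Library/Application Support" \
        || echo "No entries with the listed names were found."
fi
```

A match is only a name match: review each listed path before dragging it to the Trash.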
5-If your browser is Chrome and you are still having the problem, follow the steps below to change some Chrome policies:
- Open the Terminal app (Go > Utilities > Terminal or press Command+Space and search Terminal)
- Enter the commands below, hit Enter after each
- defaults write com.google.Chrome HomepageIsNewTabPage -bool false
- defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
- defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
- defaults delete com.google.Chrome DefaultSearchProviderSearchURL
- defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
- defaults delete com.google.Chrome DefaultSearchProviderName
- Restart Chrome
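To verify the result of step 5, here is an added example that is not part of the original article: a shell function that reads the text printed by `defaults read com.google.Chrome` and reports which of the six keys above are still set, flagging values that mention weknow. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: report which of the six
# Chrome keys from step 5 are still set, and flag values that mention weknow.
# Input is the text printed by `defaults read com.google.Chrome`.

STEP5_KEYS="HomepageIsNewTabPage NewTabPageLocation HomepageLocation \
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL \
DefaultSearchProviderName"

check_chrome_prefs() {
    # stdin:  output of `defaults read com.google.Chrome`
    # stdout: "HIJACKED key = value" or "SET key = value" for each step 5 key
    # return: 0 if no step 5 key mentions weknow, 1 otherwise
    hit=0
    while IFS= read -r line; do
        # Top-level entries are printed as:    Key = value;
        key=$(printf '%s\n' "$line" |
              sed -n 's/^[[:space:]]*\([A-Za-z]*\) = .*;$/\1/p')
        [ -n "$key" ] || continue
        case " $STEP5_KEYS " in
            *" $key "*) ;;
            *) continue ;;                 # not one of the step 5 keys
        esac
        # Strip "Key = ", the trailing semicolon and surrounding quotes.
        value=$(printf '%s\n' "$line" |
                sed 's/^[^=]*= //; s/;$//; s/^"//; s/"$//')
        case "$value" in
            *[Ww][Ee][Kk][Nn][Oo][Ww]*)
                printf 'HIJACKED %s = %s\n' "$key" "$value"; hit=1 ;;
            *)
                printf 'SET %s = %s\n' "$key" "$value" ;;
        esac
    done
    return "$hit"
}

sample_prefs() {
    # Constructed sample of `defaults read` output, for illustration only.
    cat <<'EOF'
{
    DefaultSearchProviderName = weknow;
    DefaultSearchProviderSearchURL = "https://www.weknow.ac/";
    HomepageIsNewTabPage = 0;
    HomepageLocation = "https://www.google.com/";
    SomeOtherKey = 1;
}
EOF
}

# On a Mac, check the live values (the defaults tool exists only on macOS).
if command -v defaults >/dev/null 2>&1; then
    defaults read com.google.Chrome 2>/dev/null | check_chrome_prefs \
        || echo "Values mentioning weknow remain; see the HIJACKED lines."
fi
```

If `defaults read` reports that the domain is not found, the function receives no input and prints nothing.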
Please note that the developers behind weknow.ac are very sneaky and will likely develop this malware further, which means that these tips may not work in the near future. We will try to keep updating this post.
You may also want to install and run Malwarebytes.
Thank you very much, super helpful and easy to follow.
Thanks. This was great. I appreciate the details. The terminal commands were the trick for me.
Best article on how to get rid of weknow.ac – thank you! Explaining where this virus could hide, how to access terminal (it’s on your computer – not the browser), and providing the new commands was very helpful. Thank you.
I am unable to find admin or profiles. Is me as administrator the same thing? And, do I need to get rid of Chrome and gmail, as well as Google?
Thank you so much!!! The terminal commands are the only thing that worked for me. I’ve been trying to get rid of Weknow for so long now.
Thank GOD!! YOU SAVED ME. I HAD LEFT MY MAC FOR 1 YEAR BECAUSE OF WEKNOW. I tried your way and now it works. Thank you for helping me get rid of that da*n thing.
When putting the commands into Terminal I receive a line that says “Domain (com.google.Chrome) not found.” so they don’t seem to be working. When I open Google Chrome it goes correctly to the Google search engine, and when searching in the address bar; however, it still says “Your browser is managed by your organization” when I look at my settings in Google Chrome, which tells me something bad is still there… I already deleted the “profiles” too. I just want to remove “Your browser is managed by your organization” properly!! Help please!!
It worked!! Thank you so much!!
Your suggestions worked for me. Appreciate the info!
This was the only blog that gave me the correct answer! Thank you!
I had this malware last year & it took half a dozen Apple support calls to get rid of it. Then my MacBook went down & they wiped it during the repair. When I got it back & restored it from backup weknow was back. This time, when I called Apple they tried to tell me they can’t “support” Chrome. When I insisted & escalated to a supervisor, he had me do the simplest thing imaginable: shut down & reboot in “Safe” mode. When it was gone there, we restarted, et voila: gone! Try it! He also said Catalina may help prevent that, so backup after you get rid of it & upgrade.
Glad that worked for ya. I have been to the Apple Store in the Domain, Austin, TX, 12 times so far; they remove it and it comes back before I make it home, and I don’t even open the Mac from the store to the house!!
It worked!!!
I’ve had this virus install itself multiple times every time I logged out. Thanks so much for the help because it’s gone now, and I recommend these instructions to anyone who has the problem. Surely Weknow should be illegal?
Thanks again!
How do you find “profiles” in system preferences? I have a Mac and I am using High Sierra. I cannot find “profiles” anywhere on my system
Hi. these tips did not help. In my case weknow has become the organization manager of my chrome. I am locked out of deleting profiles. I’ve uninstalled chrome, I tried tip 5, I could not find the folders /Library/LaunchAgents etc. shift, command, g did not work, but I tried to find it using the search in finder and it returned no results. The first 3 steps were not on my Mac as well.
I found the library. On my Mac it’s just LIB.
I went through the steps to look and remove files. I decided to delete all files related to chrome.
Finally! Thank you sooo much!!
Thank you so much…the terminal commands finally did the trick. You people are awesome for posting these instructions!
Please help! I did all the steps and cleaned my computer with two malware cleaners. I’m still having issues. What more can I do? I have spent hours trying to remove weknow from my Mac and nothing has worked.
I tried to remove weknow.ac via the terminal [see YouTube video] but that did not remove all of the malware from my computer. This guidance was immediately helpful!
It seems to work after I installed and ran Malwarebytes; so far so good. Thanks so much!
I was possessed by weknow, and it had given my standalone Mac an administrator. I deleted the AdminPrefs profile from my profile and ran the terminal scripts. I could never find hide nor hair of weknow on my system; it must be hiding as something else. Two things remain: Chrome still thinks it is managed by my organization, and my system preferences no longer has a profiles tab. Neither of these is a problem . . . yet!
Many thanks for this article!!
well I hope it doesn’t become one. I have “weknow” but cannot find the profiles tab to get rid of it.
Removing these policies from the command line was the only thing that worked! I had trouble finding the specific files within my computer that were causing the problems; I was not able to delete them as a result. This helped me locate and delete them easily. I would suggest deleting all preferences rather than rewriting them. Also, check chrome://policy to see which ones are actually affecting your browser; they varied for me.
Thank you!
These are the only instructions that work to remove weknow from Chrome! Thank you!
Thanks a lot! Thanks a ton! Thank you so much! I love you mate….
You’re the lifesaver. This weknow has completely fu***d up the system.
Thank you thank you thank you…
Even this is not enough to thank you…
Just want to update everyone, this worked for me today. So the assholes haven’t created a work around as of June 9, 2019
I followed directions and reset my browser but see that the weknow installation deleted my Safari admin profiles in System Preferences [suggestions as to how to get this back?] and in Chrome weknow changes admin control and I don’t know what permanent effect this will have. Any updates?! Thanks for this post.
After many hours(!) of unsuccessful attempts to remove this persistent malware, these hints have finally helped. Thank you!
Remarkable, and thank you! I was able to flush out the WeKnow thing from Safari previously, but could not remove it from Google Chrome. The malware was stuck in my Chrome policies. I had tried numerous remedies found on other websites, but this guidance–particularly No. 5–was what I needed to remove it from my system once and for all.
What is the Terminal App? How do I find it?
https://macreports.com/how-to-use-terminal-on-mac-basic-commands/
Thank you!!! This was the only thing working, after many other tries.
This worked perfectly! Thank you so much! (:
Thank you so much! The commands on the terminal worked.
I tried to follow the instructions to delete weknow from safari but I’m not able to delete the admin profiles. When I try to delete the admin profiles I get a pop up window my user ID is entered and it’s asking for a password. How can I get past that pop up window so I can delete the profiles? Thank you.
Pls help i ran the cmds in terminal, and did all of the steps, and now when i try to open up a new tab, it is all blank, and in the search bar it says “about:blank”. I tried everything, including changing the chrome settings to redirect “about:blank” to “chrome://newtab” and “google.com”. Respond quickly :))) i need this
-Garfield Starr
There is no profile listed under system preferences, there is no add-on or extension, there’s none of those listed in step 4 and step 5 I don’t understand. Am I supposed to start typing after it says “defaults write”? Or am I supposed to type that part too? I have malwarebytes installed and it’s not detecting anything. I spent 2 hours on the phone with apple today and they couldn’t even find it to remove it. They said it’s only attacking google chrome so the best thing I can do is uninstall google chrome and just use safari… please help me remove this nightmare
I found it under System Preferences -> Profiles. If you look at the code, you can see references to weknow so you can safely delete them.
To reset safari homepage :
Quit safari. Finder -> Go to *press tab key* Library /
Go to Keychains. Move keychain-2.db to bin. Empty bin. Relaunch safari.
Trying all sorts of things to fix the browsers and this finally worked for google chrome. Hope it still isn’t lurking somewhere! Thank you
Finally, I removed it! Thank you so much!
OMG! I accidentally downloaded the “Java Flash” file because I typed in http://www.thayls.com. I thought I went to the correct website for the euro train but apparently was so dead wrong!
This page and the malware bytes were the only things that helped get my google search engine back up! I couldn’t find any of the files myself so I hope this all worked and will not cause any further issues.
THANK YOU!!!! I’ve tried so many things to get rid of this darn Malware for literally months now. The terminal codes are what finally did it.
Excellent, this really was the only thing that helped me!!
Serhat, my friend: Big thanks for sharing your fix! Like others before me I tried multiple approaches for clearing a similar PUP/adware from MacPro Cleaner (which came from my careless Flash Player update). Malware Bytes and EtreCheck seem to have spotted and quarantined most of the bad stuff, but I was left with a hijacked/redirected Chrome home page called Search Operator, which acts much like Weknow.ac. Now I just have to figure out why my Chrome browser is still “managed.”
Mine is still showing that Chrome is managed too! I don’t know how to get this part off but it is really irritating. If you find a fix, please let me know!
I did all the steps but now on my google chrome it says “about:blank” instead of google.com
Hi, same thing happened to me. What did you do next for the google.com to be your homepage? Or did you just leave it as about blank?
Thanks a lot!!! This really helped … but unfortunately, now I get blank when I open Chrome. … no more going to any search engine like google …?
Hopefully I got rid of it all with your instructions for my MacPro. I got the malware from a Flash Player download pop-up that I thought was legit. As soon as I hit download I knew something wasn’t right but didn’t know what happened till I saw the weknow website opening when I went onto the internet, and it sorta tries to look like a Google webpage.
Finally – thank you for your help with this!
Thank you so much for the help!
Thanks a million … Now WE KNOW 😉
A. suggestion :
1-Remove the weknow.ac profile. Here is how:
…5) Now delete search engine settings:
Chrome: chrome://settings/searchEngines
Safari: Safari > Preferences > Search
[weknow didn’t show here but when i clicked on (MANAGE WEBSITES) it was right there and i could remove it, so you could perhaps add the following to your instructions :
Safari: Safari > Preferences > Search >Manage Websites > weknow > remove
B. Considering the malware could have come through a fake Adobe flash player upgrade, is there anything to search for and delete on that end ? like delete Adobe Flash player and reinstall ?
Thank you so much god bless you!!
Step 5 worked! Cut and paste exactly and it’s gone…after 6 months of trying different methods and using Safari.
Part number 5 was especially efficient for me, as the problem was only with Chrome. The 4 other points were not useful at all.
Thanks a lot !
I am just speechless with tears of joy in my eyes! I cannot thank you enough. For a relatively nontechnical person, this was an amazing gift to empower me to know that with the support of generous people like yourself, I can do it! Thank you immensely! It worked!!!
It was hiding as MPlayerX this time! My only problem is that after following the instructions in step 5 for the Terminal commands, the search engine is finally gone but now my new tab page is an about blank page and not the standard new tab page for Chrome.
I was able to remove it from chrome but not safari. Any further thoughts?
YES! This worked, finally. Grazie Mille!!
Thank you! I was able to save a teacher’s mac book and will be able to help others with this instruction.
I once deleted my “Profiles” Preference pane. Is there a way to remedy this?
Still having trouble here.
I don’t think there is a need to put it back on, after you delete all the fake weknow admin profiles, you don’t need to use the pane anymore.
Thank you! The Terminal commands were the key for me.
thanks very much. finally got rid of it.
Thank you, also after you do all of those steps go back and make google ur search engine and remove Weknow.ac since it will still be there.
I tried this, and instead my AdminPrefs got deleted?
I don’t know how to get them back?
HELP!
I deleted all my admin prefs too. Let me know if you find a way to fix this please
Thank you so much! This really helped!!!
Still having problems getting rid of it from Chrome. Please help. Have a MacBook Air and am not that technical. Thanks!
Thank you, macReports.❤️
This kinda worked
This worked for the Google Chrome issue Weknow!! Thanks
Yes I followed the steps diligently and it worked. Thank you a million times. Weknow is quite an insidious malware. Aren’t some people really mean to their fellow humans.
OMG I’ve tried to get rid of this annoying thing for so long and finally it worked, thanks so much!!!
2019 February 17th- after getting the WeKnow Malware (fake Search Engine) when i rushed through a FlashPlayer update Pop-Up…i Finally got rid of it following these Steps..Thanks to Serhat Kurt’s instructions here.
Still can’t believe it worked using my very mediocre computer skills.
THANKS again!
Step 5 worked! Thank you. Don’t type Instruction #9, just restart Chrome. Typo, not researt.
try to remove “Spigot” from Application Support…
Thanks for instruction.
I did everything step by step, but the problems are not completely solved yet on Safari. I re-installed the OS, but there are still some problems. It cannot show the menu toolbar in the local language, even though the system setting was done appropriately.
Another problem is disable of password auto-fill function on Safari.
For Google Chrome, everything is fine now after re-installation of OS and Chrome app.
YES!!!!! At last a process that worked. Thank you many times.
Thank you thank you thank you!
I don’t have “profiles” in my System Preferences (older OS or something I guess), but the Terminal commands you gave seem to have done it.
Finally banished this criminal malware, after trying so many other things that didn’t work!
Similar to many who have commented, this is the only thing that actually works. I had to follow all of the steps, and even though I didn’t find any sketchy Library files, checking to make sure of that is part of the process it seems. Seriously f weknow.
I’ve never seen something this insidious on a Mac before. MalwareBytes wasn’t able to clean all of this mess up. Thanks to this page for the final piece of the puzzle. AFAIK I got everything.
Note: change the fancy quotes to straight quotes in the terminal or you may end up with headaches.
Step to solve the issue:
#1 Run Malware Bytes
#2 Follow instructions on this page.
#3 Go into System Preferences > Security and Privacy and set Allow apps downloaded from App Store
Thank you!! I finally removed it!
After searching the internet for a week and trying everything to remove weknow.ac, I followed your steps carefully and finally got rid of it. All other sites were simply incomplete. Thank you a thousand times!
This is the only thing that removed this stupid malware completely. Thank you
I did everything here, it didn’t work.
One thing I did that worked was this:
-Safari>Preferences>General
-Go to homepage and change it to google>https://www.google.co.uk
*or whatever website you use
This worked perfectly for me! Thank you!
you are a champion !!! that is the only thing that works
No help. The homepage option is disabled.
Finally, I removed it! Thank you so much!
This is the only thing that helped. I have no way to be sure that this crap is not lurking in the background though… Thanks a lot guys!
Agreed. This helped the issue. You are the best.
it won’t give me the option to delete weknow.ac
I have searched my Mac for it, but it is nowhere in my files. But, when I open my Google Chrome browser, it still opens to weknow.ac
I had already clobbered the AdminPrefs profile (two of them!) and the files in /Library/whatever and ~/Library/whatever, and I tried Chrome’s “Restore settings to original defaults”, but my Chrome was stubbornly pointing at we know until I did that series of “defaults” commands. Try those.
just open system preferences look for an icon named profile.
open the profile
whatever accounts you see in it just remove it by hitting the – sign on the bottom left corner
now remove chrome and reinstall it will be wiped out.
Thanks a lot! I’ve been trying for ages to delete this we know malware… This is the only thing that helped it.