How to remove malware from Mac

This malware is one of several browser hijackers currently in the wild. It redirects your web browser’s homepage to its own search engine and then intercepts the searches you type in order to show you adverts. It manages to evade macOS security measures because it’s ‘bundled’ with what look like legitimate downloads of software like Adobe Flash Player.

How do I know if my Mac is infected?

When you launch a browser like Safari, Firefox, or Google Chrome, instead of seeing your usual homepage, you’ll see the hijacker’s search page (which resembles a very poor imitation of Google’s search page).

How did I get infected?

You downloaded the malware when you downloaded another piece of software, perhaps an upgrade or a browser extension. Because it’s bundled with what appears to be a legitimate program, it clears security when you confirm you want to install the piece of software you thought you had downloaded. It’s critically important that, before you agree to download any update or program, you make sure you know where it has come from. Don’t respond to browser windows that pop up telling you that you need to update software.

How to remove the hijacker from applications

There are several steps needed to remove the hijacker from your Mac. However, they are very straightforward.

  1. Launch System Preferences from the Apple menu or the Dock
  2. Look for a pane called Profiles. If it’s there, it should be next to Accessibility
  3. Click on the Profiles pane and check to see if there’s a profile called AdminPrefs
  4. If it’s there, click on AdminPrefs (unlocking System Preferences by clicking the padlock and typing your username and password, if necessary) and click the ‘-’ at the bottom of the window. That will remove it.

Check your Startup items

Malware sometimes inserts itself in your Login items so that it starts as soon as your Mac boots. You’ll need to hunt for it and remove it.

  1. In System Preferences, click on Users & Groups
  2. Click on your username, then click on the padlock and type your login details
  3. Select the Login Items tab
  4. Look through the list of items. If you see anything that looks like it might be the hijacker, or any other malware, click on it and click on the ‘-’ to remove it.

Tip: There is an easier way to remove malicious login items, or any other login item you want to get rid of. CleanMyMac’s Login Items tool scans your Mac for programs that are permitted to start up at login. It then displays them in a window and allows you to get rid of them with one click. CleanMyMac also allows you to quickly and easily remove browser extensions, uninstall apps, and reclaim tens of gigabytes of disk space.


You can download a free version of CleanMyMac here, from the developer's website.

Remove Launch Agents and Daemons

This bit sounds very technical, but it’s actually very easy.

1. In the Finder, click on the Go menu and choose “Go to Folder”. In the text box, type “/Library/LaunchDaemons”

2. When the folder opens, scan the list of .plist files and look for anything that seems suspicious. Most of the filenames should contain the name of a software vendor you recognize. If you find one that doesn’t, it may be malware

3. If you see a file that looks suspicious, click on it and press the spacebar to preview its contents. If you see anything that relates to the hijacker, or seems suspicious, drag the file to the Trash

4. Repeat the above steps for /Library/LaunchAgents and ~/Library/LaunchAgents

5. Once you’ve dragged all the files you want to get rid of to the Trash, restart your Mac.
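The same review can be scripted. The following Python script is an added example, not part of the original article: it reads every .plist in the three folders above and lists the ones worth a closer look. The vendor prefixes in KNOWN_PREFIXES and the three review reasons are assumptions to adapt to your own Mac.

```python
import plistlib
from pathlib import Path

# The three folders named in the steps above.
LAUNCH_DIRS = [
    Path("/Library/LaunchDaemons"),
    Path("/Library/LaunchAgents"),
    Path.home() / "Library/LaunchAgents",
]
# Assumption: label prefixes of vendors you recognise; edit for your Mac.
KNOWN_PREFIXES = ("com.apple.", "com.google.", "com.microsoft.", "com.adobe.")


def audit_launch_items(dirs=LAUNCH_DIRS, known=KNOWN_PREFIXES):
    """Return one dict per .plist with the reasons it deserves a closer look."""
    findings = []
    for folder in map(Path, dirs):
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            entry = {"file": str(path), "label": None, "program": None,
                     "auto_start": False, "reasons": []}
            findings.append(entry)
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
            except Exception as exc:
                entry["reasons"].append(f"unreadable plist: {exc}")
                continue
            args = job.get("ProgramArguments") or []
            raw = job.get("Program") or (args[0] if args else None)
            program = entry["program"] = str(raw) if raw else None
            entry["label"] = str(job.get("Label", ""))
            entry["auto_start"] = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
            if not entry["label"].startswith(tuple(known)):
                entry["reasons"].append("label does not match a recognised vendor")
            if program and not Path(program).exists():
                entry["reasons"].append("target executable is missing")
            if program and any(p.startswith(".") for p in Path(program).parts[1:]):
                entry["reasons"].append("target is inside a hidden directory")
    return findings


if __name__ == "__main__":
    for item in audit_launch_items():
        if item["reasons"]:
            print(f'{item["file"]}\n  label:   {item["label"]}\n  program: {item["program"]}')
            print("  review:", "; ".join(item["reasons"]))
```

A flagged file is a prompt to preview it as in step 3, not proof of malware; plenty of legitimate software uses labels outside the prefix list.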

How to remove the hijacker from Safari

  1. Wait for your Mac to restart then launch Safari
  2. From the Safari menu, choose Preferences
  3. In the Preferences window, click on the Search tab and choose the search engine you want to use as the default
  4. Select the General tab and set the Homepage to whichever page you want, then choose from the options in the menus above it

How to remove the hijacker from Chrome

1. Launch Chrome

2. Type “chrome://settings” into the address bar, or click the three horizontal lines at the left of the window

3. On the left of the screen, click “On start-up” and check the button next to “Open a specific page or set of pages”

4. Click on the “more” icon (three vertical dots)

5. Select “edit” and type or paste the URL of the page you want to use as your start-up page into the text box

6. Click Save

7. Press the Settings icon again

8. Select Search Engine

9. Choose “manage search engines” and press the “more” button next to the search engine, then select “Remove from list”

10. Click on the menu next to “Search engine used in the address bar” and select the search engine you want to use. If the one you want isn’t there, click “Manage search engines” and either add one from the bigger list or press “Add” and type the URL of another search engine

How to remove the hijacker from Firefox

1. Launch Firefox

2. Press the Settings button (three lines) on the right hand side of the toolbar or type “about:preferences” into the address bar

3. Choose the Home category and, next to “Homepage and new windows”, click on the dropdown menu and select either “Firefox Home” or “Custom URL”. If you choose “Custom URL” type the URL you want to open into the text box.

4. Click the Search category and scroll down to “One-click Search Engines”. Click on the hijacker’s entry and press Remove

5. Click on the menu under Default Search engine and choose the one you want

Delete suspicious extensions from your browsers

Now, remove the items that you think may be "double-agents" or don't serve any real purpose.

Final Steps: Rooting out the virus completely

The next steps are the most important because so far we have cleaned your Mac on the surface level. Now it's time to go deeper and delete the WeKnow virus from the system directories.


Open Chrome, then paste this string into the URL field and press Return:

You will see a window like this one: 

Now see what's written in the Level column

If it reads "Recommended", unfortunately, you will have to reinstall Chrome completely. This is because WeKnow has hard-coded itself into administrative settings of Chrome. If it reads "Mandatory", go to STEP 2. 

For additional check:

Go to Applications/Terminal. Open Terminal, paste the following command and press Return:

defaults read

Now, look through the results. If you see anything related to WeKnow there, again, the only remaining solution is to simply uninstall Chrome. You can use CleanMyMac X for this purpose. It has an Uninstaller tool that will wipe out the remaining traces of any app it deletes.

STEP 2. 

With this step we will remove the WeKnow virus from the Mac's library preferences associated with your username.

Open Finder, go up to the Go menu in the menubar -> Go to Folder, and paste this directory:

/Library/Managed Preferences/[your username]

You should enter [your username] as shown in System Preferences/Users & Groups. In my case, it's "Admin" but may be different on your computer. 

Open the folder. Now look for a “” file there. 

If you have found it in any of these locations, please open the file in any text editor and check if you can find any WeKnow mentions there. Then, manually remove the info from the file and restart your computer.

The same logic applies to Firefox and Safari.
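Preference files in this folder can be stored in binary form, which a text editor will not display readably. The following Python script is an added example, not part of the original article: it decodes every .plist in the folder and reports each key or value that mentions WeKnow. The search term and the assumption that the folder is named after your login name are illustrative.

```python
import getpass
import plistlib
from pathlib import Path


def walk(node, trail=""):
    """Yield (key path, value) for every leaf in a decoded plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{trail}/{key}")
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from walk(value, f"{trail}[{index}]")
    else:
        yield trail, node


def find_mentions(folder, needle="weknow"):
    """Return (file, key path, value) for every entry that mentions needle."""
    needle = needle.lower()
    hits = []
    for path in sorted(Path(folder).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)  # reads XML and binary plists
        except Exception:
            continue  # not a readable plist; inspect it by hand
        for trail, value in walk(data):
            if isinstance(value, bytes):
                text = value.decode("utf-8", "replace")
            else:
                text = str(value)
            # Case-insensitive match on both the key path and the value.
            if needle in text.lower() or needle in trail.lower():
                hits.append((path.name, trail, text))
    return hits


if __name__ == "__main__":
    # Assumption: the folder is named after your login name, as described above.
    folder = Path("/Library/Managed Preferences") / getpass.getuser()
    for name, trail, text in find_mentions(folder):
        print(f"{name}: {trail} = {text}")
```

The script only reports matches; it does not modify or delete any file.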

Protect your Mac

You've heard of many anti-malware solutions for Mac. But recently CleanMyMac (developed by MacPaw) has added a malware removal tool to their software that checks for adware, viruses, spyware and cryptocurrency miners. It's worth checking out. When you do a malware scan it lists anything it finds in its main window. You can then quickly remove it without traces from your Mac.


You can find and download the free edition of the app here.

Have you succeeded in removing the virus? If not, contact us for more guidance at [email protected]

Okay, hope this article has helped you. Come by for more tips on Mac's health.
