Weknow.ac is malware, one of several browser hijackers currently in the wild. It redirects your web browser’s homepage to its own search engine and then intercepts the search requests you type in order to show you adverts. It manages to evade macOS security measures because it’s ‘bundled’ with what looks like legitimate downloads of software like Adobe Flash Player.

So, how does Weknow.ac malware hijack your browser?

The Weknow.ac malware is usually able to hijack your browser by hiding inside a malicious browser extension or being bundled inside legitimate software. This means that you are likely going to voluntarily install the malware because you trust the extension or the software.

Once the Weknow.ac browser hijacker has been released from its delivery system, it immediately jumps onto your browser and starts changing settings. Your homepage will be changed to the Weknow.ac search engine. Your default search engine will also be changed. And visits to legitimate websites can be intercepted and diverted to ad-filled sites controlled by Weknow.ac.

How do I know if my Mac is infected?

When you launch a browser like Safari, Firefox, or Google Chrome, instead of seeing your usual homepage, you’ll see the Weknow.ac search page (which resembles a very poor imitation of Google’s search page).

How did I get infected?

You downloaded Weknow.ac malware when you downloaded another piece of software, perhaps an upgrade or a browser extension. Because it’s bundled with what appears to be a legitimate program, Weknow.ac clears security when you confirm you want to install the piece of software you thought you had downloaded. It’s critically important that before you agree to download any update or program, you make sure you know where it has come from. Don’t respond to browser windows that pop up telling you that you need to update software.

What the Weknow.ac browser hijacker can do to your Mac

The whole point of a browser hijacker is to control which sites you go to and what searches you make, and to provide malware-infected ads for you to click on. These ads will then, in addition to generating money for the malware maker, release other forms of malware that will infect your computer. It can turn into a vicious circle.

So, as well as influencing what you visit online, the malware threatens the security of your entire MacBook. It can lead to stolen files, compromised personal data, corrupted files, and infection across other devices on your network. It could also potentially attempt to change your Mac settings to its own benefit.

How to remove Weknow.ac from applications

There are several steps needed to remove Weknow.ac from your Mac. However, they are very straightforward.

  1. Launch System Preferences (System Settings in macOS Ventura) from the Apple menu or the Dock.
  2. Look for a pane called Profiles. If it’s there, it should be next to Accessibility. In macOS Ventura, it’s found in the Privacy & Security pane. 
  3. Click on the Profiles pane and check to see if there’s a profile called AdminPrefs.
  4. If it’s there, click on AdminPrefs — unlocking System Preferences by clicking the padlock and typing your username and password, if necessary — and click the ‘-’ at the bottom of the window. That will remove it. In macOS Ventura, you won’t need to unlock System Settings. 

Check your Startup items

Malware sometimes inserts itself in your Login items so that it starts as soon as your Mac boots. You’ll need to hunt for it and remove it:

  1. In System Preferences, click on Users & Groups > Login Items. For macOS Ventura, go to System Settings > General > Login Items. 
  2. Click on your username, then click on the padlock and type your login details. This step is not needed for macOS Ventura. 
  3. Look through the list of items. If you see anything that looks like it might be the Weknow.ac hijacker or any other malware, click on it and click on the ‘-’ to remove it.

Tip: There is an easier way to remove malicious login items or any other login item you want to get rid of. CleanMyMac’s Login Items tool scans your Mac for programs that are permitted to start up at login. It then displays them in a window and allows you to get rid of them with one click. CleanMyMac also allows you to quickly and easily remove browser extensions, uninstall apps, and reclaim tens of gigabytes of disk space.

You can download a free version of CleanMyMac here from the developer’s website.

Remove Launch Agents and Daemons

This may sound very technical, but it’s actually very easy.

1. In Finder, click on the Go menu and choose “Go to Folder.” In the text box, type /Library/LaunchDaemons

2. When the folder opens, scan the list of .plist files and look for anything that seems suspicious. Most of the filenames should contain the name of a software vendor you recognize. If you find one that doesn’t, it may be malware.

3. If you see a file that looks suspicious, click on it and press the spacebar to preview its contents. If you see anything that relates to Weknow.ac, or seems suspicious, drag the file to the Trash.

4. Repeat the above steps for /Library/LaunchAgents and ~/Library/LaunchAgents

5. Once you’ve dragged all the files you want to get rid of to the Trash, empty it and restart your Mac.
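The folder review in the steps above can also be done as a read-only inventory. The script below is an added example, not part of the original article: it lists what each launch item in the three folders would start and marks the ones to review. The `weknow` keyword and the decision to mark unreadable files for review are assumptions of this example.

```python
import plistlib
from pathlib import Path

# The three folders named in the steps above.
LAUNCH_DIRS = [
    Path("/Library/LaunchDaemons"),
    Path("/Library/LaunchAgents"),
    Path.home() / "Library/LaunchAgents",
]
INDICATOR = "weknow"  # keyword from this article, matched case-insensitively


def inspect_job(plist_path, indicator=INDICATOR):
    """Summarise one launchd job file: its label and the command it starts."""
    plist_path = Path(plist_path)
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:
        # Unreadable or malformed files are flagged for manual review.
        return {"file": str(plist_path), "error": str(exc), "flag": True}
    args = [str(a) for a in job.get("ProgramArguments") or []]
    program = str(job.get("Program") or (args[0] if args else ""))
    label = str(job.get("Label", ""))
    haystack = " ".join([plist_path.name, label, program, *args]).lower()
    return {
        "file": str(plist_path),
        "label": label,
        "program": program,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "flag": indicator in haystack,
    }


def scan(dirs=LAUNCH_DIRS):
    """Inspect every .plist in the given folders, skipping folders that do not exist."""
    results = []
    for folder in map(Path, dirs):
        if folder.is_dir():
            results.extend(inspect_job(p) for p in sorted(folder.glob("*.plist")))
    return results


if __name__ == "__main__":
    for r in scan():
        mark = "REVIEW" if r["flag"] else "ok"
        print(f'{mark:6} {r["file"]}  ->  {r.get("program") or r.get("error", "")}')
```

The script only reads files. An item marked "ok" can still be unwanted, so check the listed program paths against software you recognize before trashing anything.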

How to remove Weknow.ac from Safari

  1. Wait for your Mac to restart and launch Safari.
  2. From the Safari menu, choose Preferences/Settings.
  3. Now, click on the Search tab and choose the search engine you want to use as the default.
  4. Select the General tab and set the Homepage to whichever page you want. Then, choose from the options in the menus above it.

How to remove Weknow.ac from Chrome

1. Launch Chrome.

2. Type chrome://settings into the address bar or click the three vertical dots at the left of the window.

3. On the left of the screen, click “On startup” and check the button next to “Open a specific page or set of pages.”

4. Click on the “more” icon (three vertical dots).

5. Select “edit” and type or paste the URL of the page you want to use as your startup page into the text box.

6. Click Save.

7. Press the Settings icon again.

8. Select Search Engine.

9. Choose “manage search engines and site search” and press the “more” button next to the Weknow.ac search engine, then select “Remove from list.”

10. Click on the menu next to “Search engine used in the address bar” and select the search engine you want to use. If the one you want isn’t there, click “Manage search engines and site search” and either add one from the bigger list or press “Add” and type the URL of another search engine.

How to remove Weknow.ac from Firefox

1. Launch Firefox.

2. Press the Settings button (three lines) on the right-hand side of the toolbar or type about:preferences into the address bar.

3. Choose the Home category and, next to “Homepage and new windows,” click on the dropdown menu and select either “Firefox Home” or “Custom URL.” If you choose “Custom URL,” type the URL you want to open into the text box.

4. Click the Search category and scroll down to “Default Search Engines.” Click on Weknow.ac and press Remove.

5. Click on the menu under Default Search engine and choose the one you want.



Delete suspicious extensions from your browsers

Now, remove the items that you think may be “double agents” or don’t serve any real purpose. It’s commonly done from Preferences/Settings. All you have to do is look for the Extensions or Add-ons pane in each browser you have on a Mac and remove any extension you don’t recognize or didn’t install. 

Final Steps: Rooting out the virus completely

The next steps are the most important ones because, so far, we have cleaned your Mac on the surface level. Now, it’s time to go deeper and delete the Weknow virus from the system directories.

STEP 1.

Open Chrome, then paste this string into the URL field and press Return: chrome://policy/

Chrome opens its Policies page, which lists the policies applied to the browser.

Now, see what’s written in the Level column.

If it reads “Recommended,” unfortunately, you will have to reinstall Chrome completely. This is because Weknow has hard-coded itself into the administrative settings of Chrome. If it reads “Mandatory,” go to STEP 2. 

As an additional check:

Go to Applications/Terminal. Open Terminal, paste the following command, and press Return:

defaults read com.google.Chrome

Now, look through the results. If you see anything related to Weknow there, again, the only remaining solution is to simply uninstall Chrome. You can use CleanMyMac for this purpose. It has an Uninstaller tool that will wipe out the remaining traces of any app it deletes.

STEP 2. 

With this step, we will remove the Weknow virus from the Mac’s library preferences associated with your username.

Open Finder, go up to the Go menu in the menubar > Go to Folder, and paste this directory:

/Library/Managed Preferences/[your username]

Enter [your username] as shown in System Preferences (or System Settings, if you already run macOS Ventura) > Users & Groups.

Open the folder. Now, look for a “com.google.Chrome” file there. 

If you have found it in any of these locations, open the file in any text editor and check if you can find any Weknow mentions there. Then, manually remove the info from the file and restart your computer.

The same logic applies to Firefox and Safari. 
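To locate the entries described in STEP 2 without reading each file by hand, the following added example (not part of the original article) prints the exact setting names in the managed preferences folder whose values mention Weknow. It assumes the files are stored with a `.plist` extension and goes beyond the Chrome file by checking every preference file in the folder, which covers the Firefox and Safari case as well.

```python
import getpass
import plistlib
from pathlib import Path

INDICATOR = "weknow"  # keyword from this article, matched case-insensitively
MANAGED_ROOT = Path("/Library/Managed Preferences")  # folder named in STEP 2


def find_mentions(node, indicator=INDICATOR, path=""):
    """Yield (key path, value) for each string setting that contains the indicator."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            yield from find_mentions(value, indicator, child)
    elif isinstance(node, (list, tuple)):
        for index, item in enumerate(node):
            yield from find_mentions(item, indicator, f"{path}[{index}]")
    elif isinstance(node, str) and indicator in node.lower():
        yield path, node


def check_policy_file(plist_path, indicator=INDICATOR):
    """Return the matching settings in one managed-preferences file."""
    try:
        with open(plist_path, "rb") as fh:
            policy = plistlib.load(fh)  # reads both XML and binary plists
    except Exception as exc:
        return [("<unreadable>", str(exc))]
    return list(find_mentions(policy, indicator))


def check_user(username=None, root=MANAGED_ROOT):
    """Map each preference file in the user's managed folder to its matches."""
    folder = Path(root) / (username or getpass.getuser())
    hits = {}
    if folder.is_dir():
        for plist_path in sorted(folder.glob("*.plist")):
            found = check_policy_file(plist_path)
            if found:
                hits[plist_path.name] = found
    return hits


if __name__ == "__main__":
    for name, found in check_user().items():
        for key_path, value in found:
            print(f"{name}: {key_path} = {value}")
```

No output means no string value in that folder mentions the keyword. The script changes nothing, so the manual edit and restart described above still apply to whatever it reports.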

Remove Weknow.ac automatically and protect your Mac

You’ve heard of many anti-malware solutions for Mac. But recently, CleanMyMac developed by MacPaw has added a Malware Removal tool to their software that checks for adware, viruses, spyware, and cryptocurrency miners. It’s worth checking out. When you do a malware scan, it lists anything it finds in its main window. You can then quickly remove it without traces from your Mac. In fact, it can easily remove Weknow.ac from your Mac, so you would not have to go through all of the manual steps we’ve listed above.

You can find and download the free edition of the app here.

How to prevent future Weknow.ac virus infections

With a few practical, straightforward tips, you can learn how to avoid browser hijacker malware, including the Weknow.ac virus.

Be cautious of links and email attachments

A lot of malware, including browser hijackers, is spread through infected weblinks and email attachments. Many of the top email platforms today have developed excellent malware detection tools, but nevertheless, some malware can still slip through the cracks.

Don’t click links or open email attachments from people you don’t know or trust.

Don’t sideload browser extensions

The usual way of downloading and installing browser extensions is by going through the browser’s official extensions site. But if an individual has made an extension, they could send you the file directly, thus bypassing browser safeguards by manually installing the extension. This is called sideloading.

Browser security safeguards are there for a reason — to protect you from threats. It’s highly recommended that you never bypass those protections to sideload an extension.

Don’t install browser extensions you don’t need

In addition to not sideloading extensions, you shouldn’t install browser extensions you don’t need. While it can be fun to try out different extensions, each one represents a security risk if malware manages to bypass the browser store’s internal vetting controls.

By keeping your extensions to the bare minimum required, you’re also minimizing your risk of a browser hijacking extension.

Only download apps from the App Store

The other way that browser hijackers infiltrate devices is via bundled software. The main software may be legitimate and something you bought. But it may also have a browser hijacker lurking inside, waiting for you to install the legitimate software.

You can greatly reduce this risk by confining your software and app downloads to the App Store. All entries in the app store are scanned and vetted, so you can be 99.9% sure that any downloads you make will be safe.

Put your browser security settings as high as possible

Every browser has an array of security settings, ranging from minimal to extremely secure. You can find them in the browser settings and can set your preferences regarding how the browser warns you about dangerous websites, how it scans downloads, and how it warns you about password breaches.

In some cases, using the highest security settings could make web browsing a bit more difficult. Nevertheless, it’s worth the tradeoff when you consider the enhanced level of security it brings.

Keep your browser up to date

Finally, keep your browser up to date with the latest security updates. You can find out if there’s an update by going to the settings. Afterward, a browser restart is normally required.

By keeping on top of all updates, you’re plugging as many holes in the browser as possible, reducing the number of opportunities for malware to take advantage of.

Have you succeeded in removing the virus? If not, contact us for more guidance at [email protected]

Okay, hope this article has helped you. Come by for more tips on Mac’s health.