weknow malware
I knew Google was celebrating its 20th anniversary today, so I opened a new browser window to see the Google Doodle. I got a sorta-old-school-looking page labelled "search" in Google colors, which seemed sorta plausible, but I would have expected the name "Google" in one of the early, serif fonts. It didn't seem quite right. There were a couple of links at the bottom left corner of the page: "About Us", "FAQ", etc. all of which told me about something called "WeKnow", not Google.
Turns out WeKnow is a well-known browser hijacker that usually installs itself through a download page that claims to be an Adobe updater. (I'm not sure whether CleanMyMac is also a front for WeKnow, or is itself infected with WeKnow, or is just an unrelated but legitimate aggressive commercial software product.) There are a lot of pages on the Web about how to remove it, most of which tell you to pay and download their commercial product, which for all I know is actually WeKnow all over again. It had apparently infected both my Chrome and my Safari installations. The Safari installation can be fixed through the Preferences window inside Safari; Chrome was trickier. The most successful and believable instructions I found are shell commands to be executed from the Terminal window:
defaults read com.google.Chrome
to see all the currently-stored system defaults for the Chrome browser. Some of these will probably point to URLs containing "weknow.ac". Once you've confirmed the infection in this way, ...
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
(or some other default location that you trust)
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
(ditto)
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
Then quit Chrome and restart it. (Just to make sure, I restarted the computer too.)
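A small triage script in the spirit of the steps above, added here and not part of the original post: it scans a constructed sample of `defaults read com.google.Chrome` output for the weknow indicator, then prints (without running) the `defaults` commands from the post for just the keys that were actually hijacked, so you can review them before pasting anything into Terminal. The two sample dumps and the optional TRUSTED_HOME variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: triage a `defaults read com.google.Chrome`
# dump for the hijacker before touching anything, then print (not run) the fixes.

# Constructed sample of what the dump looks like on an infected Mac. The domain
# weknow.ac is the indicator the post names; the exact paths are made up.
SAMPLE_DUMP='{
    DefaultSearchProviderName = WeKnow;
    DefaultSearchProviderNewTabURL = "http://weknow.ac/newtab";
    DefaultSearchProviderSearchURL = "http://weknow.ac/?q={searchTerms}";
    HomepageIsNewTabPage = 1;
    HomepageLocation = "http://weknow.ac/";
    NewTabPageLocation = "http://weknow.ac/";
}'

# Constructed sample of a clean dump, for comparison.
CLEAN_DUMP='{
    HomepageIsNewTabPage = 0;
    HomepageLocation = "https://www.google.com/";
}'

# Print the name of every top-level key whose value mentions the hijacker
# (case-insensitive, so the provider name "WeKnow" is caught as well as the URLs).
hijacked_keys() {
    printf '%s\n' "$1" |
        grep -i 'weknow' |
        sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p'
}

# Print the defaults(1) commands from the post for each hijacked key so they can
# be reviewed before being pasted into Terminal. Nothing is executed here.
remediation_commands() {
    home="${TRUSTED_HOME:-https://www.google.com/}"   # or any location you trust
    found=0
    for key in $(hijacked_keys "$1"); do
        found=1
        case "$key" in
            HomepageLocation|NewTabPageLocation)
                printf 'defaults write com.google.Chrome %s -string "%s"\n' "$key" "$home" ;;
            DefaultSearchProvider*)
                printf 'defaults delete com.google.Chrome %s\n' "$key" ;;
        esac
    done
    # Once anything was hijacked, also stop the home page from doubling as the new-tab page.
    [ "$found" -eq 1 ] && printf 'defaults write com.google.Chrome HomepageIsNewTabPage -bool false\n'
    return 0
}

# On a real Mac: remediation_commands "$(defaults read com.google.Chrome)"
```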
