refer:https://macreports.com/how-to-remove-weknow-ac-malware-macos/
1-Remove the weknow.ac profile. Here is how:
On your Mac, openSystem Preferences(click the System Preferences icon in the dock)
ClickProfiles
SelectAdminPrefs
Delete this profile (AdminPrefs) by pressing the minus icon.
Now delete search engine settings:
Chrome: chrome://settings/searchEngines
Safari: Safari &> Preferences &> Search
2-Delete weknow.ac. Remove anything weknow.ac related. Remove anything suspicious apps to the Trash folder. Look for recently added apps.
Open the Applications folder
Delete Weknow.ac or Weknow.ac.app also look for“MPlayerX”,“NicePlayer”. Look for suspicious apps.
Empty Trash
3-Remove the weknow addon
Safari: Safari &> Preferences &> Extensions &> Locate the weknow.ac extension and remove it
Google Chrome: Go tochrome://extensions/ and find the weknow.ac addon and remove it.
Firefox: Go toabout:addons and remove the addon.
4-Delete weknow files:
Go &> Go to Folder (or press Shift + Cmd + G)
Enter/Library/LaunchAgentsand click Go
Look for suspicious files such as“installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”. Some other names you should look for Genieo, Inkeeper, InstallMac, CleanYourMac, MacKeeper, SoftwareUpdater, MplayerX, NicePlayer, installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist, com.aoudad.net-preferences.plist”, “com.myppes.net-preferences.plist”, “com.kuklorest.net-preferences.plist”, “com.avickUpd.plist”. If you see any of them, drag them to the Trash folder and then empty Trash.
And now repeat the same process on the following folders:
/Library/Application Support
/Library/LaunchDaemons
5-If your browser is Chrome, follow the steps below to change some Chrome policies, if you are still having the problem:
Open theTerminal app(Go &> Utilities &> Terminal or press Command+Space and search Terminal)
Enter the commands below, hit Enter after each
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
3.Restart Chrome
Please note that the developers behind weknow.ac are very sneaky and they will likely further develop this malware so this means that those tips may not work in near future. We will try to keep updating this posts.
find appname and plist ,just like
find . -name “*” |grep -i UtilityOSDaemon
then delete all these files ;
source:https :// macreports.com/how -to-remove-weknow-ac-malware-macos/
“ weknow.ac ”A set of chrome policies will be changed to set up a new default home page, new tag behavior, etc. You can enter it in the address bar chrome://policy/ To see the current chrome policy. If you are infected, it should be very obvious, because we will show you about six policies that you know to change.
At this point, all we have to do is to use the command line to delete/modify the affected policies:
1, you need to open the “terminal” application.
2. Copy the following code to the terminal one by one, (add a [space] in the middle of each code) and press enter
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "[https://www.google.com/](https://www.google.com/)"
defaults write com.google.Chrome HomepageLocation -string "[https://www.google.com/](https://www.google.com/)" defaults delete com.google.Chrome DefaultSearchProviderSearchURL defaults delete com.google.Chrome DefaultSearchProviderNewTabURL defaults delete com.google.Chrome DefaultSearchProviderName
3,21551;”Chrome25913;” 25165;”25928;
38142; 25509b; http://www.jianshu.com