How to eliminate Proton malware from the operating system
Written by Tomas Meskauskas on (updated)
What is the Proton malware?
Proton is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access and control over an infected device. RATs are capable of allowing close to or user-level control over a machine. These Trojans have a wide variety of malicious capabilities, which can be used in likewise varied ways.
Proton has been observed being distributed under the guise of the "Symantec Malware Detector" anti-virus application, however, this RAT might be disguised as or bundled with other products, even legitimate sites with genuine Apple code-signing signatures (i.e. certificates). Proton malware is no way associated with NortonLifeLock Inc. (formerly known as Symantec).
The Proton RAT is capable of executing specific commands and managing system/personal files to a certain extent. It can collect device information such as hardware serial number, macOS (Mac Operating System) version, installed applications and last run terminal commands.
Furthermore, during Proton's installation, whilst under the guise of the fake "Symantec Malware Detector", it asks users to provide the admin account's username and password. This malicious program also gathers browsing-related information such as URLs visited, pages viewed, search queries typed, browser cookies, IP addresses and geolocations.
Other Proton's capabilities include taking screenshots and recording video via the device's webcam, however, the primary functionality of this Trojan is data extraction, specifically passwords. It can obtain these log-in credentials from Keychain Access and 1Password password managers, and from the GNU Privacy Guard (GPG) cryptographic software suite.
Additionally, Proton can record key strokes (keylogging). This feature is similarly used to target account credentials (i.e. usernames/passwords) and other sensitive data (e.g. financial information).
Other functionality of this malicious program presents users with custom native pop-up windows, which can request specific information to be entered (e.g. banking account information, credit card details, driver’s license, etc.). To summarize, the presence of Proton on systems can result in financial loss, serious privacy issues and identity theft.
If it is suspected or known that the Proton RAT or other malware has already infected the system, anti-virus software must be used to eliminate it immediately.
| Name | Proton RAT |
| Threat Type | Phishing, Scam, Mac malware, Mac virus. |
| Detection Names | Avast (MacOS:Proton-F [Trj]), BitDefender (Trojan.MAC.Proton.I), ESET-NOD32 (A Variant Of OSX/Proton.F), Kaspersky (HEUR:Backdoor.OSX.Proton.d), Full List (VirusTotal). |
| Symptoms | Your Mac becomes slower than normal, you see unwanted pop-up ads, you are redirected to dubious websites. |
| Distribution methods | Deceptive pop-up ads, free software installers (bundling), fake Flash Player installers, torrent file downloads. |
| Damage | Internet browser tracking (potential privacy issues), display of unwanted ads, redirects to dubious websites, loss of private information. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
XCSSET, Gmera, Tarmac, NUKESPED and AppleJeus are some examples of other Mac-specific malicious programs. Malware can have a broad range of functionalities, ranging from enablement of remote access/control to data-encryption for ransom purposes.
Regardless of how this malicious software operates, the purpose is identical: to generate revenue for the cyber criminals using it. Malware infections pose a serious threat to device and user safety. Therefore, you are strongly advised to remove all system infections without delay.
How did Proton infect my computer
As mentioned, the Proton RAT is disguised as "Symantec Malware Detector" anti-virus software. As well as employing the legitimate company name of "Symantec", the full-name ("Symantec Malware Detector") does not belong to any genuine product. This fake application was distributed via (now offline) malicious websites, which closely mimicked the Symantec blog.
On initial inspection, the fake blog appeared genuine, however under closer inspection, it was evidently bogus (e.g. legitimate SSL certificate issued not by Symantec’s certificate authority).
The blog post promoting Proton as "Symantec Malware Detector", concerned a supposedly new variant of the CoinThief malicious program and the fake anti-virus program was allegedly capable of detecting and removing CoinThief.
Afterwards, links to the bogus "Symantec" blog were heavily posted on Twitter (likely, via accounts hijacked by Proton RAT), however, Proton may be promoted using different disguises and methods. In general, malware is proliferated through untrusted download channels (e.g. unofficial and free file-hosting sites, Peer-to-Peer sharing networks and other third party downloaders), illegal activation ("cracking") tools, fake updates and spam campaigns.
"Cracking" tools can download/install malicious software, rather than activating licensed products. Fake updaters infect systems by exploiting weaknesses of outdated products and/or simply by installing malware, rather than the updates. Spam campaigns are large-scale operations, during which thousands of scam emails are sent.
These messages contain download links of infectious files and/or the files are attached to the emails. Malicious files can be in various formats (e.g. PDF and Microsoft Office documents, archive and executable files, JavaScript, etc.) and when they are executed, run or otherwise opened, the infection chain (i.e. malware download/installation) is initiated.
How to avoid malware infections
You are advised to research all software and only download from official and verified sources. Additionally, all products must be activated and updated using tools/functions provided by legitimate developers, since illegal activation tools ("cracks") and third party updaters are often used to proliferate malware.
Suspicious and/or irrelevant emails must not be opened, especially those with any links or attachments found in them, as this can result in high-risk infection. To ensure device and user safety, it is paramount to have a reputable anti-virus/anti-spyware suite installed.
Furthermore, this software must be kept up to date, used to run regular system scans and to remove detected/potential threats. If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Proton malware disguised as the fake "Symantec Malware Detector" app:
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is Proton?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon 
(at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu 
(at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Outstanding!
▼ Show Discussion