ProgressionLegion Mac virus (Free Guide)
ProgressionLegion Mac virus Removal Guide
What is ProgressionLegion Mac virus?
ProgressionLegion is a malicious Mac application designed by cybercriminals
ProgressionLegion is a malicious application that establishes persistence once installed
ProgressionLegion is unwanted and dangerous software for Macs that specializes in inserting malicious ads into users' browsers and tracking their personal data. It belongs to a widespread malware strain known as Adload, which has been around since at least late 2017 and has had hundreds of versions released. The infection can usually be identified easily by the icon it uses – a magnifying glass on a gray background.
The alarming traits of the ProgressionLegion virus start with its distribution: it spreads through fake Flash Player updates and pirated software installers, which is typical of malware. Upon infiltration, it installs several persistence components and adds a new browser extension, which it uses to steal user data. The extension also changes the homepage of Safari, Chrome, or whichever other browser is in use.
If you have spotted that your system is infected with ProgressionLegion adware, you should immediately take action to eliminate it. In this article, we provide all the necessary details for this process to be successful.
Name | ProgressionLegion |
Type | Mac virus, adware, browser hijacker |
Malware family | Adload |
Distribution | Fake Flash Player installers or bundled software from malicious sources |
Symptoms | Installs a new extension and application on the system; changes homepage and new tab of the browser; inserts ads and malicious links; tracks sensitive user data via extension |
Removal | The easiest way to remove Mac malware is to perform a full system scan with SpyHunter 5 / Combo Cleaner security software. We also provide a manual guide below |
System optimization | Malware and adware can meddle with your system, reducing its performance. If you want to quickly fix various issues, we recommend you try using automated tools like Fortect / Intego |
How did you get infected?
The best way to deal with malware is not to get infected in the first place, as once the deed happens, the consequences might be relatively serious – additional malware installation, personal data disclosure to malicious parties, financial losses, and similar issues become a possibility.
Adload is among the most prominent adware strains that target Macs. While it has been around for several years now, its simple yet effective distribution techniques contribute greatly to its success. The two most common distribution methods used by ProgressionLegion developers are illegal software bundles and fake/misleading ads.
Flash is almost iconic software that was once the dominant plugin for multimedia content online. Cybercriminals soon discovered that many of its vulnerabilities[1] could be used to push malware to thousands of users automatically. While many of the flaws were patched, new ones arose.
Adobe finally decided to kill Flash at the end of 2020,[2] as more advanced technologies had long been developed by that time. This means that every prompt to update Flash after the end-of-life date is fake, and you are likely to be infected with malware if you download one of these installers.
When it comes to illegal software installers, you should simply never risk downloading them. There will always be a chance of being infected when visiting peer-to-peer networks that host illegal software; the so-called cracks would most certainly be flagged by security tools, regardless of whether they actually infect your device with malware or not.
Thus, it becomes impossible for regular computer users to check whether such tools are dangerous or not, and disabling anti-virus protection can result in immediate infection.
ProgressionLegion spreads via Flash Player installers and other misleading ads
ProgressionLegion capabilities and removal
Adload family members work on a rather simple principle – they use effective distribution methods, and once users enter their Apple ID during the installation process of this malicious software, they automatically allow the virus to get installed with elevated permissions. Consequently, the malware drops various malicious files and changes settings, which might make it difficult to remove.
ProgressionLegion has two components – the main application installed at the system level and the extension installed in the browser. Both of these components perform important virus functions and need to be eradicated carefully.
As soon as users provide access to the app, it uses the built-in AppleScript to create Login Items and new Profiles. It also adds itself to the exception list within Gatekeeper and XProtect,[3] which allows it to remain on the system without being removed by these defenses.
This is why the easiest way to eliminate the infection is to scan the system with alternative security software, such as SpyHunter 5 / Combo Cleaner or Malwarebytes. Third-party security solutions could also help you to prevent the installation of Mac malware in the future, so we highly recommend keeping them running at all times.
If you would like to eliminate the infection manually, we provide the instructions below. Note that, even if you deleted the malware with security software, we still recommend cleaning web browsers of cookies and other items to prevent unwanted tracking.
1. Remove the main app
We should start by stopping all the active processes that could be spawned by malware – you can do so by accessing Activity Monitor. Only then should you try deleting the main app:
- Open Applications folder
- Select Utilities
- Double-click Activity Monitor
- Here, look for suspicious processes and use the Force Quit command to shut them down
- From the menu bar, select Go > Applications
- In the Applications folder, look for all related entries
- Click on the app and drag it to Trash (or right-click and pick Move to Trash).
If you still couldn't eliminate the main app, you can try removing Login Items and unwanted User Profiles:
- Go to Preferences and select Accounts
- Click Login items and delete everything suspicious
- Next, pick System Preferences > Users & Groups
- Find Profiles and remove unwanted profiles from the list.
- Go to Preferences > Accounts > Login items and remove the malicious entries.
Finally, you have to get rid of the leftover files. Plist files especially are important to eliminate correctly, as they can help reinstate the virus afterward.
- Select Go > Go to Folder.
- Enter /Library/Application Support and click Go or press Enter.
- In the Application Support folder, look for any dubious entries and then delete them.
- Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and delete all the related .plist files.
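The check in the last step can be made read-only before anything is deleted. The following is an added example, not part of the original guide: it parses every launchd .plist in the given folders and lists those whose file name, Label or launch command mentions the application name. The sample plists, the `com.example.*` labels and the `helper` path are constructed for the demonstration and are not real ProgressionLegion artifacts.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def read_launch_item(path):
    """Parse one launchd plist (XML or binary); return (label, command) or None."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None  # unreadable or malformed: reported separately, never guessed
    if not isinstance(data, dict):
        return None
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    return str(data.get("Label", "")), " ".join(str(a) for a in args)

def find_related(directories, name):
    """List plists whose file name, Label or command mentions `name` (no deletion)."""
    hits, unreadable = [], []
    for directory in directories:
        for path in sorted(Path(directory).expanduser().glob("*.plist")):
            item = read_launch_item(path)
            if item is None:
                unreadable.append(str(path))
                continue
            label, command = item
            if name.lower() in f"{path.name} {label} {command}".lower():
                hits.append({"plist": str(path), "label": label, "command": command})
    return hits, unreadable

def build_sample(root):
    """Write constructed sample plists; names and paths are made up for the demo."""
    agents, daemons = Path(root, "LaunchAgents"), Path(root, "LaunchDaemons")
    agents.mkdir()
    daemons.mkdir()
    flagged = {"Label": "com.example.agent", "RunAtLoad": True, "ProgramArguments":
               ["/Library/Application Support/ProgressionLegion/helper"]}
    benign = {"Label": "com.example.updater", "Program": "/usr/local/bin/updater"}
    (agents / "com.example.agent.plist").write_bytes(plistlib.dumps(flagged))
    (daemons / "com.example.updater.plist").write_bytes(
        plistlib.dumps(benign, fmt=plistlib.FMT_BINARY))
    (daemons / "broken.plist").write_bytes(b"<plist><dict><key>Label")
    return [str(agents), str(daemons)]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hits, unreadable = find_related(build_sample(tmp), "ProgressionLegion")
    print("REVIEW:", [h["plist"] for h in hits])
    print("UNREADABLE:", unreadable)
```

On a Mac, pass `["/Library/LaunchAgents", "/Library/LaunchDaemons"]` as `directories`. In the sample, the flagged entry matches only through its launch command, which is why the script reads the plist contents rather than relying on file names.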
2. Take care of your browser
If you opt for manual removal, you should first remove the browser extension from Safari (you will find instructions for other browsers at the bottom of this article):
- Click Safari > Preferences…
- In the new window, pick Extensions.
- Select the unwanted extension and select Uninstall.
Next, make sure you delete browser cookies and other components to prevent data trackers from continuing their job. You can easily perform this task automatically with Fortect / Intego, a maintenance utility that can clean your system from all the leftover files.
- Click Safari > Clear History…
- From the drop-down menu under Clear, pick all history.
- Confirm with Clear History.
If you are unable to delete the extension in a regular way, you can reset the browser to ensure it is uninstalled properly. Perform the following steps:
- Click Safari > Preferences…
- Go to the Advanced tab.
- Tick the Show Develop menu in the menu bar.
- From the menu bar, click Develop, and then select Empty Caches.
Getting rid of ProgressionLegion Mac virus. Follow these steps
Remove from Mozilla Firefox (FF)
Remove dangerous extensions:
- Open Mozilla Firefox browser and click on the Menu (three horizontal lines at the top-right of the window).
- Select Add-ons.
- Here, select the unwanted plugin and click Remove.
Reset the homepage:
- Click three horizontal lines at the top right corner to open the menu.
- Choose Options.
- Under Home options, enter your preferred site that will open every time you launch Mozilla Firefox.
Clear cookies and site data:
- Click Menu and pick Settings.
- Go to Privacy & Security section.
- Scroll down to locate Cookies and Site Data.
- Click on Clear Data…
- Select Cookies and Site Data, as well as Cached Web Content and press Clear.
Reset Mozilla Firefox
If clearing the browser as explained above did not help, reset Mozilla Firefox:
- Open Mozilla Firefox browser and click the Menu.
- Go to Help and then choose Troubleshooting Information.
- Under Give Firefox a tune up section, click on Refresh Firefox…
- Once the pop-up shows up, confirm the action by pressing on Refresh Firefox.
Remove from Google Chrome
Delete malicious extensions from Google Chrome:
- Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
- In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.
Clear cache and web data from Chrome:
- Click on Menu and pick Settings.
- Under Privacy and security, select Clear browsing data.
- Select Browsing history, Cookies and other site data, as well as Cached images and files.
- Click Clear data.
Change your homepage:
- Click menu and choose Settings.
- Look for a suspicious site in the On startup section.
- Click on Open a specific page or set of pages and click on the three dots to find the Remove option.
Reset Google Chrome:
If the previous methods did not help you, reset Google Chrome to eliminate all the unwanted components:
- Click on Menu and select Settings.
- In the Settings, scroll down and click Advanced.
- Scroll down and locate Reset and clean up section.
- Now click Restore settings to their original defaults.
- Confirm with Reset settings.
[1] Thomas Holt. What Are Software Vulnerabilities, and Why Are There So Many of Them? Scientific American. Science Magazine.
[2] Adobe Flash Player EOL General Information Page. Adobe. Official page.
[3] Sergiu Gatlan. New AdLoad malware variant slips through Apple's XProtect defenses. Bleeping Computer. Technology news and support.