How to remove apps designed to promote extrasafe.xyz and similar websites
Written by Tomas Meskauskas on (updated)
What is extrasafe[.]xyz?
extrasafe[.]xyz is a deceptive website, the main purpose of which is to trick visitors into downloading and installing a potentially unwanted application (PUA). The app is apparently capable of removing viruses that this website has supposedly detected.
Commonly, pages such as extrasafe[.]xyz are opened through other websites of this kind, clicked deceptive advertisements, and installed PUAs. In any case, people do not often visit these sites intentionally. Do not trust these sites or download applications from them - use only official websites.
There are at least two versions of the extrasafe[.]xyz site (mobile and desktop) - one suggesting that the visitor's device is infected with viruses, the other suggesting that it might be tracked.
The main goal is to deceive visitors into installing an application (at the time of research, extrasafe[.]xyz promoted apps named Globe VPN-Internet Security and Fireblocker Security - Adblock), which supposedly remove viruses and/or prevent further damage.
Neither extrasafe[.]xyz nor other similar deceptive pages can be trusted, even if the advertised apps are legitimate. All software should be downloaded from official web pages, and never through or from sites such as this one. As mentioned, browsers generally open these sites due to installed PUAs.
Note that promotion of dubious, deceptive websites is not the only problem with the aforementioned PUAs. They often serve ads and collect browsing-related data. They feed users with various ads. For example, coupons, banners, surveys, and pop-ups.
When clicked, these can open untrusted websites or even execute scripts designed to cause download/installation of unwanted apps. PUAs can also record details such as addresses of visited websites, entered search queries, geolocations, IP addresses and other browsing data.
They sometimes access and record personal details as well. Furthermore, developers misuse the data to generate revenue by selling it to third parties (potentially, cyber criminals) or in other ways. PUAs can cause thus problems such as identity theft, issues relating to browsing safety, online privacy, and other issues.
Therefore, all PUAs should be uninstalled immediately and avoided in future.
Name | Extrasafe.xyz pop-up |
Threat Type | Phishing, Scam, Mac malware, Mac virus. |
Fake Claim | Extrasafe[.]xyz suggests that the visitor's device is either infected with viruses or might be tracked. |
Serving IP Address | 172.67.147.246 |
Promoted Unwanted Application | Globe VPN-Internet Security and Fireblocker Security - Adblock. |
Symptoms | Your Mac becomes slower than normal, you see unwanted pop-up ads, you are redirected to dubious websites. |
Distribution methods | Deceptive pop-up ads, free software installers (bundling), fake Flash Player installers, torrent file downloads. |
Damage | Internet browser tracking (potential privacy issues), display of unwanted ads, redirects to dubious websites, loss of private information. |
Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Some more examples of deceptive web pages are berrigroun[.]com, application-update[.]com and hastopnet[.]com. Typically, they suggest that the visitor's device is infected with viruses, is exposed to problems relating to privacy, browsing safety, etc., and encourages the user to solve the supposed problem with a specific application.
Generally, people download and install PUAs inadvertently, and this is often the reason why browsers open dubious web pages.
How did potentially unwanted applications install on my computer?
In most cases, people are tricked into downloading and installing potentially unwanted apps when developers distribute them using a deceptive marketing method called "bundling". This method is used to trick people by including the unwanted applications into the set-ups of other programs as 'additional offers'.
Generally, information about additionally-included apps can be found in "Advanced", "Custom and other similar settings, however, many users leave the settings unchecked and unchanged, thereby allowing PUAs to infiltrate. In some cases rogue downloads/installations happen through clicking deceptive advertisements, which then execute certain scripts.
How to avoid installation of potentially unwanted applications
You are advised to download all software from official and trustworthy websites. Avoid third party downloaders, installers, unofficial web pages, Peer-to-Peer networks (torrent clients, eMule) and other channels of this kind. Check all "Custom", "Advanced" and other settings available in the setup and decline offers to download or install additionally-included apps.
Do not click ads that appear on dubious web pages (e.g, adult dating, gambling, pornography pages), since they can open untrusted websites or even cause download/installation of unwanted, potentially malicious apps. Remove any, suspicious extensions, plug-ins, and add-ons installed on the browser, and programs of this kind installed on the operating system.
If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Text in the mobile extrasafe[.]xyz version (see screenshot above):
Your iPhone is severly damaged by (39) viruses
We've noticed that your Apple is 28.1% Damaged by (30) harmful viruses from recent adult sites. It will soon corrupt your iPhone's SIM card and damage your contacts, photos, data, and applications.
4 minutes and! 57 seconds
If you don't remove the virus now, it will cause serious damage to your iPhone. Here's what you need to do (step by step):
Step 1: Tap and install app for free on the App Store!
Step 2: Open the application to speed up and fix your browser now!
Repair Now
Screenshot of a second mobile version:
Text in this version:
WARNING
Your iPhone May Be Tracked. Read Below To Disable!
Some big corporations might track your search and browsing history to build a detailed profile of you. This sensitive information can be linked to you and used to spy your device
Here is how you can solve this in just a few seconds (Step by Step)
Step 1: Tap SECURE MY DEVICE to install iProtector from the App Store.
Step 2: Open the application to activate the latest update and protect your connection.
Secure My Device
Screenshot of a desktop version:
Text in this version:
ATTENTION - Viruses found!
Your Apple is severely damaged by (39) viruses! Soon your Apple SIM card will be corrupt and it will damage your contacts, photos, data, applications, etc ..
Screenshot of a second desktop version:
Text in this version:
Your iPhone is severly damaged by (39) viruses
We've noticed that your Apple is 28.1% Damaged by (30) harmful viruses from recent adult sites. It will soon corrupt your iPhone's SIM card and damage your contacts, photos, data, and applications.
4 minutes and! 57 seconds
If you don't remove the virus now, it will cause serious damage to your iPhone. Here's what you need to do (step by step):
Step 1: Tap and install app for free on the App Store!
Step 2: Open the application to speed up and fix your browser now!
Repair Now
Screenshot of the download page for Globe VPN-Internet Security (promoted through the first extrasafe[.]xyz version):
Screenshot of the download page for Fireblocker Security - Adblock (promoted through the second extrasafe[.]xyz version):
To enable pop-up blocking, fraudulent website warnings, and remove web browsing data in mobile Apple devices, follow these steps:
First, go to "Settings", and then scroll down to find and tap "Safari".
Check if the "Block Pop-ups" and "Fraudulent Website Warning" toggles are enabled. If not, enable them immediately. Then, scroll down and tap "Advanced".
Tap "Website Data" and then "Remove All Website Data".
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is extrasafe[.]xyz?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
▼ Show Discussion