
Threat Scorecard

Ranking: 6,189
Threat Level: 20 % (Normal)
Infected Computers: 84
First Seen: October 20, 2023
Last Seen: October 24, 2023
OS(es) Affected: Windows

During their examination of deceptive websites, infosec experts encountered an installer that delivers a browser hijacker designed to promote the fraudulent search engine known as Browser hijackers are commonly known for altering browser settings and leading users to specific websites through redirects. However, in this particular case, the browser hijacker exhibited an unusual behavior: it refrained from making any noticeable alterations to the user's browser settings. Instead, it employs a sophisticated and intricate mechanism to ensure its persistence on the affected system, making it exceptionally challenging to remove.

Takes Users to Dubious Destinations through Redirects

With the setup that promotes installed on a user's system, any search queries introduced into their Web browser's URL bar will lead to automatic redirects to the website. It's important to note that illegitimate search engines like are typically incapable of providing genuine search results, so they redirect users to well-known and legitimate Internet search engines such as Bing, Google, Yahoo and others.

However, the destination to which leads users can vary significantly. The redirects, and sometimes redirection chains, seem to be random in nature, but they can also be influenced by the user's geolocation. In some instances, has been observed redirecting to legitimate search engines like Bing, while in other cases, it directs users to nonfunctional or suspicious web pages. This unpredictability in redirection destinations is a characteristic of this browser hijacker.

To make matters more complex, this browser hijacker uses a persistence technique that prevents users from easily recovering their Web browsers. The redirections are carried out by a process called 'UITheme.exe.' What sets this hijacker apart is that removing it is not straightforward: it abuses a legitimate, Microsoft-signed tool, the Microsoft Deployment Toolkit (MDT) utility 'ServiceUI.exe,' to ensure that the 'UITheme.exe' process is restarted automatically after it is terminated via the Task Manager or after a system reboot. Because 'ServiceUI.exe' is a genuine Windows administration tool, its presence alone is not suspicious; what matters is that it is being used to relaunch 'UITheme.exe.' This persistence mechanism adds an extra layer of difficulty for users attempting to rid their system of the browser hijacker.

How to Remove the Redirects?

To remove the browser hijacker promoting the dubious address from your system, follow these steps:

  1. Open the Windows Task Manager: You can access Task Manager by pressing 'Ctrl + Shift + Esc' or 'Ctrl + Alt + Delete' and then selecting Task Manager from the options presented.
  2. Locate the 'ServiceUI.exe' process: In Task Manager, scroll down the list of running processes and look for 'ServiceUI.exe.' Once you've found it, select it.
  3. Terminate the 'ServiceUI.exe' process: Click the 'End Task' button. This stops the 'ServiceUI.exe' process, which is responsible for restarting 'UITheme.exe.' Ending it first matters: if 'UITheme.exe' is ended while 'ServiceUI.exe' is still running, it will simply be relaunched.
  4. Locate 'UITheme.exe': In Task Manager, search for the 'UITheme.exe' process.
  5. End the 'UITheme.exe' process: Select 'UITheme.exe' and click the 'End Task' button. This halts the 'UITheme.exe' process.
  6. Open the 'System32' Windows folder: Open File Explorer and navigate to the 'System32' folder, which is typically located at C:\Windows\System32.
  7. Locate 'UITheme.exe': In the 'System32' folder, look for a file named 'UITheme.exe.'
  8. Delete 'UITheme.exe': Right-click 'UITheme.exe' and select 'Delete' from the context menu. Confirm that you want to delete the file when prompted.
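The following PowerShell script is an added example, not code from the original article or from any vendor tool. It automates the eight removal steps above and checks the indicators from the persistence section in the order that matters: stop the 'ServiceUI.exe' watchdog first, then 'UITheme.exe', confirm it does not come back, and only then delete the dropped file. The process names and the path C:\Windows\System32\UITheme.exe are taken from the article; the indicator report, the SHA-256 hash recorded before deletion, the dry-run (-WhatIf) switch and the "came back" check are this example's own additions. It assumes, as the article describes, that 'ServiceUI.exe' is the only thing relaunching 'UITheme.exe'.

```powershell
# Added example (not the article's own code). Run from an elevated PowerShell
# prompt: ServiceUI.exe normally runs as SYSTEM, so stopping it needs admin rights.
# Indicators from the article: process names ServiceUI.exe / UITheme.exe and the
# file C:\Windows\System32\UITheme.exe. Everything else is this example's choice.

$HijackerExe = Join-Path $env:SystemRoot 'System32\UITheme.exe'

function Get-HijackerIndicators {
    # Snapshot the three indicators before touching anything, so the operator can
    # confirm the machine matches the article's description. The command line of
    # ServiceUI.exe is included because a legitimate MDT deployment also uses this
    # binary; only its use to relaunch UITheme.exe is the hijacker's signature.
    $serviceUi = Get-CimInstance Win32_Process -Filter "Name = 'ServiceUI.exe'"
    $uiTheme   = Get-CimInstance Win32_Process -Filter "Name = 'UITheme.exe'"
    [PSCustomObject]@{
        ServiceUIProcesses = @($serviceUi | Select-Object ProcessId, ParentProcessId, CommandLine)
        UIThemeProcesses   = @($uiTheme   | Select-Object ProcessId, ParentProcessId, CommandLine)
        UIThemeOnDisk      = Test-Path -LiteralPath $HijackerExe
    }
}

function Stop-NamedProcess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)   # name without the .exe suffix
    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Verbose "No running process named $Name.exe"; return }
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("$Name.exe (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force -ErrorAction Stop
        }
    }
}

function Remove-BrowserHijacker {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $HijackerExe)

    # Steps 2-3: the watchdog goes first; otherwise it relaunches UITheme.exe.
    Stop-NamedProcess -Name 'ServiceUI' -WhatIf:$WhatIfPreference
    # Steps 4-5: now the redirecting process itself.
    Stop-NamedProcess -Name 'UITheme' -WhatIf:$WhatIfPreference

    # Safety check (added here): if UITheme.exe reappears within a few seconds,
    # something other than ServiceUI.exe is restarting it. Stop and investigate
    # rather than deleting a file that is about to be recreated or re-run.
    if (-not $WhatIfPreference) {
        Start-Sleep -Seconds 3
        if (Get-Process -Name 'UITheme' -ErrorAction SilentlyContinue) {
            Write-Warning 'UITheme.exe was relaunched after ServiceUI.exe was stopped; another persistence mechanism is present. Aborting before deletion.'
            return
        }
    }

    # Steps 6-8: delete the dropped file, recording its hash first for incident notes.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "$Path not present; nothing to delete."
        return
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "UITheme.exe SHA-256 before deletion: $hash"
    if ($PSCmdlet.ShouldProcess($Path, 'Remove-Item')) {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Host "Deleted $Path"
    }
}

# Usage (elevated prompt):
Get-HijackerIndicators | Format-List        # 1. confirm the indicators are present
Remove-BrowserHijacker -WhatIf              # 2. dry run: shows what would be stopped and deleted
# Remove-BrowserHijacker                    # 3. perform the removal
# Get-HijackerIndicators | Format-List      # 4. re-check now, and again after a reboot
```

Run the dry run first and read the ServiceUI.exe command line it reports: on a machine where MDT is genuinely in use, a ServiceUI.exe that is not launching 'UITheme.exe' should be left alone. Re-running the indicator check after a reboot mirrors the article's point that the hijacker is designed to survive one.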

By applying these steps, you will have effectively removed the 'UITheme.exe' file associated with the browser hijacker. This should help prevent the hijacker from automatically restarting and ensure a cleaner system without the redirects to Do not forget to exercise caution when making changes to your system files and processes, as improper actions can affect your computer's stability and functionality.
