Threat Scorecard

Ranking: 5,530
Threat Level: 20 % (Normal)
Infected Computers: 64
First Seen: October 20, 2023
Last Seen: October 23, 2023
OS(es) Affected: Windows

The address in question belongs to a fraudulent search engine. Researchers have discovered a deceptive web page that uses a bait-and-switch tactic: explicit content serves as the lure to get users to download an installation setup, and that installer carries a browser hijacker that promotes the site.

Software in this category typically alters browser settings (homepage, new-tab page, default search engine) to redirect users to particular websites or flood them with unwanted ads. In this instance, however, the setup made no visible changes to the browser's settings. What makes it noteworthy is a persistence mechanism: the hijacker takes steps to stay on the system and to undo the user's attempts to stop the redirects, which makes recovering a hijacked browser harder than usual.

Browser Hijackers Often Promote Dubious Sites through Intrusive Tactics

A closer analysis of the setup that promotes the site turned up an unusual behavior pattern. Once installed, it acts primarily on new browser tabs: each time a new tab is opened, a redirect sends the user to the site. What sets this hijacker apart is that the redirects carry randomized search queries, so no two redirects look quite alike.

The term 'fake search engine' describes deceptive tools of this kind because they generally deliver no search results of their own; instead they reroute users' queries to established engines such as Bing, Google or Yahoo. Browser-hijacking software normally redirects users to such an illegitimate engine whenever they open a new tab or type a query into the address bar. As noted above, the behavior of this particular hijacker is notably different: the redirects come from a separate process rather than from altered browser settings.

What complicates matters is the hijacker's persistence mechanism. The redirects are driven by a process named 'UITheme.exe', and simply terminating that process does not stop them. The hijacker leverages 'ServiceUI.exe', a tool from the Microsoft Deployment Toolkit (MDT), to restart 'UITheme.exe' automatically after it is killed from Task Manager and after a system reboot. Two points matter for anyone cleaning this up. First, ServiceUI.exe is a legitimate, Microsoft-signed MDT component (its normal job is to let a task sequence running as SYSTEM show its UI in the logged-on user's session), so its presence alone is not proof of infection; on a machine that is not an MDT deployment target, though, it has no business being there. Second, ServiceUI.exe has to be stopped before UITheme.exe, otherwise the payload is simply relaunched. The report does not say what relaunches ServiceUI.exe itself after a reboot, so a thorough cleanup should also inspect the usual autostart locations (Run keys, scheduled tasks, services) for references to either binary.

How to Get Rid of the Redirects?

To stop the unwanted redirects to the site, follow these steps:

  1. Open Windows Task Manager: press Ctrl + Shift + Esc, or press Ctrl + Alt + Delete and select "Task Manager."
  2. Terminate the 'ServiceUI.exe' process: in the list of running processes, select "ServiceUI.exe" and click "End task." Do this before ending UITheme.exe, because ServiceUI.exe is what restarts it.
  3. End the 'UITheme.exe' process: locate "UITheme.exe" in the same list, select it, and click "End task."
  4. Navigate to the 'System32' folder: open 'C:\Windows\System32' in File Explorer.
  5. Locate 'UITheme.exe' and delete it: find the file named 'UITheme.exe' in System32 and delete it. Writing to System32 requires administrator rights, so confirm the elevation prompt if one appears.

Following these steps ends both processes and removes 'UITheme.exe' from System32, which should stop the redirects and defeat the hijacker's persistence mechanism. Reboot afterwards and confirm that neither process has returned; if either does, something else on the system is relaunching ServiceUI.exe and has to be found before the cleanup is complete.
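The same procedure as one elevated PowerShell script. This is an added example written for this page, not tooling from the original report. It assumes the indicators exactly as the article gives them (process names ServiceUI.exe and UITheme.exe, file path C:\Windows\System32\UITheme.exe) and, beyond the article's five steps, records the file's hash and signature status before deletion and performs a read-only sweep of common autostart locations (Run keys, scheduled tasks, services) for references to either name, since the article says the redirects survive a reboot but does not say what relaunches ServiceUI.exe.

```powershell
# Added example, not from the original article: automates the manual removal steps
# and adds verification. Run from an elevated PowerShell session (PS 4.0 or later).
# Assumptions: the payload lives exactly at %SystemRoot%\System32\UITheme.exe as the
# article states, and the two process names are the only indicators available.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$hijackerExe  = Join-Path $env:SystemRoot 'System32\UITheme.exe'
$launcherName = 'ServiceUI'   # legitimate MDT tool abused to respawn the payload
$payloadName  = 'UITheme'
$indicator    = 'ServiceUI|UITheme'   # case-insensitive regex used by the sweep below

# 1. Kill the launcher first (article step 2), then the payload (step 3); in the
#    other order ServiceUI.exe would simply restart UITheme.exe.
foreach ($name in @($launcherName, $payloadName)) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if ($procs) {
        foreach ($p in $procs) {
            Write-Host ("Stopping {0}.exe (PID {1}) from {2}" -f $p.ProcessName, $p.Id, $p.Path)
            Stop-Process -Id $p.Id -Force
        }
    } else {
        Write-Host "No running $name.exe process found."
    }
}

# 2. Record evidence, then delete the file (article steps 4 and 5).
if (Test-Path -LiteralPath $hijackerExe) {
    $hash = (Get-FileHash -LiteralPath $hijackerExe -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $hijackerExe).Status
    Write-Host "UITheme.exe SHA256=$hash AuthenticodeStatus=$sig"
    Remove-Item -LiteralPath $hijackerExe -Force
    Write-Host "Deleted $hijackerExe"
} else {
    Write-Host "$hijackerExe not present."
}

# 3. Beyond the article: report (do not delete) autostart entries referencing either
#    name, so the analyst can separate a legitimate MDT deployment from the hijacker.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match $indicator } |
            ForEach-Object { Write-Warning ("Autorun {0}\{1} = {2}" -f $key, $_.Name, $_.Value) }
    }
}

foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        # Only exec actions carry Execute/Arguments; other action types yield empty strings.
        $cmdline = "$($a.Execute) $($a.Arguments)"
        if ($cmdline -match $indicator) {
            Write-Warning ("Scheduled task {0}{1} runs: {2}" -f $task.TaskPath, $task.TaskName, $cmdline.Trim())
        }
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $indicator } |
    ForEach-Object { Write-Warning ("Service {0} runs: {1}" -f $_.Name, $_.PathName) }

# 4. Verify: give the launcher a moment to respawn, then confirm nothing came back.
Start-Sleep -Seconds 5
$stillRunning = Get-Process -Name $launcherName, $payloadName -ErrorAction SilentlyContinue
if ($stillRunning -or (Test-Path -LiteralPath $hijackerExe)) {
    Write-Warning 'Hijacker still present; review the autorun findings above and reboot to re-check.'
} else {
    Write-Host 'Clean: no ServiceUI/UITheme process and no System32\UITheme.exe.'
}
```

The sweep only warns; it never removes an autostart entry, because ServiceUI.exe may be a legitimate MDT artifact on managed machines and deleting the wrong entry is worse than leaving a warning for the analyst. If Remove-Item fails with an access-denied error even when elevated, the dropped file carries a restrictive ACL; take ownership of that single file first and rerun, rather than loosening permissions on System32 as a whole.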
