Click on screenshot to zoom
Danger level 7
Type: Browser Hijackers
Common infection symptoms:
  • Hijacks homepage
  • Changes default search engine is an untrustworthy domain which redirects users straight to third-party websites containing advertisements, online surveys, or asking to register to get access to some kind of content, e.g. premium online games. is set on all their browsers against their will, which suggests that this infection should be called a browser hijacker. This browser hijacker shares similarities with, so it does not surprise specialists working at at all that it acts quite aggressively after infiltrating computers. Annoying redirections to dubious websites can, of course, be stopped by deleting this browser hijacker from the system fully. Sadly, it applies modifications upon the entrance that make it hard to delete it. To name only a few, it modifies shortcuts, more specifically, the Target line of all web browsers it finds installed on the computer, usually, Internet Explorer, Google Chrome, and Mozilla Firefox. In addition, it drops a folder Browsers in %APPDATA% containing files it needs to work properly. Evidently, users will have to put much effort into the removal process.

Malware analysts have noticed after looking inside files located in %APPDATA%\Browsers that they contain the so-called obfuscated commands. For example, one of the .bat files (exe.emorhc.bat) which can be found there contains a command c:\PROGRA~1\google\chrome\APPLIC~1\chrome.exe” It is used to make sure that Google Chrome opens the website containing the commercial content. The same can be found in other .bat files (exe.erolpxei.bat and exe.xoferif.bat) which are, evidently, used to control Internet Explorer and Mozilla Firefox. They will open the same page automatically too when they are opened. Do not click on ads you see and do not take any surveys because you might be asked to enter information which might then be sold to bad people. Users might also be presented with malicious advertisements which might redirect to pages promoting malware. Theoretically, the automatic installation of undesirable software might be started too after clicking on a bad ad, so security specialists suggest eliminating all these ads as soon as possible. Redirections to dubious websites with commercials will no longer take place if you go to remove the browser hijacker today.

Users should go to stop redirections to third-party websites because this might result in the emergence of privacy-related problems as well. For example, users might be taken to pages after clicking on advertisements whose main goal is to steal information. It is especially dangerous to enter personal details on untrustworthy websites. Cyber criminals might lure users into doing that by showing pop-ups telling that users are one step from winning an expensive item, e.g. a cell phone. Of course, this is only one of the tactics used by them, so always keep the personal information to yourself on all occasions.

Bundled malicious installers are the ones spreading the browser hijacker. It has been noticed by researchers that users who periodically download free software from Torrent and P2P pages become victims of browser hijackers more frequently, so you could have downloaded a bundle together with the browser hijacker from there too. Of course, these are not the only sources of suspicious applications.

In the case of, it starts working immediately after the successful infiltration. First of all, it hijacks all shortcuts belonging to browsers. It usually changes the default Target line to %Homedrive%:\Users\{username}\AppData\Roaming\Browsers\exe.xoferif.bat. Sadly, all shortcuts, even those located in the Start menu, are affected by it. It is not the only change it makes on the affected computer. After its entrance, a new folder containing files of this threat could be located too. If you do not want to encounter any other browser hijacker again, acquiring a reputable antimalware tool should be your top priority today.

Do not expect to delete the browser hijacker through Control Panel because it will be impossible to do that. The only way to remove this computer infection manually is to delete its folder with files from %APPDATA% and then fix all hijacked browsers’ shortcuts. You are welcome to use our manual removal guide if you need guidance. Alternatively, you can give permission to a reputable antimalware tool to delete for you. Invest only in a reputable scanner, e.g. SpyHunter and do not trust by any means those malware removers promoted on dubious file-sharing pages.

Delete manually

  1. Press Win+E to launch the Windows Explorer.
  2. Go to %APPDATA% (open this directory by entering it at the top of the Explorer).
  3. Find all shortcuts hijacked (their target lines should contain data pointing to a .bat file). They should be located here:
  • %ALLUSERSPROFILE%\Start Menu\Programs
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs
  • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
  • %USERPROFILE%\Desktop
  1. Fix all shortcuts. What you need to do is to right-click on a shortcut, open the Shortcut tab, and delete the line from Target line.
  2. Enter a line pointing to the .exe file of your browser, e.g. "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Internet Explorer), "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" (Mozilla Firefox), or "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" (Google Chrome).
  3. Click OK.
Download Spyware Removal Tool to Remove*
  • Quick & tested solution for removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.