Removal Guide

Do you know what is? is a vicious browser hijacker that affects Google Chrome, Internet Explorer, and Mozilla Firefox browsers. This threat is very clandestine, and its name does not exactly come into the main picture, which is why users might have trouble identifying it as a threat. The way this hijacker works is truly confusing, but we will try to untangle the mess to make it all clear for you. First and foremost, we have to warn you that this hijacker is dangerous. If you do not remove it in time, your virtual security could be jeopardized in a serious way. Obviously, at the end of it all, you need to delete hijacker from your browsers, and the sooner you do this, the better.

Where does come from? This hijacker is very clandestine, which means that it needs a secret backdoor into your operating system. The sad thing is that most victims of this infection will provide cyber criminals with the backdoor themselves. You might do that by downloading a malicious software bundle or a corrupted file introduced to you via a misleading pop-up offer. It could also be downloaded along with other malicious infections that might be just as devious. The malicious is dropped to the folder named “Browsers” under %AppData%, and the main file is named “exe.xoferif.bat”. When the hijacker strikes, it changes the targets of all browser shortcuts to represent the path to this file (you will see “%Appdata%\Browsers\exe.xoferif.bat” added in the Target path). Do you know what a browser Target is? You can access it by right-clicking the shortcut of any browser and selecting “Properties.” By modifying the Target, the hijacker ensures that every time you launch the infected browser, you are automatically routed to “” Removal screenshot
Scroll down for full removal instructions

Although, initially, users are routed to, they are automatically rerouted to via This is messy, and that indicates that the creator of this hijacker is trying to foil the trail. When it comes to, this search provider is completely unpredictable. As you might have noticed, it does not reveal any information about itself, which is a sign that something is being hidden from you; most probably, malicious activity. This search tool displays banner advertisements that you should never interact with, as well as a search dialog box. This search box represents “Google Custom Search,” but do not be misled by the name “Google.” Although the well-known company is responsible for the “Custom Search” search engine, it is in no way associated with the hijacker or the results that are shown to you by its developer. Do NOT interact with the search results because they are most likely to be modified. If you do, you could expose yourself to dangerous scams and corrupted sites.

Do you need further reasoning why deleting hijacker is important? We are sure that you do not want to waste any more time with this devious threat. Although its removal is not the easiest of tasks, we are sure you can handle it yourself. The biggest problem is that it might take some time to modify all of the browser shortcuts, which is exactly what you will need to do. In the guide below, we provide a list of directories where you might find browser shortcuts. In general, most users have shortcuts on their Desktops, Taskbars, and Start menus. Check these locations first. You can also delete all shortcuts, modify the original .exe file and create new shortcuts. Additionally, you will need to remove hijacker file, but that is the easiest part. The most difficult part is keeping your operating system malware-free in the future, and because of that, we advise installing anti-malware software.


  1. Launch Explorer by simultaneously tapping Win+E keys.
  2. Enter %AppData% into the address bar.
  3. Right-click the folder named Browsers and click Delete (this folder should contain exe.xoferif.bat).
  4. Locate the shortcut of the infected browser. This shortcut might be located in one of these folders:
    • %ALLUSERSPROFILE%\Start Menu\Programs
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
  5. Right-click the infected shortcut and select Properties.
  6. Click the Shortcut tab and find the Target section.
  7. Replace the existing path with the path of your original browser (e.g., for Mozilla Firefox, it might be "C:\Program Files\Mozilla Firefox\firefox.exe").
  8. Click OK and restart the browser.

N.B. Make sure you fix the Targets on all corrupted browser’s shortcuts.

In non-techie terms:

The malicious hijacker is truly clandestine, and identifying it as the main threat might be difficult. However, if you check the Target of the infected browser, and you find the URL to this hijacker added to the Target path, you can be sure that this is the infection you are dealing with. You need to delete this hijacker because it corrupts your browsers illegally, redirects to third-party pages without your authorization, and exposes you to a search engine that might showcase misleading links instead of legitimate search results. Obviously, the sooner you get rid of this nonsense, the better. We suggest following the guide below and, afterward, scanning your PC with a malware scanner. If other infections are detected – and it is very likely that they will be – erase them immediately.