Remove / (TopYea) Fake Search Browser Virus or is a browser hijacker virus which changes the homepage of your browsers to its own domains. It changes the browser shortcuts so every time you open your internet browser a malicious search engine full of advertisements will open. The virus hides deep in Windows system and comes back even if you remove suspicious extensions or change the shortcuts.

The malicious homepages are full of advertisements and usually include a search field redirecting to Google custom search. The main purpose of this virus is to earn money for the creator by generating traffic to the advertisements from the hijacked browsers. Even though some of the advertisements may be from legitimate networks, it could also include malicious links leading to further infections. Also, the search engine monitors your browsing activity, history and related data.

This hijacker takes control of your browser settings, impairs your browsing experience and tracks your activity. Therefore, you should remove it as soon as possible. We have an automatic removal and protection tool. It will remove the threat and secure your computer from any viruses in the future. You can also find a manual removal guide below. Use the guide only if you feel confident in editing Windows system settings.

Recommended Method: Download Browser Hijacker Virus Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is / browser hijacker?

The main purpose of this hijacker is to replace the homepages of your browsers (including Chrome, Firefox, Opera, Internet Explorer, Microsoft Edge and more) and drive traffic to the creator’s websites. The websites are disguised as search engines although they just include custom Google Search and do not have real search functions themselves. Such hijackers usually generate revenue for the creators from advertisement views and clicks. Sometimes malicious homepages also promote other viruses by suggesting various updates and displaying warnings as well as redirecting to infected links.

Here are several websites belonging to the virus creators:

This malware focuses on modifying the shortcuts of your browsers so you will see the annoying advertisements reappear even if you remove all suspicious extensions or reset the browser settings. It is designed to be hidden deeply in the Windows system so you would not be able to remove it easily. The virus usually has a scheduled VBScript that modifies the shortcuts and makes it come back in case a user decides to remove it. After infection the virus destroys itself and only leaves the scheduled task. This means that there is no infected file on the system and it is harder to detect and remove the hijacker.

The following browsers are targeted by the virus:

Internet Explorer 
Chrome Firefox 
360 Chrome 
Sogou Explorer 
QQ Browser 
Baidu Browser 
TheWorld Browser 
Tencent Traveler

The most common way to get infected with this virus is by installing a program that has / hijacker bundled with it. Skipping the installation steps and neglecting to uncheck any “install additional software” fields can result in getting this adware even if you were installing a potentially harmless program. Other ways of getting infected include opening spam email attachments or other suspicious files, downloading illegal torrents, cracks and other software from unverified providers.

You should remove this adware in order to prevent spying on your browsing activity as well as to restore the browsing experience impaired by this virus. It is possible to curb this threat by following our manual guide, however, we recommend the automatic tool as it will also protect from any further infections as well. You will also be able to contact the removal tool support team and ask for manual removal help in case it has problems detecting the threat.

Here are some screenshots of the browser hijacker websites. Sometimes the websites are down and display errors or redirect to other pages:


 Manual Removal Instructions:

NB: Manual removal does not guarantee that this or any other threat will not come back in the future. You need to properly secure your machine even if you successfully remove the virus and the symptoms are gone. Use the tool provided at the top of this page to protect your machine from future infections.

Bookmark or print out this page before proceeding further. You can also open it on a separate device while working on the removal. This will guarantee that you will be able to come back after a browser or computer restart.

Step 1:

Remove the infections source from Windows Management Instrumentations.

Start by searching for “cmd” in Windows search.

Right-click on cmd.exe (command prompt) and choose to “Run as administrator“.

Enter the following in the newly opened black window:


Press Enter.

Windows Management Instrumentations will launch.

There is also an alternative quicker way to launch Windows Management Instrumentations but sometimes it does not give you the right permissions:

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

Windows Management Instrumentation Tester tool will open in a new window.

When Windows Management Instrumentations launches:

Click Connect…

In the Namespace field input the following:


Click Connect.

Now all buttons will be enabled.

Click Open Class…

A window with an input field will open. Enter the following:


Click OK.

Click Instances when another window opens.

You should see a list of ActiveScriptEventConsumer Instances.

The malicious one is usually listed as follows:


Select this entry and click Delete in order to remove it.

Step 2:

Delete the shortcuts for all browsers on your computer as they have been changed by the virus. Browser hijacker includes its own website in “Target” field.

The virus modifies browser shortcuts in the following locations:

C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Recreate all browser shortcuts again in order to have clean launch.

Alternatively, you can click Properties on each of the shortcuts and remove any additions made to the Target field by the virus.

After removing browser hijacker

Even though the virus has been removed you should still secure your computer with a proper antivirus software in order to prevent future attacks. Also, avoid installing suspicious programs and always follow the installation steps carefully in order not to skip removal options for any additional unwanted programs.

  1. Hytham says:

    Thank you for trying to help
    am stuck at step 1
    when i try to delete “ActiveScriptEventConsumer.Name=”ASEC”” i gut an error:
    number: 0x80041003
    Facility: wmi
    Description: Access Denied
    can you help me please

    1. Support says:

      Hello Hytham, could you elaborate at what exact point of Step 1 do you get this error? Does this happen when you click the “Delete” button or earlier?

      Maybe you use the computer as another user than Administrator which may not allow you to perform the action?

      Have you tried rebooting the computer and trying the Step 1 again

    2. Support says:

      Here is a solution that might work:
      1. Search for “cmd” using Windows search
      2. Right-click on command prompt (cmd.exe) program and choose “Run as administrator”
      3. Enter “wbemtest” without quotes and click enter
      4. The WMI should now open and you should be able to save the changes.

      This article has been updated as well to include the additional steps.

Leave a Reply

Your email address will not be published. Required fields are marked *

Begin typing your search above and press return to search. Press Esc to cancel.