Author Topic: How I managed to remove Top-Arama browser hijacker/virus  (Read 3711 times)


REDACTED

  • Guest
How I managed to remove Top-Arama browser hijacker/virus
« on: March 08, 2016, 07:34:19 PM »
(O boy how I will grow to love THIS thread) ;)

A friend of mine:
He IS running the latest Avast (free) version.
I do not know the exact version number of his Avast, I'm writing this from MY computer (with neither an antivirus, nor a virus on it), but his Avast IS the latest (free) one; everything is up-to-date and all his shields were up and running OK.

And he called me for help removing something called "Top-Arama" virus/browser hijacker.
Link to the image:
http://dqp77l5g73bzp.cloudfront.net/wp-content/uploads/2015/10/search-top-arama-virus.png

Ok - no big deal, I thought - You already have an up-to-date Avast, so let us simply run a full scan and let Avast remove it.
Latest Avast (free version) running on his Win7 with the up-to-date definitions detected: literally NOTHING!!!???!!!
(Edit: Avast did find and remove 3 threats in the process, I just missed the Avast report yesterday; the Avast pop-up faded off after a long scan and I missed it.)

Ok, no big deal I thought again - let's run an AntiMalwareBytes full system scan (AntiMalware free, with up-to-date definitions installed in just a minute (NO REGISTRATION "drag" for AntiMalware by the way!), and detected and removed 2900 non-malware objects, and about 5 malware objects).

After system restart (enforced by the AntiMalwareBytes program) - Top-Arama was still there in his Google Chrome browser.

Ok no big deal, we will just "default" the Google Chrome settings, home page, and disable all plugins - and so on, but - nope - Top Arama was still there?!?

At this point my confidence in belief of the possibility for the successful removal of the "Top Arama" virus from his Avast-protected computer started to "wear off"! :P

I have to find SOME solution for him, and since my idea was not accepted (the idea at the end was: "just forget about the Google Chrome and go on using Netscape Navigator browser - like I do, as Netscape, the browser from 1995 is apparently immune to TopArama but the latest Google Chrome apparently is not") - I wonder:

- Did Avast ever develop something like a "stand-alone-tool" for Top-Arama removal?
- If not, then did anyone else develop something like a stand-alone-tool for Top-Arama removal?

« Last Edit: March 09, 2016, 09:45:31 PM by BulmaSoft »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #1 on: March 08, 2016, 07:38:14 PM »
Top arama is a new one on me, never heard of that before

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.

  • It will produce a log called FRST.txt in the same directory the tool is run from. 
  • Please attach both logs generated.

REDACTED

  • Guest
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #2 on: March 08, 2016, 07:45:33 PM »
His is Win7 32bit;
I will be again at his place tomorrow morning;
Will do that first thing tomorrow morning, thank you.

Offline essexboy

Re: What the latest version of Avast antivirus is missing to detect?
« Reply #3 on: March 08, 2016, 07:54:26 PM »
No problem, this is a new one hence MBAM is not seeing it.  You say it is attached only to Chrome

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #4 on: March 08, 2016, 08:01:19 PM »
It is a browser hijacker and not really a new one.
Already known for at least 6 months and MBam does detect it.

Could be that avast is detecting it as a PUP since it comes bundled with freeware software as video recording/streaming, download-managers and PDF creators.

REDACTED

  • Guest
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #5 on: March 08, 2016, 08:09:06 PM »
Quote
MBam does detect it.

Mbam did detect a HUGE list, removed all, but after restart - that one (TopArama) still remained.

Quote
Could be that avast is detecting it as a PUP since it comes bundled with freeware software as video recording/streaming, download-managers and PDF creators.

Avast literally detected: NOTHING. :(
(Default install, default everything)

Quote
You say it is attached only to Chrome

Yes, only to Chrome: He's got Chrome, Mozilla Firefox (and now Netscape as well) :D
It is attached only to Chrome; and maybe to his torrent program (not sure but I guess so.)

If I could only find the process of the virus....
« Last Edit: March 08, 2016, 08:14:58 PM by BulmaSoft »

Offline Eddy

Re: What the latest version of Avast antivirus is missing to detect?
« Reply #6 on: March 08, 2016, 08:13:06 PM »
Quote
Avast literally detected: NOTHING. (Default install, default everything)
That means PUP detection is not enabled.

REDACTED

  • Guest
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #7 on: March 08, 2016, 08:15:57 PM »
Quote
Avast literally detected: NOTHING. (Default install, default everything)
That means PUP detection is not enabled.

I'll check that tomorrow morning as well.
(How do I enable PUP detection in latest Avast?)
(Should Avast be able to detect it then?)

Offline essexboy

Re: What the latest version of Avast antivirus is missing to detect?
« Reply #8 on: March 08, 2016, 08:34:48 PM »
Go to settings > general


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #9 on: March 09, 2016, 12:21:32 AM »
Quote
(Should Avast be able to detect it then?)
NO security program has 100% detection or zero false positives, and new versions arrive every day




REDACTED

  • Guest
Re: What the latest version of Avast antivirus is missing to detect?
« Reply #10 on: March 09, 2016, 09:33:26 PM »
Quote
No problem, this is a new one hence MBAM is not seeing it.  You say it is attached only to Chrome

I am terribly sorry: Mbam did see it and it DID remove it yesterday!
Apparently it remained ONLY in the Chrome's resources.pak file as a modification...

C:\ProgramFiles\Google\Chrome\Application\[chrome version number]\resources.pak

I found it by searching the contents of ALL files on Hard Disk C: (TotalCommander - advanced search - search for all files on hard drive C, not older than 1 month, and containing "Top-Arama" search string).

After the manual deletion of the modified resources.pak file of the Google Chrome - chrome could not work. (Don't even know what that APK file for chrome is - anyway?)
Well... don't know.. don't care... :P

Since Chrome could not work without that APK file after I simply deleted it...
Then... solution: kill & delete all Chrome's files and processes, and perform clean install of Google Chrome.
Status: OK! :D :D :D
Thank You again.
« Last Edit: March 09, 2016, 09:40:31 PM by BulmaSoft »
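
The content search described in the last post (all files not older than one month that contain the "Top-Arama" string), as an added example that is not part of the original thread. The function names and the command-line root argument are assumptions made for illustration; the marker is also matched as UTF-16LE, since Windows files often store text that way.

```python
import os
import sys
import time

CHUNK = 1 << 20  # read in 1 MiB pieces so large .pak files are not loaded whole


def needles_for(marker):
    """Byte patterns to look for: exact/lower/upper case, as UTF-8 and UTF-16LE."""
    variants = {marker, marker.lower(), marker.upper()}
    return sorted({v.encode(enc) for v in variants for enc in ("utf-8", "utf-16-le")})


def file_contains(path, needles):
    """Stream the file, keeping an overlap so a match split across chunks is found."""
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return False
            data = tail + block
            if any(n in data for n in needles):
                return True
            tail = data[-overlap:] if overlap else b""


def find_recent_files_with_marker(root, marker, max_age_days=30, now=None):
    """Return sorted paths under root modified within max_age_days that contain marker."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    needles = needles_for(marker)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime >= cutoff and file_contains(path, needles):
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable file: skip it and keep scanning
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # directory to scan (assumption)
    for hit in find_recent_files_with_marker(root, "Top-Arama"):
        print(hit)
```

The age filter relies on the file's modification time, which whatever altered the file can also set, so a clean result is more convincing when the scan is repeated with a large `max_age_days`.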