olkpikmlhoaojbbmmpejnimiglejmboe malware is synced, I can't escape
-
amissingleaf last edited by
\HKEY_CURRENT_USER\SOFTWARE\Opera Software\514abe5a3ee09dc580b870efeb8b6616\PreferenceMACs\Default\extensions.opsettings\olkpikmlhoaojbbmmpejnimiglejmboe
Subject: Malicious extension olkpikmlhoaojbbmmpejnimiglejmboe keeps reappearing in registry after login
Hello,
I'm experiencing a persistent issue with a malicious Chrome extension (ID: olkpikmlhoaojbbmmpejnimiglejmboe) that keeps regenerating in Opera's registry despite multiple removal attempts.
Problem Details:
- Deleting Opera profile folder (%AppData%\Opera Software\Opera Stable) works temporarily
- Registry entry reappears: HKEY_CURRENT_USER\SOFTWARE\Opera Software\[profileID]\PreferenceMACs\Default\extensions.opsettings
- Happens immediately after Google login/sync (even with sync disabled)
- Clean when logged out, contaminated when logged in
- Same issue occurs in Chrome browser
What I've tried:
- Complete Opera profile deletion
- Registry cleanup (all olkpikmlhoaojbbmmpejnimiglejmboe entries removed)
- Disabled sync, logged out of Google account
- Chrome://extensions and opera://extensions show no extension
Root cause appears to be Google sync server pulling the malicious extension ID upon login.
Questions:
- Is Opera pulling extension data from Google Chrome sync servers?
- How can I completely purge this extension ID from sync data?
- Is there a server-side sync reset for Opera/Google account?
- Does Opera cache extension settings independently of Chrome sync?
Opera version: Latest stable
OS: Windows 10
This extension was likely installed accidentally via Chrome Web Store and now syncs across browsers. Need permanent solution to stop registry regeneration.
Thank you!
-
leocg Moderator Volunteer last edited by
@amissingleaf Opera doesn't synchronise extensions from Chrome store.
-
burnout426 Volunteer last edited by
You can reset Google Sync at https://chrome.google.com/sync.
You can reset Opera Sync at https://www.sync.opera.com/ using the "Reset passphrase" link. Opera doesn't sync with Google's servers though. It only syncs with sync.opera.com and only extensions from addons.opera.com are synced.
For good measure, you should scan your system with the free version of Malwarebytes.
Also, look in "C:\Users\yourusername\AppData\Roaming" and "C:\Users\yourusername\AppData\Local" for a folder that has manifest.json in it. If you find one, open manifest.json in a text editor and see if that looks like the culprit. If so, delete the extension folder.
In the Windows task manager, see if there are any weird processes running. There could be malware running that keeps reinstalling the extension.
Check in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies" for a "Google" key to see if there are any subkeys that are force-loading the extension.
Check "HKEY_CURRENT_USER\Software\Policies", and "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies" too.
Check "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions", "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions" and "HKEY_CURRENT_USER\Software\Google\Chrome\Extensions" too.
For Opera's desktop shortcut, right-click on it, go to "properties" and check the target field command on the "Shortcut" tab to make sure there are no command-line switches being passed to opera.exe to directly load an extension. Same with Opera's pinned taskbar icon by right-clicking it and right-clicking "Opera Browser" and going to "properties".
Check the "Startup" tab in the Windows task manager and "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run".
Searching for "olkpikmlhoaojbbmmpejnimiglejmboe" in the registry and removing things like you did will probably cover that, but you can manually check those keys just in case.
If a test standalone installation of Opera is not affected, but a regular installation is, you might have to uninstall the regular installation, delete its install folder and then delete/rename the "Opera Stable" folder in both "C:\Users\yourusername\AppData\Roaming\Opera Software" and "C:\Users\yourusername\AppData\Local\Opera Software".
You can go to the URL chrome://policy in both Chrome and Opera to see if it's picking up any policies from the registry. In Opera, you'll need to enable the "Show policy page" flag at the URL opera://flags/#policy first though.
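
The registry checks listed in the reply above can be run in one read-only pass. This is an added example, not part of the original posts: the key paths and the extension ID are taken from the thread, while the function name `Find-ExtensionReference` and the output layout are assumptions made for illustration.

```powershell
# Added example: read-only sweep of the registry locations named in the reply above.
# Nothing is modified or deleted; matches are only reported.
$ExtensionId = 'olkpikmlhoaojbbmmpejnimiglejmboe'   # ID from the thread

# Policy roots, external-extension keys and Run keys listed in the reply.
$Roots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKCU:\Software\Policies',
    'HKLM:\SOFTWARE\WOW6432Node\Policies',
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
    'HKCU:\Software\Google\Chrome\Extensions',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper name; it uses only standard registry-provider calls.
function Find-ExtensionReference {
    param([string[]]$Path, [string]$Id)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Match on the key name (for example ...\Extensions\<id>).
            if ($key.Name -like "*$Id*") {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            # Match on value names and value data (for example a policy list entry).
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -like "*$Id*" -or $data -like "*$Id*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

$hits = Find-ExtensionReference -Path $Roots -Id $ExtensionId
if ($hits) { $hits | Format-List } else { "No reference to $ExtensionId under the checked keys." }
```

Run it once while logged out of the browser account and once after logging in; a hit that appears only in the second run shows which key is being rewritten.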