unwanted download and install
-
A Former User last edited by
I don't want to use software that magically appears on my system.
But you said "I'm not sure if it's a real Opera." So if it's a fake Opera browser or a highly modified version to get you to use other search engines that pay or promote this kind of distribution, to get you to see different ads and track you via extensions, made by a malicious person, or perhaps a third-party installer or utility pushing it into your system and you're going to blame Opera Software ASA for that and **** on their products?
-
totrecal last edited by
blackbird71, that was my first thought. When the SSL thing hit the news I installed LastPass password generator, but not anything else. I've added Bitmeter since this started. I've searched out malicious software like you mentioned, but this one really has me stumped. Since Vipre hasn't been able to detect this, I agree it's got to be hiding somewhere like you mentioned. I'll give those two programs you gave me a try, thanks.
-
A Former User last edited by
It really does sound like this is malware of some sort.
Things don't just install themselves without some other agent being involved.
When and if it happens again, look in Task Manager to see what's actually running.
If the file opera.exe is listed as running, find it on the system and look at its properties, especially the digital signature.
I'd be very surprised if it's a genuine opera file.
-
A Former User last edited by
Even if it's the genuine Opera, a third-party app may be pushing the installer. Maybe Opera partnered with a third-party to advertise their software and they have no knowledge this third-party is doing things like that perhaps to fool Opera into thinking this company's ad campaign is very successful...
We just don't know yet.
Until now we have no info about what's running in your system, no log, no screenshots... I'll remain skeptical. If it's proven Opera is doing that on purpose, I'll be the first to defend you and try to get this practice to shut down.
-
kuhlmanck last edited by
One step might be to disable and delete all MSIE toolbars.
What's your default browser? IE, Firefox, Chrome, ???
-
totrecal last edited by
You guys are great!
As I continue to dig into this I find a record in my Vipre antivirus that shows 22.0.1471.70 as the version of Opera that is being installed. Since July 8, there have been six downloads and installs. I've run both AdwCleaner and Malwarebytes, but not in safe mode. They did pick up a couple of culprits that Vipre has been blocking too. I've made a copy of my processes with no apps running, and will be watching for Opera to sneak in again. I'll be going back into safe mode to see what else I can catch. Vipre scan has been run in safe mode twice now.
Considering the response here, I really have to consider Opera as one of my browsers when I've solved this problem. What's the opinion here about what would happen, if I had the newest version of Opera already installed? Would I at least get some notice that Opera was already on my computer? Right now the only notice I get is the icon that shows on my desktop. My main browser right now is Firefox, and I rarely use Chrome. Internet Explorer has been deleted since this system was new. I could drop Chrome and add Opera.
I can't imagine Opera would be trying on its own to install on my system. Like most of you, I believe somehow I let the download/install sneak in with some other program. Until this started I had no connection with Opera.
I really have to thank all of you. Until I got on this forum it was beginning to look like I'd be formatting my hard drive, and starting over. Of course, I'm still not sure I've got a fix yet.
-
A Former User last edited by
It would be very interesting to see what would happen if you did install Opera "properly"!
-
totrecal last edited by
Went to YouTube and checked old reviews of Opera from the beginning of the year. All pretty good on ver 19. Since I'm not really using Chrome, I think I'll install a "real" version tonight and see what happens. Might as well turn this lemon into lemonade.
-
A Former User last edited by
Internet Explorer has been deleted since this system was new.
Huh?
Come again?
-
totrecal last edited by
Joshl, I never found IE to be a very good browser. First thing I do is disable or delete it.
-
blackbird71 last edited by
...
I can't imagine Opera would be trying on its own to install on my system. Like most of you, I believe somehow I let the download/install sneak in with some other program. Until this started I had no connection with Opera.
I really have to thank all of you. Until I got on this forum it was beginning to look like I'd be formatting my hard drive, and starting over. Of course, I'm still not sure I've got a fix yet.
The only "legitimate" instances of auto-repeating install attempts I've ever run across are when Windows attempts a user-initiated or auto-update installation and somehow things get fouled up such that the installation breaks in mid-stream. Depending on how the install fails, Windows may repeatedly attempt to continue the install but be unable to complete it. Consequently, the "stuck" install may even attempt to unsuccessfully repeat itself each time the computer is re-started or the installation of another program is attempted.
Because that seems significantly different from what you describe in your situation, because nobody has attempted an initial install of Opera on that system according to your posts, and because Opera ASA (being a reputable company) never attempts to force-install its software onto a computer that already does not have Opera installed (ie: update), the implication is that malware of one form or another is involved in your problem. The degree of maliciousness of that malware cannot be determined until it has been identified. What does seem clear is that your system has been compromised, with the degree and type of compromise remaining undetermined thus far. In such an atmosphere, I personally would not attempt to install anything new onto the system (including genuine Opera) until I had fully established the computer to be squeaky clean. In this case, 'squeaky clean' includes no longer experiencing the false Opera installation attempts, or any other abnormality. On the other hand, if you plan on reformatting the system anyhow, then of course you can do anything with it in the meantime.
As you probably know, malware can take many forms and embed itself in many ways, up to and including rootkits (which intercept the operating system's internal 'calls' to completely hide itself from a user unless he's using very specialized anti-rootkit tools - and even then, it can be difficult to detect and remove some rootkits). Until you can analyze the actual cause of your problem, you should consider the system to be compromised, and that should impact what you do and trust with the computer, especially passwords and financial transactions. If you elect a reformat of the drive and re-installation of Windows, be sure to do a low-level format to make sure that any possible malware in the Master Boot Record of the drive is also wiped out.
-
totrecal last edited by
Thanks for the input Blackbird71. Thought I was staying ahead of the criminals, but they keep making improvements. :(
-
sgunhouse Moderator Volunteer last edited by
I'll presume there isn't something else you know about that happens "every three days"? Does it always happen at the same time? (When you start up that day, 10:00 AM, etc.) Opera itself doesn't sound like something malware would install - though as suggested previously someone might include a malware extension - something to steal bank passwords or some such - or some of the fake search engines. Very strange ...
If it always installs at the same time you might try watching for some strange process that runs just before that. Other than that - scan it before you delete it, perhaps? Send a copy of the installer to your AV people for them to examine?
I have to presume whatever installer you get runs unattended - without any dialog that has buttons for Options, Install and Cancel? Presuming you're not an admin account in XP, do you get a UAC dialog (where Windows asks if the program is allowed to make changes to the computer)? Of course XP doesn't show such a dialog if you're an administrator.
-
totrecal last edited by
sgunhouse, yesterday I was checking the history in Vipre, and in the Autopatch section I found a record of Opera installs. Turns out it's not every three days, but every two to four days and not the same time each day. I also found it strange that malware would want to install Opera. My thought was maybe Opera allowed access that my browsers didn't. It looks like Opera is more secure than Chrome or Firefox. So that might not be true.
Right now we're trying to catch this process in the act so I can see what might be running then. This all happens in the background. I'm on Windows Seven. I was pleased to see Seven asks for permission to make changes to the hard drive, but whatever this is doesn't make itself known. At least not while it's running. I have installed Bitmeter, which I've used before when on XP. Since Bitmeter runs constantly, I can see a download even when my browser and email are closed.
I've manually hunted down malware that got on a network I was administering, and had shut down Norton to infect the network. So it was a fairly sophisticated program, but that was years ago. Hackers have gotten a lot more clever, and I've been out of the business for quite a while now. It's been a very long time since I've had anything like this on one of my systems. Kind of scary really. :(
-
blackbird71 last edited by
@totrecal, have you tried using the free analysis tools like Process Explorer from Sysinternals (now part of Microsoft)? It gives a view of what has originated the various running processes. Also TCPView (also from Sysinternals/Microsoft) gives a view of what is in the TCP stack, from whence it originated, and where it might be calling out to.
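
The checks suggested in this thread (find the running file, inspect its digital signature, see what originated the process), as an added example that is not part of any post. It assumes Windows PowerShell; `Get-WmiObject` is used so it also runs on the PowerShell 2.0 that ships with Windows 7, and the process names are the ones reported in the thread.

```powershell
# Added example. Process names are the ones reported in this thread.
$names = 'opera.exe', 'upgrade.exe', 'install.exe'

# Snapshot all processes and index them by PID so parents can be resolved.
$all = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

foreach ($p in $all) {
    if ($names -notcontains $p.Name) { continue }   # -notcontains ignores case

    # ExecutablePath is empty when the session lacks rights to query the process.
    $status = 'PathUnavailable'
    $signer = $null
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # The recorded parent PID may belong to a newer process if the real parent
    # has exited, so only accept a parent that started before the child.
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and $parent.CreationDate -and $p.CreationDate) {
        $parentStart = $parent.ConvertToDateTime($parent.CreationDate)
        $childStart  = $p.ConvertToDateTime($p.CreationDate)
        if ($parentStart -gt $childStart) { $parent = $null }
    }

    New-Object PSObject -Property @{
        Name            = $p.Name
        ProcessId       = $p.ProcessId
        Path            = $p.ExecutablePath
        CommandLine     = $p.CommandLine
        SignatureStatus = $status
        Signer          = $signer
        ParentName      = $(if ($parent) { $parent.Name } else { 'exited or unknown' })
        ParentPath      = $(if ($parent) { $parent.ExecutablePath })
    } | Select-Object Name, ProcessId, Path, CommandLine, SignatureStatus,
                      Signer, ParentName, ParentPath | Format-List
}
```

A `SignatureStatus` other than `Valid`, or a `Signer` that is not the vendor expected for that file, is the first thing to look at; `ParentName` and `ParentPath` show which program launched the installer.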
-
totrecal last edited by
blackbird71, both Autoruns and Process Explorer have been on my system since I first set it up. I'm going to add TCPView right away. BTW, just for kicks I installed Opera 23 last night. Malware tried loading again this morning, but this time I got a box asking did I want this upgrade and I declined. Doesn't solve the problem, but at least I got the little bug to talk to me. It's actually tried twice this morning. I rejected it both times. First time it tried this morning I had no other programs running. All I could see on Task Manager that was not there last night was an upgrade.exe and an install.exe. I'm going to use the Sysinternals stuff to see what I can monitor when it shows up again.
I've been running Process Explorer on previous systems, but never could find out what the colors were about. Do you know?
-
A Former User last edited by
Options>Configure Colors will tell you what the colours represent and of course allow you to change them if you want to.
-
totrecal last edited by
I would like to thank everyone that's been offering suggestions here. I believe I may have solved the problem. It seems Vipre may have been the culprit. They have a security "patch" on a bunch of internet programs that includes the major browsers. I'm not sure why, but it was forcing an upgrade and install of Opera. Just ran a fix that included their patch on browsers I use and got the same results I was getting before. I'll be waiting a few days to see if this is the fix, but it sure looks like it.
Thanks to a number of you I now have more security on the system, and a few more tools to work with. This is one of the better forums I've had the pleasure of commenting on. I think I'll be back.