After last update, Opera isn't standard browser
-
upgradevictim last edited by
I did not see your 2:51 post before making my post.
As you can see from the link, my Opera %appdata% file shows several files created or modified at the time of the attempted upgrade.
Do I understand your note correctly: that the creation and modification of these files is NOT the result of any activity by Opera's servers?
This is a very important point.
I was not aware of any malware which could install by mocking itself as an Opera upgrade.
-
linuxmint7 last edited by
Go to 'Help / About Opera' to see exactly what version you have currently installed, though it is definitely a Presto version going by your screen shots.
-
A Former User last edited by
Are you the administrator of your system? Are there any kids around, perhaps? :rolleyes:
Just in case...
-
upgradevictim last edited by
Opera 13?
This is how my Opera now logs, same as before:
Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.17
Opera.exe and opera.dll both show version 12.17.1863.0.
-
linuxmint7 last edited by
Do you know what version of Opera you were on before this 'suspicious' update activity occurred?
-
upgradevictim last edited by
Can't go to Help > Opera because it doesn't show.
No one has physical access to my machine. I am the sole user.
-
upgradevictim last edited by
As I said, the version number of Opera has not changed. I have website logs showing the same version before and after the event, and there has been no change to any of the files in Program Files/Opera (at least according to Windows timestamps). The only change seems to be in the Opera %appdata% files.
-
blackbird71 last edited by
@upgradevictim, I'm trying to reconstruct a picture of what first occurred, especially the update splash screen. Per your second post, you stated that you were presented with a splash screen upon starting Opera; you then stopped Opera and restarted it and again got the splash screen; next you: "instead of proceeding with the upgrade, I just put an address in the address bar and started browsing, expecting to browse with old Opera as usual. I then found that everything had been upended, with the top bar showing Home, Bookmarks, Tools, Help and such gone."
Perhaps it's just the way it's worded, but it conveys an impression that up to and including the moment of entering the address in the address bar, the format/appearance of the Opera screen appeared "normal" in terms of what you expected for bars, buttons, and screen-frame; and that it changed only right at the point of starting to browse.
Was the update "splash screen" first displayed within the Opera page viewing area or overlaid on top of the Opera screen like a Windows message pop-up, etc? At the moment when you first entered browsing data into the address box, did the Opera appearance seem like what you normally expected? If so, at what point did it suddenly (?) change to what you currently have?
-
A Former User last edited by
...or try accessing opera://help.
Linux, that's been probably the files, do you think?
(Just reported a weird behaviour with this user's (in particular) postcount - do you, guys, see the "1" too there?)
-
linuxmint7 last edited by
> As I said, the version number of Opera has not changed.

Yeah sorry, saw that but slipped my mind when I was replying.
This definitely does not sound like activity from Opera or its update process, as there was nothing to update, as you say, you already had the latest version.
Are you sure there is nothing running amok on your computer, or maybe some software that offers the ability to update software for you automatically?
Any anti virus software installed, other than PrivateFirewall 7?
-
blackbird71 last edited by
...
> I was not aware of any malware which could install by mocking itself as an Opera upgrade.

While malware still must obey the laws of physics and the protocols of software, never underestimate the cleverness or creativity of hackers... nor the permutations of possible outcomes if a hack "goes bad" in midstream.
I realize memory is not always reliable, but it is important to try to recall exactly (as much as possible) what occurred at the beginning of the whole episode, particularly before memory shifts and/or gets colored by later thoughts and questions. Details of the initial experience of the update splash screen may shed light on where it might have actually come from, which in turn may give light on what it might have later done (and how).
-
upgradevictim last edited by
No AV other than PF 7.
The splash screen was in a frame; there were no navigation buttons available, but there was an address bar. There was no way to move from it. I restarted the browser, thinking the splash screen would disappear, but it didn't, so I browsed to a website using the address bar, and discovered the appearance of the browser had changed completely.
I am quite willing to send the %appdata% files to someone at Opera who can tell me whether they are in right order, or not.
And yes, I note my post count isn't increasing for some reason. (I'm posting with Firefox, not Opera).
-
linuxmint7 last edited by
> No AV other than PF 7.

Have you thought about maybe doing a scan for malware or other such dodgy software that may be lurking on your system that you may not know about? Maybe PrivateFirewall 7 may not be enough, and it's always good to have a second or even third opinion.
-
upgradevictim last edited by
The upgrade splash was a full screen, probably lightish blue with some graphics in the center. As I have said, I was furious because it gave me no option to postpone or reject the upgrade.
Yes, there are hackers about here who are motivated and talented. But I would certainly not want to be alarmist about this unless I was absolutely sure that those files on my machine did not come from Opera.
-
A Former User last edited by
-break
[playing-around] Yes, you're definitely cursed: unnatural happens on your machine, Operaforums doesn't want to update your postcount.
You're doomed, dude! :cheers: [/playing-around]
/end of -break
-
blackbird71 last edited by
...
> The splash screen was in a frame; there were no navigation buttons available, but there was an address bar. There was no way to move from it. I restarted the browser, thinking the splash screen would disappear, but it didn't, so I browsed to a website using the address bar, and discovered the appearance of the browser had changed completely.

...And:

> The upgrade splash was a full screen, probably lightish blue with some graphics in the center.

...That sounds as if it was actually a web-page appearing within a browser, rather than a typical "floating" update pop-up notification. Can you recall what the splash screen actually said? That is, did it tell you an Opera update was required, that an update was in-progress, or that an update had already occurred (like with a "welcome" screen)?
What version of Windows are you using? If you navigate through its control panel to the 'uninstall' programs area that one normally uses to remove a program, how many instances of Opera appear in that listing? Since Opera isn't capable of "updating" a Presto version into a Blink version, I'm trying to figure out if something instead of updating, triggered a normal 'manual,' first-time Blink Opera installation, which would be installed in parallel with the old installation, and send you to a welcome screen. In such a case, that new-install process would create new Opera shortcuts that would direct the user to the new installation, rather than the old Opera installation (which would still live on the system).
-
A Former User last edited by
Black, we've already guessed that's probably not the case. And I'm thinking of a malicious site now... Another question is what pushed it.
If that something was on machine before - to call on that site - ?
"Upgradevictim", can you access your browser's history (if you haven't been browsing much since the event)? (You weren't in the private mode, were you?)
And - was your antimalware software up-to-date at the moment?
-
blackbird71 last edited by
> Black, we've already guessed that's probably not the case. And I'm thinking of a malicious site now... Another question is what pushed it.

...Uhmm... I'm unaware that any conclusions have been reached, other than a recognition that Presto Opera installations cannot currently be updated into Blink Opera installations. What is still conjecture is whether a normal Blink Opera installation was somehow invoked on his system, occurred, and installed its own shortcuts - which, when clicked, the user dutifully thought would activate his old browser, but which instead activated the new install and routed that browser to Opera's "welcome" page upon browser startup. Thus far, I've not seen anything definitive that rules out two Opera versions being on his system - especially if the root (c:) program folders haven't been examined for that possibility.
My own suspicions also lean toward malware involvement, but we need to find out precisely what has actually occurred... and what has not occurred.
-
A Former User last edited by
> As I said, the version number of Opera has not changed. I have website logs showing the same version before and after the event, and there has been no change to any of the files in Program Files/Opera (at least according to Windows timestamps). The only change seems to be in the Opera %appdata% files.

Black, the user seems to have checked things...

> This is how my Opera now logs, same as before:
> Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.17
> Opera.exe and opera.dll both show version 12.17.1863.0.

-
blackbird71 last edited by
> > As I said, the version number of Opera has not changed. I have website logs showing the same version before and after the event, and there has been no change to any of the files in Program Files/Opera (at least according to Windows timestamps). The only change seems to be in the Opera %appdata% files.
>
> Black, the user seems to have checked things...
>
> > This is how my Opera now logs, same as before:
> > Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.17
> > Opera.exe and opera.dll both show version 12.17.1863.0.

Yes, I understand. But I'm unsure whether or not that means he doesn't have two Opera versions installed (or Opera and who-knows-what)... it shows something being "logged" somewhere, but there's a lot of room for confusion in that. And the versions of the files he's looking at may not be the files actually in use when he activates "Opera"... that would require some deeper examination with a process explorer, etc. when the "Opera" is running to track down where (folder/file/etc) it's actually running from. (As it is, I'm now having to go offline for the next several days, so hopefully others can help track all this down.)
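
The checks raised in this thread (which binary is actually running, how many Opera installs are registered, where the shortcuts point, and which profile files changed), collected as an added example that is not part of any poster's message. It assumes PowerShell 2.0 or later is available on the machine; the profile path and the time window are placeholders to adjust.

```powershell
# Added triage example. $profileDir and the time window are assumptions/placeholders.
$profileDir = Join-Path $env:APPDATA 'Opera'     # assumed location of the Opera profile
$windowFrom = Get-Date '2000-01-01 00:00'         # placeholder: start of the suspect period
$windowTo   = Get-Date '2000-01-02 00:00'         # placeholder: end of the suspect period

# 1. Image path and version of every running process named opera*.
#    Path and FileVersion come back empty if the process cannot be opened.
Get-Process | Where-Object { $_.ProcessName -like 'opera*' } |
    Select-Object Id, ProcessName, Path, StartTime,
        @{ Name = 'FileVersion'; Expression = { $_.MainModule.FileVersionInfo.FileVersion } } |
    Format-List

# 2. Opera entries registered for uninstall (machine-wide, 32-bit view, per-user).
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Opera*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation |
    Format-List

# 3. Where the Opera shortcuts on the desktop and start menu really point.
$shell = New-Object -ComObject WScript.Shell
$dirs  = 'Desktop', 'StartMenu' | ForEach-Object { [Environment]::GetFolderPath($_) }
Get-ChildItem -Path $dirs -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*Opera*' } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
        New-Object PSObject -Property @{ Shortcut = $_.FullName; Target = $lnk.TargetPath }
    } | Format-List

# 4. Profile files written inside the suspect window, oldest first.
Get-ChildItem -Path $profileDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.LastWriteTime -ge $windowFrom -and
                   $_.LastWriteTime -le $windowTo } |
    Sort-Object LastWriteTime |
    Select-Object LastWriteTime, CreationTime, Length, FullName |
    Format-Table -AutoSize
```

If the `Path` from step 1 or a shortcut `Target` from step 3 is not inside the Program Files/Opera folder whose files were inspected, the version numbers read from that folder say nothing about the browser that is actually running.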