Malware popups after Opera upgrade
The Opera upgrade to 31 recently ran on my laptop that runs Windows 10. Nothing unusual at first, the normal upgrade seemed to go well. However, when I access webpages now, if I click anywhere on the page to scroll down, I get popups telling me that my computer has a virus and to call an 800 number, or to click and talk to someone, or download virus removal software. I run Avast!, Malwarebytes Anti-Malware, and Spybot Search & Destroy, all of which come up empty after running. I have run Adware remover, JRT, and Hitman. Hitman found items, which I removed. I even uninstalled Opera and reinstalled version 29, but the same thing is happening. Opera's the only software that is different. No other updates have run. Any suggestions?
By the way, I do have an AdblockPlus extension enabled, but it doesn't seem to be working on these particular popups. I have screenshots but am not sure how to embed them here.
Give ADWCleaner a try. Also try googling the message the malware gives you. I find that getting help for the specific issue you are having generally works better than generic 'how to remove malware' advice.
Well, I have run ADWCleaner, several times. The malware messages range from simply a popup advertisement to a "Warning! If you're a Charter customer, call this number to get your computer fixed!" to ads from cnet for TVs. It's the weirdest thing I've ever seen. My son wonders if it's some sort of hidden ads on the pages I'm on, but why would they only show up AFTER the latest Opera upgrade and not before? And why when I am running an ad blocker recommended by Opera? At this point I have uninstalled Opera, installed an earlier version, and it still happens. Avast! tells me that some of the popups are malware, but many seem to be ads. Some are also the annoying pages that won't let you leave until you click five or six different close buttons. At this point I'm about ready to drop Opera, which I hate to do because I love it, but Chrome is perfectly fine and isn't giving me these popups.
There are no other recently installed programs. A Windows Update ran a few days ago, and a couple of other programs ran updates, but they were "in the background" and nothing unusual. I don't have any weird add-ons like odd browser toolbars or anything like that. The installed programs via Control Panel were the first thing I looked at after the malware/spyware scanners ran and didn't find anything. And it's just Opera. How can I completely remove Opera and get a fresh installation without losing my settings/preferences/bookmarks? Or is that a pipe dream? I have uninstalled Opera and installed an older version but the popups are still happening.
Well, you could try this: http://malwaretips.com/blogs/remove-tech-support-scam-popups/
It recommends you to:
- Stop the process of the browser.
- Start the browser without allowing it to reload the last opened page
- Run ADWCleaner
- Run Junkware Removal Tool
- Run Malwarebytes Anti-Malware
- Run Hitman Pro
- Reset internet options
It's definitely an injected ad-extension, or so I think.
Ciroa, and 8, wet-wipe your computer with some strong bleach solution.
Logic dictates that malware or adware constantly reappearing in a browser can only originate from among the following places:
- something embedded within a browser's own cached data or saved settings (speed dial or homepage material, hijacked search engine, etc)
- something embedded within a website's page code which is auto-called each time the browser starts (session tabs, homepage URL, speed dial URLs, etc)
- something attached to or called up by the browser upon its own startup (plug-ins, extensions, etc)
- infected material on a computer/drive that is set to auto-activate along with the browser (malicious files, a hacked command appended to a shortcut, etc)
- something injected into the download data stream by a less-than-ethical ISP
- multiple of the above
Generally speaking, the first thing to try in such cases is clearing all the browser's cached data and preventing the browser from auto-loading any potentially problematic website code (particularly prior sessions, speed dial selections, or even homepage). If this clears the problem, then it involves infected code from one of those sites, either stored by the browser or auto-visited upon browser startup.
If the problem remains, then the cause lies deeper, at a browser, settings, or system level. Inspection should then be done of browser extensions or plug-ins and tests performed (trying the browser with each of them disabled), as well as doing careful inspection of the desktop browser shortcut's internal command (to make sure no URL call-up has been maliciously appended to it). Next, assuming the problem remains, well-known removal tools (Malwarebytes, Adaware, Hitman, etc) come into play, and several should be tried since each product has its own strengths and blind spots. Finally, if the problem persists, careful checkout of the system for malware infection should be performed using various AV tools. If none of that resolves the problem, then 'professional' help at a reputable free malware-removal forum (Malwarebytes, Wilders, DSLR, etc) should be sought out; that help will normally involve the downloading of some powerful analysis and removal tools which should only be used under expert guidance, but which generally resolve all manner of malware infection problems.
In any case, be very wary of simply downloading a 'special' tool just because some run-of-the-mill website or post touts it for removing certain symptoms or problems. Reputation is everything here, because so much trust has to be extended when it comes to letting a 'tool' mess with the bowels of your computer. It's a golden field for even worse malware to be installed. So stick with the known-good reputation tools and 'helps' sites.
Ciroa, thanks for the info. I believe I already did all those steps but I will look over that tips section and try again just in case I missed something the first time 'round.
Blackbird71, I did clear the cache, including running Ccleaner several times. One of the issues seemed to be that Opera didn't close properly so I forced the close and ran the cleaner. Also as I mentioned I uninstalled Opera, cleared the memory, and reinstalled, only to find the annoying scareware/malware/ads still occurring. On my startup page, I have not changed or added anything since the upgrade (in fact for a few weeks before that), so I'm not certain how to check for an infected code. Do you suggest removing everything from my speed dial and then seeing if the problem persists first? How would I inspect the desktop browser shortcut's internal command? As I said, I'm pretty computer literate (I've set up networks, de-virused computers, taken apart my own laptop and added memory, replaced hardware, screens, removed programs, etc., so I'm not a novice), I've just never run into this particular (annoying) issue before. I've never relied on "tool of the month" type websites. I always use reputable websites and have never had an issue with their removal tools so far. Thanks for your input!
Blackbird71 ... On my startup page, I have not changed or added anything since the upgrade (in fact for a few weeks before that), so I'm not certain how to check for an infected code. Do you suggest removing everything from my speed dial and then seeing if the problem persists first?
How would I inspect the desktop browser shortcut's internal command?
Locate the icon you use to start Opera, then right click it. Select 'Properties', then look at the command in the 'Target' box. Make sure there's not a URL appended to the end of the command line.
As I said, I'm pretty computer literate (I've set up networks, de-virused computers, taken apart my own laptop and added memory, replaced hardware, screens, removed programs, etc., so I'm not a novice), I've just never run into this particular (annoying) issue before. I've never relied on "tool of the month" type websites. I always use reputable websites and have never had an issue with their removal tools so far. ...
It sounds like you generally practice 'safe hex', which unfortunately can make it hard to reconstruct specifically how the problem first occurred. Sometimes merely a stray click at the wrong place of a problematic site can lead to trouble, particularly in ads or pop-ups on a page. Downloading freeware from even the 'name' freeware houses has been proven to be a leading source of adware bundling and infection, but obtaining the downloads direct from the software maker normally prevents that problem (and downloads from Opera's own website are known to be clean and free of that sort of thing). The problem is that once certain kinds of adware get onto a system, they can infect it in multiple ways which act mutually to reinstate the adware if all its modes of infection aren't removed more or less together. One of the reinstatement modes involves employing Windows processes that are auto-reinstated after several seconds if they're halted or removed by a user. These are the kinds of beasts that normal adware-removal tools are designed to remove, but not all adware lends itself to easy removal via the standard tools. In some cases, an insightful look at Task Manager's list of running processes will betray the name of a particular adware's process that's involved in the infection and give insight into searching out a particularly effective removal tool for that flavor of adware.
If the popups have a link address that is displayed when you hover them, you might see if there is a common part - but under no circumstances should you actually click the link. In old Presto-based Opera (12.xx and earlier) I was an expert at sniffing out the source of obnoxious code and blocking it; unfortunately Blink-based Opera is not quite so transparent.
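The shortcut check described above (Properties, then the 'Target' box), scripted in PowerShell as an added example that is not part of any post in this thread. It reads each shortcut's target and arguments through the WScript.Shell COM object; the folder list and the browser-name pattern are assumptions and can be adjusted.

```powershell
# Added example: list browser shortcuts and flag any whose command line
# carries a URL after the executable.
# Assumption: shortcuts live in the usual Desktop / Start Menu / taskbar-pin folders.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

# Assumption: names that identify a browser shortcut or its executable
# (Blink-based Opera starts through launcher.exe).
$browserPattern = '(?i)opera|launcher|chrome|firefox|iexplore|msedge'
$urlPattern     = '(?i)https?://|www\.'

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # CreateShortcut on an existing .lnk opens it for reading.
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($_.BaseName -match $browserPattern -or $lnk.TargetPath -match $browserPattern) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                # True when something that looks like a URL follows the executable.
                HasUrl    = $lnk.Arguments -match $urlPattern
            }
        }
    } |
    Sort-Object HasUrl -Descending |
    Format-List
```

A clean browser shortcut normally shows an empty Arguments value; any entry with HasUrl set to True, or with a Target that is not the browser's own executable, is the one to inspect by hand.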
Blackbird71, I did clear the cache, including running Ccleaner several times. One of the issues seemed to be that Opera didn't close properly so I forced the close and ran the cleaner. Also as I mentioned I uninstalled Opera, cleared the memory, and reinstalled, only to find the annoying scareware/malware/ads still occurring. On my startup page, I have not changed or added anything since the upgrade (in fact for a few weeks before that), so I'm not certain how to check for an infected code.
Actually, you should (have) clean(ed) the registry (CCleaner or whatever) after you uninstall(ed) the browser. On the account of files somehow connected to the latter. The uninstall shouldn't uninstall linked malware, right?
And if you care for settings, you might copy the profile folder onto a removable drive. But then, in case there is something in that folder/those files that isn't right, you might try, upon a reinstall and before reapplying your backed up folder or files, checking those in your back-up against the fresh bare-bone ones: some "extra" files, differences in properties where there're unlikely to be such, even maybe checking the document structure of those that are meant to be changed (your settings etc.), (and/)or uploading them for analysis.
And (in order to learn if the above is needed anyway) you might consider trying the freshly reinstalled browser with that clean profile first. Maybe then reapplying your backed up thingies one by one (if there's nothing been found otherwise anyway).
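The profile comparison suggested above (backed-up profile against a fresh bare-bones one), as an added PowerShell example that is not from the thread. The backup path is a placeholder, and the `Opera Software\Opera Stable` profile location is an assumption about a default install; close the browser first so its files can be read.

```powershell
# Added example: report files that exist only in the backed-up profile, or whose
# content differs from the freshly created profile.
# Assumed paths: change both to match your machine.
$backup = 'E:\OperaProfileBackup'                               # placeholder
$fresh  = Join-Path $env:APPDATA 'Opera Software\Opera Stable'  # assumed default

function Get-ProfileIndex([string]$Root) {
    # Map each file's path relative to $Root to its size, hash and timestamp.
    $Root  = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $index = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length + 1)
        $index[$rel] = [pscustomobject]@{
            Size     = $_.Length
            Modified = $_.LastWriteTime
            Hash     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $index
}

$old = Get-ProfileIndex $backup
$new = Get-ProfileIndex $fresh

$report = foreach ($rel in $old.Keys) {
    $status = $null
    if (-not $new.ContainsKey($rel))            { $status = 'OnlyInBackup' }
    elseif ($new[$rel].Hash -ne $old[$rel].Hash) { $status = 'Differs' }

    if ($status) {
        [pscustomobject]@{
            Status   = $status
            File     = $rel
            Size     = $old[$rel].Size
            Modified = $old[$rel].Modified
        }
    }
}

$report | Sort-Object Status, File | Format-Table -AutoSize
```

Cache and history files are expected to differ; the entries worth reading are extension folders that appear as OnlyInBackup and settings files listed as Differs, which can then be restored one at a time.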
Use ComboFix, run it and see what's happened.
Just to update, I ran the malware removal tips process that Ciroa recommended, and in addition I uninstalled Opera after making a backup of my preferences/profile information. Then I ran Ccleaner again, ran more malware/adware/spyware cleaners, rebooted, and reinstalled a clean version of Opera. The popups are now gone. There must have been something attached to one of the speed dial favorites, maybe? I've started reapplying items and if one of them triggers another popup problem, I'll remove it right away. So far, so good, though. Thanks for the help. Sorry I didn't get back to the forum sooner. We were out of town on vacation, which made it doubly frustrating because I didn't have the ability to really back up my data effectively. Once we got home and recuperated from vacation (!), I was able to get started and things seem to be running smoothly so far. Fingers crossed, knock on wood, etc.