Malware popups after Opera upgrade
-
pjn0524 last edited by
There are no other recently installed programs. A Windows Update ran a few days ago, and a couple of other programs ran updates, but they were "in the background" and nothing unusual. I don't have any weird add-ons like odd browser toolbars or anything like that. The installed programs via Control Panel were the first thing I looked at after the malware/spyware scanners ran and didn't find anything. And it's just Opera. How can I completely remove Opera and get a fresh installation without losing my settings/preferences/bookmarks? Or is that a pipe dream? I have uninstalled Opera and installed an older version but the popups are still happening.
-
ciroa last edited by
Well, you could try this: http://malwaretips.com/blogs/remove-tech-support-scam-popups/
It recommends you to:
- Stop the process of the browser.
- Start the browser without allowing it to reload the last opened page
- Run ADWCleaner
- Run Junkware Removal Tool
- Run Malwarebytes Anti-Malware
- Run Hitman Pro
- Reset internet options
It's definitely an injected ad-extension, or so I think.
-
blackbird71 last edited by
Logic dictates that malware or adware constantly reappearing in a browser can only originate from among the following places:
- something embedded within a browser's own cached data or saved settings (speed dial or homepage material, hijacked search engine, etc)
- something embedded within a website's page code which is auto-called each time the browser starts (session tabs, homepage URL, speed dial URLs, etc)
- something attached to or called up by the browser upon its own startup (plug-ins, extensions, etc)
- infected material on a computer/drive that is set to auto-activate along with the browser (malicious files, a hacked command appended to a shortcut, etc)
- something injected into the download data stream by a less-than-ethical ISP
- multiple of the above
Generally speaking, the first thing to try in such cases is clearing all the browser's cached data and preventing the browser from auto-loading any potentially problematic website code (particularly prior sessions, speed dial selections, or even homepage). If this clears the problem, then it involves infected code from one of those sites, either stored by the browser or auto-visited upon browser startup.
If the problem remains, then the cause lies deeper, at a browser, settings, or system level. Inspection should then be done of browser extensions or plug-ins and tests performed (trying the browser with each of them disabled), as well as doing careful inspection of the desktop browser shortcut's internal command (to make sure no URL call-up has been maliciously appended to it). Next, assuming the problem remains, well-known removal tools (Malwarebytes, Adaware, Hitman, etc) come into play, and several should be tried since each product has its own strengths and blind spots. Finally, if the problem persists, careful checkout of the system for malware infection should be performed using various AV tools. If none of that resolves the problem, then 'professional' help at a reputable free malware-removal forum (Malwarebytes, Wilders, DSLR, etc) should be sought out; that help will normally involve the downloading of some powerful analysis and removal tools which should only be used under expert guidance, but which generally resolve all manner of malware infection problems.
In any case, be very wary of simply downloading a 'special' tool just because some run-of-the-mill website or post touts it for removing certain symptoms or problems. Reputation is everything here, because so much trust has to be extended when it comes to letting a 'tool' mess with the bowels of your computer. It's a golden field for even worse malware to be installed. So stick with the known-good reputation tools and 'helps' sites.
-
pjn0524 last edited by
Ciroa, thanks for the info. I believe I already did all those steps but I will look over that tips section and try again just in case I missed something the first time 'round.
Blackbird71, I did clear the cache, including running CCleaner several times. One of the issues seemed to be that Opera didn't close properly so I forced the close and ran the cleaner. Also as I mentioned I uninstalled Opera, cleared the memory, and reinstalled, only to find the annoying scareware/malware/ads still occurring. On my startup page, I have not changed or added anything since the upgrade (in fact for a few weeks before that), so I'm not certain how to check for an infected code. Do you suggest removing everything from my speed dial and then seeing if the problem persists first? How would I inspect the desktop browser shortcut's internal command? As I said, I'm pretty computer literate (I've set up networks, de-virused computers, taken apart my own laptop and added memory, replaced hardware, screens, removed programs, etc., so I'm not a novice), I've just never run into this particular (annoying) issue before. I've never relied on "tool of the month" type websites. I always use reputable websites and have never had an issue with their removal tools so far. Thanks for your input!
-
blackbird71 last edited by
...
Blackbird71 ... On my startup page, I have not changed or added anything since the upgrade (in fact for a few weeks before that), so I'm not certain how to check for an infected code. Do you suggest removing everything from my speed dial and then seeing if the problem persists first?
Yes.
How would I inspect the desktop browser shortcut's internal command?
Locate the icon you use to start Opera, then right click it. Select 'Properties', then look at the command in the 'Target' box. Make sure there's not a URL appended to the end of the command line.
As I said, I'm pretty computer literate (I've set up networks, de-virused computers, taken apart my own laptop and added memory, replaced hardware, screens, removed programs, etc., so I'm not a novice), I've just never run into this particular (annoying) issue before. I've never relied on "tool of the month" type websites. I always use reputable websites and have never had an issue with their removal tools so far. ...
It sounds like you generally practice 'safe hex', which unfortunately can make it hard to reconstruct specifically how the problem first occurred. Sometimes merely a stray click at the wrong place of a problematic site can lead to trouble, particularly in ads or pop-ups on a page. Downloading freeware from even the 'name' freeware houses has been proven to be a leading source of adware bundling and infection, but obtaining the downloads direct from the software maker normally prevents that problem (and downloads from Opera's own website are known to be clean and free of that sort of thing). The problem is that once certain kinds of adware get onto a system, they can infect it in multiple ways which act mutually to reinstate the adware if all its modes of infection aren't removed more or less together. One of the reinstatement modes involves employing Windows processes that are auto-reinstated after several seconds if they're halted or removed by a user. These are the kinds of beasts that normal adware-removal tools are designed to remove, but not all adware lends itself to easy removal via the standard tools. In some cases, an insightful look at Task Manager's list of running processes will betray the name of a particular adware's process that's involved in the infection and give insight into searching out a particularly effective removal tool for that flavor of adware.
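The shortcut check described in this post can also be done on the `.lnk` file itself. The following is an added example, not code from the thread or from Opera: it reads the command-line arguments stored in a Windows shortcut, following the published Shell Link binary format, and reports any URL appended there. The helper names, the sample path and the sample URL are constructed for illustration.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits defined by the Shell Link (.lnk) binary format
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the optional StringData fields stored in a .lnk file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                  # fixed-size header
    if flags & HAS_IDLIST:                    # skip the target ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                  # this size field counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:           # fields appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        size = count * 2 if flags & IS_UNICODE else count
        raw = data[pos + 2:pos + 2 + size]
        if len(raw) != size:
            raise ValueError("truncated string data")
        fields[name] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252",
                                  errors="replace")
        pos += 2 + size
    return fields


def appended_urls(data: bytes) -> list:
    """URLs found in the shortcut's command-line arguments (empty list if none)."""
    return URL_RE.findall(parse_lnk(data).get("arguments", ""))


def build_sample_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed test input: header plus Unicode strings, no ID list or LinkInfo."""
    flags = 0x08 | IS_UNICODE | (0x20 if arguments else 0)
    blob = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(52)
    for text in [relative_path] + ([arguments] if arguments else []):
        blob += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return blob


if __name__ == "__main__":
    hijacked = build_sample_lnk(r".\launcher.exe", "http://ads.example.invalid/start")
    print(appended_urls(hijacked))
```

On a real system, pass the bytes of each browser shortcut (desktop, Start menu, taskbar) to `appended_urls`; any non-empty result is the appended URL the post says to look for in the 'Target' box.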
-
sgunhouse Moderator Volunteer last edited by
If the popups have a link address that is displayed when you hover them, you might see if there is a common part - but under no circumstances should you actually click the link. In old Presto-based Opera (12.xx and earlier) I was an expert at sniffing out the source of obnoxious code and blocking it; unfortunately Blink-based Opera is not quite so transparent.
-
A Former User last edited by
Blackbird71, I did clear the cache, including running CCleaner several times. One of the issues seemed to be that Opera didn't close properly so I forced the close and ran the cleaner. Also as I mentioned I uninstalled Opera, cleared the memory, and reinstalled, only to find the annoying scareware/malware/ads still occurring. On my startup page, I have not changed or added anything since the upgrade (in fact for a few weeks before that), so I'm not certain how to check for an infected code.
Actually, you should (have) clean(ed) the registry (CCleaner or whatever) after you uninstall(ed) the browser. On the account of files somehow connected to the latter. The uninstall shouldn't uninstall linked malware, right?
And if you care for settings, you might copy the profile folder onto a removable drive. But then, in case there is something in that folder/those files that isn't right, you might try, upon a reinstall and before reapplying your backed up folder or files, checking those in your back-up against the fresh bare-bone ones: some "extra" files, differences in properties where there're unlikely to be such, even maybe checking the document structure of those that are meant to be changed (your settings etc.), (and/)or uploading them for analysis.
And (in order to learn if the above is needed anyway) you might consider trying the freshly reinstalled browser with that clean profile first. Maybe then reapplying your backed up thingies one by one (if there's nothing been found otherwise anyway).
-
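One way to carry out the comparison suggested in the post above, as an added example that is not part of the thread: hash every file in the backed-up profile and in a fresh profile, then sort the backup's files into those that exist only in the backup, those that differ, and those that are identical. The file names and contents in `demo()` are constructed samples, not Opera's actual profile layout.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_profiles(backup: Path, fresh: Path) -> dict:
    """Classify the backup's files against a freshly created profile."""
    old, new = file_digests(backup), file_digests(fresh)
    shared = old.keys() & new.keys()
    return {
        # Present only in the backup: inspect these before restoring anything.
        "extra": sorted(old.keys() - new.keys()),
        # Present in both but different: expected for settings, still worth a look.
        "changed": sorted(k for k in shared if old[k] != new[k]),
        # Byte-for-byte the same as the fresh install: nothing to restore.
        "identical": sorted(k for k in shared if old[k] == new[k]),
    }


def demo() -> dict:
    """Build two constructed profile trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, fresh = Path(tmp, "backup"), Path(tmp, "fresh")
        samples = {  # constructed file names and contents
            backup: {"Preferences": '{"startup": "speeddial"}',
                     "Bookmarks": "{}",
                     "Extensions/sample_ext/background.js": "// unknown add-on"},
            fresh: {"Preferences": "{}", "Bookmarks": "{}"},
        }
        for root, files in samples.items():
            for rel, text in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text)
        return compare_profiles(backup, fresh)


if __name__ == "__main__":
    for group, names in demo().items():
        print(group, names)
```

Restoring the "changed" files one at a time and leaving the "extra" files out until they have been examined matches the one-by-one reapplication the post recommends.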
pjn0524 last edited by
Just to update, I ran the malware removal tips process that Ciroa recommended, and in addition I uninstalled Opera after making a backup of my preferences/profile information. Then I ran CCleaner again, ran more malware/adware/spyware cleaners, rebooted, and reinstalled a clean version of Opera. The popups are now gone. There must have been something attached to one of the speed dial favorites, maybe? I've started reapplying items and if one of them triggers another popup problem, I'll remove it right away. So far, so good, though. Thanks for the help. Sorry I didn't get back to the forum sooner. We were out of town on vacation, which made it doubly frustrating because I didn't have the ability to really back up my data effectively. Once we got home and recuperated from vacation (!), I was able to get started and things seem to be running smoothly so far. Fingers crossed, knock on wood, etc.