unwanted download and install
-
blackbird71 last edited by
...
I can't imagine Opera would be trying on its own to install on my system. Like most of you, I believe somehow I let the download/install sneak in with some other program. Until this started I had no connection with Opera.
I really have to thank all of you. Until I got on this forum it was beginning to look like I'd be formatting my hard drive, and starting over. Of course, I'm still not sure I've got a fix yet.
The only "legitimate" instances of auto-repeating install attempts I've ever run across are when Windows attempts a user-initiated or auto-update installation and somehow things get fouled up such that the installation breaks in mid-stream. Depending on how the install fails, Windows may repeatedly attempt to continue the install but be unable to complete it. Consequently, the "stuck" install may even attempt to unsuccessfully repeat itself each time the computer is re-started or the installation of another program is attempted.
Because that seems significantly different from what you describe in your situation, because nobody has attempted an initial install of Opera on that system according to your posts, and because Opera ASA (being a reputable company) never attempts to force-install its software onto a computer that already does not have Opera installed (ie: update), the implication is that malware of one form or another is involved in your problem. The degree of maliciousness of that malware cannot be determined until it has been identified. What does seem clear is that your system has been compromised, with the degree and type of compromise remaining undetermined thus far. In such an atmosphere, I personally would not attempt to install anything new onto the system (including genuine Opera) until I had fully established the computer to be squeaky clean. In this case, 'squeaky clean' includes no longer experiencing the false Opera installation attempts, or any other abnormality. On the other hand, if you plan on reformatting the system anyhow, then of course you can do anything with it in the meantime.
As you probably know, malware can take many forms and embed itself in many ways, up to and including rootkits (which intercept the operating system's internal 'calls' to completely hide itself from a user unless he's using very specialized anti-rootkit tools - and even then, it can be difficult to detect and remove some rootkits). Until you can analyze the actual cause of your problem, you should consider the system to be compromised, and that should impact what you do and trust with the computer, especially passwords and financial transactions. If you elect a reformat of the drive and re-installation of Windows, be sure to do a low-level format to make sure that any possible malware in the Master Boot Record of the drive is also wiped out.
-
totrecal last edited by
Thanks for the input, Blackbird71. Thought I was staying ahead of the criminals, but they keep making improvements. :(
-
sgunhouse Moderator Volunteer last edited by
I'll presume there isn't something else you know about that happens "every three days"? Does it always happen at the same time? (When you start up that day, 10:00 AM, etc.) Opera itself doesn't sound like something malware would install - though as suggested previously someone might include a malware extension - something to steal bank passwords or some such - or some of the fake search engines. Very strange ...
If it always installs at the same time you might try watching for some strange process that runs just before that. Other than that - scan it before you delete it, perhaps? Send a copy of the installer to your AV people for them to examine?
I have to presume whatever installer you get runs unattended - without any dialog that has buttons for Options, Install and Cancel? Presuming you're not an admin account in XP, do you get a UAC dialog (where Windows asks if the program is allowed to make changes to the computer)? Of course XP doesn't show such a dialog if you're an administrator.
-
totrecal last edited by
sgunhouse, yesterday I was checking the history in Vipre, and in the Autopatch section I found a record of Opera installs. Turns out it's not every three days, but every two to four days and not the same time each day. I also found it strange that malware would want to install Opera. My thought was maybe Opera allowed access that my browsers didn't. It looks like Opera is more secure than Chrome or Firefox. So that might not be true.
Right now we're trying to catch this process in the act so I can see what might be running then. This all happens in the background. I'm on Windows Seven. I was pleased to see Seven asks for permission to make changes to the hard drive, but whatever this is doesn't make itself known. At least not while it's running. I have installed Bitmeter, which I've used before when on XP. Since Bitmeter runs constantly, I can see a download even when my browser and email are closed.
I've manually hunted down malware that got on a network I was administering, and had shut down Norton to infect the network. So it was a fairly sophisticated program, but that was years ago. Hackers have gotten a lot more clever, and I've been out of the business for quite a while now. It's been a very long time since I've had anything like this on one of my systems. Kind of scary really. :(
-
blackbird71 last edited by
@totrecal, have you tried using the free analysis tools like Process Explorer from Sysinternals (now part of Microsoft)? It gives a view of what has originated the various running processes. Also TCPView (also from Sysinternals/Microsoft) gives a view of what is in the TCP stack, from whence it originated, and where it might be calling out to.
-
totrecal last edited by
blackbird71, both autorun and Process Explorer have been on my system since I first set it up. I'm going to add TCPView right away. BTW, just for kicks I installed Opera 23 last night. Malware tried loading again this morning, but this time I got a box asking did I want this upgrade and I declined. Doesn't solve the problem, but at least I got the little bug to talk to me. It's actually tried twice this morning. I rejected it both times. First time it tried this morning I had no other programs running. All I could see on Task Manager that was not there last night was an upgrade.exe and an install.exe. I'm going to use the Sysinternals stuff to see what I can monitor when it shows up again.
I've been running Process Explorer on previous systems, but never could find out what the colors were about. Do you know?
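An added example, not part of the original posts: one way to catch a short-lived background installer such as the upgrade.exe and install.exe mentioned above is to log every process start together with its parent, which is the same "what originated this process" view Process Explorer gives, but recorded while nobody is watching. The log path and event name are assumptions; it needs an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example: record each process start with its parent so an unattended
# installer can be traced back to whatever launched it.
$logPath  = "$env:USERPROFILE\process-starts.csv"   # assumed output location
$sourceId = 'ProcStartWatch'                        # arbitrary event name (assumption)

# Win32_ProcessStartTrace raises one WMI event per process creation (admin only).
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier $sourceId

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $sourceId
        $new = $evt.SourceEventArgs.NewEvent
        Remove-Event -EventIdentifier $evt.EventIdentifier

        # Look up child and parent while they still exist; either may already have exited.
        $child  = Get-CimInstance Win32_Process -Filter "ProcessId=$($new.ProcessID)" `
                      -ErrorAction SilentlyContinue
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($new.ParentProcessID)" `
                      -ErrorAction SilentlyContinue

        $record = [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            Name        = $new.ProcessName
            ProcessId   = $new.ProcessID
            ParentId    = $new.ParentProcessID
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
            CommandLine = if ($child)  { $child.CommandLine } else { '' }
        }
        $record | Export-Csv -Path $logPath -Append -NoTypeInformation
    }
}
finally {
    # Runs on Ctrl+C as well, so the WMI subscription is not left behind.
    Unregister-Event -SourceIdentifier $sourceId
}
```

Leave it running until the next install attempt, then open the CSV and read the ParentName and ParentPath columns for the installer rows; a parent that belongs to a patch-management or updater service points at that product rather than at unknown malware.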
-
A Former User last edited by
Options>Configure Colors will tell you what the colours represent and of course allow you to change them if you want to.
-
totrecal last edited by
I would like to thank everyone that's been offering suggestions here. I believe I may have solved the problem. It seems Vipre may have been the culprit. They have a security "patch" on a bunch of internet programs that includes the major browsers. I'm not sure why, but it was forcing an upgrade and install of Opera. Just ran a fix that included their patch on browsers I use and got the same results I was getting before. I'll be waiting a few days to see if this is the fix, but it sure looks like it.
Thanks to a number of you I now have more security on the system, and a few more tools to work with. This is one of the better forums I've had the pleasure of commenting on. I think I'll be back.
-
A Former User last edited by
Thanks, I do hope it's now sorted!
Quite why Vipre should still be forcing an update of Opera on you when you now have the latest version installed is a bit of a mystery though!
-
blackbird71 last edited by
Apparently, Vipre has an Auto Patch Software Update tool that is supposed to automatically manage the updating of a bunch of "popular applications"... I was not aware of this feature before. From the sound of things, it appears that either something in it is not performing correctly on @totrecal's particular system or the patch software has a bug in it.
-
lovpdx last edited by
@totrecal, Have you or anyone found a solution to this problem? I am having the exact same problem. I stumbled on this forum surfing for answers. I can keep up with most of what's being discussed here but I am not particularly tech savvy. I am also using Vipre anti-virus and have experienced the same Opera program loading itself over and over again, after repeatedly uninstalling the program. It also seems to be interfering with other systems on my laptop as I am having computer freezes and lock-ups that I have never had before, along with my mouse/touchpad not working intermittently. I know the latter is a software problem as every time I restart the computer the problem is temporarily resolved. Similarly, I have never actually opened the Opera program for the same reason that I am terrified to open something that I did not ask for or even ever permit. I am scared to use my only computer to check my bank statements or anything like that, and haven't been able to do so for months now. Any help at all will be very much appreciated as I am at a total loss for where to go from here. Thanks everyone for all the info already given.
-
totrecal last edited by
lovpdx, let me start by saying I think Vipre is good stuff. I prefer not to use more popular antivirus, since hackers look to attack that software first. As past manager of a small office network, I had malware just walk past Norton. So it seems our problem is actually the fault of Vipre. Minor fault - big headache.
Here's what fixed my problem: Open Vipre and click on "manage". Then click the "check for patches" button. Eventually you should get a list of updates. One of those should be Opera. You should be offered a choice to "hide" Opera. Mine's fixed now so I can't give you the exact directions for the "hide". Once you see the update list it should be pretty simple. Contact me again, if you have trouble; and tell me what you see when you have the update list.
I'm afraid the Vipre tech support might not be too helpful. I had to lead them to this problem. Since my experience, they may have caught up to the fix. The fix they gave me didn't work. Had to make up my own.
As I mentioned before in this thread, Vipre attempts to update browsers to prevent intrusions. It appears on some of our systems they update and install browsers we're not using.
The Opera that gets installed on your system shouldn't be harmful. You can just use Windows uninstall to get rid of it. This little episode has made me interested in Opera as one of my browsers. Now that things have settled down on my system, I plan on installing the latest Opera version. Good luck, lovpdx.
-
totrecal last edited by
lovpdx, just checked my history on the Opera situation. Here's what I have as the last step to "hide" the Opera install: (7. Once the scan completes, right click the offending updates and click 'Hide'. The updates will be hidden from view in subsequent updates.) Apparently "hide" in Vipre language means stopping the update.
-
lovpdx last edited by
totrecal, I have followed the path you laid out and my laptop has been clean of Opera long enough to say it worked! It wasn't that difficult to fix once some light was shed onto this, but before I never even suspected the one program designed to keep this from happening. That said, I agree that Vipre is a great anti-virus and have had no other problems or breaches, but I guess nothing's perfect. This is the first I have heard of Opera and suppose I should let them off the hook as well; I suspected malware/virus the entire time. Thank you, my friend.
-
redit0 last edited by
Thank you for the insights into this problem with an unwanted Opera installation. I followed the advice concerning Vipre possibly adding it while installing a patch. I have followed your advice and did the 'hide' and hope it works. Hate the thought of a program installing programs during normal protective routines. I recently had a Windows update actually remove my Vipre program and then had to have it reinstalled, once I made sure (at least I hope I did) it was not due to an infection. Thank you again for all the helpful information here.
-
totrecal last edited by
redit0, since fixing my Opera/Vipre problem, I decided I didn't need Vipre to do any updates. The programs it updated were already updating themselves. So I've disabled that function in Vipre.
-
redit0 last edited by
Thanks, 'wish I knew as much as you folks do. Appreciate you sharing all the insights, helps tremendously.
-
lando242 last edited by
Yandex is not a program, it is a website. It's like saying how do I remove HBO from my TV.