Do more on the web, with a fast and secure browser!

Download Opera browser with:

  • built-in ad blocker
  • battery saver
  • free VPN
Download Opera

Threat Found in Opera Cache?

  • So I was browsing the internet using Opera and I get a notification from Windows Defender:

    8f4c4b67-17f2-4561-9a5a-c0dedccd6df5-image.png

    The weird thing is, I went to go investigate this cache file "f_0022005", I could not find it in the Cache Folder. After I couldn't find it I clicked on "Actions" and removed the threat. Does anyone know what this is or how I got it? Also why was the file "f_002205" not located in the cache folder?

    From what I remember I didn't go on any sites suspicous. I believe the site I was currently on when I got this notificaion was a drop.com url that was posted in a discord channel (I checked the url and it is a legit url).

  • @hion You got it from a site you've visited. It can also be a false positive.

  • @leocg Hmm, that probably is the case. Even though I don't remembering visisting any sketchy sites, lets assume I did. Why didnt the file that was infected (f_0022005) not found when I went to go search for it (Note: this is before I took any action to remove it).

  • @hion Maybe it was already removed from the cache, since things there are temporary.
    Also some anti-virus put the problematic files in some kind of quarentine.

  • @hion said in Threat Found in Opera Cache?:

    ... Why didnt the file that was infected (f_0022005) not found when I went to go search for it (Note: this is before I took any action to remove it).

    Under Windows Security > Virus & threat protection > Current threats > Protection history, is there a listing for the incident? I'm not sure how enduring that history's memory is, so it may have already scrolled off, but perhaps not... in which case you might find some additional info. When Defender blocks some 'severe' threats, it immediately prevents them from proceeding further within the computer once it has 'trapped' them and causes their action to be suspended until you give direction. In this case, it may be possible that it also blocked or suspended manual access to the f_0022005 cache folder so that Explorer, etc. couldn't pull it up and allow infection via that route. Once you clicked in Defender to remove the threat, it would have permanently removed the folder.

  • @leocg Possibly. However, if you look at the image its Status was "Active", but maybe it was put into quarantine. I don't remember, I believe "Action" button had 3 options when pressed (Allow, remove and quarantine).

  • @blackbird71 The history of the removal is still there. To be honest I'm not entirely sure if I accidentally clicked quarantined then remoe, but here is the history of the removal:
    f87c7e64-4120-436b-80d2-7e7421df8df9-image.png

  • @hion There's some insight regarding the threat identified by Defender over at: https://stackoverflow.com/questions/43637629/backdoorphp-webshell-malware . In that case, the comments indicate a hacked site was involved. It may be possible that a hacked ad-server linked by a legitimate site could also cause running such malicious scripting, but I'm not sure about the technicalities.

    There is a Microsoft writeup about the virus here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor%3APHP%2FWebShell.A&threatid=2147651339&enterprise=0

    Both prudence and Microsoft suggest running a full system scan just in case something leaked through.

  • @blackbird71 hmm. I've ran a full scan and everything seems fine. I still find it extremely odd that this happened.

  • @hion said in Threat Found in Opera Cache?:

    @blackbird71 hmm. I've ran a full scan and everything seems fine. I still find it extremely odd that this happened.

    I agree it seems odd, but on the other hand, if you visited an infected site or one carrying an infected ad server, I can see how Defender may have trapped the exploit as the browser was loading it into a cache folder and so it may have blocked any manual or other form of access to that file and folder until you took remedial action thru Defender... that is what an AV program is supposed to do.

    With a clean full scan under your belt, the implication would be that the nasty was successfully trapped before it could do or install anything else. Whether it could have unilaterally done damage from a cache folder even if not blocked, I don't really know... but in any case, it seems as if you're good to go now.

Log in to reply