Fixing home page settings hijack in Opera

Opera is not widely targeted by malware, so I was extremely interested when I encountered a hijacked home page.

The user complained that he couldn’t change the home page – it was always pointing to a page using a Google custom search engine via a link that looked like an affiliate referral.

Nature of problem

  • the browser home page was fixed to a search.conduit.com/… URL;
  • it was impossible to change the home page – it immediately returned to the hijacked URL.

Removing possible causes

I assumed that the rollback of manual home page changes was being handled by some currently running malware code.

  • Conduit is a browser toolbar creation service, and it seems a lot of creators love to use those toolbars in a malware-like fashion. Still, most of the mentions were naturally about Internet Explorer and Firefox, since Opera has no similar toolbar support;
  • I used Revo Uninstaller to uninstall about five (!) different toolbars that were present;
  • cleaned up the registry with CCleaner;
  • swept for malware with CureIt (clean).

That was surely beneficial for the computer but had no effect on the original problem.

Dealing with Opera settings

Now I was pretty sure that no malicious code was running in the system, so the damage must have been done by other means. I also checked opera:plugins to see if anything unusual had been added there; nothing suspicious.

In the Opera settings editor I found the hijacked URL at opera:config#UserPrefs|HomeURL. Curiously, the option was grayed out and could not be changed. This looked like a registry hijack with permissions preventing the user from modifying the setting, except Opera doesn’t use the registry for settings, and doing a permission trick with the settings file would have broken the browser for good.

I checked the settings file in the user profile folder (c:\Documents and Settings\Username\Application Data\Opera\Opera\profile\opera6.ini; the path can be looked up quickly via opera:about). It had Home URL set to what I had tried to change it to.

So something bigger and meaner was overriding personal user settings. The Opera installation folder had nothing fitting, and I was back to googling.

Super setup file

Knowing the right question is most of the answer. A few queries later I was reading about an Opera function called the super setup file.

It turns out that, as part of a feature set for system administrators, placing an opera6.ini file in the system folder (c:\Windows\system32) will override personal user settings. Bingo.

I promptly located and removed the file; problem solved.
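A defender's check for the override described above, as an added example (not code from the original post): it parses a system-wide and a per-user opera6.ini and lists every setting the system-wide copy forces. The `[User Prefs]` / `Home URL` layout and the version banner line are assumptions about the file format, and the sample contents and URLs are constructed.

```python
from pathlib import Path

def parse_opera_ini(text):
    """Parse Opera-style INI text into {section: {key: value}}."""
    prefs, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            prefs.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            prefs[section][key.strip()] = value.strip()
        # anything else (e.g. the version banner before the first
        # section) carries no setting and is ignored
    return prefs

def find_overrides(system_text, user_text):
    """List (section, key, forced, user) where the system-wide file wins."""
    system, user = parse_opera_ini(system_text), parse_opera_ini(user_text)
    return [(s, k, forced, user.get(s, {}).get(k))
            for s, keys in system.items()
            for k, forced in keys.items()
            if user.get(s, {}).get(k) != forced]

def audit(system_ini, user_ini):
    """Compare files on disk; no system-wide file means nothing is forced."""
    system_ini, user_ini = Path(system_ini), Path(user_ini)
    if not system_ini.is_file():
        return []
    read = lambda p: p.read_text(encoding="utf-8-sig", errors="replace")
    return find_overrides(read(system_ini),
                          read(user_ini) if user_ini.is_file() else "")

# Constructed samples (not taken from the affected machine).
SYSTEM_SAMPLE = """Opera Preferences version 2.1
[User Prefs]
Home URL=http://hijack.example.invalid/?ref=placeholder
"""
USER_SAMPLE = """Opera Preferences version 2.1
[User Prefs]
Home URL=http://www.example.org/
"""

if __name__ == "__main__":
    for section, key, forced, mine in find_overrides(SYSTEM_SAMPLE, USER_SAMPLE):
        print(f"[{section}] {key}: forced={forced!r} user={mine!r}")
```

On an affected machine, call `audit()` with the two opera6.ini paths given in the post; a non-empty result means a system-wide file is overriding the profile.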

Overall

Super setup is surely handy functionality in a corporate environment. For home users, who usually run Windows under an admin account, this can easily be a huge problem. Worst of all – it is a perfectly legit function and, as with executable image hijacking, anti-malware software doesn’t catch the problem.

And don’t install damn toolbars unless they are from a huge and trusted service. Ever.

11 Comments

  • Angelo R. #

    I find that the biggest problem with viruses and malware is the users themselves. I used to work as a sales rep/tech in a computer store and people always came in who seemed to know just enough about computers to get themselves into trouble. Personally, I feel a lot of malware issues arise from scareware tactics aimed specifically at these users. They know enough that anti-viruses keep them from viruses, but not enough to be considered computer savvy.
  • Rarst #

    @Angelo True, those toolbars didn't install themselves in the first place. :) Still, the issue is so not going away, so we can at least try to have fun fixing it.
  • Angelo R. #

    Definitely, and for us fixers, it's always best to have as much information as possible.
  • Jonny #

    Hmm, I've never seen an Opera "infection" before. Toolbars suck. I've had a few nasty experiences with them - except roboform and stumble and.....
  • Rarst #

    @Jonny Yeah, Internet Explorer and Firefox are common malware targets. Still, even being an underdog, Opera has many millions of users and this trick with super setup is easy to implement.
  • Nicbot #

    Just my 2... It may not have helped in this case, but it's always a good idea imo to have 2 anti-malware programs. There have been times when one will catch something another will not. For example, I use MAM as my first line of removal and SAS as my second. SAS has better pin-point scanning and features than MAM, but takes longer as a result.
  • Rarst #

    @Nicbot I actually have at least three (CureIt, ClamWin Portable and AVZ) anti-malware scanners with me. :) And it is definitely a good idea. This time I stopped after a fast CureIt scan because it works reasonably well and I was in no mood for a long and complete checkup.
  • Jonny #

    I really love SAS and MalwareBytes - I've never seen anything caught by Clamwin though - Avira's boot disk is also really good.
  • Rarst #

    @Jonny ClamWin totally saved me once with a very fresh and dangerous virus that was not caught by all the other scanners I tried for a few days. I don't use it extensively but keep it around and updated. Keep suggestions coming, people. I like good anti-malware tools, essential in the being-computer-guy line of work. :)
  • Радогор #

    Thanks for the help.
  • Rarst #

    @Радогор You are welcome. :)