Opera is not widely targeted by malware, so I was extremely interested when I encountered a hijacked home page.
The user complained that he couldn’t change the home page: it always pointed to a page using a Google custom search engine, via a link that looked like an affiliate referral.
Nature of problem
- the browser home page was fixed to a search.conduit.com/… URL;
- it was impossible to change the home page: it immediately returned to the hijacked URL.
Removing possible causes
I assumed that some currently running malware code was rolling back manual changes to the home page.
- Conduit is a service for creating browser toolbars, and it seems a lot of creators love to use those toolbars in a malware-like fashion. Still, most of the mentions were naturally about Internet Explorer and Firefox, since Opera has no similar toolbar support;
- I used Revo Uninstaller to uninstall about five (!) different toolbars that were present;
- cleaned up the registry with CCleaner;
- swept for malware with CureIt (clean).
That was surely beneficial for the computer but had no effect on the original problem.
Dealing with Opera settings
Now I was pretty sure that no malicious code was running on the system, so the damage must have been done by other means. I also checked opera:plugins to see if anything unusual had been added there; nothing suspicious.
In the Opera settings editor I found the hijacked URL at opera:config#UserPrefs|HomeURL. Curiously, the option was grayed out and could not be changed. This looked like a registry hijack with permissions preventing the user from modifying the setting, except that Opera doesn’t use the registry for settings, and doing the permission trick with the settings file would have broken the browser for good.
I checked the settings file in the user profile folder (c:\Documents and Settings\Username\Application Data\Opera\Opera\profile\opera6.ini; the path can be looked up quickly via opera:about). It had Home URL set to what I had tried to change it to.
So something bigger and meaner was overriding the personal user settings. The Opera installation folder had nothing fitting, and I was back to googling.
Super setup file
Knowing the right question is most of the answer. A few queries later I was reading about an Opera function called the super setup file.
It turns out that, as part of a set of functions for system administrators, placing an opera6.ini file in the system folder (c:\Windows\system32) will override personal user settings. Bingo.
I promptly located and removed the file; problem solved.
Super setup is surely handy functionality in a corporate environment. For home users and the usual practice of running Windows under an admin account, this can easily be a huge problem. Worst of all, it is a perfectly legitimate function and, as with executable image hijacking, anti-malware software doesn’t catch the problem.
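A check for this condition, as an added example that is not part of the original post: it parses a system-wide opera6.ini and lists every setting that file pins, next to the value from the user's own profile file. The [User Prefs] section name, the version header line and the sample URLs are assumptions or constructed values.

```python
import os

def parse_opera_ini(text):
    """Parse Opera-style INI text into {section: {key: value}}.

    Tolerates a non-INI header line before the first section and ';'
    comments (assumed file layout), which configparser would reject.
    """
    prefs, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            prefs.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            prefs[section][key.strip()] = value.strip()
    return prefs

def find_overrides(system_text, user_text):
    """Return (section, key, forced_value, user_value) for every setting the
    system-wide file pins; user_value is None if the user never set it."""
    system, user = parse_opera_ini(system_text), parse_opera_ini(user_text)
    return [(s, k, v, user.get(s, {}).get(k))
            for s, keys in sorted(system.items())
            for k, v in sorted(keys.items())]

# Constructed sample files (hypothetical values, not taken from the affected PC).
SAMPLE_SYSTEM = """Opera Preferences version 2.1
; system-wide file dropped by an installer
[User Prefs]
Home URL=http://hijack.example/search
"""
SAMPLE_USER = """Opera Preferences version 2.1
[User Prefs]
Home URL=http://www.example.org/
"""

if __name__ == "__main__":
    # Location from the article: opera6.ini in the Windows system folder.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "system32", "opera6.ini")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for s, k, v, _ in find_overrides(fh.read(), ""):
                print(f"{path} forces [{s}] {k} = {v}")
    else:
        print(find_overrides(SAMPLE_SYSTEM, SAMPLE_USER))
```

Any row it reports on a home machine deserves a look, since nothing but an administrator's deployment should have put that file there.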
And don’t install damn toolbars unless they are from a huge and trusted service. Ever.