PUABundler:Win32/CandyOpen Analysis & Removal Guide

PUABundler:Win32/CandyOpen Malware Removal Guide
CandyOpen is a malware used to download unwanted software

PUABundler:Win32/CandyOpen is an unwanted program that acts as a browser hijacker and can download junk apps to your system. Specifically, it points at a thing known as OpenCandy adware, that is known for its indecent behavior. Let’s break it down and see what the PUABundler/Candyopen on a real-world example.

What is PUABundler:Win32/CandyOpen?

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that spreads bundles with unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content along with the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, foul actors began misusing it.

The way this misuse was happening made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually installs can inject unwanted ads into pages, modify the web browser even more, and do similar dirty things. So having one to run in your system means a browser full of ads, pop-up advertisements flooding both system and browser, and unwanted programs getting installed. Not to mention potential data stealing, that the Win32/CandyOpen is capable of – read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means a malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running on a virtual machine.

CandyOpen Malware Analysis

Finding the appropriate CandyOpen sample was rather easy. To be clear, it does not behave like a straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it does to the system once it is launched are quite unambiguous.

PUABundler:Win32/CandyOpen list of programs
“Installer” – unremarkable naming for a remarkable unwanted program

As you allow the thing to run under admin privileges, all further actions it does are done without your confirmation. You will speechlessly spectate various shortcuts to appear on your desktop, and your browser going mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts with changing the browser properties, particularly search engine and start page. Then, it requests the list of unwanted programs to install from the command server, and proceeds with the installation.

Unwanted programs CandyOpen
Unwanted apps installed by CandyOpen

Here goes the main concern: while CandyOpen usually installs junk apps which are not outright malicious, nothing stops it from installing malware. Still, the sheer volume of troubles it already brings to your system is enough to say that this should not run in your system.

List of PUABundler:Win32/CandyOpen actions:

  • Stops Windows Update
  • Disables User Access Control (UAC)
  • Injects into other processes on your system
  • Adds a local proxy
  • Modifies boot configuration data
  • Modifies file associations
  • Track, keep records, and report an infected user’s internet browsing activity.
  • Modifies your system DNS settings
  • Change the infected user’s browser homepage and tamper with their preferences/settings.
  • Install and insert unwanted/unknown browser toolbars and browser plug-ins/extensions/add-ons.
  • Adds files that run at startup
  • Change the default search provider.
  • Display of unwanted advertisements.
  • Change the desktop background.

That is the comprehensive collection of CandyOpen actions, things done by the majority of widespread samples. The particular sample you may find can have only a part of these functions or even go beyond it. Con actors who use it for monetization can alter the CandyOpen in many ways, so it better fits their purposes.

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend you to use anti-malware software. This will speed up the process and make it much easier for you. Also, manual removal makes it nearly impossible to find and remove unwanted or malicious programs present in the system.

GridinSoft Anti-Malware is a program that will remove PUABundler:Win32/CandyOpen in no sweat. It will also find and remove all the additional junk CandyOpen can bring. And overall, this program is a solid addition to your system’s security.

PUABundler:Win32/CandyOpen Analysis & Removal Guide

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *