PUABundler:Win32/CandyOpen (PUA OpenCandy)

PUABundler:Win32/CandyOpen Malware Removal Guide
CandyOpen is a malware used to download unwanted software

PUABundler:Win32/CandyOpen (or OpenCandy) is an unwanted program that acts as a browser hijacker and can download junk apps to your system. Specifically, the detection points to OpenCandy adware, which is known for its indecent behavior. Let’s break it down and see what PUABundler:Win32/CandyOpen does in a real-world example.

What is PUABundler:Win32/CandyOpen?

PUA OpenCandy Detection

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that distributes bundles of unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content along with the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, foul actors began misusing it.

The way this misuse happened made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually installs can inject unwanted ads into pages, modify the web browser even more, and do similar dirty things. So having it running in your system means a browser full of ads, pop-up advertisements flooding both the system and the browser, and unwanted programs getting installed. Not to mention the potential data stealing that Win32/CandyOpen is capable of; read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running it on a virtual machine.

CandyOpen Malware Analysis

Finding the appropriate CandyOpen sample was rather easy. To be clear, it does not behave like straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it does to the system once it is launched are quite unambiguous.

PUABundler:Win32/CandyOpen list of programs
“Installer” – unremarkable naming for a remarkable unwanted program

Once you allow the thing to run with admin privileges, everything it does afterwards happens without your confirmation. You will watch helplessly as various shortcuts appear on your desktop and your browser goes mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts by changing the browser properties, particularly the search engine and start page. Then it requests the list of unwanted programs to install from the command server and proceeds with the installation.

Unwanted programs CandyOpen
Unwanted apps installed by CandyOpen

Here is the main concern: while CandyOpen usually installs junk apps that are not outright malicious, nothing stops it from installing malware. Still, the sheer amount of trouble it already brings to your system is enough to say that it should not run there.

List of PUA OpenCandy actions:

  • Stops Windows Update
  • Disables User Account Control (UAC)
  • Injects into other processes on your system
  • Adds a local proxy
  • Modifies boot configuration data
  • Modifies file associations
  • Tracks, records, and reports an infected user’s internet browsing activity
  • Modifies your system DNS settings
  • Changes the infected user’s browser homepage and tampers with their preferences/settings
  • Installs and inserts unwanted/unknown browser toolbars and browser plug-ins/extensions/add-ons
  • Adds files that run at startup
  • Changes the default search provider
  • Displays unwanted advertisements
  • Changes the desktop background

That is the comprehensive collection of CandyOpen actions: the things done by the majority of widespread samples. A particular sample you find may have only some of these functions or even go beyond them. Con artists who use CandyOpen for monetization can alter it in many ways so that it better fits their purposes.
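A read-only audit of several settings from the list above, added here as an example (it is not code from the original article or from any vendor). It uses standard Windows registry paths and cmdlets rather than CandyOpen-specific indicators; `Add-Finding` and `Get-RegValue` are hypothetical helper names, and entries marked "review" are listed for manual inspection, not flagged as malicious.

```powershell
# Added example: read-only audit of settings from the list above.
# Paths and cmdlets are standard Windows ones, not CandyOpen-specific indicators.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "Stops Windows Update": a Disabled start type is not a default configuration
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    Add-Finding 'Windows Update' 'wuauserv start type is Disabled'
}

# "Disables UAC": EnableLUA = 0 switches UAC off
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $policy 'EnableLUA') -eq 0) { Add-Finding 'UAC' 'EnableLUA is 0' }

# "Adds a local proxy": per-user WinINET proxy settings
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-RegValue $inet 'ProxyServer'
if ((Get-RegValue $inet 'ProxyEnable') -eq 1 -and $proxy -match '127\.0\.0\.1|localhost') {
    Add-Finding 'Proxy' "Loopback proxy enabled: $proxy"
}
$pac = Get-RegValue $inet 'AutoConfigURL'
if ($pac) { Add-Finding 'Proxy' "Auto-config script set: $pac" }

# "Modifies your system DNS settings": list resolvers for manual review
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Add-Finding 'DNS (review)' "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

# "Adds files that run at startup": list Run-key entries for manual review
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($k) {
        foreach ($n in $k.GetValueNames()) {
            Add-Finding 'Startup (review)' "$key\$n = $($k.GetValue($n))"
        }
    }
}

# "Changes the browser homepage": Internet Explorer start page
$start = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page'
if ($start) { Add-Finding 'Homepage (review)' "IE start page: $start" }

$findings | Format-Table -AutoSize -Wrap
```

An empty table means none of these specific settings deviates; it does not cover process injection, boot configuration data, or browser extensions from the list.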

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend you use anti-malware software. This will speed up the process and make it much easier for you. Also, with manual removal it is nearly impossible to find and remove every unwanted or malicious program present in the system.

GridinSoft Anti-Malware is a program that will remove CandyOpen without breaking a sweat. It will also find and remove all the additional junk OpenCandy can bring.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
