Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


OpenCandy detected after recent Caramava infection

  • Please log in to reply
3 replies to this topic

#1 jakeed


  • Members
  • 3 posts
  • Local time:05:00 PM

Posted 19 April 2014 - 10:02 AM

I do not need any immediate help so don't know if this is the right forum but...
Yesterday I had to rid my comp of the adware caramava and last year sometime I was infected with delta toolbar, browserprotect and babylon adwares. I picked up these malware by downloading legitimate software from the internet, in the case of caramava it was downloading Daemon Tools Lite, which I have downloaded many times and used for years, after a fresh install of windows. In the previous case I downloaded Freemake video converter to rip a DVD which, again, I have used with no problem before.
How do these malicious programmes get bundled in to legitimate software? Are these companies being duped by the makers of the adware, or are they being bundled into the packages on their servers without their knowledge? Or could I have been the victim of a man-in-the-middle attack where somewhere between clicking download on the legitimate site and retrieving the file, it has been intercepted and replaced with the bundled adware.
I am mainly just curious but the possibility of man-in-the-middle attacks worries me and I'm wondering if I am suitably protected against such attacks. I would appreciate any feedback on the likelihood of scenarios I outlined. I currently run Avast! free and Comodo Firewall.

MOD EDIT, moved to more Appropriate forum ~~ boopme


EDIT: Ignore attachments, I was just in the middle of editing post to add them and ask for advice but post was moved by mod. I will post attachments in other thread.

Attached Files

Edited by jakeed, 19 April 2014 - 10:31 AM.

BC AdBot (Login to Remove)


#2 jakeed

  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:00 PM

Posted 19 April 2014 - 10:46 AM



Yesterday I had to rid my machine of the caramava adware.


I scanned the file responsible (daemon tools lite installer) for infecting my machine with caramava adware on virustotal, 4 scanners detected OpenCandy - See attachment 1


Also did a full system scan with herdprotect, 2 scanners detected OpenCandy infecting an avast file aswRec.dll - See attachment 2


Scanned aswRec.dll on virustotal - See attachment 3


Info from herdprotect knowledgebase - See attachment 4


I am unsure of what to do about these scans, anyone have any ideas? I will be deleting the infected daemon tools lite file but worried as an Avast dll seems to be infected with the same thing.

Any help is appreciated.


Attached Files

Edited by hamluis, 19 April 2014 - 11:02 AM.
Moved from Win 7 to Am I Infected - Hamluis.

#3 hamluis



  • Moderator
  • 56,565 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:10:00 AM

Posted 19 April 2014 - 11:05 AM

OP reposted, http://www.bleepingcomputer.com/forums/t/531653/opencandy-detected-after-recent-caramava-infection/#entry3347183, which was moved to Am I Infected forum.



#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:00 AM

Posted 19 April 2014 - 04:45 PM

OpenCandy is an advertising application distributed by the OpenCandy Software Network which displays ads in other programs. The use of advertisement is a way to promote software packages and recover development costs. The OpenCandy FAQs answers many questions users may have about this product.

OpenCandy is technically not installed on a computer, does not collect personally identifiable information and in most cases allows the user to choose whether or not to install advertised software recommended by the vendor. Although no personal information is collected, the software does collect anonymous statistics about events and other data during installation. See What information does OpenCandy collect?

This is what OpenCandy has to say about their product.

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development. The installer uses the OpenCandy plug-in to present a software recommendation...during installation. You have complete control to accept the software recommendation by selecting either the Install or Do not install options on the software recommendation screen.

What is OpenCandy?

The OpenCanday network has partnered with various popular and trusted software developers who bundle their product as part of the program's software installation package. A list of such developers can be found here. Some vendors will clearly advise the use of OpenCandy before downloading their software, while others may provide confusing or no information at all. An example would be SIW (System Information for Windows) which clearly indicates on their website the use of OpenCandy.

OpenCandy is an advertising application.

OpenCandy is similar to Google AdSense, except it displays advertisements in installation program instead of websites. These advertisements promote another software packages. The advertisements are selected by providers of software being installed. When user installing a software (SIW) chooses to install promoted package, revenue is generated and shared between OpenCandy and software providers (SIW developers).

SIW Home Edition is bundled with OpenCandy

OpenCandy is not a virus or malware. However, since it is responsible for displaying advertisements, it may be detected (and sometimes removed) by various anti-virus and other security scanning tools as a Potentially Unwanted Program (PUP) (or Adware), a classification that broadly defines the term as any software package which automatically displays advertisements in any form in order to generate revenue. For example, the Microsoft Malware Protection Center (MMPC) detects the program as Adware:Win32/OpenCandy, an adware program that might be bundled with other installers.

To learn more about PUPs and how you get them, please read: About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

In response to these detections, OpenCandy has provided the following information:How do I uninstall OpenCandy?

Since OpenCandy does not permanently install anything on your computer, there is nothing to uninstall. Our technology was selected by a developer and runs temporarily in their downloads which you may have selected and run. The plug-in shows an app recommendation and is designed to self-delete from your computer when it has finished operating. If you are concerned that something extraordinary resulted in any remnant traces being left on your computer, you may download and run our small clean-up utility to ensure all OpenCandy traces which are regularly self-deleted, are in fact gone.

Note: The file name for the OpenCandy cleanup utility is OCCleanupTool.zip

IMO, removal of OpenCandy detections is an optional choice. I have provided the information so you can make an informed decision as whether to remove it or not.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users