OpenCandy

OpenCandy is an "Adware" module designed to install on a personal computer during software installation. Produced by SweetLabs, it consists of a Microsoft Windows library incorporated in a Windows Installer. When a user installs an application that has bundled the OpenCandy library, an option appears to install software it recommends based on a scan of the user's system and geolocation. Both the option and offers it generates are selected by default if the user simply clicks [Next] through the installation.^[1]^[2]

OpenCandy's various undesirable side-effects include changing your homepage, desktop background or search provider, and inserting unwanted toolbars or plug-in/extension add-ons in your browser. It also collects and transmits various information about the user and his surfing habits to third parties without notification or consent.

It has been reported that a number of anti-virus vendors flag OpenCandy as malware.^[3]

Development

The software was originally developed for the DivX installation, by CEO Darrius Thompson. When installing DivX, the user was prompted to optionally install the Yahoo! Toolbar. DivX received $15.7 million during the first nine months of 2008 from Yahoo and other software developers, after 250 million downloads.^[2]

Chester Ng, the former DivX business development director, is chief business officer and Mark Chweh, former DivX engineering director, is chief technology officer.^[2]

Windows components

Components of the program may have differing but similar names based on version.

Files dropped

Note that files dropped by this program usually have the 'hidden' and 'system' attributes set. In order to see or search for them, folder settings for "hide operating system files" will need to be unchecked, and "show hidden files and folders" will need to be checked.

OCSetupHlp.dll

Processes

Note: additional processes associated with any accepted offers may also run.

spidentifier.exe
rundll32.exe

Registry keys

Registry keys have varying names, so that a search of the registry for "*opencandy*" will need to be done to find and delete them.

DNS and HTTP queries

tracking.opencandy.com.s3.amazonaws.com
media.opencandy.com
cdn.opencandy.com
tracking.opencandy.com
api.opencandy.com
www.arcadefrontier.com

Counter measures

select "Custom installation (advanced)" and uncheck all options boxes^[4]
run software installer offline, or from command line with option /NOCANDY^[5]
block OpenCandy IP addresses in Windows HOSTS file with entries like: 0.0.0.0 api.opencandy.com^[6]

run anti-malware such as Malwarebytes after software installation to clean system^[7]
use an active anti-virus to detect and block adware/malware on-the-fly

Software download sites known to host OpenCandy infected software

In addition to individual company/vendor sites distributing their own freeware/shareware, commercial depository type download sites also host OpenCandy infected software.

Brothersoft
CNET
Softpedia
SourceForge
Softonic
μTorrent

Applications known to use or have used OpenCandy

aMSN
Any Video Converter
AOL Instant Messenger
ApexDC++
Auslogics Disk Defrag^[8]
AxCrypt (Except Portable Edition)
BitTorrent
BurnAware CD-DVD burning software
CDBurnerXP (depending on version)(Confirmed on Web Site,alternate download available without OpenCandy. Confirmed 10-24-2015) ^[9]
CDex
Cheat Engine (depending on version)
Citrio
ClipGrab (depending on version)
Connectify
CrystalDiskInfo (not bundled with Portable Edition or Shizuka edition. Confirmed 10-24-2015) ^[10]
CutePDF
Daemon Tools
Darkwave Studio
DoNotSpy10
doubleTwist
DVDStyler (1.8.4.2 & dropped since 2.9.2)
DVDVideoSoft
EaseUS Partition Master Free 10.1^[11]
Format Factory
Frostwire (doesn't affect on Linux version)
Foxit Reader (6.1.4 – 6.2.1)^[12]
FL Studio
FreeFileSync^[13]
Freemake Audio Converter (1.1.0.63, 1.1.7, confirmed via in-program update popup)
Freemake Video Converter
Freemake Video Downloader(confirmed 10/24/15 direct download from Freemake website)
Free Video Dub
Free Video To Flash Converter (5.0.6.221, according to terms of use)
GameHouse
GOM Player
IE7Pro
ImgBurn (from version 2.5.8.0,)^[14]
JDownloader
KMPlayer
Launchy (when not downloaded from SourceForge)
MediaCoder
Magical Jelly Bean (confirmed 11/12/2015 direct download from https://www.magicaljellybean.com/keyfinder/ )
MediaInfo(confirmed 1/12/15 direct download from mediainfo and sourforge websites)
MP3 Rocket^[15]
mIRC^[16]
Miro
MyPhoneExplorer (dropped March 2015^[17])
Nero Burning ROM
Novaroma
Orbit Downloader(Confirmed 10-24-2015) ^[18]
PDFCreator^[19]
PeaZip (5.2.2 & older Except "PeaZip Plain" & dropped with version 5.3 & newer)
PhotoScape(Except 3.7 version)
PrimoPDF^[16]
RealArcade
RIOT (doesn't effect portable version)^[20]
Soldat
StepMania
SMPlayer(When download from sourceforge.net)
Veoh Web Player
Sigil (dropped with version 0.5.0 and later)^[21]
SUPER
Trillian^[16] (dropped 5 May 2011)
Unlocker
uTorrent (version 3.x.x and above)
Winamp (not version 2.x. version 5.2 and newer & dropped with version 5.66)
WinSCP (through August 2012)^[22]
Xfire

References

↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^2.0 ^2.1 ^2.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ [1]
↑ [2](Click More download options)
↑ [3] Multiple Packages available
↑ End User License Agreement, retrieved September 2014
↑ Foxit Forum
↑ FreeFileSync FAQ
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ http://www.herdprotect.com/signer-mp3-support-146c2e323177663b9df87fff1b9c31d8.aspx
↑ ^16.0 ^16.1 ^16.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ http://www.fjsoft.at/en/news.php
↑ [4] On the Help/Facts page
↑ Discussions on pdfforge Forums
↑ http://alternativeto.net/software/riot---radical-image-optimization-tool/comments/
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

[CNETOpenCandy-1] Lua error in package.lua at line 80: module 'strict' not found.

[venture-2] 2.0 ^2.1 ^2.2 Lua error in package.lua at line 80: module 'strict' not found.

[TFuTorrent-3] Lua error in package.lua at line 80: module 'strict' not found.

[4] Lua error in package.lua at line 80: module 'strict' not found.

[5] Lua error in package.lua at line 80: module 'strict' not found.

[6] Lua error in package.lua at line 80: module 'strict' not found.

[7] Lua error in package.lua at line 80: module 'strict' not found.

[8] [1]

[9] [2](Click More download options)

[10] [3] Multiple Packages available

[11] End User License Agreement, retrieved September 2014

[12] Foxit Forum

[13] FreeFileSync FAQ

[ImgBurn20130616-14] Lua error in package.lua at line 80: module 'strict' not found.

[15] ttp://www.herdprotect.com/signer-mp3-support-146c2e323177663b9df87fff1b9c31d8.aspx

[Gizmo20140208-16] 16.0 ^16.1 ^16.2 Lua error in package.lua at line 80: module 'strict' not found.

[17] ttp://www.fjsoft.at/en/news.php

[18] [4] On the Help/Facts page

[19] Discussions on pdfforge Forums

[20] ttp://alternativeto.net/software/riot---radical-image-optimization-tool/comments/

[21] Lua error in package.lua at line 80: module 'strict' not found.

[WinSCP-22] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

OpenCandy

Contents

Development

Windows components

Files dropped

Processes

Registry keys

DNS and HTTP queries

Counter measures

Software download sites known to host OpenCandy infected software

Applications known to use or have used OpenCandy

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools