
Why did this Win32/OpenCandy malware come back, and how do I really get rid of it?


I have Microsoft Security Essentials (MSE) installed on my PC. And I also
have Automatic Update for this and run a weekly scan.

I keep getting a message from MSE informing that “Security Essentials
detected a potential threat on your PC.” This particular threat is
“Adware: Win32/Open Candy.” Alert level is given as “low.” I have done
everything they have suggested: I have “removed” this unwanted intruder, I have
quarantined it. But no longer than two minutes after I restart the computer,
the MSE icon yet again turns from initially green (computer protected) to
orange (potentially unprotected).

Leo, could you please (if it is at all possible to do so remotely) tell me
WHY this is and please help? Even though, according to MSE, its threat is low,
to me a threat is a threat, and I do not like being threatened. I want it out
of my computer. Period.

Surely, if MSE is functioning optimally (as it SHOULD be), this adware would
not find an entry into the machine in the first place. According to MSE, the
security’s real-time protection is ON, and virus and spyware definitions are
up-to-date. So, I cannot see where the problem is.

Or am I being too simplistic about this?

I wouldn’t say that you’re being too simplistic, because many of your
assumptions are reasonable – even if slightly inaccurate.

But I will say that malware, malware prevention, and malware detection are
significantly more complex than most people realize.



Let’s address the specific threat first.

According to Microsoft’s own page on the topic, Win32/OpenCandy is basically adware – something that is advertising related. The “threat” is simply that it will share information with the malware source without your permission. The reason the threat is low, I believe, is that it’s the “without your permission” part that makes it malware – the type of information shared is information that many people share with legitimate advertisers – but usually after giving permission.

To quote Microsoft:

Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent.

So, while it is malware and it is technically a threat, it’s not a threat that seems particularly … well … threatening.

Green versus orange shield


I want to quickly touch on the Microsoft Security Essentials notification icon in the taskbar.

Green, as you might expect, is MSE’s indication that all is well and operating as it should be.

Orange, on the other hand, doesn’t always mean that you are infected. The icon will go orange for a variety of reasons – one of the most common that I see is that I haven’t run a scan in a while or that the database of malware definitions is significantly out of date. There’s no malware and I’m not infected. Microsoft Security Essentials is simply pointing out something that might be interfering with its ability to fully protect me.

From my perspective, the orange shield means “open up Microsoft Security Essentials to see what it’s complaining about.”

It might be a malware infection, but it might not. I believe it actually turns red in the face of an actual infection.

About that real-time protection

Just because you have real-time protection enabled that doesn’t mean that malware can’t still reach your machine.

Having that on improves security and prevents many things from reaching your machine, but it’s critical to realize that when it comes to security, there are no absolutes. There is no such thing as perfect security.

As it turns out, reading the Microsoft article on this threat, you’ll find that it often arrives in the form of a hidden download in software you are installing – most frequently, a toolbar you didn’t ask for.

The problem is “you didn’t ask for” is actually wrong. You very probably did ask for it, you just didn’t know that you did. (Check out Why do I suddenly have another toolbar in my browser? for how this evil practice happens.)

That actually puts anti-malware tools in a difficult spot. Whether you realized it or not, that toolbar complete with its low-threat adware was something that you asked for.

I could easily see anti-malware tools effectively saying, “Well, the user asked for it. It’s low threat, so they must know what they’re doing.”

More practically, that’s why scheduled scans exist – real-time protection simply can’t catch everything in all the different ways that malware can make it to your machine.

Speaking of can’t catch everything

There’s a common misconception that a good anti-malware solution will protect you from absolutely everything.

That’s simply not the case.

All anti-malware tools miss some malware.

There are various reasons – some technical (different detection technologies have different weak spots), some procedural (some companies may respond to new threats and update their databases more quickly than others), and some for reasons I haven’t even thought of.

Regardless of the reasons, it’s a fact. Just as there is no such thing as perfect security, there’s no such thing as the perfect anti-malware solution.

Sometimes, malware is not detected; sometimes, malware is detected, but can’t be reliably removed.

Obviously, it’s important to use anti-malware tools with good track records, and in the right combination, but there’s still no substitute for user vigilance on top of everything else.

What I would do

OK, enough with the preaching and the whys and wherefores … let’s get rid of this thing.

My guess is that MSE is in fact removing it, but that it’s immediately coming back for some reason – since it appears to associate with a toolbar, perhaps it comes back when you fire up your browser.

Here’s how I’d proceed:

  • I’d back up first. It’s the safest thing in case there’s a problem below.

  • Look for unexpected add-ons in my browser; particularly, any that are associated with any software that I’ve recently installed and, of course, any that display the “OpenCandy” moniker. I’d at least disable and perhaps completely remove any such add-ons.

  • Similarly, I’d look for unexpected entries in Control Panel -> [Add/Remove] Programs and uninstall any that claim they’re adding toolbars or are labeled “OpenCandy.”

  • I’d download and run the free version of Malwarebytes Anti-malware. This tool has a good track record of removing a wide variety of malware that other tools either miss or are unable to remove.

  • If the malware still remains, I’d download and run Windows Defender Offline, which is basically a stand-alone version of Microsoft Security Essentials that runs from a bootable CD.

  • If the malware still remains, I’d download and run another free tool: Spybot Search and Destroy, one of the internet’s oldest anti-spyware tools that remains a solid and useful utility today.

  • If the malware still remains … well, at this point, I’d seek professional help for the machine. But I’m very confident that the malware would have been removed several steps earlier.
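The add-on and installed-program checks from the list above can be done as a read-only inventory from PowerShell. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later and Internet Explorer as the browser, and the keyword pattern and 60-day window are illustrative choices.

```powershell
# Added example: read-only inventory; it changes nothing on the machine.
# Assumptions: the keyword pattern and the 60-day window are illustrative.
$pattern = 'OpenCandy|toolbar'
$cutoff  = (Get-Date).AddDays(-60).ToString('yyyyMMdd')

# 1. Installed-program entries (what Control Panel > Programs lists):
#    64-bit, 32-bit and per-user views of the Uninstall key.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$suspects = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object {
        # Keep entries that match the keywords or were installed recently.
        ("$($_.DisplayName) $($_.Publisher)" -match $pattern) -or
        ("$($_.InstallDate)" -match '^\d{8}$' -and "$($_.InstallDate)" -ge $cutoff)
    } |
    Sort-Object InstallDate -Descending |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString

# 2. Internet Explorer Browser Helper Objects, resolved to the DLL on disk.
#    Each view pairs a BHO list with the CLSID tree of the same bitness.
$bho   = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    @{ Bho = "HKLM:\SOFTWARE\$bho";             Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bho"; Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)
$bhos = foreach ($view in $views) {
    Get-ChildItem -Path $view.Bho -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $class  = Get-Item -LiteralPath "$($view.Clsid)\$clsid" -ErrorAction SilentlyContinue
        $server = Get-Item -LiteralPath "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            CLSID = $clsid
            Name  = if ($class)  { $class.GetValue('') }  else { '(not registered)' }
            Dll   = if ($server) { $server.GetValue('') } else { '(no InprocServer32)' }
        }
    }
}

'Programs to review:';     $suspects | Format-List
'Browser Helper Objects:'; $bhos     | Format-Table -AutoSize -Wrap
```

An entry whose install date lines up with the first detection, or a helper object whose DLL sits in an unfamiliar program folder, is the place to start uninstalling.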

Because this particular malware appears to arrive as an unwanted companion to a software install, I have to reinforce the importance of paying attention to all of the options offered by any software setup program you might run. That means never taking the default options and always choosing the “Custom” or “Advanced” path through every setup. It also means making sure to scroll down through any list of options that the installation program might offer to see if there’s something hidden at the bottom of the list.


13 comments on “Why did this Win32/OpenCandy malware come back, and how do I really get rid of it?”

  1. I agree that this is one of those “gray area” types of malware, propagated by some slimy, but not quite criminal, marketing company.

    I would venture a guess that the asker has downloaded some free application that includes a little tag-along. Trying to keep the free software without the adware will probably be extremely challenging.

    I might suggest figuring out what free software came with this bonus, and try removing that.

  2. Leo, this is a most complete answer to my query. Thank you so very much for your faster-than-speed-of-light response.
    Simply put…..just brilliant. Thank you.

  3. Open Candy attaches to toolbars downloaded from game sites where you can play trial versions of new games.
    I see it almost everywhere, and when downloading the game, there is a checkbox (checked) for you saying it is ok to install their toolbar. If you Uncheck that box, it will not install at all.
    In going thru google and reading the terms and conditions for their cookies, etc, it states that they do in fact track all you do and use that info and send that info to 3rd parties.
    The T&C’s also state that if you uninstall it, there is still a tracking cookie left to track you but it will not tell you how to rid your computer of that cookie.
    I use iobit’s Advanced System Care PRO and it does an excellent job in keeping all tracking cookies out .

  4. You can also use REVO Uninstaller (Free Version) to remove this delectable piece of software and then run the aforementioned anti-malware scanners to check for its presence, if any, then simply Delete for good!!!

  5. As Leo mentions, the MSE icon turns orange when it’s possible to BECOME infected, and it does turn red when MSE discovers that you ARE infected. I know this, because I’ve inadvertently invited an infection into my computer, and MSE quickly let me know, and asked to take over to remove it. Running a few different kinds of anti-malware engines afterwards helped reassure me that it was successful.

  6. The sad truth is very few users of shareware/freeware actually contribute to the software author, forcing the author to seek any possible source of revenue. If more users of shareware/freeware would send a contribution to the author of the shareware/freeware, OpenCandy would probably go away.

  7. Try using a little app called “Toolbar Cleaner” – it shows all the BHO’s and extra toolbars installed.
    Then gives you the option to remove the ones you don’t want.

  8. This was an interesting article, and this explains one of the reasons why I upgraded from MSE to ESET Smart Security. Ever since I started using Eset, the second I click to download and install a program with open candy or the ask toolbar hidden, Eset will instantly warn me that I am about to download a program with OpenCandy included or the Ask Toolbar (APN Stub), so just in case you miss the checkbox at the beginning of the install, you will know from Eset’s warning that you are about to download software that is hiding some type of toolbar/malware along with it, and you have a choice to disconnect or to download it anyway. My favorite part of Eset Smart Security is actually the HIPS (host intrusion prevention system) which notifies me before any type of change is made to my computer’s registry or if an application tries to phone home. I have even caught a couple of Microsoft’s Host Process for Windows Services try to sneak an incoming connection from the Internet in (which came right by Windows Firewall) and were stopped by Eset. I have done extensive testing on Malware detection and the best tools for the job are Malware Bytes, Comodo’s KillSwitch, and Eset’s Smart Security. Microsoft’s Security Essentials is good for the price, but if you want to really stop and prevent MOST toolbars and malware before they get on your system, I would recommend paying for ESET Smart Security.

  9. One caution for the novice running multiple antimalware programs: The later program may find malware already quarantined by a previous program and report it like a new infection. Pay close attention to where any infection reported by the last antimalware program you run is located. The path should tell you if it was found in the quarantine file of another antimalware or antivirus product. If so, you’re not really infected by that threat. Quarantined files are treated like any other file that the antimalware software needs to scan. When it sees the signatures of a malware within the quarantine file, it will flag them as a threat even though it was already neutralized by another program earlier.

    Something similar can happen when one antimalware program detects another as a possible malware. Some of the antimalware programs don’t play well together when both are active at the same time. You may need to disable or uninstall one in order to run another.

  10. Excellent advice, as ALWAYS. One thing I might add that standard users may find helpful is something you could include in your admonition contained in the paragraph beginning “That means never taking the default options …” I find that, usually, installers of this type include the parenthetical “(Recommended)” for the default options; I believe that should you point out this detail, perhaps w/ some of your typical insight on why users should NOT consider such recommendation as their own default action in such circumstances, many folks’ll be helped thereby…

  11. Good and informative article Leo!

    I use MSE and on a regular basis, it will turn orange.
    I know it’s only a scan because I download quite a bit. I just run a Quick scan and it turns back green. (only takes a minute or so). Keeps it satisfied and green.

    When I download a program, I would always look for additional check boxes. They usually mean added stuff and not always adware or tool bars. They could be asking you if you want to have a shortcut on your desktop to the program.

    As for the uninstallation of those unwanted tool bars , I would recommend using HijackThis to run a scan and upload the scan to either :

    Either of these sites will tell you whether or not your PC has any unwanted programs installed.

    One little program I use after using CCleaner for unwanted cookies is : FlashCookiesCleaner.

    And I would also recommend the use of the Portable SUPRAntiMalware program:
    This does an excellent job of scanning a PC in Safe Mode.

    But, as always, the best defense against Malware is
    common sense. Look carefully at what you are about to either download or install. Look it up on Google or Malware Sites like , MajorGeeks :

    Nice to hear you are still caring Leo.

  12. Never install any add-on tool bar. Never. If you find you’ve inadvertently done so, uninstall said add-on immediately. As advised, it’s well worth disabling any unknown add-on by accessing the menu option under Tools > Manage Add-ons. I’d also recommend running Super Antispyware (free version will do the job). If the infection is particularly persistent, I’d up the ante and run ComboFix. The easiest way to avoid problems is to make sure that you never install any add-on tool bar. Never.

  13. While I agree completely with most of what people are saying, I want to point out that I have also been “attacked” by this annoying OpenCandy adware. I have not installed/downloaded anything on my computer for quite some time and this little annoyance has started popping up every day 2 or 3 times a day for the past two weeks. How did it get there? I have run AdAware & Spybot Search & Destroy. MSE still keeps telling me I have OpenCandy on my computer. I still keep saying Remove and it says it has completed the action.

    According to the Open Candy website, it is embedded in software you have chosen to download. You are not given an option to not install (or uninstall) Open Candy. This is, according to Microsoft, the reason it is being flagged as a threat by MSE. My problem is that I have NOT recently downloaded any software, so HOW did this find its way onto my laptop and WHY can I not get rid of it?

    I’ll try some of the other tools mentioned here and see what happens, but at this point I don’t have a lot of hope for it truly being gone and staying gone. There is just no way to know where it is coming from. If it did come from something I downloaded, then why would it lay dormant for months without being found when I have read stories of MSE flagging this adware as far back as 2009? I only began getting warnings of its existence a couple of weeks ago. Thanks for the other tips on removal. I hope one of them actually works for me.

