
The world of malware and malware removal is complex. Occasionally, malware can't be removed by some tools. Occasionally, it will return quickly. I'll look at why and my approach to dealing with persistent pests.

I have Microsoft Security Essentials (MSE) installed on my PC. And I also have Automatic Update for this and run a weekly scan.

I keep getting a message from MSE informing that "Security Essentials detected a potential threat on your PC." This particular threat is "Adware: Win32/Open Candy." Alert level is given as "low." I have done everything they have suggested: I have "removed" this unwanted intruder, I have quarantined it. But no longer than two minutes after I restart the computer, the MSE icon yet again turns from initially green (computer protected) to orange (potentially unprotected).

Leo, could you please (if it is at all possible to do so remotely) tell me WHY this is and please help? Even though, according to MSE, its threat is low, to me a threat is a threat, and I do not like being threatened. I want it out of my computer. Period.

Surely, if MSE is functioning optimally (as it SHOULD be), this adware would not find an entry into the machine in the first place. According to MSE, the security's real-time protection is ON, and virus and spyware definitions are up-to-date. So, I cannot see where the problem is.

Or am I being too simplistic about this?

I wouldn't say that you're being too simplistic, because many of your assumptions are reasonable – even if slightly inaccurate.

But I will say that malware, malware prevention, and malware detection are significantly more complex than most people realize.

Win32/OpenCandy

Let's address the specific threat first.

According to Microsoft's own page on the topic, Win32/OpenCandy is basically adware – something that is advertising related. The "threat" is simply that it sends information about your machine to a remote server without your permission. The reason the alert level is low, I believe, is that it's the "without your permission" part that makes it malware – the type of information sent is information that many people share with legitimate advertisers, but usually after giving permission.

To quote Microsoft:

Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent.

So, while it is malware and it is technically a threat, it's not a threat that seems particularly ... well ... threatening.

Green versus orange shield

Microsoft Security Essentials - All Is Well

I want to quickly touch on the Microsoft Security Essentials notification icon in the taskbar.

Green, as you might expect, is MSE's indication that all is well and operating as it should be.

Orange, on the other hand, doesn't always mean that you are infected.

The orange "potentially unprotected" indication doesn't actually mean that you are, in fact, infected. The icon will go orange for a variety of reasons – one of the most common that I see is that I haven't run a scan in a while or that the database of malware definitions is significantly out of date. There's no malware and I'm not infected. Microsoft Security Essentials is simply pointing out something that might be interfering with its ability to fully protect me.

From my perspective, the orange shield means "open up Microsoft Security Essentials to see what it's complaining about."

It might be a malware infection, but it might not. I believe it actually turns red in the face of an actual infection.

About that real-time protection

Just because you have real-time protection enabled doesn't mean that malware can't still reach your machine.

Having that on improves security and prevents many things from reaching your machine, but it's critical to realize that when it comes to security, there are no absolutes. There is no such thing as perfect security.

As it turns out, reading the Microsoft article on this threat, you'll find that it often arrives in the form of a hidden download in software you are installing – most frequently, a toolbar you didn't ask for.

The problem is that "you didn't ask for" is actually wrong. You very probably did ask for it; you just didn't know that you did. (Check out Why do I suddenly have another toolbar in my browser? for how this evil practice happens.)

That actually puts anti-malware tools in a difficult spot. Whether you realized it or not, that toolbar complete with its low-threat adware was something that you asked for.

I could easily see anti-malware tools effectively saying, "Well, the user asked for it. It's low threat, so they must know what they're doing."

More practically, that's why scheduled scans exist – real-time protection simply can't catch everything in all the different ways that malware can make it to your machine.

Speaking of can't catch everything

There's a common misconception that a good anti-malware solution will protect you from absolutely everything.

That's simply not the case.

All anti-malware tools miss some malware.

There are various reasons – some technical (different detection technologies have different weak spots), some procedural (some companies may respond to new threats and update their databases more quickly than others), and some for reasons I haven't even thought of.

Regardless of the reasons, it's a fact. Just as there is no such thing as perfect security, there's no such thing as the perfect anti-malware solution.

Sometimes, malware is not detected; sometimes, malware is detected, but can't be reliably removed.

Obviously, it's important to use anti-malware tools in the right combination, and to pick ones with good track records, but there's still no substitute for user vigilance on top of everything else.

What I would do

OK, enough with the preaching and the whys and wherefores ... let's get rid of this thing.

My guess is that MSE is in fact removing it, but that it's immediately coming back for some reason – since it appears to associate with a toolbar, perhaps it comes back when you fire up your browser.

Here's how I'd proceed:

  • I'd back up first. It's the safest thing in case there's a problem below.

  • Look for unexpected add-ons in my browser; particularly, any that are associated with software that I've recently installed and, of course, any that display the "OpenCandy" moniker. I'd at least disable and perhaps completely remove any such add-ons.

  • Similarly, I'd look for unexpected entries in Control Panel -> [Add/Remove] Programs and uninstall any that claim they're adding toolbars or are labeled "OpenCandy."

  • I'd download and run the free version of Malwarebytes Anti-Malware. This tool has a good track record of removing a wide variety of malware that other tools either miss or are unable to remove.

  • If the malware still remains, I'd download and run Windows Defender Offline, which is basically a stand-alone version of Microsoft Security Essentials that runs from a bootable CD.

  • If the malware still remains, I'd download and run another free tool: Spybot Search and Destroy, one of the internet's oldest anti-spyware tools that remains a solid and useful utility today.

  • If the malware still remains ... well, at this point, I'd seek professional help for the machine. But I'm very confident that the malware would have been removed several steps earlier.
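Before running the scanners above, it helps to know where the "removed" item is being re-created from, since a detection that returns within two minutes of a reboot almost always has an autostart entry, a browser helper object or an installed program behind it. The following PowerShell script is an added example written for this article (not Leo's code and not anything from Microsoft): it pulls MSE's own detection events so you can see the exact path it keeps reporting, then hunts the usual persistence locations for matching names. It assumes MSE logs to the System event log under the source "Microsoft Antimalware" with event ID 1116 (detected) and 1117 (action taken) and that the message body contains "Name:" and "Path:" lines; the keyword list is mine and should be extended with whatever name MSE shows. Run it in an elevated PowerShell window on Windows 7 or later.

```powershell
# Added example for this article; not code from Ask Leo! or Microsoft.
# Assumptions (not stated on the page): MSE logs detections to the System
# log, source "Microsoft Antimalware", event 1116/1117, with "Name:" and
# "Path:" lines in the message. $Keywords is my own list. PowerShell 2.0 syntax.

$Keywords = @('OpenCandy', 'Toolbar', 'Conduit')          # assumed names to hunt for
$Pattern  = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
$PsNoise  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-MseDetection {
    # One object per detection/action event: when, what, and the path MSE reports.
    Get-EventLog -LogName System -Source 'Microsoft Antimalware' -Newest 500 -ErrorAction SilentlyContinue |
        Where-Object { @(1116, 1117) -contains $_.EventID } |
        ForEach-Object {
            $name = $null; $path = $null
            if ($_.Message -match 'Name:\s*([^\r\n]+)') { $name = $Matches[1].Trim() }
            if ($_.Message -match 'Path:\s*([^\r\n]+)') { $path = $Matches[1].Trim() }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; EventID = $_.EventID; Threat = $name; Path = $path
            }
        }
}

function Find-SuspectRegistryValue {
    # Autostart values whose name or command line matches $Pattern.
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }    # provider metadata, not a value
            if ("$($p.Name) $($p.Value)" -match $Pattern) {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Find-SuspectProgram {
    # Installed programs (32-bit, 64-bit and per-user views) whose name or publisher matches.
    $roots = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $Pattern } |
            Select-Object DisplayName, Publisher, InstallDate, UninstallString
    }
}

function Find-SuspectBho {
    # Internet Explorer Browser Helper Objects: resolve each CLSID to its name and DLL.
    # Every BHO is listed; Suspect is $true when name or DLL matches $Pattern.
    $bhoKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($clsid in (Get-ChildItem -Path $bhoKey | ForEach-Object { $_.PSChildName })) {
            $name = $null; $dll = $null
            foreach ($classKey in @("HKLM:\Software\Classes\CLSID\$clsid",
                                    "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid")) {
                if (-not (Test-Path $classKey)) { continue }
                $name = (Get-ItemProperty -Path $classKey).'(default)'
                $dll  = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                break
            }
            New-Object PSObject -Property @{
                CLSID = $clsid; Name = $name; Dll = $dll; Suspect = ("$name $dll" -match $Pattern)
            }
        }
    }
}

Write-Host "== What MSE reported (newest first) =="
Get-MseDetection | Format-Table Time, EventID, Threat, Path -AutoSize

Write-Host "== Autostart entries matching: $Pattern =="
Find-SuspectRegistryValue -Keys @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') | Format-Table Key, Name, Value -AutoSize

Write-Host "== Installed programs matching: $Pattern =="
Find-SuspectProgram | Format-Table -AutoSize

Write-Host "== Internet Explorer BHOs (Suspect = matches pattern) =="
Find-SuspectBho | Format-Table CLSID, Name, Dll, Suspect -AutoSize
```

The Path line from the 1116/1117 events is the piece of information that MSE's pop-up hides: it names the file or registry value that keeps reappearing, which in turn tells you which installed program or add-on to uninstall before scanning again. Unknown BHOs are worth a look even when Suspect is $false, since bundled toolbars rarely carry the bundler's name.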

Because this particular malware appears to arrive as an unwanted companion to a software install, I have to reinforce the importance of paying attention to all of the options offered by any software setup program you might run. That means never taking the default options and always choosing the "Custom" or "Advanced" path through every setup. It also means making sure to scroll down through any list of options that the installation program might offer to see if there's something hidden at the bottom of the list.

Article C5391 - May 27, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

16 Comments
Bharatkumar
May 29, 2012 4:07 PM

To Zachelect: Where can I find Toolbar Cleaner?

Mike Noonan
May 29, 2012 7:26 PM

Here's a tip for free professional technical support. Go to GeeksToGO.com. Their instructions are simple and straightforward. It will take a few round trips to their site to clean up your machine, but in the end it will squeak, it's so clean. I had a friend's machine so locked up from her son's download of a game he saw that no work could be done. Very clever takeover, but until you paid $35 to remove the list of viruses (so they said) they found, you were hosed.
There are a couple of other sites like this too, but I do not have the references. If you Google "geekstogo" you might find synonym sites.

Mike

Flashorn
May 30, 2012 1:52 PM

Good and informative article Leo!

I use MSE and on a regular basis, it will turn orange.
I know it's only a scan because I download quite a bit. I just run a Quick scan and it turns back green. (only takes a minute or so). Keeps it satisfied and green.

When I download a program, I would always look for additional check boxes. They usually mean added stuff and not always adware or tool bars. They could be asking you if you want to have a shortcut on your desktop to the program.

As for the uninstallation of those unwanted tool bars , I would recommend using HijackThis to run a scan and upload the scan to either :
https://www.virustotal.com/
or
http://www.hijackthis.de/

Either of these sites will tell you whether or not your PC has any unwanted programs installed.

One little program I use after using CCleaner for unwanted cookies is : FlashCookiesCleaner.
http://forums.lunarsoft.net/topic/4214-flash-cookies-cleaner/

And I would also recommend the use of the Portable SUPERAntiSpyware program:
http://www.superantispyware.com/portablescanner.html
This does an excellent job of scanning a PC in Safe Mode.

But, as always, the best defense against Malware is
common sense. Look carefully at what you are about to either download or install. Look it up on Google or Malware Sites like , MajorGeeks :
http://forums.majorgeeks.com/
or
http://www.bleepingcomputer.com/

Nice to hear you are still caring Leo.

Duane
May 31, 2012 3:08 AM

Never install any add-on tool bar. Never. If you find you've inadvertently done so, uninstall said add-on immediately. As advised, it’s well worth disabling any unknown add-on by accessing the menu option under Tools > Manage Add-ons. I'd also recommend running Super Antispyware (free version will do the job). If the infection is particularly persistent, I'd up the ante and run ComboFix. The easiest way to avoid problems is to make sure that you never install any add-on tool bar. Never.

JeanieC
July 23, 2012 12:51 PM

While I agree completely with most of what people are saying, I want to point out that I have also been "attacked" by this annoying OpenCandy adware. I have not installed/downloaded anything on my computer for quite some time and this little annoyance has started popping up every day 2 or 3 times a day for the past two weeks. How did it get there? I have run AdAware & Spybot Search & Destroy. MSE still keeps telling me I have OpenCandy on my computer. I still keep saying Remove and it says it has completed the action.

According to the Open Candy website, it is embedded in software you have chosen to download. You are not given an option to not install (or uninstall) Open Candy. This is, according to Microsoft, the reason it is being flagged as a threat by MSE. My problem is that I have NOT recently downloaded any software, so HOW did this find its way onto my laptop and WHY can I not get rid of it?

I'll try some of the other tools mentioned here and see what happens, but at this point I don't have a lot of hope for it truly being gone and staying gone. There is just no way to know where it is coming from. If it did come from something I downloaded, then why would it lay dormant for months without being found when I have read stories of MSE flagging this adware as far back as 2009? I only began getting warnings of its existence a couple of weeks ago. Thanks for the other tips on removal. I hope one of them actually works for me.