Question About Two Avira Detections

Discussion in 'Software' started by Skullduggery's Dupe, Feb 5, 2016.

  1. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Last night (4 Feb 2016) I ran a scan with Malwarebytes Anti-Malware Free. It found nothing.

    Then I ran a scan with Avira Free Antivirus. When I returned after it ran there was a warning that it found YouTube Downloader HD. It gave me the opportunity to quarantine it. I had downloaded it from MG, so I trust it, and to my knowledge it's never caused me the slightest bit of trouble, so I declined.

    This is interesting though because on 27 Jan, after I was unable to resolve an issue at MG (see my thread "Pups Apparently Associated With Unknown Temp Users"), I presented the same issue at BC, and upon running JRT (Malwarebytes' Junkware Removal Tool) at their direction, the earlier non-HD version of the program YouTube Free Downloader was uninstalled.

    Understand that I have no complaint about YouTube Downloader; I like it, but for some reason it appears to be triggering false positives.

    Anyway, after I declined to quarantine it, Avira said that actually TWO warnings had been raised in that session. The other was for PUA/OpenCandy.Gen. I find this odd since I wasn't asked if I wanted to quarantine it.

    Looking at the Avira quarantine log, I found the following entry relating to PUA/OpenCandy.Gen. Oddly, it's dated from 8 Jan, not 27 Jan.


    Type: File
    Source: C:\_OTM\MovedFiles\10272015_130003\C_Program Files\Dondox\packages\ecdb7407-ea6c-4c57-a569-2083c01b5a22\setup\QuickTime_Update.7.77.80.95.exe
    Status: Infected
    Quarantine object: 505d5823.qua
    Restored: NO
    Uploaded to Avira: NO
    Operating system: Windows XP/VISTA Workstation/Windows 7
    Search engine: 8.03.34.118
    Virus definition file: 8.12.44.80
    Detection: PUA/OpenCandy.Gen
    Date/Time: 1/8/2016, 12:50


    As you can see, it relates to a Quicktime update.

    I see online that a PUA is a Potentially Unwanted Application (in other words, a PUP). I also see that expert Sidney Martins at Avira's Answers by Experts says in Avira thread "what is pua/opencandy.gen detection" that 'OpenCandy detection is usually a "good" program that brings a "bad" program inside it.' He recommended deleting it.

    Here's Avira's Virus Lab description of PUA/OpenCandy.Gen|0.

    I wonder if this PUA is part and parcel with YouTube Downloader, or if it was unrelated, and for some reason Avira simply didn't ask me if I wanted to quarantine it.

    Any thoughts on this?
     
  2. Imandy Mann

    Imandy Mann MajorGeekolicious

    https://www.reasoncoresecurity.com/...10745fe27e90439d1625ea823917ad96080a8600.aspx

    Hey Skull. I searched for that QT update and it shows in several listings as having the OpenCandy ride-along. It happens in several other programs I use and since I know it's there I usually clean the OpenCandy part and retain the program I wanted. The two are usually separate. I've learned to find 'OCsetup.dll' or something similar in the User\ appdata folder, which I delete right after install. Then I search 'program and features' and delete Open Candy if it's there. Then look in 'Program Files' or 'Program Files x86' to see there also. Finally a regedit search.

    After that a scan with an anti-malware to be sure.

    It's a shame we have to go through this stuff to get some decent programs but that's what some software has started doing.
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Avira's detecting a file that was placed in OldTimers OTM's quarantine folder that was not removed as part of removing the tool after use. Evidently you neglected performing the "Final cleanup steps" as part of your malware thread here => http://forums.majorgeeks.com/index.php?threads/malware-infection.295557/

    - and we know that OpenCandy is an undesirable.
     
    Last edited: Feb 5, 2016
    Kestrel13! likes this.
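
The point in the reply above can be read straight off the quarantine entry in the first post. As an added example (not part of the thread and not any poster's code), this Python script parses that entry and decodes its source path; the folder layout `_OTM\MovedFiles\<MMDDYYYY_HHMMSS>\<drive>_<original path>` is an assumption inferred from the single path shown in the thread.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Quarantine entry copied from the first post (only the fields used here).
ENTRY = r"""
Type: File
Source: C:\_OTM\MovedFiles\10272015_130003\C_Program Files\Dondox\packages\ecdb7407-ea6c-4c57-a569-2083c01b5a22\setup\QuickTime_Update.7.77.80.95.exe
Status: Infected
Quarantine object: 505d5823.qua
Detection: PUA/OpenCandy.Gen
Date/Time: 1/8/2016, 12:50
"""

# Assumed layout of the removal tool's holding folder, inferred from the path above:
# <drive>:\_OTM\MovedFiles\<MMDDYYYY_HHMMSS>\<drive>_<original path>
OTM_RE = re.compile(r"^[A-Za-z]:\\_OTM\\MovedFiles\\(\d{8}_\d{6})\\([A-Za-z])_(.+)$")

def parse_entry(text):
    """Split 'Key: value' lines on the first ': ' so drive letters and times survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value
    return fields

def triage(fields):
    """Say whether the flagged file is live or a leftover in the tool's holding folder."""
    source = fields["Source"]
    result = {"detection": fields["Detection"],
              "scanned": datetime.strptime(fields["Date/Time"], "%m/%d/%Y, %H:%M"),
              "file": PureWindowsPath(source).name,
              "leftover": False, "moved": None, "original": source}
    m = OTM_RE.match(source)
    if m:
        stamp, drive, rest = m.groups()
        result.update(leftover=True,
                      moved=datetime.strptime(stamp, "%m%d%Y_%H%M%S"),
                      original=f"{drive}:\\{rest}")
    return result

if __name__ == "__main__":
    r = triage(parse_entry(ENTRY))
    print(f"{r['detection']} on {r['file']}")
    print(f"originally at {r['original']}")
    if r["leftover"]:
        print(f"moved aside {r['moved']:%d %b %Y %H:%M:%S}, flagged {r['scanned']:%d %b %Y}")
```

Under that assumed layout, the flagged installer was moved out of `C:\Program Files\Dondox` on 27 Oct 2015 and was sitting in the holding folder when Avira flagged it on 8 Jan 2016, so the entry has nothing to do with the YouTube Downloader HD warning from the 4 Feb scan.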
  4. MaxTurner

    MaxTurner Banned

    Open Candy itself is not a software program as such, but a software developer utility that offers optional add on software programs to users of some freeware programs. A user can uncheck any option box for added programs and nothing then is installed. But if a user goes quite quickly through an install process they can - and many many users do - miss those optional pre-checked boxes. It is not different to IoBit always including a tiny, not always easy to see, pre-checked install box for extra programs, or Adobe having pre-checked install option boxes for Chrome and Google search or what many other reputable freeware makers do.
    Eyes open wide and don't rush freeware installs is the answer. It isn't malicious and it's about funding development because very few people 'donate' to a freeware developer.

     
    Eldon likes this.
  5. Imandy Mann

    Imandy Mann MajorGeekolicious

    My response was to @Skull. I have no OC problems. I do consider it malware. As for money some are making plenty maybe even more than devs that don't use OC. I do buy and contribute to software I use on a regular basis.

    https://en.wikipedia.org/wiki/OpenCandy
    Here's a partial list of software with this ride-along. And other info too.
     
    dr.moriarty likes this.
  6. MaxTurner

    MaxTurner Banned

    I don't disagree with you that OC is an annoyance, I've seen it described in the MR forum as 'undesirable'. But it is not a software program itself and any additional software it offers has check boxes that can be unchecked and OC then just goes away. It's no more annoying than any of the freeware programs on MG that are labelled 'Bundleware'. If a user just clicks 'ok' and 'next' with all installations (as many do) they'll get things they didn't necessarily want with a long long list of well known programs. That is not going to change so a productive focus is to advise people to take extra care and diligence when installing freeware.
     
