The Should I Remove It? - Coolyou page notes:
What is Coolyou?
From the app's privacy policy: "We may collect certain information about your web usage and websites you have visited, which may be shared with third parties and used for advertising."
Of course, the user has no recollection of agreeing to the installation of the software on his system.
The Should I Remove It? page also notes:
Scheduled Task
CoolYou.exe is scheduled as a task named 'OptimizerProUpdaterRefreshTask' (runs daily at 3:35 PM).
I checked the tasks scheduled via the Task Scheduler, which can be done via the following steps on a Windows 7 system:
I found the scheduled task listed as CoolYouUpdaterTask{1168C92C-8102-4417-BC40-19EC761CC49A} in the Task Scheduler Library. When I selected the CoolYouUpdaterTask and clicked on the Triggers tab, I saw that it would start any time a user logged into the laptop - see image.
Trigger | Details |
---|---|
At log on | At log on of any user |
When I clicked on the Actions tab, I saw that when a user logged in, CoolYou.exe would run with the parameters shown below passed to it (image).
C:\ProgramData\CoolYou\CoolYou.exe /schedule /profilepath "C:\ProgramData\CoolYou\profile.ini"
I had Malwarebytes Anti-Malware quarantine everything it found and then under "Uninstall or change a program" within the Control Panel, I uninstalled the 3 entries I saw for CoolYou (image):
Coolyou
CoolYou Gadget
CoolYou Updater
The user reported the system had been running slowly for quite some time. The CoolYou software was installed on August 5, 2012 according to the information provided under "Uninstall or change a program". It was undoubtedly not the sole, and perhaps not even the primary, reason the system was performing so slowly, since Malwarebytes Anti-Malware found other stuff as well (xml report), but, since it appeared to be adware at best, I didn't want to leave it on the system.
I noticed that the CoolYou directory was still present, with the application still within it, under C:\ProgramData. I tried to delete the directory, but saw a "File In Use" window with "The action can't be completed because the file is open in CoolYou.exe."
I killed the program from a command prompt (right-click on cmd.exe and choose "run as administrator", if you aren't logged into an administrator account).
C:\windows\system32>taskkill /f /fi "imagename eq coolyou.exe"
INFO: No tasks running with the specified criteria.

C:\windows\system32>taskkill /f /fi "imagename eq CoolYou.exe"
SUCCESS: The process with PID 4064 has been terminated.
I also found that the CoolYou task was still present in the Task Scheduler even after Malwarebytes Anti-Malware removed what it found and after I ran the software uninstall process through the Control Panel. I manually deleted it from the Task Scheduler by right-clicking on it and choosing "Delete". Before doing so, I exported the information on the task to an XML file, which can be viewed here.
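As an added example (not code from the original post), the PowerShell script below does across every task at once what the Task Scheduler clicks above do for one: it walks the whole Task Scheduler Library, lists any task whose action runs an executable from a user-writable location such as C:\ProgramData, prints its triggers and action (the way CoolYou's log-on trigger and /schedule command line were found), and hashes the executable so it can be checked on VirusTotal. It uses the Schedule.Service COM object because Windows 7 has no Get-ScheduledTask cmdlet; the $SuspectRoots list is my own assumption, and the script assumes an elevated prompt.

```powershell
# Added example, not from the original post: enumerate all scheduled tasks via
# the Schedule.Service COM object (available on Windows 7, which lacks the
# Get-ScheduledTask cmdlet), report tasks whose action runs from a user-writable
# location, and hash that executable for a VirusTotal lookup.
# Run from an elevated PowerShell prompt. $SuspectRoots is an assumption.

$SuspectRoots = @('C:\ProgramData\', 'C:\Users\', "$env:TEMP\")

function Get-TasksRecursive($Folder) {
    # GetTasks(1) includes hidden tasks; GetFolders(0) lists subfolders.
    $tasks = @($Folder.GetTasks(1))
    foreach ($sub in $Folder.GetFolders(0)) { $tasks += Get-TasksRecursive $sub }
    return $tasks
}

function Get-ExeHashes([string]$Path) {
    # .NET hashing works on PowerShell 2.0, where Get-FileHash does not exist.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $sha   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    $md5   = [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    New-Object PSObject -Property @{
        SHA256 = ([BitConverter]::ToString($sha) -replace '-', '').ToLower()
        MD5    = ([BitConverter]::ToString($md5) -replace '-', '').ToLower()
    }
}

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

foreach ($task in Get-TasksRecursive $svc.GetFolder('\')) {
    foreach ($action in $task.Definition.Actions) {
        if ($action.Type -ne 0) { continue }          # 0 = TASK_ACTION_EXEC
        $exe = [Environment]::ExpandEnvironmentVariables($action.Path.Trim('"'))
        $hit = $SuspectRoots | Where-Object {
            $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if (-not $hit) { continue }
        Write-Output "Task:    $($task.Path)"
        Write-Output "Action:  $($action.Path) $($action.Arguments)"
        foreach ($trig in $task.Definition.Triggers) {
            # Trigger types: 9 = at log on, 8 = at startup, 2 = daily, 1 = one time
            Write-Output "Trigger: type $($trig.Type), enabled=$($trig.Enabled)"
        }
        if (Test-Path -LiteralPath $exe) {
            $h = Get-ExeHashes $exe
            Write-Output "SHA256:  $($h.SHA256)"
            Write-Output "MD5:     $($h.MD5)"
        }
        Write-Output ''
    }
}
```

A task that survives an uninstall, like the CoolYou one above, shows up here with its path under the root folder; it can then be removed with the task's folder object or, as in the post, from the Task Scheduler GUI after exporting it.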
Before removing the CoolYou software from the system, I uploaded Coolyou.exe, which has a SHA256 hash value of 31486eb4bf87f2f2dc29d56fc4fc68b7c2790342abb85796b9f7bb113eacb43f and an MD5 hash value of 2096b76b1a5d4e5ce2bcb19c0fada911, to Google's VirusTotal website for analysis. That site checks uploaded files for malware with multiple antivirus programs. Someone else had uploaded the file yesterday; I had VirusTotal reanalyze it. VirusTotal reported that 11 of the 54 (20.37%) antivirus programs with which it checked the file identified the file as problematic - see VirusTotal report.
Designations for the file by those antivirus programs that flagged it as concerning are shown below:
Antivirus | Result | Update |
---|---|---|
AVware | BPX.Trojan.Generic | 20141221 |
Agnitum | Riskware.GenUpdater! | 20141221 |
Antiy-AVL | Trojan/Win32.SGeneric | 20141221 |
CMC | Trojan.Win32.Heuristic!O | 20141218 |
DrWeb | Program.Unwanted.6 | 20141221 |
ESET-NOD32 | Win32/GenUpdater | 20141221 |
K7AntiVirus | Trojan ( 0048e3021 ) | 20141219 |
K7GW | Trojan ( 0048e3021 ) | 20141220 |
Malwarebytes | Trojan.Dropper | 20141221 |
NANO-Antivirus | Riskware.Win32.Unwanted.deawxi | 20141221 |
Sophos | MultiPlug | 20141221 |
I've placed the contents of the C:\ProgramData\CoolYou directory in a zip file here for anyone who may wish to further analyze it or who may wish to determine if it is detectable by other antivirus software. To prevent any inadvertent downloads, the page is password protected; the userid is zoo and the password malware.
Created: Sunday December 21, 2014