CoolYou

Malwarebytes Anti-Malware
A friend was complaining that his laptop, which runs Microsoft Windows 7 Home Premium, was very slow, so he was considering purchasing another laptop. I suggested he download and install Malwarebytes Anti-Malware and scan the system with that software. One of the items it detected was CoolYou (image), which it classified as Trojan.Dropper.

The Should I Remove It? - Coolyou page notes:

What is Coolyou?

From the app's privacy policy: "We may collect certain information about your web usage and websites you have visited, which may be shared with third parties and used for advertising."

Of course, the user has no recollection of agreeing to the installation of the software on his system.

The Should I Remove It? page also notes:

Scheduled Task

CoolYou.exe is scheduled as a task named 'OptimizerProUpdaterRefreshTask' (runs daily at 3:35 PM).

I checked the tasks scheduled via the Task Scheduler, which can be done via the following steps on a Windows 7 system:

  1. Click on the Windows Start button.
  2. Select Control Panel
  3. Select System and Security
  4. Select Administrative Tools
  5. Right-click on Task Scheduler and select "Run as administrator". Provide the administrator login credentials, if prompted to do so.

I found the scheduled task listed as CoolYouUpdaterTask{1168C92C-8102-4417-BC40-19EC761CC49A} in the Task Scheduler Library. When I clicked on the Triggers tab after selecting the CoolYouUpdaterTask by clicking on it, I saw that it would start any time a user logged into the laptop - see image.

Trigger: At log on - Details: At log on of any user

When I clicked on the Actions tab, I saw that when a user logged in, CoolYou.exe would run with the parameter shown below passed to it (image).

C:\ProgramData\CoolYou\CoolYou.exe /schedule /profilepath "C:\ProgramData\CoolYou\profile.ini"

I had Malwarebytes Anti-Malware quarantine everything it found and then under "Uninstall or change a program" within the Control Panel, I uninstalled the 3 entries I saw for CoolYou (image):

Coolyou
CoolYou Gadget
CoolYou Updater

The user reported the system had been running slowly for quite some time. The CoolYou software was installed on August 5, 2012 according to the information provided for "Uninstall or change a program" and was undoubtedly not the sole, and perhaps not even the primary, reason why the system was performing so slowly, since Malwarebytes Anti-Malware found other stuff (xml report) as well, but, since it appeared to be adware at best, I didn't want to leave it on the system.

I noticed that the CoolYou directory was still present, with the application still within it, under C:\ProgramData. I tried to delete the directory, but saw a "File In Use" window with "The action can't be completed because the file is open in CoolYou.exe."

I killed the program from a command prompt (right-click on cmd.exe and choose "run as administrator", if you aren't logged into an administrator account.)

C:\windows\system32>taskkill /f /fi "imagename eq coolyou.exe"

INFO: No tasks running with the specified criteria.

C:\windows\system32>taskkill /f /fi "imagename eq CoolYou.exe"
SUCCESS: The process with PID 4064 has been terminated.

I also found that the CoolYou task was still present in the Task Scheduler even after Malwarebytes Anti-Malware removed what it found and after I ran the software uninstall process through the Control Panel. I manually deleted it from the Task Scheduler by right-clicking on it and choosing "Delete". Before doing so, I exported the information on the task to an XML file, which can be viewed here.
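The exported task XML itself is not reproduced here, so the following added example (my own code, not the author's) parses a constructed Task Scheduler XML fragment modelled on the trigger and action values given above and lists the reasons a defender would flag such a task: a logon trigger for any user, and a binary launched from a user-writable directory such as C:\ProgramData. The same functions work on a real export file if you read it with ET.parse().

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler 2.0 XML (what the Task Scheduler "Export" action writes)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the CoolYou task described in the post
# (logon trigger; CoolYou.exe launched from C:\ProgramData). Not the author's export.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\CoolYou\CoolYou.exe</Command>
      <Arguments>/schedule /profilepath "C:\ProgramData\CoolYou\profile.ini"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Directories a normal user can write to; a scheduled binary living here deserves a look
USER_WRITABLE = (PureWindowsPath(r"C:\ProgramData"), PureWindowsPath(r"C:\Users"))


def parse_task(xml_text):
    """Extract trigger kinds and Exec actions (command, arguments) from task XML."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    trigger_elems = list(trig) if trig is not None else []
    kinds = [t.tag.split("}")[-1] for t in trigger_elems]
    # A LogonTrigger without a UserId child fires at log on of any user
    any_user = any(t.tag.endswith("LogonTrigger") and t.find("t:UserId", NS) is None
                   for t in trigger_elems)
    actions = [(e.findtext("t:Command", "", NS), e.findtext("t:Arguments", "", NS))
               for e in root.iterfind("t:Actions/t:Exec", NS)]
    return {"triggers": kinds, "logon_any_user": any_user, "actions": actions}


def suspicious_reasons(task):
    """Return the reasons a defender would flag this task (empty list = nothing notable)."""
    reasons = []
    if task["logon_any_user"]:
        reasons.append("starts at log on of any user")
    for cmd, args in task["actions"]:
        path = PureWindowsPath(cmd.strip('"'))
        if any(d in path.parents for d in USER_WRITABLE):
            reasons.append(f"runs from a user-writable directory: {cmd} {args}".rstrip())
    return reasons


if __name__ == "__main__":
    for reason in suspicious_reasons(parse_task(SAMPLE_TASK_XML)):
        print("FLAG:", reason)
```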

Before removing the CoolYou software from the system, I uploaded Coolyou.exe, which has a SHA256 hash value of 31486eb4bf87f2f2dc29d56fc4fc68b7c2790342abb85796b9f7bb113eacb43f and an MD5 hash value of 2096b76b1a5d4e5ce2bcb19c0fada911, to Google's VirusTotal website for analysis. That site checks uploaded files for malware with multiple antivirus programs. Someone else had uploaded the file yesterday; I had VirusTotal reanalyze it. VirusTotal reported that 11 of the 54 (20.37%) antivirus programs with which it checked the file identified the file as being a problematical one - see VirusTotal report.

Designations for the file by those antivirus programs that flagged it as concerning are shown below:

Antivirus Result Update
AVware BPX.Trojan.Generic 20141221
Agnitum Riskware.GenUpdater! 20141221
Antiy-AVL Trojan/Win32.SGeneric 20141221
CMC Trojan.Win32.Heuristic!O 20141218
DrWeb Program.Unwanted.6 20141221
ESET-NOD32 Win32/GenUpdater 20141221
K7AntiVirus Trojan ( 0048e3021 ) 20141219
K7GW Trojan ( 0048e3021 ) 20141220
Malwarebytes Trojan.Dropper 20141221
NANO-Antivirus Riskware.Win32.Unwanted.deawxi 20141221
Sophos MultiPlug 20141221

I've placed the contents of the C:\ProgramData\CoolYou directory in a zip file here for anyone who may wish to further analyze it or who may wish to determine if it is detectable by other antivirus software. To prevent any inadvertent downloads, the page is password protected; the userid is zoo and the password malware.


Created: Sunday December 21, 2014