Questions about YouTube and A.exe

Avast Home, Dell Optiplex 320, Vista Home Basic, UAC.

I searched for previous posts on the above subjects and couldn’t find anything:

When I try to watch a video on YouTube type sites I get frequent interruptions and the “loading video” message. Recently I discovered that whenever a video is interrupted it is just after the Avast ball in the icon area starts spinning, and the video is resumed when the blue ball stops. Is there a way I can avoid this?

Also, recently I got an Avast notification that a site had downloaded a virus/worm with the request for action to be taken. I clicked on eliminate and got no more notices. However, a new process appeared on my task manager: a.exe, which I later found out came from CoolSearch. I started getting small DOS windows when running Firefox and the PC slowed down. Ran a pre-boot scan and got nothing. Also ran Ad-Aware and Spybot…nothing. Finally, I removed a.exe from the start up programs using MsConfig and that took care of it. But I’m wondering if the virus is still there and why avast did not detect it during the pre-boot scan.

Thanks in advance.

YouTube is becoming a malware minefield, and the reason avast’s icon rotates is that a file is being scanned. That file may have nothing to do with the video but is downloaded in the background. So it is important to keep up your defences, as you have found.

CoolWebSearch (CWS) will be trying to monitor your activity and try to present sites or ads according to your activity. CWS can be a bit of a pig to remove so I don’t think it is quite as simple as you mentioned. There used to be a tool specifically designed to get rid of this (CWShredder) but it has been bought out by Trend Micro and is no longer free.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.

  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

Thanks for the response.
I’m beginning to suspect Avast has nothing to do with the delays, especially considering that when I ask to view videos in YT’s High Quality Mode the loading notices disappear and the vids play smoothly…may have to do with the way the site sends the information.
Will try the suggested software and advise of findings.
Regards.

Both of those tools should produce reports; run one and post the results before proceeding to the next.

Ran the two programs in safe mode. SuperAntiSpyware only found 14 tracking cookies that were deleted, but Malwarebytes DID find a trojan.

Here’s the log:

Malwarebytes’ Anti-Malware 1.29
Versión de la Base de Datos: 1279
Windows 6.0.6001 Service Pack 1

17/10/2008 14:59:05
mbam-log-2008-10-17 (14-59-05).txt

Tipo de examen : Examen Completo (C:|D:|)
Objetos examinados: 158528
Tiempo transcurrido: 25 minute(s), 34 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 1
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) → Quarantined and deleted successfully.

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
(No se han detectado elementos maliciosos)

The highlighted item title (Spanish) means “Infected Registry Keys”. No other issues found.
MSFox is the way A.exe was identified by the Windows Task Manager before being deactivated.

Again, MUCHAS GRACIAS for the help.

You’re welcome. Without a registry key to start it, even if the file were there it would be inert (non-active).

If you happen to have saved a.exe somewhere (probably not) you could have sent the sample to avast. There is a section in the chest for this purpose, User Files and you can add suspect files (undetected by avast).

You can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm. A copy of the file would remain in the original location, so you would need to remove that.

You can send it from there (select the file, right click, email to Alwil Software) as an undetected malware sample. No need to zip and PW protect when the sample is sent from chest.

Unfortunately I didn’t save the file and it’s no longer at the locations it’s supposed to be at, probably the antispy scans deleted it. Sorry.

It is hard to remember when up to your ass in alligators that your intention was to drain the swamp. Or in this case to submit samples to improve avast detections ;D

I thought we only said “up to your ass in alligators” in Texas!
Globalization is great!

I somehow got this a.exe recently. Avast didn’t seem to recognize it as a virus. I even told avast to scan it and it didn’t flag it as anything. I recently put it in my chest and sent it to you.

I was on Facebook and suddenly noticed my hard drive was going crazy. I saw this process and it was scanning all my files. I quickly killed it.

Well if it is related to or a new variant of coolwebsearch it may not detect it.

However, there is no guarantee that a.exe is one and the same file as originally mentioned. You should try the suggested tools and see if there are any other elements associated with this.
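Added example (not part of any post in this thread, and not Malwarebytes or avast code): a small triage script for a Malwarebytes 1.x text log like the one posted above. It extracts each detection, checks that the summary counts agree with the items listed, and marks whether a detected registry key sits under a common autostart path. The marker list, `SAMPLE_LOG` excerpt and function name are assumptions of the example.

```python
import re

# Constructed sample: an excerpt of the log posted in this thread (Spanish UI);
# headers and the detection line are copied from the post, the rest is omitted.
SAMPLE_LOG = r"""Claves del Registro Infectadas: 1
Valores del Registro Infectados: 0

Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) → Quarantined and deleted successfully.

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)
"""

# Registry locations Windows reads to launch programs at boot or logon.
# Assumption of this example: a short, non-exhaustive list.
AUTOSTART_MARKERS = (
    r"\microsoft\windows\currentversion\run",        # also matches RunOnce
    r"\microsoft\windows nt\currentversion\winlogon",
    r"\currentcontrolset\services",
)

HEADER = re.compile(r"^(?P<section>[^()\\]+):\s*(?P<count>\d+)?\s*$")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) (?:→|->) (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (detections, mismatched_sections) for a Malwarebytes 1.x text log."""
    counts, listed, detections, section = {}, {}, [], None
    for line in map(str.strip, text.splitlines()):
        h, d = HEADER.match(line), DETECTION.match(line)
        if h and h["count"] is not None:
            counts[h["section"]] = int(h["count"])    # summary line, e.g. "...: 1"
        elif h:
            section = h["section"]                    # start of a detail section
            listed.setdefault(section, 0)
        elif d and section:
            listed[section] += 1
            detections.append({
                "section": section, "item": d["item"], "name": d["name"],
                "action": d["action"],
                "autostart": any(m in d["item"].lower() for m in AUTOSTART_MARKERS),
            })
    # A detail section whose summary count is missing or differs suggests an
    # edited or truncated log.
    mismatched = sorted(s for s, n in listed.items() if counts.get(s) != n)
    return detections, mismatched
```

For the log in this thread the single detection comes back with `autostart` set to `False`, so startup entries such as the one disabled through MsConfig still need to be checked separately.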