![Cheile Gradistei [Mobile upload 2007/12/20 15:40:54]](/images/upload/1/1048.jpg)
![Salina Praid [Mobile upload 2007/09/22 04:23:46]](/images/upload/1/1047.jpg)
![Transfagarasan [Mobile upload 2007/07/23 06:14:13]](/images/upload/1/1031.jpg)
![Balea Lac 2 [Mobile upload 2007/07/23 05:16:33]](/images/upload/1/1030.jpg)
![Voineasa [Mobile upload 2007/07/21 12:42:12]](/images/upload/1/1029.jpg)
![Omg [Mobile upload 2007/07/20 10:18:23]](/images/upload/1/1028.jpg)
![Krka National Park [Mobile upload 2007/06/15 11:02:18]](/images/upload/1/1022.jpg)
![Fia Gt3 [Mobile upload 2007/06/01 10:48:18]](/images/upload/1/1021.jpg)
![In Drum Spre Bulgaria [Mobile upload 2007/06/01 10:47:26]](/images/upload/1/1020.jpg)
Posted on 06/03/2006
Yesterday I got infected my mistake with CoolWebSearch. First I tried removing it with Microsoft Antispyware, Lavasoft Ad-Aware, CWShredder, Bitdefender and Norton Antivirus.
Microsoft Antispyware, CWShredder, Bitdefender and Norton Antivirus did not even recognized it.
Lavasoft Ad-Aware is the only one that recongized it, but it was unsuccesfull removing it.
CoolWebSearch has one primary file e2020cdoef0c0.dll (random name, ~ 231 KB in my case) in Windows/System32
This random named DLL is started by winlogon.exe every windows startup, so the file can't be deleted.
If you try to delete the registry keys in HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Notify/App Management and HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Notify/Welcome
it will write them back almost instantly. The same thing happens in normal mode/save mode/save mode, command prompt.
The only way to remove it is to run Lavasoft Ad-Aware to identify the file name, then simply shut down the computer by removing the back AC plug.
Then remove the hard disk and insert it into another computer as slave. Browse to Windows/System32 and delete the DLL file identified by Ad-Aware.
I also found a file named guard.tmp in Windows/System32. Search for it and if you find it, remove it.
If you have deleted the file(s), then is safe to install back the hard disk and reboot.
If you know another way to remove it, please contact me using the form below.
