Homepage set to res://random.dll/index.html#randomnumber
Removal Instructions and Help

How did my homepage get set to res://random.dll/index.html#96676 or something similar?
This is a hijack I have seen for about a month and still have read so many variations of it that it's hard to understand everything it does. It appears to be a brand new variation of the CoolWebSearch homepage hijacker, although CWShredder isn't updated to handle it and won't be, so there are only manual methods on the web. The homepage is set to "Home Search" when this hijacker takes over.

The hijacker looks similar to this:

[Screenshot: onlythebest.jpg]

If you think you have modifications to the instructions to help, then email me and I'll update the page.

How do I Remove "Only The Best" popups and Home Search "random.dll" homepage hijacker?

1) First, create a new folder on your desktop and download and save HijackThis and About:Buster to it in order to analyze and help remove problems. Unzip the About:Buster file and leave both programs in this folder for use later. A tutorial for HijackThis can be found here.

2) Start Windows in Safe Mode by pressing F8 as the computer is booting and choosing Safe Mode, then turn off System Restore for Windows ME and Windows XP.

3) Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Settings, choose Show Hidden Files and Folders, then click on OK and close My Computer. In Windows XP/2000, you may also want to uncheck the options for "Hide extensions for known file types" and "Hide protected operating system files".

4) In Windows XP/2000 ** See Notes at bottom regarding this step.

  • Right-click on My Computer
  • Choose Manage
  • Double-click on Services and Applications
  • Click on Services
  • In the righthand column find "Network Security Service", and double-click on it
    (in Safe Mode this may already be stopped)
  • Choose Stop and then write down the name and path of the file in the "Path to Executable" section
  • Set the Startup Type to Disabled
  • Click Ok
  • Repeat this procedure for a Service called "Workstation NetLogon Service": double-click on this service, stop it, and set it to Disabled as well.
  • Repeat this procedure for a Service called "Remote Procedure Call (RPC) Helper": double-click on this service, stop it, and set it to Disabled as well. There are two other RPC services that should be left alone.
  • Close the Computer Management window

5) Run HiJackThis and note the DLL that is taking over the homepage. You'll see it in this section of HiJackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sftzv.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sftzv.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sftzv.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sftzv.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sftzv.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sftzv.dll/sp.html#96676

The DLL will be a random DLL name - I have seen a variety of names, all about 5-6 letters long. We aren't going to fix these R0 and R1 entries in HijackThis, just the problem BHO and Registry Entries. BHOs are Browser Helper Objects, small programs that run automatically when you start Internet Explorer.

Fix any entries in the BHO section that relate to this entry
(like the following although the DLL file will be a different name)

O2 - BHO: (no name) - {4AA2D3C2-CDCA-6838-276F-C2B2B1BA44BE} - C:\WINDOWS\system32\atlgr.dll

as well as fixing any randomly named .exe files running from the Run or RunOnce lines. These lines will look similar to the following (although the exe file name will be different)

O4 - HKLM\..\RunOnce: [apigo.exe] C:\WINDOWS\apigo.exe

** If you try to run HijackThis and receive an error similar to **
"A required .DLL file, MSVBVM60.DLL, was not found."
you'll need to download the Microsoft Visual Basic 6 runtime files located here

6) Close HiJackThis and run About:Buster. Follow the directions and have the program search the system for offending files and remove them. This program will also reset your homepage (so you'll have to set it back later). About:Buster will also search for the Network Security Service, _NS_Service_3 registry entries and temp files talked about in this article.

**Update: RubbeRDuckY, the creator of About:Buster emailed me and let me know that his latest version is 6 times faster and fixes more items.

If you run About:Buster and receive an error about a missing MSCOMCTL.OCX file, click on the following link to download a program to restore the file.

http://www.javacoolsoftware.net/downloads/missingfilesetup.exe

7) Remove the __NS_Service if it exists in the Registry (for Windows XP/2000)
This may have already been removed with About:Buster, but check for it anyway.

  • Click on Start, Run and type REGEDIT and press Enter
  • Warning: (do not delete items in the registry unless you are comfortable, deleting wrong items can render your computer unbootable)

    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (or another number)

    If __NS_Service_ exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3  (or another number)

    If LEGACY___NS_Service_ exists, then right click on it and choose delete from the menu.


    If you cannot remove it, then right click on it and choose Permissions, check Full Control and click OK and try to delete it again. If you are using Windows 2000, open the Registry with REGEDT32, highlight the Legacy_NS_SERVICE_3 folder, click on the Security menu at the top, select permissions and proceed to change the permissions to Full Control, then try to delete the key.
  • Search the registry by clicking on Edit, Find and typing the name of the executable file found in Step 4 above. Delete any registry entries regarding this executable. Most likely they will be a random string of characters as the name of the folder. Similar to:

    Legacy_O?4478F89OG823R748J2T34J8K76D4836576

  • Close the Registry Editor

8) Delete the infected files

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the dll filename you found in Step 4. If it's there, delete it.

9) Next, delete or clean up your hosts file. If your system does not have a hosts file, just skip this step.

Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro  c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts

10) Reset Internet Explorer Homepage and Search Page

  • Close all Internet Explorer windows.
  • Open Control Panel. Click Start>Settings>Control Panel.
  • Double-click the Internet Options icon.
  • In the Internet Properties window, click the General tab and enter in the homepage URL you want
  • Under the "Temporary Internet Files" section click on Delete Files, then check the box for "delete all offline content" and Click Ok.
  • Once the Temporary Internet Files have been deleted (it may take a few minutes), Click OK and close Internet Options and then close the Control Panel.

11) Reboot your computer into Normal Mode, and before opening Internet Explorer, run HiJackThis again to see if the hijack has reappeared. Remove any leftover R0 and R1 entries. If, after opening Internet Explorer, the files have reinfected your browser again, run through the steps again or send me a HijackThis log so I can review it. Also, if you have multiple user profiles set up on a Windows XP or other operating system, you may have to run these steps in each profile to destroy the pest.

12) If you have more instructions, experienced different results, or have more to add to this method, send me an email along with a HiJackThis log and I'll revise this page. As I stated above, these instructions will be a work in progress as we learn more about this hijack.
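
A triage pass over a saved HijackThis log for the entries that steps 5 and 11 ask you to look for, as an added example (not part of the original page or of HijackThis itself): it lists the DLLs named in res:// homepage and search values and flags O2/O4 lines shaped like the page's examples. The sample log, its benign entries and the 4-7 letter name heuristic are assumptions; flagged lines are candidates for review, not verdicts.

```python
import re
from ntpath import basename, dirname

# Constructed sample: the page's example lines plus three benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sftzv.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sftzv.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {4AA2D3C2-CDCA-6838-276F-C2B2B1BA44BE} - C:\WINDOWS\system32\atlgr.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\RunOnce: [apigo.exe] C:\WINDOWS\apigo.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

RES_RE = re.compile(r'^R[01] - .+? = res://(?:.*\\)?([^\\/]+\.dll)/', re.I)
BHO_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.+\.dll)$', re.I)
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run(?:Once)?): \[(.+?)\] "?([^"]+\.exe)', re.I)
# Assumption: "about 5-6 letters long" is widened slightly to 4-7 letters.
SHORT_STEM = re.compile(r'^[a-z]{4,7}$', re.I)

def in_dir(path, *names):
    """True if the file sits directly in a folder with one of these names."""
    return basename(dirname(path)).lower() in names

def triage(log_text):
    """Return (hijack_dlls, review) for the text of a HijackThis log."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: DLLs named in res:// homepage/search values (the R0/R1 lines).
    hijack_dlls = sorted({m.group(1).lower() for m in map(RES_RE.match, lines) if m})
    review = []
    # Pass 2: O2/O4 entries that fit the pattern described in step 5.
    for line in lines:
        if m := BHO_RE.match(line):
            name, clsid, path = m.groups()
            file = basename(path).lower()
            random_like = (name == "(no name)" and in_dir(path, "system32")
                           and SHORT_STEM.match(file[:-4]))
            if file in hijack_dlls or random_like:
                review.append(("O2", clsid, path))
        elif m := RUN_RE.match(line):
            hive, key, value, path = m.groups()
            file = basename(path).lower()
            # Heuristic from the page's example: value name equals the file
            # name and the file sits directly in the Windows folder.
            if (value.lower() == file and in_dir(path, "windows", "winnt")
                    and SHORT_STEM.match(file[:-4])):
                review.append(("O4", f"{hive}\\{key}", path))
    return hijack_dlls, review

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```

Run it again on the log taken in step 11: an empty DLL list and an empty review list mean none of these patterns came back.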

Revision History:

6/28/2004: Reorganized steps according to a first-hand example of this hijack.
6/29/2004: Added screenshot and more info describing hijack. Added information about changing permissions on Legacy_NS_Service_3 registry key to help delete it.
6/30/2004: On systems with Microsoft Office products installed, the system appears to want to run the windows installer window when office applications are opened. Go to the Office Update page online and check for new updates to your software.

http://office.microsoft.com/OfficeUpdate/default.aspx

7/01/2004: Still researching a problem with a missing shell.dll on some applications after removal of the pest.

You can extract individual files from the cabinet files to replace missing or corrupted files. To extract information from a .cab file in Windows XP:

1. Click Start, and then click Run.
2. In the Open box, type msconfig, and then click OK.
3. Click Expand File.
4. In the File to restore box, type the name of the file that you want to restore.
5. In the Restore from box, type the path to the Windows XP .cab file from which you want to restore the file, or click Browse From to locate the Windows XP .cab file.


NOTE: The Windows XP .cab files are stored in the I386 folder on the Windows XP compact disc (CD).


6. In the Save file in box, type the path to which you want the new file extracted, or click Browse To locate the folder that you want.
7. Click Expand.
8. In the System Configuration Utility dialog box, click OK. If you are prompted to restart the computer, click Restart.

Example: expand d:\i386\shell.dl_ c:\Windows\system\shell.dll

Expanding or copying the shell.dll file into the c:\windows\system and c:\windows\system32 directories seems to solve the error message.

Note: *** Please be patient with me on returning emails, I have received over 200 emails about this page in the last 48 hours. I'll try to get to everyone but it's going to take me a while to examine each HijackThis log.

7/02/2004: Added information about saving HiJackThis into its own folder when downloading, as well as revised the procedure and added information about cleaning up or deleting the HOSTS file and deleting temporary internet files.

7/03/2004: Updated link for About:Buster
7/5/2004: Revised step 10 to run HijackThis before opening Internet Explorer. Added information on using REGEDT32 in Windows 2000 to change permissions on LEGACY_NS_SERVICE_3 key and remove it.

7/6/2004: Fixed minor typos
7/7/2004: Added definition for BHO, Browser Helper Object and changed step 8 slightly.
7/29/2004: Made changes to step 4 regarding disabling the "Network Security Service". In some cases, this service is not there but is named as "Workstation NetLogon Service". Disable both of these services. If you find another service pointing to an infected file, please email me and let me know about it so I can add it to the list.

8/4/2004: Added link to program to restore missing MSCOMCTL.OCX file that some people are experiencing when trying to run About:Buster

8/17/2004: Revised several steps including Step 7 to find any randomly named executable files still left.

8/18/2004: Added link to Microsoft Visual Basic 6 Runtime files needed by HijackThis

8/28/2004: Added information about another running Service in Step 4 that is added by this hijacker

9/11/2004: Revised several steps to make the procedure more clear.


Written by Mark Hasting
