Remove TinyBar

What is TinyBar ?

TINYBAR is an Internet Explorer toolbar that adds registry entries that use the Windows system file shdocvw.dll to display a web page as a toolbar. It also may perform a DoS attack against a reputable Internet resource. The parasite causes Internet Explorer slowdowns and frequent crashes. It also severely degrades Internet connection speed. TinyBar can be silently installed by some insecure web sites. The parasite automatically runs on every Windows startup.

TinyBar variants

n/a

TinyBar behavior

• Shows ads
  
• Changes browser
  
• Stays Resident
  
• Connects to the internet

TinyBar Removal Instructions:

Disclaimer: Modifying the registry or system files can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.

Open the registry editor (click Start > Run and enter 'regedit').

For TinyBar/A, delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<

For TinyBar/B, delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\

For TinyBar/C:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\

For TinyBar/D:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\

For the TinyBar/D variant, also go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete entries pointing to '.hta' files. You may see a 'system' entry pointing to systemsearch.hta and/or a name made of random characters pointing to a '.hta' file in the System folder with a random-character filename.

Restart IE and the toolbar should be gone. On variants that store the toolbar page locally, you may find this under the name 'tinybar.html' or 'hb.html' inside the System folder (which is inside the Windows folder, called 'System32' in Windows NT, 2000 and XP, or just 'System' under Windows 95, 98 and Me). This file can be deleted, along with 'hb.reg', 'br.reg' or 'br.dll'.
Use Internet Options->Programs->Reset Web Settings to restore the normal search page.
Hijacker removal
Before the settings can be restored you must remove the hijacker that is run on every restart. Open the registry editor(Start->Run->regedit), find the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s C:\Windows\System\sp.dll'. Then delete sp.dll (or sp.reg) in the System folder. Then use Reset Web Settings to get the normal search page back.

Denial of Service removal
Open the Windows folder and check the 'System' (on Windows 95/98/Me) or 'System32' (on Windows NT/2K/XP) folder for a file called 'atk.vbs'. If you have it, open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There should be a value here, possibly called 'Messenger', pointing at the atk.vbs file. Remove it and restart the machine; you should then be able to delete the atk.vbs file.

Copyright © SpywareDot 2002-2005| spywaredot.com.  All rights reserved.