What is TinyBar?
TinyBar is an Internet Explorer toolbar that adds registry entries that use the Windows system file shdocvw.dll to display a web page as a toolbar. It may also perform a DoS attack against a reputable Internet resource. The parasite causes Internet Explorer slowdowns and frequent crashes, and it severely degrades Internet connection speed. TinyBar can be silently installed by some insecure web sites, and it runs automatically on every Windows startup.
TinyBar variants
TinyBar/A is the original variant, hijacking to tinybar.com.
TinyBar/B is the most widespread, having been used by many of the above domains.
TinyBar/C is a new variant that also hijacks to tinybar.com.
TinyBar/D is another new variant, including a floating search box in the corner of the screen.
TinyBar/sp is a simple homepage/search-hijacker aimed at one of the above sites. It does not feature the toolbar component and is not detected by the script at this site. (See Hijacker removal.)
TinyBar/atk is a VBScript denial of service attack against DOX desk (the site hosting this information page), installed with TinyBar/B around 6th November 2002. (See DoS attack removal).
Some variants of TinyBar/B are detected as JS_TRAFFICHBAR.A by Trend Micro,
or Trojan.WinREG.STW by Kaspersky anti-virus. Many AV tools also recognise the
Java/ActiveX exploit often used to load TinyBar as JS.Exception, HTML.VmExploit,
Exploit.Applet.ActiveXComponent or Trojan.AppActXComp.
TinyBar behavior
- Shows ads
- Changes browser
- Stays Resident
- Connects to the internet
TinyBar Removal Instructions:
Open the registry editor (click Start > Run and enter 'regedit').
For TinyBar/A, delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<
For TinyBar/B, delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\
For TinyBar/C:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\
For TinyBar/D:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\
HKEY_CLASSES_ROOT\CLSID\
For the TinyBar/D variant, also go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
and delete entries pointing to '.hta' files. You may see a 'system' entry pointing
to systemsearch.hta and/or a name made of random characters pointing to a '.hta'
file in the System folder with a random-character filename.
Restart IE and the toolbar should be gone. On variants that store the toolbar
page locally, you may find this under the name 'tinybar.html' or 'hb.html' inside
the System folder (which is inside the Windows folder, called 'System32' in
Windows NT, 2000 and XP, or just 'System' under Windows 95, 98 and Me). This
file can be deleted, along with 'hb.reg', 'br.reg' or 'br.dll'.
Use Internet Options->Programs->Reset Web Settings to restore the normal
search page.
Hijacker removal
Before the settings can be restored, you must remove the hijacker that is run
on every restart. Open the registry editor (Start->Run->regedit) and find
the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s C:\Windows\System\sp.dll'. Then
delete sp.dll (or sp.reg) in the System folder. Then use Reset Web Settings
to get the normal search page back.
Denial of Service removal
Open the Windows folder and check the 'System' (on Windows 95/98/Me) or 'System32'
(on Windows NT/2K/XP) folder for a file called 'atk.vbs'. If you have it, open
the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
There should be a value here, possibly called 'Messenger', pointing at the atk.vbs
file. Remove it and restart the machine; you should then be able to delete the
atk.vbs file.
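The three Run-key checks described above (TinyBar/D '.hta' entries, the TinyBar/sp 'regedit /s' entry and the TinyBar/atk 'atk.vbs' entry) can be applied to the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. This is an added example, not a script from this site; the function names and the sample values (including 'SoundDriver', 'qxzvbk' and 'kjwqpd.hta') are constructed for illustration.

```python
import re

# One value line of `reg query` output: indent, name, type, data (4-space separated).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Run-entry patterns taken from the removal steps on this page.
RULES = [
    ("TinyBar/D", re.compile(r"\.hta\b", re.I)),  # any '.hta' target
    ("TinyBar/sp", re.compile(r"\bregedit(\.exe)?\s+/s\s+.*\\sp\.(dll|reg)\b", re.I)),
    ("TinyBar/atk", re.compile(r"\\atk\.vbs\b", re.I)),
]

def parse_run_values(text):
    """Return [(name, data)] for each value line in `reg query` output."""
    values = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("data").strip()))
    return values

def audit_run_key(text):
    """Return [(variant, name, data)] for Run values that match a rule."""
    hits = []
    for name, data in parse_run_values(text):
        for variant, pattern in RULES:
            if pattern.search(data):
                hits.append((variant, name, data))
    return hits

# Constructed sample of `reg query` output (not captured from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundDriver    REG_SZ    C:\Windows\System32\snddrv.exe /tray
    system    REG_SZ    C:\Windows\System32\systemsearch.hta
    qxzvbk    REG_SZ    C:\Windows\System32\kjwqpd.hta
    sp    REG_SZ    regedit /s C:\Windows\System\sp.dll
    Messenger    REG_SZ    C:\Windows\System32\atk.vbs
"""

if __name__ == "__main__":
    for variant, name, data in audit_run_key(SAMPLE):
        print(f"{variant:12} {name!r} -> {data}")
```

A match only marks the entry for review against the steps above; the '.hta' rule in particular flags any Run value that points to an '.hta' file.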
Copyright © SpywareDot 2002-2005 | spywaredot.com. All rights reserved.