TinyBar Description:
An Internet Explorer toolbar. TinyBar installs
no actual software, but adds registry entries
that use the Windows system file shdocvw.dll to
display a web page as a toolbar. This page may be
stored locally or fetched from the internet every
time an IE window is opened; it generally
contains a search feature and/or link buttons,
pointed at a generic portal such as:
- tinybar.com
- allcybersearch.com
- gocybersearch.com
- clickyestoenter.net
- topsearcher.com
- jethomepage.com
- jetseeker.com
- znext.com
- traffic4sure.com
- errorpage404.com
- searchaccurate.com
- ourlinklist.com
- topclicks.net
- iseekresults.com
- wowsearch.com
- ysearchus.com
Address bar search settings are also hijacked
to point to the same domain.
TinyBar/A is the original variant, hijacking
to tinybar.com.
TinyBar/B is most widespread, having been used
by many of the above domains.
TinyBar/C is a new variant that also hijacks
to tinybar.com.
TinyBar/D is another new variant including a
floating search box in the corner of the screen.
TinyBar/sp is a simple
homepage/search-hijacker aimed at one of the
above sites. It does not feature the toolbar
component and is not detected by the script at
this site. (See Hijacker removal.)
TinyBar/atk is a VBScript denial of service
attack against DOX desk (the site hosting this
information page), installed with TinyBar/B
around 6th November 2002. (See DoS attack
removal).
Also known as: Some variants of TinyBar/B
are detected as JS_TRAFFICHBAR.A by Trend Micro,
or Trojan.WinREG.STW by Kaspersky anti-virus.
Many AV tools also recognise the Java/ActiveX
exploit often used to load TinyBar as
JS.Exception, HTML.VmExploit,
Exploit.Applet.ActiveXComponent or
Trojan.AppActXComp. Other listed names:
JS_TRAFFICHBAR.A, TrojanDownloader.Win32.IstBar.ae.
TinyBar Manual Removal:
Open the registry (click 'Start', choose 'Run'
and enter 'regedit'). For TinyBar/A, delete these
keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<
For TinyBar/B, delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}
For TinyBar/C:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
HKEY_CLASSES_ROOT\CLSID\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
For TinyBar/D:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
HKEY_CLASSES_ROOT\CLSID\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
For the TinyBar/D variant, also go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
and delete entries pointing to '.hta' files. You
may see a 'system' entry pointing to
systemsearch.hta and/or a name made of random
characters pointing to a '.hta' file in the
System folder with a random-character filename.
Restart IE and the toolbar should be gone. On
variants that store the toolbar page locally, you
may find this under the name 'tinybar.html' or 'hb.html'
inside the System folder (which is inside the
Windows folder, called 'System32' in Windows NT,
2000 and XP, or just 'System' under Windows 95,
98 and Me). This file can be deleted, along with
'hb.reg', 'br.reg' or 'br.dll'.
Finally, use Internet Options->Programs->Reset
Web Settings to restore the normal search page.
Hijacker removal
Before the settings can be restored you must
remove the hijacker that is run on every restart.
In the registry (Start->Run->regedit), find the
key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s
C:\Windows\System\sp.dll'. Then delete sp.dll (or
sp.reg) in the System folder. Then use Reset Web
Settings to get the normal search page back.
DoS attack removal
Open the Windows folder and check the 'System'
(on Windows 95/98/Me) or 'System32' (on Windows
NT/2K/XP) folder for a file called 'atk.vbs'. If
you have it, open the registry (Start->Run->regedit)
and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
There should be a value here, possibly called 'Messanger',
pointing at the atk.vbs file. Remove it and
restart the machine; you should then be able to
delete the atk.vbs file.
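
The registry checks from the manual, hijacker and DoS removal steps above, collected into one read-only scan of a regedit text export. This is an added example, not part of the original page or its detection script. The function name, the Run-value regexes and the sample export are constructed for illustration; the CLSIDs and file names are the ones listed on this page.

```python
import re

# CLSIDs per variant, copied from the removal instructions on this page.
VARIANT_CLSIDS = {
    "TinyBar/A": "{69555BE2-9A78-11D2-BA91-00600827878D}",
    "TinyBar/B": "{69550BE2-9A78-11D2-BA91-00600827878D}",
    "TinyBar/C": "{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}",
    "TinyBar/D": "{82599E0A-8C81-11D7-9F97-0050FC5441CB}",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Run-value data the page says to remove; the regexes themselves are assumptions.
RUN_PATTERNS = [
    ("TinyBar/D", re.compile(r"\.hta\b", re.I)),
    ("TinyBar/sp", re.compile(r"regedit\s+/s\s+.*\\sp\.(dll|reg)\b", re.I)),
    ("TinyBar/atk", re.compile(r"\\atk\.vbs\b", re.I)),
]
def scan_reg_export(text):
    """Return sorted (variant, key, detail) findings from .reg export text."""
    findings, key = set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the current key path
            for variant, clsid in VARIANT_CLSIDS.items():
                if key.lower().endswith("\\" + clsid.lower()):
                    findings.add((variant, key, "key"))
            continue
        if key is None or not (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            continue
        # .reg string data doubles its backslashes; undo that before matching.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        for variant, clsid in VARIANT_CLSIDS.items():
            if name.lower() == clsid.lower():  # registration stored as a value
                findings.add((variant, key, "value " + name))
        if key.lower() == RUN_KEY:
            for variant, pat in RUN_PATTERNS:
                if pat.search(data):
                    findings.add((variant, key, "run " + name))
    return sorted(findings)

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{69550BE2-9A78-11D2-BA91-00600827878D}"=""
[HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messanger"="C:\\WINDOWS\\System32\\atk.vbs"
"system"="C:\\WINDOWS\\System32\\systemsearch.hta"
"Updater"="C:\\Program Files\\Example\\update.exe"
'''
if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE): print(*f, sep=" | ")
```

A 'Version 5.00' export is UTF-16 text, so read it with `encoding="utf-16"` before passing it in. The '.hta' rule flags every Run entry that launches an '.hta' file, so review each hit before deleting it.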