Parasite: TinyBar

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

An Internet Explorer toolbar. TinyBar installs no actual software, but adds registry entries that use the Windows system file shdocvw.dll to display a web page as a toolbar. This page may be stored locally or fetched from the internet every time an IE window is opened; it generally contains a search feature and/or link buttons, pointed at a generic portal such as:
Address bar search settings are also hijacked to point to the same domain.

Variants

TinyBar/A is the original variant, hijacking to tinybar.com.
TinyBar/B is most widespread, having been used by many of the above domains.
TinyBar/C is a new variant that also hijacks to tinybar.com.
TinyBar/D is another new variant, including a floating search box in the corner of the screen.
TinyBar/sp is a simple homepage/search hijacker aimed at one of the above sites. It does not feature the toolbar component and is not detected by the script at this site. (See Hijacker removal.)
TinyBar/atk is a VBScript denial of service attack against DOXdesk (the site hosting this information page), installed with TinyBar/B around 6th November 2002. (See DoS attack removal.)

Also known as

Some variants of TinyBar/B are detected as JS_TRAFFICHBAR.A by Trend Micro, or Trojan.WinREG.STW by Kaspersky anti-virus. Many AV tools also recognise the Java/ActiveX exploit often used to load TinyBar as JS.Exception, HTML.VmExploit, Exploit.Applet.ActiveXComponent or Trojan.AppActXComp.

Distribution

Installed by exploitation of a security hole in the Microsoft Java Virtual Machine through Internet Explorer, when visiting one of the named sites or pop-up advertisements routed to them through various ad networks. A TinyBar/B variant which gets its toolbar page from public.searchbarcash.com is also installed by the ISTBar/AUpdate parasite.

What it does

Advertising: Yes, depending on what is in the HTML file used as the toolbar interface. TinyBar/C and many B variants include a script that triggers pop-up ads whilst the toolbar is visible.
Privacy violation: No.
Security issues: No, though if it has managed to install by exploitation of the security hole you need to download some patches to stop it happening again.
Stability problems: Variants that fetch the toolbar page from the Internet will cause IE startup to be slow. The installation exploit itself may also cause IE to crash in some versions.
TinyBar/atk also eats a large amount of bandwidth, which may make modem connections so slow as to be unusable.

Removal

Spybot S&D can remove A and B variants.

Manual removal

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’).

For TinyBar/A, delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69555BE2-9A78-11D2-BA91-00600827878D}

For TinyBar/B, delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}

For TinyBar/C:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}

For TinyBar/D:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{82599E0A-8C81-11D7-9F97-0050FC5441CB}

For the TinyBar/D variant, also go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete entries pointing to ‘.hta’ files. You may see a ‘system’ entry pointing to systemsearch.hta and/or a name made of random characters pointing to a ‘.hta’ file in the System folder with a random-character filename.

Restart IE and the toolbar should be gone.

On variants that store the toolbar page locally, you may find this under the name ‘tinybar.html’ or ‘hb.html’ inside the System folder (which is inside the Windows folder, called ‘System32’ in Windows NT, 2000 and XP, or just ‘System’ under Windows 95, 98 and Me). This file can be deleted, along with ‘hb.reg’, ‘br.reg’ or ‘br.dll’. Finally use Internet Options->Programs->Reset Web Settings to restore the normal search page.

Hijacker removal

Before the settings can be restored you must remove the hijacker that is run on every restart. In the registry (Start->Run->regedit), find the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form ‘regedit /s C:\Windows\System\sp.dll’. Then delete sp.dll (or sp.reg) in the System folder. Then use Reset Web Settings to get the normal search page back.
DoS attack removal

Open the Windows folder and check the ‘System’ (on Windows 95/98/Me) or ‘System32’ (on Windows NT/2K/XP) folder for a file called ‘atk.vbs’. If you have it, open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There should be a value here, possibly called ‘Messanger’, pointing at the atk.vbs file. Remove it and restart the machine; you should then be able to delete the atk.vbs file.

Links

Asher Nahmias (at trixscripts.com) sells TinyBar and other deliberately deceptive scripts to other unscrupulous webmasters.

The vulnerability used to install TinyBar, as described by Guninski and Microsoft. WindowsUpdate is the only known source for the JVM update you will need to fix this bug; alternatively you could disable Java or use Sun’s Java VM instead.

A different vulnerability is sometimes used to install TinyBar/sp. Described by GreyMagic and Microsoft (with patch available from that page).

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
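As an added example that is not part of this page and not Andrew Clover's detection script, the PowerShell script below audits a machine for the registry keys, Run entries and files named in the removal sections above; it only reports and deletes nothing, leaving the removal steps a deliberate manual action. It assumes an NT-family Windows where the System folder is System32 (the page notes that Windows 95/98/Me used ‘System’ instead).

```powershell
# Added example (not doxdesk's detection script): read-only audit for the TinyBar
# indicators described on this page. Nothing is deleted; findings are listed so the
# manual removal steps can be applied deliberately. The Explorer Bars CLSIDs, Run-entry
# patterns and file names come from the page; the System32 location is an assumption
# that holds for NT-family Windows only.

$explorerBars = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars'
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$systemFolder = Join-Path $env:SystemRoot 'System32'

# Explorer Bars CLSIDs listed under Manual removal, one per variant.
$tinyBarClsids = @{
    '{69555BE2-9A78-11D2-BA91-00600827878D}' = 'TinyBar/A'
    '{69550BE2-9A78-11D2-BA91-00600827878D}' = 'TinyBar/B'
    '{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}' = 'TinyBar/C'
    '{82599E0A-8C81-11D7-9F97-0050FC5441CB}' = 'TinyBar/D'
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. An Explorer Bar registered under one of the known CLSIDs.
foreach ($clsid in $tinyBarClsids.Keys) {
    $keyPath = Join-Path $explorerBars $clsid
    if (Test-Path -LiteralPath $keyPath) {
        $findings.Add("$($tinyBarClsids[$clsid]): Explorer Bars key present: $keyPath")
    }
}

# 2. Run entries: '.hta' launchers (TinyBar/D), 'regedit /s ...sp.dll' (TinyBar/sp)
#    and the atk.vbs launcher (TinyBar/atk, often under the value name 'Messanger').
if (Test-Path -LiteralPath $runKey) {
    $run = Get-Item -LiteralPath $runKey
    foreach ($name in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($name)
        if ($cmd -match '\.hta\b')                            { $findings.Add("TinyBar/D: Run\$name -> $cmd") }
        if ($cmd -match 'regedit\s+/s\s+.*\bsp\.(dll|reg)\b') { $findings.Add("TinyBar/sp: Run\$name -> $cmd") }
        if ($cmd -match 'atk\.vbs')                           { $findings.Add("TinyBar/atk: Run\$name -> $cmd") }
    }
}

# 3. Files the page names in the System folder.
$files = 'tinybar.html','hb.html','hb.reg','br.reg','br.dll','sp.dll','sp.reg','atk.vbs'
foreach ($file in $files) {
    $filePath = Join-Path $systemFolder $file
    if (Test-Path -LiteralPath $filePath) { $findings.Add("File present: $filePath") }
}

if ($findings.Count -eq 0) { 'No TinyBar indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so HKEY_LOCAL_MACHINE and System32 are readable; a random-character ‘.hta’ launcher (TinyBar/D) shows up via the Run-entry check rather than the fixed file list.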