Thread: Popup ads are killing me, Malicous Urls **RESOVLED**

You may have gain, or some other spyware installed, check your processes.

The only thing i can offer you is to visit lavasoft and download Ad Aware. This should tell you if you have any Spyware on your machine... and also lets you remove it

http://www.lavasoftusa.com/downloads.html

Post back if it works.

Gav

I would also advise getting a Virus Scanner as most have remote script blocking as standard now.

Thanks everyone. I will it out and post back when I find a solution.

Description
An Internet Explorer toolbar offering a search feature and possibly also link buttons. When used, the user is sent to the targeting web site, which is one of the very similar sites tinybar.com, allcybersearch.com, gocybersearch.com, topsearcher.com or znext.com.

More recently the script also seems to be used by 'Traffic Redirection' to do the same with their sites traffic4sure.com and errorpage404.com.

When it is installed it also sets the IE search settings to point to the site.

Variants
All these sites have also operated home-page hijackers, so you may have a program installed that resets your home page and search bar settings to point to one of these sites as well as, or instead of, TinyBar.

Also known as
JS_TRAFFICHBAR.A by Trend Micro anti-virus.

Distribution
Installed by exploitation of an security hole in the Microsoft Java Virtual Machine through Internet Explorer, when visiting one of the named sites or perhaps through pop-up advertisements from them. May also be included in some releases of Zero Popup (zeropopup.com; not the similarly-named product from 'Tooto technologies') and Internet Eraser (internet-eraser.com), both products sold by the same author.

What it does
Advertising
No.

Privacy violation
No.

Security issues
No. (Not to do with the toolbar itself, but if it has managed to install itself your browser is vulnerable and should be patched.)

Stability problems
Yes. May cause startup to be slow. The installation exploit itself may also cause IE to crash.

Removal
Spybot S&D can remove TinyBar.

Manual removal
The toolbar is implemented as a page 'tinybar.html' or 'hb.html' inside the Windows System (or System32 in Windows NT/2000/XP) folder. Delete this file along with the registry file 'br.reg', 'br.dll' or 'hb.reg'.

Then to stop IE trying to load the page as a toolbar, open the registry (Start->Run->regedit) and delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69555BE2-9A78-11d2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69555BE2-9A78-11d2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69555BE2-9A78-11d2-BA91-00600827878D}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
(In some variants of TinyBar, the classid starts with '69550BE2-...' instead of '69555BE2-...'.)

Finally use Internet Options->Programs->Reset Web Settings to remove its search page.

Hijacker removal
Before the settings can be restored you must remove the hijacker that is run on every restart. In the registry (Start->Run->regedit), find the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s C:\Windows\System\sp.dll'. Then delete sp.dll (or sp.reg) in the System folder. Then use Reset Web Settings to get the normal search page back.

Links
Asher Nahmias is the antisocial coder behind these sites; he sells deliberately deceptive web scripts for absurd prices at trixscripts, including customised versions of TinyBar.

The security hole being exploited to install TinyBar is described by Microsoft here. You can get a patched JVM through Windows Update, or alternatively you can disable Java or install Sun's JVM instead (which is a bit more up-to-date and not vulnerable).


and.doxdesk.com