AVG Toolbar is a browser hijacker that was created in 2011 by AVG and was bundled with every AVG product until 2014. However, this toolbar can still be downloaded from sites like Softonic or


AVG Toolbar might be installed on the user's PC using various software downloaders (e.g. CNET 


CNET Downloader for Free CUDA Video Converter prompts for AVG Toolbar installation

AVG Toolbar installs itself in a folder under Program Files, for example:

  • Program Files\AVG Antivirus 2012 Beta\Toolbar
  • Program Files\AVG Toolbar\
  • Program Files\ Downloader Data\Freemake Video Converter\AVG Toolbar

The family consists of multiple components, whose file names vary from one version to another. We have seen variants use the following file names for the main component:

  • AVGToolbar.exe
  • AVGToolbarBeta.exe
  • Toolbar.dll
  • avg_toolbar_8.0_beta.xpi

    AVG Toolbar is listed in the Firefox 3.0 RC2 addons list.

  • AVGToolbar.crx
  • ToolbarM.dll

It might install itself as a Firefox extension with one of the following names:

  • "AVG Toolbar ", avg_toolbar_9.0.xpi
  • "AVG Toolbar", avg_toolbar_8.0_beta.xpi

In Chrome, it might use these names:

  • "AVG Toolbar", AVGToolbar.crx

    AVG Toolbar is running on Chrome 27.0.1891 Dev.

In Internet Explorer, it might use this name:

  • "AVG Toolbar", ToolbarM.dll

Additional information

AVG Toolbar hooks a number of APIs to:

  • Prevent itself from being stopped or removed
  • Monitor registry and file system changes to prevent certain registry keys and files from being modified
  • Trigger the JavaScript engine hooking behavior described below

PowerISO 5.1 installer asks the user to install AVG Toolbar on his computer

Hooks JavaScript library loading events

It hooks library loading events to trigger the JavaScript-hooking engine by hooking the following exports of mozjs.dll:

  • "?Compile@JS@@YAPAUJSScript@@PAUJSContext@@V?$Handle@PAUJSObject@@"
  • "?JS_DecodeScript@@YAPAUJSScript@@PAUJSContext@@PBXIPAUJSPrincipal"

The user's browser startup homepage is modified to refer to a different variable by replacing browser.startup.homepage with browser.startup.homepage.CT.

JavaScript replacements also take over the new tab page in Firefox.
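
A defender-side check built from the indicators listed above (the component file names and the browser.startup.homepage.CT preference), given here as an added example that is not part of the original article. The function names, the sample data and the rule that a path must also contain "avg" are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article above.
COMPONENT_NAMES = {"avgtoolbar.exe", "avgtoolbarbeta.exe", "toolbar.dll",
                   "toolbarm.dll", "avgtoolbar.crx"}
XPI_NAME = re.compile(r"^avg_toolbar_.*\.xpi$", re.IGNORECASE)
REDIRECT_PREF = "browser.startup.homepage.CT"

# Firefox writes prefs.js as one user_pref("name", value); entry per line.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2).strip()
    return prefs

def homepage_findings(text):
    """Return [(name, raw_value)] if the .CT homepage preference is present."""
    prefs = parse_prefs(text)
    return [(REDIRECT_PREF, prefs[REDIRECT_PREF])] if REDIRECT_PREF in prefs else []

def component_findings(paths):
    """Return paths whose file name is one of the listed components.

    Assumption (not from the article): because Toolbar.dll is a generic name,
    a hit also requires "avg" somewhere in the path, as in every install
    folder the article lists.
    """
    hits = []
    for raw in paths:
        name = PureWindowsPath(raw).name.lower()
        listed = name in COMPONENT_NAMES or XPI_NAME.match(name)
        if listed and "avg" in raw.lower():
            hits.append(raw)
    return hits

# Constructed sample input, not captured from a real system.
SAMPLE_PREFS = '''user_pref("browser.startup.homepage", "about:home");
user_pref("browser.startup.homepage.CT", "http://search.example/?src=tb");
'''
SAMPLE_PATHS = [
    r"C:\Program Files\AVG Toolbar\ToolbarM.dll",
    r"C:\Program Files\Other App\Toolbar.dll",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Extensions\avg_toolbar_9.0.xpi",
]
```

Feed `homepage_findings` the contents of a profile's prefs.js and `component_findings` a file listing from the host being triaged.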