ToolbarCC is an Internet Explorer Browser Helper Object. When it detects you making a Google search, it redirects the query to its controlling server, two.toolbar.cc, which may redirect to another page or return you to Google.

Variants

ToolbarCC/Rnd variants use a random four-letter filename. Other variants use four random letters appended to a prefix chosen to sound like a Windows filename.

ToolbarCC/Win files are prefixed 'win'; ToolbarCC/Pre uses prefixes that are themselves random; 'ms', 'com', 'wdm', 'kbd' and 'd3d' have been seen so far.

Distribution

It is currently unknown where ToolbarCC is coming from.

Advertising

None known. Some pages redirected to may be advertising, however this has not been observed so far.

Privacy violation

Yes. The URLs of targeted search pages (including queries) are sent to the controlling server.

Security issues

None known.

Stability problems

May cause IE to crash when the browser window is closed (observed under IE6SP1).

Removal

There is no uninstall feature.

Manual removal

Open an Explorer window (a folder viewer or Internet Explorer) and type '%Temp%' in the address bar. This should open your temporary files folder, which may be quite full if you have not cleaned it out recently. Look for a DLL file whose name is four random letters (Rnd variant), or 'win' followed by four random letters (Win variant). If you right-click it and choose 'Properties' you should find its length is about 8.5K.

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands, replacing 'xxxx' with the actual filename you found.

Next, open the registry (click 'Start', choose 'Run', enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you have a 'MatrixScreenSaver' entry on the right pointing to MSS.EXE, delete this.

Restart the computer and you should be able to delete the four-letter DLL and 'MSS.EXE' in the '%Temp%' folder.