AdSpy.TTC Detected by Spybot

I updated Spybot Search & Destroy from version 1.4 to version 1.5 on a family member's PC on December 30, 2007. When I scanned the system, which is running Windows XP Professional Service Pack 2, with Spybot, it reported AdSpy.TTC (see SpybotSD Results).

AdSpy.TTC
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

Spybot provided the following information for AdSpy.TTC:

Company:
Product: AdSpy.TTC
Threat: Trojan

Functionality

supposed to be some kind of browser helper object

Description
This trojan horse gets installed by other trojan horses. It pretends to be some kind of browser helper object while running in background and connecting to various malicious servers without user consent.

When I ran regedit and checked the registry value, I saw the following:

Value name: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
Type: REG_SZ
Value data: 0

Searching the registry for other references to the Globally Unique Identifier, {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}, referenced in the registry key listed by Spybot, I found the following:

HKEY_CLASSES_ROOT\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

That key had the following value:

Value name:
Type: REG_SZ
Value data: MSN

It contained the subkey HKEY_CLASSES_ROOT\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\InprocServer32, which had the values shown below within it.

Name             Type     Data
(Default)        REG_SZ   C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
ThreadingModel   REG_SZ   Apartment

Before running the Spybot scan, I had switched Spybot to "advanced" mode and checked the Browser Helper Objects (BHOs) on the system. One of those Spybot listed is the one the Spybot scan associated with AdSpy.TTC.

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: 
        CLSID name: MSNToolBandBHO
              Path: C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\
         Long name:          msntb.dll

When I looked in C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us, though, I did not see any files there, even with Windows Explorer configured to show hidden and system files. And I did not see the module loaded in memory when I checked with the tasklist command.

C:\>tasklist /fi "modules eq msntb.dll"
INFO: No tasks running with the specified criteria.

Nor did I see it in memory when I searched for it with Process Explorer v10.11.

The msntb.dll DLL file may have been removed previously by another antispyware or antivirus program, though I did not find it in any quarantine folder on the system.
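The registry and memory checks described above (toolbar and BHO registrations, the CLSID's InprocServer32 path, whether the DLL is on disk, and whether it is loaded in any process) can be automated. The following PowerShell script is an added example, not from the original post; it assumes PowerShell 4.0 or later for Get-FileHash and an elevated prompt so that the modules of other processes can be read.

```powershell
# Added example: find Internet Explorer toolbars and Browser Helper Objects whose
# registered DLL is missing from disk (an orphaned registration like the one in
# the post) or is currently loaded in a process. Key names are the standard IE ones.
$sources = @(
    @{ Kind = 'Toolbar'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' },
    @{ Kind = 'BHO';     Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
)

# Snapshot of every module loaded in every process we are allowed to inspect
# (the equivalent of the post's "tasklist /fi" check); access-denied processes are skipped.
$loadedModules = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    try { $_.Modules.FileName } catch { }
}

function Get-IeAddonReport {
    foreach ($src in $sources) {
        if (-not (Test-Path $src.Key)) { continue }
        $item = Get-Item $src.Key
        # Toolbars register the CLSID as a value name; BHOs register it as a subkey name.
        $clsids = if ($src.Kind -eq 'Toolbar') {
            $item.GetValueNames() | Where-Object { $_ -match '^\{[0-9A-F-]{36}\}$' }
        } else {
            $item.GetSubKeyNames()
        }
        foreach ($clsid in $clsids) {
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
            [pscustomobject]@{
                Kind   = $src.Kind
                CLSID  = $clsid
                Name   = $name
                Dll    = $dll
                OnDisk = $onDisk
                # Hash lets two same-sized copies be told apart, as the post did with MD5/SHA1.
                SHA256 = if ($onDisk) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }
                Loaded = [bool]($dll -and ($loadedModules -contains $dll))
            }
        }
    }
}

# Registrations whose DLL is gone from disk are the suspicious leftovers worth reviewing.
Get-IeAddonReport | Where-Object { -not $_.OnDisk } | Format-Table Kind, CLSID, Name, Dll -AutoSize
```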

I also searched the "BHO/CLSID" list on CastleCops for information on the CLSID {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}. I found two entries for it. One was for ninemsn Search Toolbar Helper and the other was for Windows Live Toolbar. Both listed msntb.dll for the filename. CastleCops gave both the status "L TB", which indicates a legitimate toolbar. For ninemsn Search Toolbar Helper, the status field also listed it as a BHO. So there is also the possibility that, though the file msntb.dll no longer appears to be present in the directory referenced by the registry key, it was an innocuous BHO while it was on the system.

When I checked on it within Internet Explorer itself (the system is now running Internet Explorer 7), by clicking on Tools, Manage add-ons, then selecting Enable or Disable Add-ons, I saw the following:

Name             Publisher   Status    Type                     File
MSN                          Enabled   Toolbar                  msntb.dll
MSNToolBandBHO               Enabled   Browser Helper Object    msntb.dll

I searched the system for any occurrences of the msntb.dll file in any other directory. I found the file listed in two other directories.

C:\>dir /s msntb.dll
 Volume in drive C is Sys-WinXP
 Volume Serial Number is B0E3-65A7

 Directory of C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us

08/13/2004  05:42 PM           282,624 msntb.dll
               1 File(s)        282,624 bytes

 Directory of C:\Program Files\MSN Apps\Updater\Download\AU196785562

01/17/2006  04:04 PM           282,624 msntb.dll
               1 File(s)        282,624 bytes

     Total Files Listed:
               2 File(s)        565,248 bytes
               0 Dir(s)  50,415,452,160 bytes free

I submitted the msntb.dll file in C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us to VirusTotal, a free online virus and malware scanner. None of the 32 programs used by VirusTotal reported the file as being associated with malware (see msntb.dll #1).

I then submitted the file from C:\Program Files\MSN Apps\Updater\Download\AU196785562. Though the file size was the same as the file in the other directory, it was not the same file, since the MD5 and SHA1 hash values were different. None of the antivirus and antispyware programs used by VirusTotal reported any problems with that copy of the file either, though (see msntb.dll #2).

In any case, since there is now no msntb.dll file in C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\, which is the location referenced for the BHO, I had Spybot "fix" the problem it reported.

When I checked on the add-ons reported by Internet Explorer again, by clicking on Tools, Manage add-ons, then selecting Enable or Disable Add-ons, I saw the following:

Name             Publisher   Status    Type                     File
MSNToolBandBHO               Enabled   Browser Helper Object    msntb.dll

I no longer saw the one named "MSN" that I had seen previously.