According to "depends", it uses sockets and multimedia. (winmm.dll, lz32 and ws2_32.dll)
(Though typical Microsoft bloat: it appears to use multimedia solely to get the system time. Go figure.)
As others have said, it is a COM DLL for MS.AdClient. However, it also has a bunch of other entry points, so it is obviously meant to be run directly in-process from straight C++ as well.
It implements the IAdClientSSO interface, which has these methods:
- HRESULT GetAd([in] BSTR bstrParams, [out, retval] BSTR* pbstrHTML);
- HRESULT About([out, retval] BSTR* pbstrBuildString);
- HRESULT GetServerName([out, retval] BSTR* pbstrServerName);
- HRESULT GetEngineHost([out, retval] BSTR* pbstrEngineHost);
My guess is that it is part of MSN. Do you use MSN? Otherwise, you should have gotten a certificate box warning of the install. (Unless you said "always trust Microsoft" sometime in the past.)
Actually, your story makes it sound as if you were just browsing MSNBC. I suppose that the first time you visited that site, you clicked "yes" to get their spiffy ActiveX menu, right? Well, that's where this thing probably came from. It is likely a client to let MSNBC show you spiffy ads.
Anyway, without more info about what exactly you were doing when you got this, I can't really say more. I can't run it on my machine because it obviously isn't standalone. It is likely just one of a set of files that were to be downloaded.
I'm fairly certain that this DLL alone is fairly useless to anyone as it seems designed to be directly loaded with LoadLibrary.
Whether or not it is "spyware" is impossible to tell. It is a DLL, and as such, has full rights to your system, like every other DLL. (A Java app would not, BTW.) But looking at the parts of the C runtime it hits, it does not appear to me to be writing files. It calls "fopen", "fgets" and "fclose", but no other file I/O routines. (They could be doing it with stuff other than the C runtime, but it seems to me unlikely that they'd go through such hoops.) It could be reading almost anything, of course, but without seeing logs of what the DLL actually sends and receives, such a claim is premature.
This is k5. We're all tools - duxup
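The import-based triage described in the comment above (which DLLs a binary links against, and whether any file-writing routine is among its imports), as an added example that is not part of the original comment: a minimal PE import-table parser. The names `parse_imports` and `write_capable` and the contents of `WRITE_APIS` are this example's own assumptions, and the list is not exhaustive.

```python
import struct

# Routines that can write files (constructed, non-exhaustive list for this example).
WRITE_APIS = {"fwrite", "fputs", "fputc", "fprintf", "_write",
              "WriteFile", "CreateFileA", "CreateFileW"}

def cstr(data, off):
    """Read the NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll_name: [imported names]} from a PE file's import table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    # Section headers follow the optional header: (vsize, vaddr, rawsize, rawptr).
    sections = [struct.unpack_from("<8xIIII", data, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def off(rva):  # map a relative virtual address to a file offset
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x is outside every section" % rva)

    imports = {}
    desc = off(imp_rva) if imp_rva else None
    width, fmt, flag = (8, "<Q", 1 << 63) if pe32plus else (4, "<I", 1 << 31)
    while desc is not None:
        oft, _, _, name, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name or ft):  # all-zero descriptor ends the table
            break
        names, thunk = [], off(oft or ft)
        while (val := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            # High bit set means import by ordinal; otherwise RVA of hint+name.
            names.append("#%d" % (val & 0xFFFF) if val & flag else cstr(data, off(val) + 2))
            thunk += width
        imports.setdefault(cstr(data, off(name)), []).extend(names)
        desc += 20
    return imports

def write_capable(imports):
    """Imported routines that appear in WRITE_APIS, sorted."""
    return sorted(n for names in imports.values() for n in names if n in WRITE_APIS)
```

Call `parse_imports` with the raw bytes of the file under review. It lists only statically declared imports, so routines resolved at run time through `GetProcAddress` do not appear, and an empty `write_capable` result is evidence rather than proof.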