Spyware False Positive?

[Mamba]

Downloaded AWC V.2 yesterday. Spyware scan reports CoolWebSearch infection (msacmx.dll) registry keys:

 

HKCR\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}

and

HKLM\SOFTWARE\Classes\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}

 

Ran regscanner and found the keys reported. The contents at those locations refer to jccatch.dll which is the browser helper for the FlashGet download manager. I find no instance of msacmx.dll in the registry or on disk.

 

Is this a false positive based on the classId rather than the real malware? I had a CWS infection once (on another system, not this one) and I think I'd definitely recognize the symptoms if I had it in this case.

[enoskype]

Hi Mamba,

 

You may be right, but please have a look at that page.

 

• This legitimate BHO (jccatch.dll) is related to FlashGet
  
• This spyware BHO (msacmx.dll) is related to CoolWebSearch parasite variant

I hope this helps. Cheers.

[Mamba]

Thanks

 

My system is legitimate. the file is jccatch.dll, the size is 81920 bytes and it is located in the program files\flashget folder.

 

Since the CLSID is the same for the malware & presumably could even name itself jccatch.dll, it's a tricky problem. In a case like this, I'd like to be able to place it on an ignore list (which I assume can be done in the paid version) but also record a checksum of the legitimate file in case it gets changed/replaced by the malware version at some point in the future.

[Tim Xue]

This component in FlashGet is known as Adware. There is a ad banner within FlashGet, and it will collect your surfing info. It's not false positive.