Avast Loader Win32:Adware-gen

Hi All, first time poster here. I searched this site and didn’t find this mentioned anywhere else, so I thought you might want to know that on a recent Full System Scan (April 12, 2017), Avast 17.3.2291 (build 17.3.3443.0) quarantined an Avast file:

Downloads\Avast Premier\avast_loader_2_build281.exe [L] Win32:Adware-gen [Adw] (0)
File was successfully moved to chest

I’m hoping this was a false positive, or just some file that somehow got downloaded from the web. I’d hate to think anyone is uploading buggy versions of your files, or even worse, targeting the legitimate ones in the user’s Downloads folder (if that’s even possible). Whatever this was, I thought it appropriate to post the information here.

~ Bill ~

Thanks Bill,

Welcome to the forums.

Did you get your file from here?: https://forum.avast.com/index.php?topic=199715.msg1381571#msg1381571 (Sticky posted just above your post.)

Hi mchain, according to my records, I purchased Avast (product ID 272168400 if that helps) directly from the web site (store.avast.com) on 5/9/2016, then later upgraded to Internet Security on 11/1/2016.
All changes since then have been via the automated updates.

Looks as if the detection was on the original file you got from the Avast store? And every version update since has been done automatically by you as each new version arrives, using the graphical user interface? In other words, the only clean installation you had is the very first one, and all the others are upgrades of the first install?

The link provided prior will allow a choice between an automatic upgrade and a fresh clean install of the latest version.

You can upload the malicious Avast file to VirusTotal here: https://www.virustotal.com. Copy the URL of the resulting scan into your next reply.

I can’t say for sure the file avast_loader_2_build281.exe came from the Avast store. Internet Security was a second, separate install by hand, using the file avast_internet_security_setup_offline.exe; otherwise everything else has been an automated distribution “push”.

Restored the file from Virus Chest, and uploaded it to Virustotal, which said:

File already analysed
This file was last analysed by VirusTotal on 2017-04-17 06:39:05 UTC (1 day ago) it was first analysed by VirusTotal on 2017-04-03 08:48:36 UTC.
Detection ratio: 21/62
You can take a look at the last analysis or analyse it again now.

Clicked on Reanalyse. My detection ratio was 23/61, and curiously, Avast was not one of the 23.

https://www.virustotal.com/en/file/5216c7e70ec235a27022f17c72cf47002d596916025fb90310b96c4105b83778/analysis/1492498851/

Seems that 5 other, similar file names have been reported in the past 2 weeks (different build numbers).

Wonder why it’s calling Russia? (URL: http://infdata.ru/api/v3.1.0/target/get_override?place_id=216&subtype=avast)

Deleted the file. :wink:

The actual source of the original detected file is important. Definitely not from the original link I provided in reply #1.

Cursory examination of file name on duckduckgo gives this: https://duckduckgo.com/?q=avast_loader_2_build314.exe&t=brave&ia=web

Interestingly enough, the first site link gives Avast scan results from 2012, to which I replied in 2013, a year later: https://forum.avast.com/index.php?topic=104143.0

Not a lot of research, but offhand it looks like the use of cracked software or licenses is in play here and in that DuckDuckGo link above.

I’d wager your detection is about illegal software or the use of it. [EDIT:] Not from Avast in any case.

I have a suspicion where that file might have come from. I’m doing lots of internet research for my online college courses (I’m finally going to complete my degree this year, at the age of 55). You know how sometimes when you try to download something from a web site, you’re presented with a large “DOWNLOAD” button that if you don’t look closely is actually for some product the site is sponsored by, and the real download button for the file you want is smaller and off to one side?

I don’t wish to make an accusation here, because I could be mistaken (so I’ve come back in and removed the site name from this post), however I seem to recall trying to download a PowerPoint presentation that I had found at [a certain web site to upload and share PowerPoint presentations online] that related to one of my classes, and hit the big “DOWNLOAD” button which was (supposedly) to get Avast! I could have just saved the file off to my Downloads folder, then gone back to download the presentation that I wanted, then completely forgot about it until now. (I have nothing against that particular site, and I’m not 100% sure that’s where this occurred.)

If that or something similar is what happened, thank goodness I already have Avast, and did NOT run that file. I don’t know if it’s possible to scan the entire internet for malware files that have been made to look like your own product, but if I were the folks over at Avast, I’d try to hunt down these things and take action to get rid of them. Your thoughts?

Suggest getting an adblocker for every browser you use: https://duckduckgo.com/?q=adblocker+plugins&atb=v23&ia=web

Having one will prevent a malicious download button from appearing, as on CNET. In the past, there were at least two different download buttons available at that site, so I avoided using it and only downloaded programs or files directly from vendors’ sites. With an adblocker, only the legitimate button will show.