Win32:Adware-gen [Adw]

I was browsing a site and avast! popped up saying Virus has been detected!
File Name: rul6jysj.exe
FileID: 5
Virus Description: Win32:Adware-gen [Adw].
Avast! recommended to move to chest and abort internet connection so I moved it to the chest and I disconnected from the internet.
Is it safe to go into the avast! virus chest and delete it safely?

Hi flygirl,

It is secure there in the chest, and it can do no more harm just like a prisoner in a cell.
Leave it for some time there and then you can delete it. Keep all the software on your box updated to the last versions.

Good if you download ad-aware 2007, and scan your machine once in a while with that program.
Your download link: http://www.lavasoftusa.com/single/mirror_download.php?f=g2Obc772A

polonus

Hi polonus
That’s a good idea. For Ad-aware 2007, I’ll do that right away.
Thanks polonus.

I’m a little surprised that you got both a move to chest and abort connection as when picked up by the web shield previously there was only one option, abort connection. The Standard Shield should pick up others not picked up by the web shield and for that you would have an option to move to the chest but not abort connection.

So I think you had two different alerts (unless avast has changed how the web shield works), so can you check the detection in the avast log viewer and post the one/s relating to this detection. Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

I did a test to confirm and it doesn’t offer both abort connection and move to chest. Try the test for yourself; it is a harmless file designed to test your antivirus.
Web Shield Test - http://www.eicar.org/download/eicar.com

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

I was browsing some PC games at http://ninemsn.com.au/ and I saw a game I was interested in so I clicked on the trial download link and that’s when avast! detected it and I was given two options, abort connection and move to chest, so I did what it told me to do. Sorry I didn’t mention that earlier.

That is why I asked you to check the avast log viewer Warning Section, as it gives details of detections and post them here.

The reason I gave you the link to click is to see what is ‘normal’ for a web detection as what you posted most certainly isn’t normal. If you clicked abort connection that should have been it.

I know that. I have this Firefox extension “Dr Web”, it even detects adware in the download link as well.

Humour me and check the log viewer and post the entries in the warning section about these detections, it just may help us to say why this happened.

Basically I want to know if what you sent to the chest was also what was detected by the web shield and if so why it got past the web shield.

But if you are happy I shan’t waste your time.

I don’t know why it got past the web shield, but here’s the page I was viewing:
http://ralph.ninemsn.com.au/article.aspx?id=226908
I clicked on the trial link and that’s what happened.

Hi flygirl,

This link is clean according to DrWeb’s:
File size: 70382 bytes, with inside scripts and frames: 351.3K

This page also includes scripts/frames. All of them was also checked:

polonus

That page has a total of 58 scripts and I would have to question why.

I was going to check the download of the trial but there is a restriction, see image1, so I can’t test it.

However, the link to the trial when tested by DrWeb link checker also finds Adware, see image2.

If you upload the DMH_Setup.exe to VirusTotal I’m sure you will find other scanners that detect it also. I don’t know if this is because it is a free trial and they use adverts to support it. But I certainly wouldn’t consider installing it.

Hi DavidR,

The adware is being tackled by ewido. Instructions can be found here:
http://www.geekstogo.com/forum/Adware-Trymedia-t135714.html

polonus


I think you will find that almost all trialware from such sites will include adware and/or spyware of some type.


There are many ad supported applications out there but they all don’t seem to have the same issues. I don’t think this happened to older versions of Opera when it was ad supported.

The same issue is there: how does avast detect that this is ad supported software and the user has agreed to using it?

So it has to be down to the user’s choice, first it should be made clear to the user that the software is ad supported (and may be detected as adware by some anti-adware/malware), what it does, etc. Then if the user gets a hit on it by his/her AV then the choice is theirs to accept the risk and if so exclude the file, etc. Me, I would just walk away.

This thread really helped me out. Thanks to everyone who gave advice!

Well you helped yourself by using the forums search function ;D

There really is a wealth of information on the forums.

Welcome to the forums.