File FU-Setup.exe - Win32:Adware-gen [Adw] - False Positive?

[w1mm3r]

HI,

I have had this file for a long time, it's the install file for Fairuse Wizard 2.9, and it was scanned when I downloaded it
and many times since.

After last update:
14-01-2009 00:52:31   SYSTEM   1484   The virus database (VPS 090113-1) was automatically updated.

It was suddenly marked as Adware, so I scanned it with total virus scan and other AV says it's adware to?
I then downloaded FU-Setup.exe again from fairusewizard.com and still the same.

File FU-Setup.exe received on 01.13.2009 10:31:01 (CET)Antivirus Version Last Update Result
a-squared - - -
AhnLab-V3 - - -
AntiVir - - ADSPY/Rabio.LJ
Authentium - - -
Avast - - Win32:Adware-gen
AVG - - Generic3.AFSX
BitDefender - - -
CAT-QuickHeal - - AdWare.Rabio.lj (Not a Virus)
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
F-Prot - - -
F-Secure - - AdWare.Win32.Rabio.lj
Fortinet - - Adware/Rabio
GData - - Win32:Adware-gen 
Ikarus - - -
K7AntiVirus - - not-a-virus:AdWare.Win32.Rabio.lj
Kaspersky - - not-a-virus:AdWare.Win32.Rabio.lj
McAfee - - -
McAfee+Artemis - - -
Microsoft - - -
NOD32 - - -
Norman - - W32/Rabio.AN
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
SecureWeb-Gateway - - Ad-Spyware.Rabio.LJ
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - AdWare.Win32.Rabio.lj
ViRobot - - Adware.Rabio.9659869
VirusBuster - - -
 
Additional information
MD5: d80aa2359d6e1042aea1a432a6b7e1c7
SHA1: 16f1169bf37583cc0378495031373710b5f92114
SHA256: 13e65bb880704461e4ccf6042d87a27586172ce3eb4560969adeaeaf0538078d
SHA512: 1c6fb32b53f78238e34c9878739218894290377e15a1f277393faabc658e61fef2dafa52b77144f82757b8e972f0c1343880a3bdb1aa8bc1a6fbc0184271ae9f

Please help 

[DavidR]

Well a lot of the detections are generic (-gen, etc.), which are more prone to false positive, however there are several not detected by generic signatures and son say not-a-virus which is a bit silly OK technically adware isn't a virus, so don't read too much into the not-a-virus part.

The win32.rabio is generally considered unwanted adware (see below), now some programs typically free come with some payback, they want something in return for the free program and that is usually in the form of delivering targeted ads, from which they can earn some revenue. Now I don't know what their definition of fair use is.

A potentially unwanted adware program designed to deliver various advertisements to the users' systems

http://www.emsisoft.com/en/malware/?Adware.Win32.Rabio

Rabio is an adware that can displays advertisements that are based off of user preferences and settings. It may also gather information anonymously or in aggregate only.

So does the above link and information on the page ring any bells ?

You could send it to avast for further analysis, but given the above it gathers information which is used to deliver ads and to me that is too high a price (you don't know what it does with the data) for a free application/service, whatever that might be.

[w1mm3r]

There has been other cases I can see, but they are older.

http://forum.avast.com/index.php?topic=39073.0

http://www.dvd-guides.com/component/option,com_smf/Itemid,91/topic,13549.0

About the virus alert issue : this alert was triggered by some antivirus (AVG as far as I know, possibly more) because of the installer, not the exe itself. The issue was solved by simply rebuilding the FU installer after upgrading the installation suite (the software used to create FU's installer) to the latest version. Again, there was NO virus or trojan here, only a false positive.
By ump

Fairuse = GPL

Light Edition = Free version compiled by ump

Full Version = Paid version by ump with more features than LE.

Full Version Source Code = Freely available so that you can modify the program and build it yourself.

This is Paid version so I don't think, that include adware

[DavidR]

It may just have it in the setup file so it can be used as one or other version depending on your having paid or not.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

[w1mm3r]

Okay I'll send it.
Thanks for your reply 

[DavidR]

No problem, welcome to the forums.

After the submission, periodically scan the file in the chest to see if it is no longer detected, then no problem. If you are happy to accept the risk that it might contain adware (as you say it shouldn't) then you could exclude the file from scans.

See http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.