This made us really curious, so we contacted all the parties involved for their statements and found out there was a series of mistakes involved.
First, Download.com: They download the software from the developer's site using the PAD mechanism. With this method, the developers share metadata and paths to binaries, and the software portals download the software and publish it on their pages. We assumed that this is automated and that one of the steps would also be automated antivirus/antimalware/antispyware scans. This was confirmed by Download.com staff, BUT(!) the problem is with the level of noisiness of the scanners, which sometimes detect lots of stuff in 'grey area' corners of download portals. This file is in a category where there is a high probability it would be detected by an AV as a keylogger or PUP, so it seems there is either an ignore-mode or there was a manual (wrong) decision to let the file through.
Next, the Developer: The main mistake of the developer of the software is that he is not running an AV, following the usual "I know what I'm doing" approach. We see this approach with power users and developers too often. I wouldn't even trust myself to decide what is a virus or even browse safely without the help of various tools, including AV, and I work in the Avast VirusLab! There is a bit of controversy regarding the origin of the infection: the developer is quite sure that the InstallMonetizer setup he got was infected. This seems plausible, because it was the only infected binary in the whole installer.
And finally: InstallMonetizer denies responsibility and claims the file was clean.
The moral of the story is obvious: run antivirus protection with up-to-date databases and all shields up. Even the reputable, legit sites you know may have problems, as this example illustrates. Also, if you are not sure, don't automatically regard such a message from your AV as a false positive. Cross-verify the file on VirusTotal or report it to us for verification. Please use this form to contact Avast with your issue. Choose 'Report false virus alert' as the Subject/Topic.