Classmates.com Links Infected with Spyware from XPOnlineScanner.com

The Internet Patrol default featured image
Share the knowledge

Here at the Internet Patrol we’ve been getting complaints of “Classmates.com email trying to take over my computer” and “I clicked a link in a Classmates .com email and my computer froze”… or “..and my computer told me I had a virus.”

All of this is because Classmates.com has fallen prey to spyware called XPOnlineScanner (XP Online Scanner). XPOnlineScanner claims to be an XP antivirus software, but is really spyware, and Classmates.com currently has some advertising banners which have become infected such that if someone visits a page with one of the infected banners, the infected banner advertisements on Classmates.com act as a conduit for XPOnlineScanner to download itself on to your Windows PC.

Here’s an example of what you will see on your PC if it becomes infected, in addition to your computer possibly freezing up:

So what to do?

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

First, as always, make sure that you are running an anti-virus program, and that it’s up-to-date.

Second, avoid Classmates.com until you have reason to believe that they have gotten rid of all of the infected advertising.

*Update! We were contacted by a representative of Classmates.com, who advised us that:

“Protecting our members is a top priority at Classmates. In the case of the XPOnlineScanner, on March 24, 2008 we became aware of potential abnormalities from an ad banner running on our site. Our Quality Assurance team investigated and the ad was suspended within an hour. Classmates Connections emails to members do not include any ads and did not take over any computers.

[Ed. note: The XPOnlineScanner problem occurred when members clicked links in the email, and so were taken to pages at the Classmates site which were displaying the infected banner ads.]

After the March instance we refined our system that puts all of our flash ads through a tool that screens for potential security hacks. In the May instance, the ad received was coded differently. In both instances there were not any issues with email links, but rather bad ads which were identified and pulled from our site. Their respective characteristics were added to our screening systems, which are continually updated to reflect the latest known malware, so it can be identified and stopped before given a chance to run.

Our Member Care department worked with members who may have clicked the abnormal ad during the short time it was running to help them resolve their issues. Our team put additional Quality Assurance procedures in place as part of ongoing improvements we make to protect against the latest malware on the Internet.

We appreciate The Internet Patrol helping Classmates update people about how the situation was quickly resolved.”

Third, if you do find that your computer is exhibiting these symptoms, run your anti-virus program, and if that doesn’t work, you can manually remove all of it’s components by deleting the following files from your hard drive:

xpa.exe
xpa2008.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
Uninstall XPAntivirus.lnk
XPAntivirus on the Web.lnk
XPAntivirus.lnk
XPOnlinescanner.com.lnk
Uninstall XPOnlinescanner.com.lnk
XPAntivirus.url
shlwapi.dll
wininet.dll
XP antivirus

You will also need to remove this from your Windows registry:

HKEY_USERS\Software\XP antivirus

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

Get New Internet Patrol Articles by Email!


Share the knowledge

4 thoughts on “Classmates.com Links Infected with Spyware from XPOnlineScanner.com

  1. It’s back!!!
    Spyware is coming through from Classmates again (January 2010). These are probably from pop-up ads from the Classmates site. I got hit last week, got it all removed, and then got hit again on Saturday 1/16/2010. So watch out!!!

  2. I was a paid member at CM for some time because I did want to connect with many of the people I once knew, WHAT AN EXPERIENCE!
    I noticed discussion boards and one was on the lection and boy was that a mistake to join in, I became the object of what I can only describe as cyber hate!
    The racist, biggoted, remarks are not to be believed including remarks advocating violence of undocumented aliens!
    Remarks directed towards democrats were at the very least uncivil.
    Ulitmately I was strpped of my membership and gold rating after three years of good standing because the folks who hate anyone with an alternate point of view as them complained enough to make CM remove my name.
    But wait theres more?
    Yesterday I returned to see what my status was after year? And I was able to relist myself. After all I first went there to reconnect not argue with the folks who seem to still reside there on the discussion board?
    Having logged out? you’ll never guess?
    My computer came under withering assault from something called ‘System Anti Virus 2008’ that told me I had a virus etc etc and the darn thing has taken 2 days to get off my PC.
    Reviewing a google ‘Syatem anti virus 2008’ I can attest to the notion it is a very serious assault on youyr PC.
    I can only assume it came from CM.
    I wish I had read your site prior to ever revisiting CM again, thanks for the updates.

  3. According to my research shlwapi.dll and wininet.dll are legitimate Windows files. It might be a good idea not to remove them.

    AG

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.