Classmates.com Links Infected with Spyware from XPOnlineScanner.com

You can share this, including by text message!

  • Classmates.com Links Infected with Spyware from XPOnlineScanner.com

Here at the Internet Patrol we’ve been getting complaints of “Classmates.com email trying to take over my computer” and “I clicked a link in a Classmates .com email and my computer froze”… or “..and my computer told me I had a virus.”

All of this is because Classmates.com has fallen prey to spyware called XPOnlineScanner (XP Online Scanner). XPOnlineScanner claims to be an XP antivirus software, but is really spyware, and Classmates.com currently has some advertising banners which have become infected such that if someone visits a page with one of the infected banners, the infected banner advertisements on Classmates.com act as a conduit for XPOnlineScanner to download itself on to your Windows PC.

Here’s an example of what you will see on your PC if it becomes infected, in addition to your computer possibly freezing up:

So what to do?

 

First, as always, make sure that you are running an anti-virus program, and that it’s up-to-date.

Second, avoid Classmates.com until you have reason to believe that they have gotten rid of all of the infected advertising.

*Update! We were contacted by a representative of Classmates.com, who advised us that:

“Protecting our members is a top priority at Classmates. In the case of the XPOnlineScanner, on March 24, 2008 we became aware of potential abnormalities from an ad banner running on our site. Our Quality Assurance team investigated and the ad was suspended within an hour. Classmates Connections emails to members do not include any ads and did not take over any computers.

We know you're sick of ads on websites. But we still need to pay to keep the lights on for you. So instead of huge ads and video ads, we use smaller, plainer ads. Still, if you'd like to support the Internet Patrol but not the ads, please consider supporting us here:
Donate via Paypal
Other Amount:
What info brought you here today? (Optional):

(Article continues below)
Get notified of new Internet Patrol articles for free!
Or Read Internet Patrol Articles Right in Your Inbox!
as Soon as They are Published! Only $1 a Month!

Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
Classmates.com Links Infected with Spyware from XPOnlineScanner.com

[Ed. note: The XPOnlineScanner problem occurred when members clicked links in the email, and so were taken to pages at the Classmates site which were displaying the infected banner ads.]

After the March instance we refined our system that puts all of our flash ads through a tool that screens for potential security hacks. In the May instance, the ad received was coded differently. In both instances there were not any issues with email links, but rather bad ads which were identified and pulled from our site. Their respective characteristics were added to our screening systems, which are continually updated to reflect the latest known malware, so it can be identified and stopped before given a chance to run.

Our Member Care department worked with members who may have clicked the abnormal ad during the short time it was running to help them resolve their issues. Our team put additional Quality Assurance procedures in place as part of ongoing improvements we make to protect against the latest malware on the Internet.

We appreciate The Internet Patrol helping Classmates update people about how the situation was quickly resolved.”

Third, if you do find that your computer is exhibiting these symptoms, run your anti-virus program, and if that doesn’t work, you can manually remove all of it’s components by deleting the following files from your hard drive:

xpa.exe
xpa2008.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
Uninstall XPAntivirus.lnk
XPAntivirus on the Web.lnk
XPAntivirus.lnk
XPOnlinescanner.com.lnk
Uninstall XPOnlinescanner.com.lnk
XPAntivirus.url
shlwapi.dll
wininet.dll
XP antivirus

You will also need to remove this from your Windows registry:

HKEY_USERS\Software\XP antivirus

  
No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!

Classmates.com Links Infected with Spyware from XPOnlineScanner.com

Get notified of new Internet Patrol articles!

You can share this, including by text message!

  • Classmates.com Links Infected with Spyware from XPOnlineScanner.com

4 Replies to “Classmates.com Links Infected with Spyware from XPOnlineScanner.com”

  1. It’s back!!!
    Spyware is coming through from Classmates again (January 2010). These are probably from pop-up ads from the Classmates site. I got hit last week, got it all removed, and then got hit again on Saturday 1/16/2010. So watch out!!!

  2. I was a paid member at CM for some time because I did want to connect with many of the people I once knew, WHAT AN EXPERIENCE!
    I noticed discussion boards and one was on the lection and boy was that a mistake to join in, I became the object of what I can only describe as cyber hate!
    The racist, biggoted, remarks are not to be believed including remarks advocating violence of undocumented aliens!
    Remarks directed towards democrats were at the very least uncivil.
    Ulitmately I was strpped of my membership and gold rating after three years of good standing because the folks who hate anyone with an alternate point of view as them complained enough to make CM remove my name.
    But wait theres more?
    Yesterday I returned to see what my status was after year? And I was able to relist myself. After all I first went there to reconnect not argue with the folks who seem to still reside there on the discussion board?
    Having logged out? you’ll never guess?
    My computer came under withering assault from something called ‘System Anti Virus 2008’ that told me I had a virus etc etc and the darn thing has taken 2 days to get off my PC.
    Reviewing a google ‘Syatem anti virus 2008’ I can attest to the notion it is a very serious assault on youyr PC.
    I can only assume it came from CM.
    I wish I had read your site prior to ever revisiting CM again, thanks for the updates.

  3. According to my research shlwapi.dll and wininet.dll are legitimate Windows files. It might be a good idea not to remove them.

    AG

Leave a Reply

Your email address will not be published. Required fields are marked *