I've retitled this post and added this preface due to a comment I received today:
I've seen several versions of the install file over the past week which is an indication that someone is up to no good. The source was: hxxp://xponlinescanner.com/2008/downloadSo it looks like this was part of an attack of some sort. The Minneapolis Star Tribune site may have been compromised or it may be an unwitting attack vector. I couldn't find a good email address to notify them yesterday, but I did find a "feedback" form that looked like it might work. They really need to have a link to notify them of website issues in general and malware attacks in particular.
XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe
I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
--
I click on the StarTribune National News link and my Firefox page vanishes. Instead I see:
I have to kill Firefox from the XP application list to get free. Talk about "erratic PC behavior, PC freezes and creahes".
There actually is a vendor selling this product. So this might not be a simple phishing attack; maybe the bot virus is embedded in a supposed commercial product instead. Maybe my XP box isn't really infected and this really was something the Strib's ad supplier tossed up.
Or not. [jf: see comments. Looks like a malware attack.]
I just can't tell. McAfee SiteAdvisor connects the vendor to spam, so I'm leaning towards my machine NOT being infected and XPonlinescanner.com being a shady enterprise with a good probability of a nasty "backdoor" in their "antiviral" "security" product.
I really do need to get rid of my last XP box. Using XP on the net is like waving a wad of bills in a port bar of old Bangkok.
Update 9/14/09: A similar attack hit the New York Times
I found your comment about this by googling it (just this morning - google found you fast!) after we got the same thing when visiting the Star Tribune website. If it is something legitimately spawned from their site it's pretty tacky of them since they are a large metropolitan newspaper. It could, however, be an ad hijack from a third-party ad server (which does happen to even the biggest websites sometimes). Either way, if you close the window it doesn't seem to try to install anything (like some nasty-ware does).
ReplyDeleteThis same thing happens to me on the StarTribune website. I hate this thing.
ReplyDeleteDo not install this software. I am sure it's spam or a virus. I sent an email to the StarTrib explaining the problem. However, I doubt that I'll hear back from them.
ReplyDeleteIt would probably help if you could send them an email as well.
I sent an email to their "corrections" address.
ReplyDeleteThey don't provide a contact address for problems like this. The Strib ain't the most sophisticated operation!
Another Twin Cities Startribune web reader and I got the same thing on both machines. I have up to date windows forefront and that did not detect it but it sounds like that is where its spawning from. Just closing and removing cookies.
ReplyDeleteI too got to this page from the Star Tribune site. It was weird since I was using safari on a mac, and it was an XP system scanner or whatever.
ReplyDeleteI just got the same treatment from them via salary.com and I notice it didn't install anything. They have a script that just resizes the browser really small and then they put a confirmation dialog on top of it. I closed the confirmation window and it resized my browser to the height and width of my screen and claimed to be scanning my computer. Nonsense. Nonsense that it is scanning and bigger, infuriating nonsense that such ads exist. I am going to filter them out with my ad blocker, and I am a bit glad that now I have something new to look for, in case someone else tries this sort of thing.
ReplyDeleteThis popup is a Trojan Horse malware, users should close the window and not use any buttons presented in main popup.
ReplyDeleteOccurred twice this weekend on ST site.
Sent the webmaster a notice.
This is fraud. It supposedly "scanned" my computer and told me that I was 3 or 4 Windows viruses and needed to run their anti-virus. I run Linux.
ReplyDeleteThe "antivirus" scan is nothing but a canned Javascript program that make it look like it's scanning things, but is really doing nothing.
Assume this is a malicious site, do NOT download anything from it (even though it tries hard to force you to), and complain to the site owner.
I've seen several versions of the install file over the past week which is an indication that someone is up to no good.
ReplyDeleteThe source was: hxxp://xponlinescanner.com/2008/download'
XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe
I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
~jbrown
Started this weekend on the jsonline.com (Milwaukee Journal Sentinel) site. Complaint has been filed with site owner.
ReplyDeleteI just recieved it this morning. But I believe this one actually popped up while I was on Photobucket.
ReplyDeleteI closed it but it just opened into a window saying it was scanning and then I just closed it again. I'm hoping it didn't do anything else.
I got it on JSOnline and a music lyrics website called "letssingit.com."
ReplyDeleteI just got this on a livejournal user's page. It had pictures from photobucket, ads from google, and javascript from snap.com for I'm not sure what.
ReplyDeleteI've never heard of or been to the Star Tribune website, but this pop up has appeared on starting up firefox on both a Linux and a Mac computer. I don't use MS Windows.
ReplyDeleteIt would appear that this is wider spread than just a rogue web site.
A new anonymous person here. It just happened to me when I was trying to connect to LiveJournal. Looks like it's getting around...
ReplyDeleteI love the fact that it tries to pull this crap my Mac. Never mind the fact that Im running safari , the malware spammer doesn't seem to bother checking what os it's trying to chum. Im sorry, I dont have any sort of DLL's , C: , or Local Setting. windows style pop up diallogs on a mac is even funnier.
ReplyDeleteCar Domain has it as a popup as well.
ReplyDeleteMetacritic.com is also featuring this nasty dialog warning box. I sincerely hope it does not feature a self-installing component, as I clicked 'cancel' when it popped up.
ReplyDeleteI got the same thing and I was on The Sporting News website. It is definetly not limited to one site.
ReplyDeletemy website is also hijacked by xponlinescanner.com :-(
ReplyDeletesomebody know what to do?
I got that popup about many months ago, but I don't know which site it originated from.. and since then, my computer lost its main user profile. So everything that is now saved, which is now on the temp profile all gets deleted. /:
ReplyDeleteAnd now I just received it again and I was on Photobucket.
It's getting ridiculous and I need my main login again, but I don't know how to do that without paying lots of money to fix it.
I have just received this very misleading pop-up. Thanks god decided to google it first. I have submitted the info to Symantec people. Let's see what they have to say.
ReplyDeleteThank you very much for your blog.
I just got the http://xponlinescanner.com/2008/1/_freescan.php?aid=77024204
ReplyDeleteerror with the 4 virus warning and popup to download their software. I was/am using firefox and was looking at my photobucket account.
It startled me because the wording is somewhat tricky in how to 'exit' it, so I just clicked the X (hope that didn't dispense anything) and shut down firefox and ran a couple of my virus protections.
WHAT IS THIS AND WHERE IS IT COMING FROM? (Not yelling, per se, but VERY curious)
I couldn't even find it on major geeks!
DO NOT INSTALL THIS!
ReplyDeleteGo to your task manager and close whatever internet program you were using when you got this.
This will infect your computer.
i that same warning message when i went to photobucket.com
ReplyDeleteLook here if you have been infected with this.Hopefully you have not.
ReplyDeletehttp://www.spyware-techie.com/how-to-remove-xponlinescannercom/
or just google xponlinescanner.com
it brings up lots of results.
I'm pretty sure that this exploit is not caused by how much crap is on a LiveJournal page. I was going through my friends list and I got the pop-up as well--and I usually get it on Safari, not Firefox (since I upgraded to the latest beta). It's the work of Russian mafia scammers trying to make a buck.
ReplyDeleteThis crap has been embedded in ads displayed from advertisers. It is happening all over the place. The good news is that most ad firms are catching on.
ReplyDeleteHope that helps. It has nothing to do with the site itself you may be visiting at the time.
I had a TON of windows pop up when I started AOL a few weeks ago. I had to shut AOL down to get them to stop. This morning when I started AOL, I got the XPONLINESCANNER message that all of you have gotten. Everytime I tried to close it, it popped up in a different window. I finally got it to close, but it took a while. I googled it, and found this site. Thanks for all the info posted, and I will surely warn everyone I know about this. Also, thanks wo whoever posted the site for the removal tool. I am going to give it a shot as soon as I am done writing this.
ReplyDeleteIts obviously malware... Fake website, all links on it lead to the download box.
ReplyDeleteAnd to top it off, I was using Linux when it popped up. It can't scan something it wasn't supposedly designed to scan... :) Windows incompatibility ya know...
well it's happening again at star trib, it's done it to me twice in the past day, trying to take me to xponilnescanner.com. grr.
ReplyDeleteThe StarTribune has tried to give me the Antivirus XP malware twice today on separate PC's and twice last week. I'm still trying to identify what pages i'm sitting on etc but it has consistantly been StarTribune handing out malware.
ReplyDeleteI had it happen to me on StarTribune.com yesterday. I was using Safari on my Mac. How frustrating.
ReplyDeleteShould I find a new place to read my news?