allentech.net


Parasite: Gator

This record last updated Tue Sep 20 2005 03:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

The Gator Advertising and Information Network is one of the earliest and most widespread advertising parasites.

The script at this website cannot detect Gator itself, but it can detect Gator’s installer DLLs, which may be a sign of an unfinished or failed Gator installation.

Variants

Gator/A covers all versions of Gator before it became ‘GAIN’. These old variants have not been researched, so the removal instructions here may not work for them.

Gator/GAIN includes versions (3.1.x-4.0.x) of the current system, an independent adware network.

Gator/Trickler is an installer program which fetches Gator/GAIN gradually, using only a small part of the bandwidth available.

Gator/PDP is an ActiveX control used to install Gator.com applications which bundle Gator/Trickler. When Gator itself has started loading, the installer control is removed.

Gator/HDPlugin is a new, smaller rewrite of PDP.

Gator/Dashbar is a (seemingly harmless) search toolbar bundled with some recent Gator distributions. Note this is unconnected to the dash.com ‘DashBar’ of old.

Also known as

Gator/PDP may be known as IEGator or PDPPlugin, after its filename.

The Gator company renamed itself to Claria in October 2003.

Distribution

The Gator/A variant was distributed as part of ‘Gator eWallet’, an application used to fill in web forms. eWallet is now a separate program.

Gator/Trickler (and hence Gator/GAIN) is now distributed with all Gator.com applications, including eWallet and Precision Time/Date Manager. It is also widely bundled with third-party software, particularly peer-to-peer file-sharing programs.

Gator/PDP and HDPlugin are included as a drive-by download on web pages, particularly hidden pop-ups.

What it does

Advertising

Yes. Pop-up windows (both Internet Explorer windows and Gator’s own non-browser windows) appear periodically whilst IE is in use.

Privacy violation

Yes. Every time a new site is visited, the address of the site (though not the full URL) is reported to Gator’s servers, with a unique user ID which can be used to track your web usage.

Security issues

Yes. Gator/GAIN can download and execute arbitrary code from its controlling server (as an update feature).

Gator/PDP and HDPlugin, the installer controls, can be directed by any web page to install code from Gator’s servers.

Gator/PDP/3061, an early version of the installer control, has a critical security flaw: it allows any web page to download and execute code from anywhere, with no security checks.

Gator/PDP/5094, the latest version of the installer control, seems to contain code to work around the network security products Zone Alarm Pro, STOPzilla, Norton Internet Security and McAfee Desktop Firewall. However, I cannot confirm this, as when I tested it with one of these products loaded, the plug-in crashed.

Stability problems

None known in Gator/GAIN, but the Gator/PDP installer seems sometimes to crash, particularly on IE5.0.

Removal

These instructions are for Gator/GAIN. If the script has detected that you have a Gator/PDP, HDPlugin and/or Trickler version, see ‘Partial install removal’.

First go to Add/Remove Programs in the Control Panel and remove any Gator.com applications - Date Manager, Precision Time or Gator eWallet. (These will try to restart Gator/GAIN.) If you are lucky, Gator may actually uninstall by itself at this point. If so, skip the following paragraph.

Otherwise, open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Select it and, on the right hand side, right-click the ‘CMESys’ entry and click ‘Delete’. In some earlier variants there might also be a ‘GMT’ entry; you can delete that one, too. Restart the computer and open the Common Files folder inside Program Files. Delete the ‘CMEII’ and ‘GMT’ folders.

If Gator was installed by Precision Time/Date Manager you may also have a ‘WebPT’ or ‘WebDM’ folder inside Program Files containing the Gator/Trickler program; this can also be deleted.

If you like, you can clean up by opening the registry and deleting the keys:

HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\GatorTest

Partial install removal

For Gator/PDP, open the Downloaded Program Files folder (inside the Windows folder). The Gator/PDP control is called ‘PdpPlg Class’ in version 4094, ‘PdpPi Class’ in version 5094, and ‘DFRun Class’ in other versions. For Gator/HDPlugin it is ‘HDPluginCtrl Class’. Right-click this entry and choose ‘Remove’. Check that no Gator/Trickler instance is loaded.

For Gator/Trickler, open the registry (Start->Run->regedit) and choose the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right-hand side, look for an entry whose filename contains ‘trickler’ or sometimes ‘fsg_’.

Note the full filename so that, after restarting the computer, you can come back and delete it.
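
The registry and folder checks from the two removal procedures above, collected into a read-only PowerShell check. This is an added example, not part of the original page or of Andrew Clover's detection script; the `WOW6432Node` and `Program Files (x86)` locations are an assumption added for 64-bit Windows, which the page does not mention.

```powershell
# Added example: read-only check for the Gator/GAIN and Gator/Trickler
# indicators named on this page. It reports findings and deletes nothing.
$findings = @()

# Software roots: the location the page gives, plus its 32-bit counterpart
# on 64-bit Windows (an assumption, not mentioned on the page).
$softwareRoots = 'HKLM:\Software', 'HKLM:\Software\WOW6432Node'

foreach ($root in $softwareRoots) {
    # Run-key values: 'CMESys' / 'GMT' by name, Trickler by its filename.
    $runKey = Get-Item -LiteralPath "$root\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($name)
            if (@('CMESys', 'GMT') -contains $name) {
                $findings += "Run value '$name' -> $data"
            } elseif ($data -match 'trickler|fsg_') {
                $findings += "Run value '$name' looks like Gator/Trickler -> $data"
            }
        }
    }
    # Leftover vendor keys from the optional clean-up step.
    foreach ($sub in 'Gator.com', 'GatorTest') {
        if (Test-Path -LiteralPath "$root\$sub") { $findings += "Registry key present: $root\$sub" }
    }
}

# CLSID key from the clean-up list (native and 32-bit views).
$clsid = '{21FFB6C0-0DA1-11D5-A9D5-00500413153C}'
foreach ($k in "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
               "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid") {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Folders: CMEII and GMT under Common Files, WebPT and WebDM under Program Files.
$pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($pf in $pfRoots) {
    foreach ($rel in 'Common Files\CMEII', 'Common Files\GMT', 'WebPT', 'WebDM') {
        $path = Join-Path $pf $rel
        if (Test-Path -LiteralPath $path -PathType Container) { $findings += "Folder present: $path" }
    }
}

if ($findings) { $findings } else { 'No Gator indicators from this page were found.' }
```

The ActiveX controls in Downloaded Program Files are not covered, because the page identifies them by their displayed class names rather than by file or registry path.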

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
