Gator
- By W3 Privacy
- Published 05/8/2007
- Parasites
Description
The Gator Advertising and Information Network is one of the earliest and most widespread advertising parasites.
The script at this website cannot detect Gator itself, but it can detect Gator's installer DLLs, which may be a sign of an unfinished or failed Gator installation.
Variants
Gator/A covers all versions of Gator before it became 'GAIN'. These old variants have not been researched, so the removal instructions here may not work for them.
Gator/GAIN covers versions 3.1.x-4.0.x of the current system, an independent adware network.
Gator/Trickler is an installer program which fetches Gator/GAIN gradually, using only a small part of the bandwidth available.
Gator/PDP is an ActiveX control used to install Gator.com applications which bundle Gator/Trickler. When Gator itself has started loading, the installer control is removed.
Also known as
Gator/PDP may be known as IEGator or PDPPlugin, after its filename.
Distribution
The Gator/A variant was distributed as part of 'Gator eWallet', an application used to fill in web forms. eWallet is now a separate program.
Gator/Trickler (and hence Gator/GAIN) is now distributed with all Gator.com applications, including eWallet and Precision Time/Date Manager. It is also widely bundled with third-party software, particularly peer-to-peer file-sharing programs.
Gator/PDP is included as a drive-by download on web pages, particularly hidden pop-ups.
What it does
Advertising
Yes. Pop-up windows (both Internet Explorer windows and Gator's own non-browser windows) appear periodically whilst IE is in use.
Privacy violation
Yes. Every time a new site is visited, the address of the site (though not the full URL) is reported to Gator's servers, with a unique user ID which can be used to track your web usage.
Security issues
Yes. Gator/GAIN can download and execute arbitrary code from its controlling server (as an update feature).
Gator/PDP, the installer control, can be directed by any web page to install code from Gator's servers.
Gator/PDP/3061, an early version of the installer control, has a critical security flaw: it allows any web page to download and execute code from anywhere, with no security checks.
Gator/PDP/5094, the latest version of the installer control, seems to contain code to work around the network security products Zone Alarm Pro, STOPzilla, Norton Internet Security and McAfee Desktop Firewall. However, I cannot confirm this, as when I tested it with one of these products loaded, the plug-in crashed.
Stability problems
None known in Gator/GAIN, but the Gator/PDP installer sometimes seems to crash, particularly on IE5.0.
Removal
These instructions are for Gator/GAIN. If the script has detected that you have a Gator/PDP and/or Gator/Trickler version, see 'Partial install removal'.
First go to Add/Remove Programs in the Control Panel and remove any Gator.com applications - Date Manager, Precision Time or Gator eWallet. (These will try to restart Gator/GAIN.) If you are lucky, Gator may actually uninstall by itself at this point. If so, skip the following paragraph.
Otherwise, open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Select it and, on the right-hand side, right-click the 'CMESys' entry and click 'Delete'. In some earlier variants there might also be a 'GMT' entry; you can delete that one, too. Restart the computer and open the Common Files folder inside Program Files. Delete the 'CMEII' and 'GMT' folders.
If Gator was installed by Precision Time/Date Manager you may also have a 'WebPT' or 'WebDM' folder inside Program Files containing the Gator/Trickler program; this can also be deleted.
If you like, you can clean up by opening the registry and deleting the keys:
HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\GatorTest
Partial install removal
For Gator/PDP, open the Downloaded Program Files folder (inside the Windows folder). The Gator/PDP control is called 'PdpPlg Class' in version 4094, 'PdpPi Class' in version 5094, and 'DFRun Class' in other versions. Right-click this entry and choose 'Remove'. Check that no Gator/Trickler instance is loaded.
For Gator/Trickler, open the registry (Start->Run->regedit) and choose the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right-hand side, look for an entry whose filename contains 'trickler' or sometimes 'fsg_'.
Note the full filename so that, after restarting the computer, you can come back and delete it.
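
The checks from 'Removal' and the Gator/Trickler part of 'Partial install removal', collected into a read-only PowerShell audit. This is an added example, not part of the original page; the function name Get-GatorFinding is hypothetical, and the script only reports what it finds.

```powershell
# Added example: read-only audit for the leftovers named in the removal steps.
# Get-GatorFinding is a hypothetical name; nothing is deleted or modified.
# Gator/PDP is not covered: check Downloaded Program Files by hand.
function Get-GatorFinding {
    $findings = @()

    # Autostart entries: 'CMESys' and 'GMT' by value name,
    # Gator/Trickler by a filename containing 'trickler' or 'fsg_'.
    $runPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runKey = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($name)
            $byName = @('CMESys', 'GMT') -contains $name
            $byFile = $data -match 'trickler|fsg_'
            if ($byName -or $byFile) {
                $findings += [pscustomobject]@{ Kind = 'Run value'; Item = $name; Detail = $data }
            }
        }
    }

    # Folders and registry keys the page lists for deletion.
    $targets = @(
        @{ Kind = 'Folder'; Path = (Join-Path $env:CommonProgramFiles 'CMEII') },
        @{ Kind = 'Folder'; Path = (Join-Path $env:CommonProgramFiles 'GMT') },
        @{ Kind = 'Folder'; Path = (Join-Path $env:ProgramFiles 'WebPT') },
        @{ Kind = 'Folder'; Path = (Join-Path $env:ProgramFiles 'WebDM') },
        @{ Kind = 'Registry key'; Path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}' },
        @{ Kind = 'Registry key'; Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com' },
        @{ Kind = 'Registry key'; Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\GatorTest' }
    )
    foreach ($t in $targets) {
        if (Test-Path -LiteralPath $t.Path) {
            $findings += [pscustomobject]@{ Kind = $t.Kind; Item = $t.Path; Detail = 'present' }
        }
    }

    return $findings
}

# Print one row per leftover; no rows means none of the listed items were found.
Get-GatorFinding | Format-Table -AutoSize
```

On 64-bit Windows, assuming the Gator components are 32-bit, run this from 32-bit PowerShell so that the 32-bit registry view and Program Files (x86) are the ones checked.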

