
Registry Key and Popups


Quasi
1st September 2003, 07:47 PM
Hi everyone,

I am having a problem with "Gator" Corporation's legal virus on my father's computer. It has embedded itself into the registry, so it is not on the hard drive. He has Windows 2000 Pro, and the Microsoft Messenger has been disabled. We have also tried Spybot, etc. Nothing works. I have fixed this virus in the past by re-installing the operating system, but this takes many, many hours. Any programmers out there who can help? How do you clean out the registry?! Basically, the computer is inoperable because it is so full of popups that after a few minutes it crashes, and all of the programs run slow.

PS This comes from "Travelocity" web site, and I heard other people have been infected after signing up there.

clk
1st September 2003, 08:35 PM
Are the pop-ups from the messenger part of Windows, or do they open in IE as a website?

ImpyTimpy
1st September 2003, 09:09 PM
Man, I feel sorry for you. That Gator bastard came preinstalled with one of my PCs and it was annoying to say the least.

Just to correct you on something:


It has embedded itself into the registry- so it is not on the hard drive.

First of all, the registry is stored on your hard drive. Second of all, the registry simply contains settings used by different applications (Windows included). Gator is sitting on your hard drive, it just hasn't registered itself properly (so it doesn't show up in the Add/Remove Programs dialog).

Fixing your problem is pretty easy. Just go into Start/Run, type in regedit (to edit the registry).

Look for HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, then Windows, then "CurrentVersion", then "Run"; expand the "Run" key to see a list of programs that load during Windows startup. Look for gator.exe (or something similar) and delete it from the registry.

There may be other programs sitting there that shouldn't be running. You might want to check into deleting them as well.

To remove gator for the future, record the path to gator.exe and then delete it.

Ove
1st September 2003, 11:08 PM
There is a small program called "Hijack This" that can help you. It tells you what programmes load at startup. You can find it here: Hijack (http://www.tomcoyote.org/hjt/) .

This programme together with Spybot and AdAware has removed Gator & Co from my computer several times. Also you might want to use some of Spybot's "immunisation" features to prevent further trouble. ;)

crapmike
2nd September 2003, 12:10 AM
If you don't know what to do with HijackThis:

After you download it, run the program, click Scan and then Save Log.

Go here: LINK (http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=SF;f=32;st=0), open a new thread by pasting the log, and ask if there's something wrong with it.

Quasi
2nd September 2003, 06:50 AM
Thanks everyone, I will try this tonight when I get back from work.

ImpyTimpy
2nd September 2003, 06:37 PM
Or you could just run msconfig and get exactly the same information plus be given the option which programs to remove from startup... Saves bandwidth and time. :)

Or you could just edit the registry like I posted. :p

Originally posted by Ove
There is a small program called "Hijack This" that can help you. It tells you what programmes load at startup. You can find it here: Hijack (http://www.tomcoyote.org/hjt/) .

This programme together with Spybot and AdAware has removed Gator & Co from my computer several times. Also you might want to use some of Spybot's "immunisation" features to prevent further trouble. ;)

Ove
2nd September 2003, 11:16 PM
Or you could just run msconfig and get exactly the same information plus be given the option which programs to remove from startup... Saves bandwidth and time.

Or you could just edit the registry like I posted


Yes, you can if you are an experienced Windows user and know 100% what you're doing, but I got the impression that Quasi is quite unsure of what to do. HijackThis provides some very helpful tools. ;)

ImpyTimpy
3rd September 2003, 01:05 AM
Very true. :)

Originally posted by Ove

Yes, you can if you are an experienced Windows user and know 100% what you're doing, but I got the impression that Quasi is quite unsure of what to do. HijackThis provides some very helpful tools. ;)

De_Bunk
3rd September 2003, 04:34 AM
Simple answer...


Go Google...put in "Remove Gator"...

See what comes up...

Your prayers will be answered...

DB

Quasi
3rd September 2003, 10:41 AM
I have tried lots of things. The registry search turned up several viruses. Some other searches turned up others. After trying a combination attack, the system worked well for about 5 minutes, but then the viruses loaded themselves back again. I am definitely missing something, somewhere. My father is going to break down soon and pay off Norton Utilities to protect the computer, which he thinks will work. I will try the Google "remove gator" bit and see what happens. Damn aggressive these programs are. The irony is that so many popups appear, the computer is useless, so any marketing value is lost.

De_Bunk
3rd September 2003, 11:13 AM
Quasi...

Download "POW" from Analogx.com

It works a treat...you only ever get the pop ups once....then never again...

DB

ImpyTimpy
3rd September 2003, 04:38 PM
Just removing them from the registry is NOT ENOUGH. That's because they write themselves back into your registry. You need to delete the actual file the registry points to.

I suggest you press CTRL+ALT+DEL, go into task manager and click on the processes tab (not applications, processes). You'll see the very same "viruses" that your registry had references to. You need to shut them down then delete them off your hard drive, then remove them from the registry.

Originally posted by Quasi
I have tried lots of things. The registry search turned up several viruses. Some other searches turned up others. After trying a combination attack, the system worked well for about 5 minutes, but then the viruses loaded themselves back again. I am definitely missing something, somewhere. My father is going to break down soon and pay off Norton Utilities to protect the computer, which he thinks will work. I will try the Google "remove gator" bit and see what happens. Damn aggressive these programs are. The irony is that so many popups appear, the computer is useless, so any marketing value is lost.
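The procedure ImpyTimpy describes across the two posts above (list the Run key, find the matching process in Task Manager, stop it, delete the file, then delete the registry value) as an added PowerShell example. This is not code from the thread, and it targets a current Windows with PowerShell rather than the Windows 2000 box under discussion; the Run/RunOnce keys it reads are the same ones. The value name mfin32 used in the usage comment is only an illustration taken from the thread; nothing else is assumed about that file.

```powershell
# Added example, not code from the thread. Lists every entry under the
# per-machine and per-user Run/RunOnce keys, resolves the file each one
# launches, and reports whether that file is on disk and currently running.
# With -Remove and -Name it performs the three steps in the order the thread
# settles on: stop the process, delete the file, then delete the registry
# value. Run from an elevated prompt; the default is report-only.
#   .\runkeys.ps1                      # report only
#   .\runkeys.ps1 -Remove -Name mfin32 # remove the value named mfin32 (illustrative)
param(
    [string[]]$Name = @(),   # value names to remove; only used with -Remove
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these note properties to every result; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable path from a Run-key command line, handling both
# "C:\Program Files\x\y.exe" /arg and C:\x\y.exe /arg forms.
function Get-ImagePath([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return [Environment]::ExpandEnvironmentVariables($cmd.Substring(1, $end - 1)) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|bat|cmd|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) }
    return [Environment]::ExpandEnvironmentVariables(($cmd -split '\s+')[0])
}

# Running processes whose main module is the given file (case-insensitive path match).
function Get-ProcessesForImage([string]$Image) {
    if ($Image -eq '') { return }
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -and ($_.Path -ieq $Image) }
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $image = Get-ImagePath ([string]$p.Value)
        $procs = @(Get-ProcessesForImage $image)
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Image   = $image
            OnDisk  = ($image -ne '' -and (Test-Path -LiteralPath $image))
            Running = ($procs.Count -gt 0)
            Pids    = ($procs | ForEach-Object { $_.Id }) -join ','
        }
    }
}

$entries | Format-Table Name, OnDisk, Running, Pids, Image, Key -AutoSize

if ($Remove) {
    foreach ($e in @($entries | Where-Object { $Name -contains $_.Name })) {
        # 1. Stop the process first so it cannot rewrite the value after deletion.
        Get-ProcessesForImage $e.Image | Stop-Process -Force
        # 2. Delete the file the value points to.
        if ($e.OnDisk) { Remove-Item -LiteralPath $e.Image -Force }
        # 3. Delete the registry value itself.
        Remove-ItemProperty -Path $e.Key -Name $e.Name
        Write-Host "Removed $($e.Name) -> $($e.Image)"
    }
}
```

The report is the part to study: an entry whose Image is OnDisk and Running is the one that will come back if you only delete the registry value, which is exactly the symptom Quasi reports. The order in -Remove matters for the same reason; kill first, then delete, then clean the key, and re-run the report afterwards to confirm nothing re-registered.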

ShowMe
3rd September 2003, 05:41 PM
Originally posted by Quasi
I have tried lots of things. The registry search turned up several viruses.

"Virus" is a misnomer. A virus continuously replicates itself, looking for other systems to infect.

What you have is spyware, which can be far more troublesome in some aspects.

Download Spybot Search & Destroy and run it. Remove all the spyware.

http://www.pcworld.com/downloads/file_download/0,fid,22262,fileidx,1,00.asp

Also use the immunize function, as well as the "block all pages silently" function. Good stuff.

And remove Kazaa, use Kazaa Lite instead. Kazaa comes with Gator, if you keep it installed after you've removed the spyware you're right back where you started.

RPG Advocate
4th September 2003, 03:03 AM
Once you remove Gator, you can stop it from installing itself on your system once and for all by simply setting your browser not to download and install software or run ActiveX controls from untrusted sites. Then you can whitelist sites you trust on a case-by-case basis.

Kevin_Lowe
4th September 2003, 07:50 AM
Hear my words:

If you can't keep spyware (or virii) off your machine, you would be wiser to sell it and buy a Macintosh.

Quasi
4th September 2003, 10:19 AM
Thanks for the advice. I will try these things tonight. I used POW!, but that had no effect, even with MS Messenger disabled. I tried Spybot S&D, but the programs kept coming back. This computer does not have Kazaa. This all started when I viewed a travel web site, and registered. It must have downloaded the spyware. I have heard the same complaint from others who visited the same web site. Anyway, wish me luck!

scribble
4th September 2003, 11:10 AM
There is a good chance you are talking about the popup ads you get on port 1214. If so, this is unrelated to Gator. Unfortunately, there is no way to block these in Windows without also destroying your ability to use DNS, because the programmers at MS are a load of morons. I've found two ways around the problem:

1) Install a firewall that will block incoming traffic on port 1214.
2) Install software that will block incoming traffic on port 1214. The free version of ZoneAlarm will do this, and is highly recommended, if you set the second two checkboxes on the "Services and Controller app" to disable.

This will disable those annoying popup ads that you get; 90% of the ones I get are advertisements for how to get rid of the advertisements! I swear, if I ever meet anyone at the companies sending those ads out, I will kill them.

-Chris

ShowMe
4th September 2003, 11:38 AM
Originally posted by Quasi
This all started when I viewed a travel web site, and registered.

Which travel site is this? Do you have the URL?

You can check your Trusted Sites (Tools->Internet Options -> Security -> Trusted Sites and click the "sites" button) to see if it added itself to your trusted site list. If it did then it can load anything on your machine when you visit that site.

If you use the immunize feature, as well as the "block all pages" feature of Spybot then you can stop a huge amount of spyware from loading on your machine again.
Just scanning & removing isn't enough.
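The two checks from RPG Advocate's and ShowMe's posts (look at what has landed in the Trusted Sites zone, and stop the Internet zone from downloading and running ActiveX controls) as an added PowerShell example. This is not code from the thread; it reads and writes the per-user Internet Explorer zone settings in the registry, using the zone numbers and action IDs from Microsoft's documented security-zone registry layout (zone 2 = Trusted sites, zone 3 = Internet; action values 0 = Enable, 1 = Prompt, 3 = Disable). It needs a Windows with PowerShell, not the Windows 2000 machine in the thread.

```powershell
# Added example, not code from the thread. Lists the sites the current user
# has in Internet Explorer's Trusted Sites zone and shows (or, with -Harden,
# tightens) the Internet zone's ActiveX download/run actions.
#   .\iezones.ps1           # report only
#   .\iezones.ps1 -Harden   # apply the stricter ActiveX settings, then re-run to verify
param([switch]$Harden)

$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$domains  = "$base\ZoneMap\Domains"
$internet = "$base\Zones\3"
$psNoise  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Action IDs from Microsoft's documented zone layout (KB 182569).
$actions = [ordered]@{
    1001 = 'Download signed ActiveX controls'
    1004 = 'Download unsigned ActiveX controls'
    1200 = 'Run ActiveX controls and plug-ins'
    1201 = 'Initialize and script ActiveX controls not marked as safe'
}
$valueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Each Domains\example.com[\www] key holds per-scheme DWORDs (http, https, *);
# a value of 2 means the site is in the Trusted zone.
function Get-TrustedSites {
    if (-not (Test-Path $domains)) { return }
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        $rel = ($_.Name -split 'Domains\\', 2)[1]
        if ($rel -like 'Ranges*') { return }   # IP ranges are stored differently; skip them
        $labels = $rel -split '\\'
        [array]::Reverse($labels)              # example.com\www -> www.example.com
        $hostName = $labels -join '.'
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            if ([int]$p.Value -eq 2) {
                [pscustomobject]@{ Scheme = $p.Name; Site = $hostName }
            }
        }
    }
}

function Get-ActiveXSettings {
    foreach ($id in $actions.Keys) {
        $v = (Get-ItemProperty -Path $internet -Name "$id" -ErrorAction SilentlyContinue)."$id"
        $label = if ($null -eq $v) { '(not set)' }
                 elseif ($valueNames.ContainsKey([int]$v)) { $valueNames[[int]$v] }
                 else { "$v" }
        [pscustomobject]@{ Action = $id; Setting = $actions[$id]; Value = $label }
    }
}

'Trusted Sites (zone 2):'
Get-TrustedSites | Format-Table -AutoSize
'Internet zone (zone 3) ActiveX actions:'
Get-ActiveXSettings | Format-Table -AutoSize

if ($Harden) {
    # Signed download and run -> Prompt; unsigned download and unsafe init -> Disable.
    $desired = @{ 1001 = 1; 1200 = 1; 1004 = 3; 1201 = 3 }
    foreach ($id in $desired.Keys) {
        Set-ItemProperty -Path $internet -Name "$id" -Value $desired[$id] -Type DWord
    }
    'Applied. Re-run without -Harden to verify.'
}
```

Anything listed under Trusted Sites that the user did not add deliberately is worth removing from Tools -> Internet Options -> Security -> Trusted Sites, since a site in that zone gets the zone's looser ActiveX settings regardless of what -Harden sets for the Internet zone.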

crapmike
4th September 2003, 01:22 PM
Originally posted by Quasi
Thanks for the advice. I will try these things tonight. I used POW!, but that had no effect, even with MS Messenger disabled. I tried Spybot S&D, but the programs kept coming back. This computer does not have Kazaa. This all started when I viewed a travel web site, and registered. It must have downloaded the spyware. I have heard the same complaint from others who visited the same web site. Anyway, wish me luck!

try with hijackthis

Quasi
4th September 2003, 08:35 PM
Hi everyone. I suspect this will be my last post on this thread. Well, it turned out to be a file called "mfin32.exe" which embedded itself into the registry. It looked like official Microsoft stuff, so I ignored it the first few times around. Then when I hooked up to the internet tonight, this program took up over 98% of the system resources, and the popups poured in so fast it crashed IE. Basically, I went back to the registry, deleted it, and at the folder source too- as you guys suggested. Result? Popups completely eliminated. Thanks guys!

Ove
4th September 2003, 11:10 PM
Congratulations, job well done. :D :D :D


I know 100% how you must be feeling now, it's a wonderful feeling to get your computer "back" from captivity.

:clap: :clap: :clap:
:clap: :clap: