GatorHDPlugin

Jay

What is GatorHDPlugin? How do I get rid of it?

Using a popular greeting-card site, I got the following popup:
http://205.180.85.40/w/pc.cgi?mid=21943&sid=110
The IP address is from Genuity, now part of Level3. (I contacted their
"abuse" desk, but got only an automated generic response.)

At that same instant, HDPlugin1014.dll was downloaded to my PC and
installed surreptitiously without informing me or asking permission. It
left a log file, GatorHDPlugin. Also surreptitiously, it then ran and it
tried to communicate out on the Internet.

I did not install any software that day. I thought that the Gator Corp.
stuff got planted only when the user knowingly installs some software...
true?

Is anybody familiar with this attack?
 
It's called a Website drive by where you visit a Website and that site
sends something like Gator that installs on your computer silently.

Download and install Ad-Aware 6 (free) and it will remove spyware. You
should run it on a routine basis to clean spyware off of the machine.

Duane :)
 
> What is GatorHDPlugin? How do I get rid of it?
>
> Using a popular greeting-card site, I got the following popup:
> http://205.180.85.40/w/pc.cgi?mid=21943&sid=110
> The IP address is from Genuity, now part of Level3. (I contacted their
> "abuse" desk, but got only an automated generic response.)
>
> At that same instant, HDPlugin1014.dll was downloaded to my PC and
> installed surreptitiously without informing me or asking permission.

What browser? (Need I ask :)) What version? What (choke) security
settings?

> It left a log file, GatorHDPlugin. Also surreptitiously, it then ran and it
> tried to communicate out on the Internet.
>
> I did not install any software that day.

But you did :)

> I thought that the Gator Corp.
> stuff got planted only when the user knowingly installs some software...
> true?

It's not unusual for this sort of crap to be planted on IE users.

> Is anybody familiar with this attack?

No, since I eradicated IE.


Art
http://www.epix.net/~artnpeg
 
You can set IE to Notify On Download, which will notify if something like
Gator is trying to download from a site and you can terminate the download.
You can also use a FW like BlackIce that will also stop a Website Drive By.

Duane :)
 
Duane said:
You can set IE to Notify On Download, which will notify if something
like Gator is trying to download from a site and you can terminate the
download. ...

Is this in MSIE 5.5? I can't find it.
 
Open Internet Explorer and click Tools, Internet Options, Security, and
Custom Level. Under "ActiveX controls and plug-ins", choose Prompt for both
signed and unsigned controls. Click OK, Yes, and OK.

I don't know if this is on IE 5.5; I would think so. IE 6 has a section to
just turn off downloads, period.

Duane :)
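
The setting described in the post above can also be checked from PowerShell; this is an added example, not part of the original thread. It assumes the per-user zone registry keys and the standard IE URL-action IDs 1001 and 1004 (download signed/unsigned ActiveX controls), where 0 = Enable, 1 = Prompt and 3 = Disable; the function names are made up for this example.

```powershell
# Added example (not from the thread): audit and tighten IE's ActiveX download policy.
# Assumption: per-user zone settings; a machine-wide policy, if set, takes precedence.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }
$Actions   = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: report the ActiveX download state for every zone that exists.
function Get-ActiveXDownloadPolicy {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($id in $Actions.Keys) {
            $raw = $props.$id
            if ($null -eq $raw) {
                $state = 'Not set'
            } elseif ($Meaning.ContainsKey([int]$raw)) {
                $state = $Meaning[[int]$raw]
            } else {
                $state = "Unknown ($raw)"
            }
            [pscustomobject]@{
                Zone     = $ZoneNames[$zone]
                Setting  = $Actions[$id]
                State    = $state
                NoPrompt = ($state -eq 'Enable')   # control would download without asking
            }
        }
    }
}

# Hypothetical helper: set both download actions to Prompt for one zone (default: Internet).
function Set-ActiveXDownloadPrompt {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Zone = '3')
    $path = Join-Path $ZonesKey $Zone
    foreach ($id in $Actions.Keys) {
        if ($PSCmdlet.ShouldProcess("$path\$id", 'Set to Prompt (1)')) {
            Set-ItemProperty -Path $path -Name $id -Value 1 -Type DWord
        }
    }
}

Get-ActiveXDownloadPolicy | Format-Table -AutoSize
Set-ActiveXDownloadPrompt -WhatIf   # drop -WhatIf to apply the change
```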
 
> Then no wonder. But even if you had said IE6 +sp1 or whatever the latest
> patchworked security fiasco is from M$ I'd still strongly recommend
> that you change to Mozilla or one of its cousins such as Firebird.

Actually, I do use Mozilla for most of my www activity.

I only use MSIE when
- my Mozilla settings are too strict for a web site to work, and
- the web site is well-known.
This time, I trusted the wrong site. ;-(

Fortunately, ZoneAlarm caught the intruder trying to phone home, so I think
the damage was contained.

Still, I'd like to undo the damage altogether.
 