Contributing on G-Buster

Discussion in 'Software' started by rgillie9, Jan 22, 2011.

  1. rgillie9

    rgillie9 Private E-2

    Just joined, got some good info here, wanted to pass on additional learning on the G-Buster defense mechanism that made my computer non-functional. Can I reply to other posts?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to MG's. You can reply to any post except in the Malware forum. Only malware fighters and the original poster can reply to those threads. This does not mean you can't start a thread in Malware if you are having issues.
     
  3. rgillie9

    rgillie9 Private E-2

    Thanks Tim. I read this blog while having my problem with G-Buster making my computer non-functional, so I thought I'd contribute back. Not sure what you'll do with something that isn't malware or a virus but has some worse effects than if it was.

    GBuster or gbplugin is a horrible program that is heavily defended by the Brazilian banking developers. It is purposely designed to avoid removal in numerous ways; it uses files in Program Files\GbPlugin and a System32\drivers driver, which in my version was called gbpkm.sys.

    I tried all the canned responses; no virus checker or malware program stood a chance. Restoring from before life existed on earth didn't work, upgrading the OS didn't work, and using Avenger to weed out rootkits and bad stuff long before Windows starts was the best shot, but it didn't work, and the Brazilian banks have successfully wiped out specialized related programs designed to kill it. (Of course reformatting your hard drive and starting with a blank disk would work.) Arg. This link gave me the most information, but the initial solution documented near the top did not work; the hundred comments below show numerous perspectives, including from one of the original developers, and the fix I found is short and buried in the middle:
    http://insanebits.blogspot.com/2007/04/g-buster-browser-defense-analysis-and.html

    I have it fixed on my computer now. Much to my displeasure, I used a free Linux-based tool found at the link below and followed the directions to a T (see their docs; "Noobies" and "Getting Started" taught me how to navigate the disk drives). I created a Linux boot CD, used Linux commands to navigate to the offending files, then rebooted into Windows and edited the Registry to remove the dozen or so entries:

    http://trinityhome.org/Home/index.php?pid=1&wpid=5&p_node=1&edit_pid=5&front_id=12

    For my Brazilian bank, Caixi Economica, the bad files are:
    c:\Program Files\GbPlugin\cef.gpc
    c:\Program Files\GbPlugin\gbidh.gmd
    c:\Program Files\GbPlugin\gbiehCef.dll
    c:\Program Files\GbPlugin\gbpdist.dll
    c:\Program Files\GbPlugin\gbpsv.exe
    c:\Windows\System32\drivers\gbpkm.sys

    I found registry keys by searching for "gbplugin" and removing ones closely named too, for my pc:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\GblehObjClass
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginCef
    HKLM\Software\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}
    HKLM\Software\Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}
    HKLM\Software\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\Software\Classes\GbiehCef.GbPluginObj
    HKLM\Software\Classes\GbiehCef.GbPluginObj.1
    HKLM\Software\Classes\GbiehCef.GbIehObj
    HKLM\Software\Classes\GbiehCef.GbIehObj.1
    HKLM\Software\Classes\GbpDist.GbpDistObj
    HKLM\Software\Classes\GbpDist.GbpDistObj.1
    HKLM\Software\Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}
    HKLM\Software\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellExtensions\Approved\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\SYSTEM\ControlSet001\Services\GbpKm
    HKLM\SYSTEM\ControlSet001\Services\GbpSv
    HKLM\SYSTEM\ControlSet002\Services\GbpKm
    HKLM\SYSTEM\ControlSet002\Services\GbpSv
     
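    The post above gives the file list and the registry keys as something to work through by hand in regedit. The script below is an added example written for this thread, not code from the poster or from the plugin's vendor: it audits a machine for exactly the artifacts listed above and, with -Remove, deletes whatever is still present. It assumes the file and key names are the ones the poster listed, that the machine may be 64-bit (so it also checks Program Files (x86) and the Wow6432Node mirror of each Software\ key), and that the gbpkm.sys driver and GbpSv service are no longer running because their files were already deleted from the Linux boot CD, which is the step the poster found could not be skipped. Two registry details differ from the bare key list: ShellExecuteHooks and Shell Extensions\Approved record the CLSID as a value name under the key rather than as a subkey, and the real key name is "Shell Extensions" with a space. Run it from an elevated PowerShell prompt.

```powershell
# Audit (and, with -Remove, delete) the G-Buster/GbPlugin leftovers listed in the post above.
# Added example, not code from the original post or from the plugin's vendor.
# Assumes: names are exactly as the poster listed them; gbpkm.sys and GbpSv are already
# stopped/deleted offline (Linux boot CD). Deleting a live, self-protecting driver from
# inside Windows is exactly what the poster found does not work.
[CmdletBinding()]
param([switch]$Remove)

# Files from the post. On 64-bit Windows a 32-bit plugin lives under "Program Files (x86)",
# so both locations are checked (the (x86) variable is empty on 32-bit Windows).
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$files = foreach ($dir in $programDirs) {
    foreach ($name in 'cef.gpc', 'gbidh.gmd', 'gbiehCef.dll', 'gbpdist.dll', 'gbpsv.exe') {
        Join-Path $dir "GbPlugin\$name"
    }
}
$files += Join-Path $env:SystemRoot 'System32\drivers\gbpkm.sys'

# Registry subkeys from the post, relative to HKLM\Software. 32-bit COM/BHO registrations
# on 64-bit Windows are mirrored under Wow6432Node, so each key is checked in both places.
$softwareKeys = @(
    'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\GblehObjClass',
    'Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginCef',
    'Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}',
    'Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}',
    'Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}',
    'Classes\GbiehCef.GbPluginObj', 'Classes\GbiehCef.GbPluginObj.1',
    'Classes\GbiehCef.GbIehObj',    'Classes\GbiehCef.GbIehObj.1',
    'Classes\GbpDist.GbpDistObj',   'Classes\GbpDist.GbpDistObj.1',
    'Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}',
    'Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}'
)
$keys = foreach ($k in $softwareKeys) { "HKLM:\Software\$k"; "HKLM:\Software\Wow6432Node\$k" }

# The service and driver entries exist in every control set on disk, not only 001/002;
# CurrentControlSet is a link to whichever one booted, so enumerate them all.
foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }) {
    foreach ($svc in 'GbpKm', 'GbpSv') { $keys += "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$svc" }
}

# ShellExecuteHooks and Shell Extensions\Approved register the CLSID as a *value name*
# under the key, not as a subkey, so these are located and removed as values.
$hookClsid = '{E37CB5F0-51F5-4395-A808-5FA49E399003}'
$valueHosts = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)

# -LiteralPath throughout: the braces in CLSIDs would otherwise be treated as wildcards.
$found = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $found += [pscustomobject]@{ Kind = 'File'; Path = $f; Value = $null }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $found += [pscustomobject]@{ Kind = 'Key'; Path = $k; Value = $null }
    }
}
foreach ($h in $valueHosts) {
    if ((Test-Path -LiteralPath $h) -and ($null -ne (Get-Item -LiteralPath $h).GetValue($hookClsid, $null))) {
        $found += [pscustomobject]@{ Kind = 'Value'; Path = $h; Value = $hookClsid }
    }
}

if (-not $found) { Write-Host 'No GbPlugin artifacts found.'; return }
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        try {
            switch ($item.Kind) {
                'File'  { Remove-Item -LiteralPath $item.Path -Force -ErrorAction Stop }
                'Key'   { Remove-Item -LiteralPath $item.Path -Recurse -Force -ErrorAction Stop }
                'Value' { Remove-ItemProperty -LiteralPath $item.Path -Name $item.Value -ErrorAction Stop }
            }
            Write-Host "Removed $($item.Kind): $($item.Path) $($item.Value)"
        } catch {
            # A locked file or a key that cannot be deleted usually means the driver is
            # still live: go back to the offline (Linux boot CD) step before retrying.
            Write-Warning "Could not remove $($item.Path): $($_.Exception.Message)"
        }
    }
}
```

    Run it once without -Remove to see what is still on the box, and again afterwards to confirm the list is empty; an "access denied" on gbpkm.sys or on the Services\GbpKm key is the tell that the driver is still loaded and the file has to go from outside Windows first. The parent ShellExecuteHooks key itself is deliberately not deleted here, since other shell hooks can be registered under it; only the plugin's own CLSID value is removed.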
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have moved your thread to the software forum where others may find this info of interest. ;)
     
