Hi guys, this is my first post here, so forgive me for minor problems with this post. Let's get to it:

 

My problem and my fight:

  My Windows 7 computer is infected with a piece of malware; Malwarebytes Anti-Malware does not detect it, and I can't remove it. I have already tried everything I could, and this malware has been dodging every attack I came up with for years. I think it's been about 5 years of struggle already, and I have just given up by now and hope someone can win this fight for me, because I know by now I can't.

 

 

The malware:

  It is called G-Buster Browser Defense (or Gbp Service). It is developed by a company called GAS Tecnologia, from Brazil, and it is used by almost every single Brazilian internet banking system. Supposedly, it is a simple plugin which makes your internet banking activities "secure" (like there are no already existing options to make such transactions secure over the web, right?...).

 

  Most banks make us install it so we can have access to our accounts over the internet. However, this "plugin" is by all means a rootkit malware: it has privileged access, more than any system Administrator, over your own computer; it runs on startup, even in Safe Mode, even if you explicitly uncheck the process or service from msconfig (they are checked when you come back to see if it worked); you cannot delete the executable files or DLLs which make it run; you cannot kill the process and service from task manager (it starts again immediately after such try); and it is linked directly to the Winlogon process, meaning you have no hope of killing it without killing Windows with it.

 

  I installed this "plugin" in the past because I was unaware of what it was and because I actually had to use internet banking and so was forced into it. For some time now I have been a client of a bank which does not force internet users to install any such malware (maybe they are realizing what this plugin really is by now). I don't have bank accounts with any other bank now, but I still carry this malware in my computer, and it is consistently consuming resources.

 

 

Why this is more important than you may think:

  This plague of a plugin proliferated incredibly in Brazil. Really, you have no idea how many Brazilian computers have this installed, and users have no idea that that thing they installed once just to check their accounts is running and making their computers unstable at each and every moment. Sometimes I like to check on friends' and acquaintances' computers if they have this, and I have seen it in ALL of them.

 

  The company which makes the malware, GAS Tecnologia, is in my opinion a shady company which has no respect for internet users; they are only interested in their clients: the banks. You can see from their website <http://www.gastecnologia.com.br/pt/> (in Portuguese) that they do not give any email contacts; they give you their 2 physical addresses (which given the size of Brazil is like a bad joke) and a phone number which they do not answer. They announce their "plugin" as a great tool for internet banking and show you all their clients and how great they are, ignoring completely that the end-users of their malware product are common people who do not know who they are, and when they do know, it is likely because they found their product silently killing their computers and want to get rid of it immediately.

 

  I have found a lot of blogs, forums and posts about ways to get rid of this malware, but none of them has worked so far. One of the reasons for this is that it seemingly updates itself without the users' knowledge. I think the company employs its developers to look for these solutions over the internet and find ways to counter them.

 

  All of these shady tactics would be bad enough, but even worse is how this plugin really hurts millions of computers. I have found news articles about how this plugin would be the cause of major problems occurring in many Windows systems. One such article (in Portuguese) is this <http://g1.globo.com/tecnologia/noticia/2013/04/software-bancario-brasileiro-pode-ser-causa-de-travamento-do-windows-7.html>, in which GAS deals with the news reporters as they deal with their malware victims: ignoring completely and not answering anything. From my side, I can say that my brother's computer from a few years back suffered major system stability issues due to the plugin's DLL (gbieh.dll), and I believe it was the major reason for him to go buy a new computer when there would be no need for such.

 

 

Only possible solutions I found so far:

  There are 3 actual solutions to remove the malware which I have found so far (and I believe they work, but I did not test them):

    1- You format your whole Hard Disk;

    2- You plug your Hard Disk to another computer as a secondary drive, or install and log into Linux, and delete the files from there;

    3- You call your bank which made you install the plugin and they will give you a password to uninstall it, as described here <http://forum.clubedohardware.com.br/topic/1004004-resolvido-g-buster-browser-defense-como-tirar-essa-praga/> (in Portuguese).

 

  I don't like any of the options. Formatting my HD is out of the question. Removing my HD and attaching it to another computer, as well as installing Linux, may be an option if this malware continues to drive me insane, but I think I don't have enough energy left to do all this and maybe deal with the frustration I may have if I still do not get rid of it (I expect all the worst from these GAS folks). I could maybe call the bank to solve it, the problem being that I do not know which of the banks made me install this back then, and I don't have any accounts in those banks anymore, which could make them simply refuse to help me. Besides, I do not want to concede to big and powerful banks that I should need to call them, wait on the line, explain situations and take notes of procedures and passwords to get rid of a malware (which they gave me) from my own computer. It is a distortion of the principles of respect for internet users which is beyond anything I have seen.

 

 

Malwarebytes' fail:

  Malwarebytes Anti-Malware does not detect the G-Buster plugin as malware. Also, other beta solutions I tried (such as Malwarebytes Anti-Rootkit Beta) do not detect it either. Other antivirus and anti-malware products do not detect it either. I don't know why this is so. My belief is that GAS somehow lobbied and convinced folks that their "plugin" is not malware. Or maybe it really has gone unnoticed, since what this plugin really excels at is hiding itself and being shady. Or maybe Brazilian users have not complained enough, which could be true since the level of computer knowledge here is lower than in many places (thus the plugin remaining unnoticed) and since we may culturally have a defeatist way of seeing problems, where powerful institutions such as banks can do us harm and we don't believe we have anything to do or anywhere to go to counter this.

 

 

The actual files and folders:

  In my Windows 7 64-bit computer, G-Buster files are present in "C:\Program Files (x86)\GbPlugin\". The names of the files currently there are: "abn.gpc", "gbieh.gmd", "gbiehabn.dll", and "GbpSv.exe". I have also seen before a file named "gbieh.dll" either in my computer or in others'. These files are impossible to delete even in Safe Mode, and when attempts are made, I have such errors as "access denied", "this file is currently being used by another", "you don't have admin permission" and such.

 

  A driver is installed by them in "C:\Windows\SysWOW64\drivers\GbpKm.sys". We have more of their files in "C:\ProgramData\GbPlugin\Bb", namely "Bb.gdt", "Bb.mnn", "GbpMid3.gbp"; and in "C:\ProgramData\GbPlugin\Abn", namely "00000B34.tmp", "000002FC.tmp", "000012FC.tmp", "00000138.tmp", "00001658.tmp", "Abn.gdt", "bin.stu", "gbieh.mtu", "gmd.stu", "gpc.stu". There are some more in "C:\ProgramData\GAS Tecnologia\GBBD", where there are "abn.gpc", "gbieh.gmd", and a folder "abn" with files "data" and "profile", without file extension.

 

  In msconfig, there is currently the "Gbp Service" listed on Services running on startup, but I have seen it listed under the Startup tab (processes) too. As said before, unchecking it does not work as it will automatically check itself again after you reopen it.

 

  I have found many instances of it in the Registry, but they are numerous and I don't know if they are useful for you. Deleting their keys does not work since it comes back again immediately after. I am attaching the references I see for it in the HijackThis log:

 

O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files (x86)\GbPlugin\gbiehabn.dll

O20 - Winlogon Notify:  GbPluginAbn - C:\Program Files (x86)\GbPlugin\gbiehAbn.dll

O23 - Service: Gbp Service (GbpSv) -   - C:\PROGRA~2\GbPlugin\GbpSv.exe
 

  CCleaner gives me only the following startup program (undeletable) under the Internet Explorer tab (oh, how I wish this malware only ran when IE was on, which is never):

Enabled: Yes

Key: Helper

Program: GbIehObj Class

Publisher: Banco Real

File: C:\Program Files (x86)\GbPlugin\gbiehabn.dll

 

 

Conclusion:

  I am unable to continue this fight and I hope Malwarebytes or others find solutions. If not for me, please do it for the millions of other Brazilians having this malware around.

 

  I hope someday the company that created this malware will have to respond for their actions.

 

  Now please, I beg of you, go get'em.

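The post above lists the persistence points HijackThis reported (a Browser Helper Object, a Winlogon Notify entry, a service and a kernel driver) and notes that the binaries resist deletion while Windows is running. The following is an added example, not code from the original post, from Malwarebytes or from GAS Tecnologia: a read-only PowerShell triage that walks those same registry locations on a 64-bit Windows 7 machine and runs an Authenticode check on every binary they reference, so the GbPlugin entries stand out next to the signed Microsoft ones. It assumes PowerShell 3.0 or later in an elevated prompt; the registry roots are the standard ones HijackThis reads (the Wow6432Node view is where a 32-bit BHO lives on 64-bit Windows), and the `Gbp*` name pattern and `\GbPlugin\` path filter are taken from the post's own file list.

```powershell
# Added example (not from the original post): read-only enumeration of the O2 / O20 / O23
# persistence points with an Authenticode check of each referenced binary. PowerShell 3.0+, run elevated.
# Nothing here stops, deletes or modifies anything.

function Resolve-ImagePath {
    param([Parameter(Mandatory)][string]$Raw)
    # Normalise the spellings found in ImagePath / DllName / InprocServer32 values:
    #   "C:\quoted path\x.exe" -args | \SystemRoot\system32\drivers\x.sys | \??\C:\x.sys | system32\drivers\x.sys
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(?<f>.+?\.(exe|dll|sys))(\s|$)') { $p = $Matches.f }
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # driver paths are often relative
    $p
}

function Test-Binary {
    param([string]$Kind, [string]$Name, [string]$Raw)
    if (-not $Raw) { return }
    $path   = Resolve-ImagePath $Raw
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Kind   = $Kind
        Name   = $Name
        Path   = $path
        Exists = $exists
        Status = if ($sig) { $sig.Status.ToString() } else { 'missing' }   # Valid / NotSigned / HashMismatch / ...
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Get-PersistenceBinaries {
    # O2: Browser Helper Objects. The BHO list and the CLSID it points at are both read from the same view.
    $bhoRoots = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'             = 'Registry::HKEY_CLASSES_ROOT\CLSID'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    }
    foreach ($root in $bhoRoots.Keys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($k in Get-ChildItem -LiteralPath $root) {
            $clsid = $k.PSChildName
            $srv = Get-ItemProperty -LiteralPath "$($bhoRoots[$root])\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { Test-Binary -Kind 'BHO (O2)' -Name $clsid -Raw $srv.'(default)' }
        }
    }
    # O20: Winlogon Notify entries (still a useful marker even where the OS no longer loads them).
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($k in Get-ChildItem -LiteralPath $root) {
            $dll = (Get-ItemProperty -LiteralPath $k.PSPath).DllName
            Test-Binary -Kind 'WinlogonNotify (O20)' -Name $k.PSChildName -Raw $dll
        }
    }
    # O23: Win32 services and kernel drivers share one tree; Type 1/2 = driver, 16/32 = service.
    foreach ($k in Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $v = Get-ItemProperty -LiteralPath $k.PSPath
        if (-not $v.ImagePath) { continue }
        $type = [int]$v.Type
        if ($type -band 0x3) { $kind = 'Driver (O23)' } elseif ($type -band 0x30) { $kind = 'Service (O23)' } else { continue }
        Test-Binary -Kind $kind -Name $k.PSChildName -Raw $v.ImagePath
    }
}

$all = Get-PersistenceBinaries

# Triage view: everything not carrying a valid Microsoft signature. Third-party software shows up here too;
# the point is that the entries from the post land next to them instead of being hidden in the full list.
$all | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Kind, Name | Format-Table Kind, Name, Status, Signer, Path -AutoSize

# The specific entries the post names (assumed pattern 'Gbp*' for GbpSv/GbpKm; the BHO is matched by its path).
$all | Where-Object { $_.Name -like 'Gbp*' -or $_.Path -like '*\GbPlugin\*' } | Format-List

# Whether the kernel driver is actually loaded is what decides if user-mode deletion can work at all.
Get-WmiObject Win32_SystemDriver -Filter "Name LIKE 'Gbp%'" | Select-Object Name, State, StartMode, PathName
```

Two practical points. The `Status` column is only a starting point: a binary can be validly signed by its vendor and still be unwanted, which is exactly the situation described in the thread, so the `Signer` column matters more than `Status` alone. And the last line is the check worth doing before any removal attempt: if a kernel driver from the same vendor reports `State = Running`, file deletion and process termination from a normal or Safe Mode session are being blocked at kernel level, which is why the posts below point to an offline boot (another OS or a boot CD) as the only way to remove the folder while the driver is not loaded.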

Hello and Welcome to Malwarebytes

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you


Ok, I am a bit confused now. Did you read my post? Because it looks a lot like an automatic answer. I know I am infected, and I have said already that this malware is not only affecting me, but millions of other computers. My intention is for Malwarebytes' tools to find and recognize the malware (which I already pointed to with details on files, folders, and where to get it), and be able to remove it.

 

I have read the pinned topic you provided me, and went all around the other sublinks there too, as exhausting as that was. Now believe me, I have done all of that already. Running Malwarebytes Anti-Malware tools is NOT the problem, as it runs fine; I say this again: the problem is that MAM won't find and recognize the malware, so how is it supposed to remove it?

 

Maybe I should get one-on-one assistance (and I have said already that I may have some hard ways to remove the malware), but that defeats the entire purpose of my post. What I am giving you is a report on a nation-wide malware spread and asking for Malwarebytes if you can come up with solutions for that. If you can't or won't even try, just tell me already so I can stop hoping for something to be done for these users. Then I'll just either get my hard disk formatted or throw away this computer and get a new one, while taking pity on the millions of users in the country who will never know and will never get rid of this malware, all the while suffering its side effects.


Yes, I read your post, and my reply, although it seems to be an automatic reply, is what you need to do to get the computer cleaned up. We do not work on malware removal in this section of the forum.

 

If you want Malwarebytes to detect this said infection and you have the files that are associated with this infection, then submit them to the Malwarebytes Research Team for review, and if they are found to be malicious they will be added. You can submit the files HERE


I read about this a while back, about a Windows update problem. It is not considered malware.

 

I did a Google search > G-Buster Browser Defense - service < that came up with plenty of information.

Seems like it cannot be removed with Windows running because of the protection. You have to boot from a Linux or other boot CD to remove the Program Folder.

 

Do the search and read the results.

 

Hiren's Boot CD is an easy way to delete programs using the Mini XP menu.


KenW:

You are neither a member of "Trusted Advisors" nor of "Experts", so please... Do not provide any form of assistance to those who are infected with malware, those who may be infected with malware, or those who have a Potentially Unwanted Program (PUP) intrusion.

 

Reference:

TROJ_SCAR.ACR
