Interviewed by CNN on 12/05/2012 19:07, Paul B. Gallagher told the world:
> You guys will probably find these links interesting and/or entertaining:
>
> <http://www.gringoes.com/forum/printer_friendly_posts.asp?TID=14465>
> Gripe session on G-Buster/Brazilian banks
>
> <http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/impossible-to-get-rid-of-g-buster-browser-defense/9536bffb-ef87-4d48-b046-10eb68af37c0>
> Various thoughts on how to remove the worm.
>
> <http://forums.spybot.info/showthread.php?t=61409>
> Another guy's idea on how to remove the worm (I make no claims or
> warranties as to accuracy or efficacy).
>
> From what I've read, the idea seems to be that the user must install
> Internet security software, but it's not enough that they do so, they
> must install precisely the bank's preferred ISS. On every ^%$#^% machine
> they ever use to access the account. It makes me wonder if the banks
> have a financial relationship to the SW vendor.
>
I have extensive experience with this "G-Buster" crap. It's not an antivirus, anti-spyware or firewall; it's mostly a browser plugin whose main purpose apparently is to establish some sort of encrypted tunnel connection between the browser and the bank. This is not a retail product; the banks purchase the "security solution" from a company called GAS and offer it as a download on their websites.

If that was all it did, it would have been fine... The problem is that the IE version installs itself in Windows (as opposed to installing itself just as an IE extension) using rootkit techniques -- it runs ALL THE TIME, and protects itself very aggressively from being shut down or removed. It messes with permissions (both NTFS and Registry permissions) and protects those permissions too. Not only does it use a lot of CPU cycles to protect itself, it will often enter a race condition with your antivirus, causing very high CPU usage.

The only reasonably reliable way I found to remove it (without help from the bank) is to boot from a CD (Linux, UBCD4WIN or similar) and remove the G-Buster executables before boot. It still leaves lots of entries in the Registry, which I found out the hard way it's best not to mess with...

And yes, supposedly you can call the bank support line and ask to remove it. There is a somewhat complicated procedure (go to a special webpage, generate a computer signature, call the bank support line with the signature code and they will supply a utility that will uninstall it from *that specific computer only.*)

Fortunately, the Firefox version is a straight Firefox extension, that not only does not interfere with other programs but can be disabled at will. I'm told that other browsers (Chrome, Opera) use a Java-based solution...

-- 
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized use will be prosecuted under the DMCA.

-=-=-
... Sent from my table at Ten Forward.

