What is Blubster? Options

[Wonnov Menny]

I've not run A-Squared Free scanner in many months. A friend told me they have a new version which I should try, so I gave it a go to see if it's improved. The quick scan found 10 traces of "Blubster" (see log below). KIS and SuperAntiSpyware did not find anything.

I have not allowed a-squared to remove this yet, as I don't know if it's a false positive.

What should I do (recommendations)?
Why does KIS not detect this?
What is InProcServer32?
What is Blubster?

==LOG FILE STARTS==================================
a-squared Free - Version 3.0
Last update: 10/09/2007 10:10:37

Scan settings:

Objects: Memory, Traces, Cookies
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 10/09/2007 10:25:21

Value: HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Blubster

Scanned

Files: 1420
Traces: 139203
Cookies: 11
Processes: 38

Found

Files: 0
Traces: 10
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 10/09/2007 10:26:36
Scan time: 00:01:15
==LOG FILE ENDS====================================

[p2u]

What is InProcServer32?
InprocServer32 is a normal part of Windows, and will appear in hundreds of CLSID keys. It tells Windows how that particular class should be used and where the file for it can be found. Whether the CLSID keys were simply written corrupt or are actually connected to some sort of malware we can't tell you for sure as you will understand. The {Default} values under the InprocServer32 keys should point to actual files on your system somewhere.

What is Blubster?
Blubster is a file sharing program, which connects computers peer-to-peer (direct from one computer to another) so that users may transfer files between them. If you don't even know what it is, then these 'found' objects may be false positives.
How Blubster works:
* Blubster, by default, starts at the same time the computer starts. This means that, no matter what you are doing, Blubster is running in the background.
* Whenever the computer is connected to the network or internet in any way, Blubster becomes active. It transmits two sets of information across whatever network it is connected to.
* The first signal basically says, "Hi, I'm here and I have files to share!" The second one says, "Hey, is anyone out there who has files?" Blubster sends these two sets of signals at regular intervals, up to dozens of times a minute. This creates significant traffic on whatever network the given computer is on. When multiple computers are doing the same thing at the same time, the network traffic increases exponentially.
* When the signals go out, they find other computers broadcasting similar signals. That way, if Blubster is running in the background on your computer, someone else *could* find your machine, connect to it, and start downloading files without you even knowing it.

Why does KIS not detect this?
What if those objects are NOT traces of malware, but just false positives?

Paul

This post has been edited by p2u: 12.09.2007 15:07

[Baz^^]

..and its a registry key that is harmless without the corresponding executables... (which K will deal with if they are present)

[Wonnov Menny]

tried to reply yesterday, but the forum just wouldn't play ball.. the new server is much slowwweeerrr than the old one.

p2u: thank you for the good explanations. I've never heard of blubster before, but then again I don't do file sharing/peer to peer as I thought it was illegal and riddled with virus and trojan. I certainly don't like sound of something running in background allowing D/L from this PC without my knowledge.

Possibly it is a false positive (a-squared was prone to this), but the reg keys seem to be there even though the program files are not. False positives are the sort of thing which confuse users who rely on these security softwares to know their stuff. It's in cases like this where users don't know whether to allow the app to fix the problem or not. The reg keys could actually relate to something quite different so removal would cause problems.. Some years ago I had problems caused by allowing Norton Systemworks to fix registry faults it detected. I suppose the only other way for users to double check is to run google search for each CLSID.


MAPKOBKA^^: I appreciate reg keys are harmless without executables and understand that KIS would remove the program files if they were on this PC. But what is the point in KIS ignoring these reg keys and causing unnecessary registry bloat. Surely it would be more efficient and tidier to remove if not a false pos. Maybe I run JV16 and see if it finds any orphan reg keys.

I can't understand how these reg keys could be present but the program files (which create the reg keys) are not?? I'd like to know what created these reg keys on this system. For now I leave them and trust in KIS.

[p2u]

I can't understand how these reg keys could be present but the program files (which create the reg keys) are not?? I'd like to know what created these reg keys on this system. For now I leave them and trust in KIS.

Did you check manually if they are really there?

Paul

[alexrider1234]

Maybe somebody used Blubster on the computer the uninstalled, just let a-squared remove the keys and you'll be fine. And yes, most the files on file sharing programs are illegal.

This post has been edited by alexrider1234: 13.09.2007 18:10

[Wonnov Menny]

Did you check manually if they are really there?

Yes, I searched for the CLSID's using JV16. It found these entries, which all had the same last modified date of June 15 2007, 22:58 ...

HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\@ : XceedSmartUI.ppImageList
HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\InprocServer32\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\InprocServer32\@ : C:\WINDOWS\system32\SmartUI2.ocx
HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\InprocServer32\InprocServer32 : ZkF2TI4E1=P6np6~L63Z>(E7lTwBO*@10{xUg$-1@
HKEY_CLASSES_ROOT\CLSID\{8C11E411-860C-4BAE-A0F4-CBE8DAE6B84C}\InprocServer32\ThreadingModel : Apartment
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\@ : XceedSmartUI.clsLicensing
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\Implemented Categories\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\InprocServer32\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\InprocServer32\@ : C:\WINDOWS\system32\SmartUI2.ocx
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\InprocServer32\InprocServer32 : ZkF2TI4E1=P6np6~L63Z>(E7lTwBO*@10{xUg$-1@
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\InprocServer32\ThreadingModel : Apartment
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\ProgID\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\ProgID\@ : XceedSmartUI.clsLicensing
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\Programmable\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\TypeLib\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\TypeLib\@ : {84F88E17-9508-403E-A0C1-BBF8CA57433B}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\VERSION\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9583E033-1CCC-446E-A858-317A0620EE66}\VERSION\@ : 1.3
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\@ : XceedSmartUI.SmartUI
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Control\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Control\@ : N/A
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Implemented Categories\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\InprocServer32\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\InprocServer32\@ : C:\WINDOWS\system32\SmartUI2.ocx
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\InprocServer32\InprocServer32 : ZkF2TI4E1=P6np6~L63Z>(E7lTwBO*@10{xUg$-1@
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\InprocServer32\ThreadingModel : Apartment
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\MiscStatus\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\MiscStatus\@ : 0
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\MiscStatus\1\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\MiscStatus\1\@ : 164241
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\ProgID\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\ProgID\@ : XceedSmartUI.SmartUI
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\ToolboxBitmap32\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\ToolboxBitmap32\@ : C:\WINDOWS\system32\SmartUI2.ocx, 30000
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\TypeLib\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\TypeLib\@ : {84F88E17-9508-403E-A0C1-BBF8CA57433B}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\VERSION\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{9E6A5B24-1FBC-42D9-870D-07D5C5738075}\VERSION\@ : 1.3
HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\@ : XceedSmartUI.ppItemsProperty
HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\InprocServer32\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\InprocServer32\@ : C:\WINDOWS\system32\SmartUI2.ocx
HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\InprocServer32\InprocServer32 : ZkF2TI4E1=P6np6~L63Z>(E7lTwBO*@10{xUg$-1@
HKEY_CLASSES_ROOT\CLSID\{EA6DA0D5-1021-4F55-ACBA-D1D8BA7EAB2C}\InprocServer32\ThreadingModel : Apartment
HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\@ : XceedSmartUI.ppMain
HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\InprocServer32\{KEY} : {KEY}
HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\InprocServer32\@ : C:\WINDOWS\system32\SmartUI2.ocx
HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\InprocServer32\InprocServer32 : ZkF2TI4E1=P6np6~L63Z>(E7lTwBO*@10{xUg$-1@
HKEY_CLASSES_ROOT\CLSID\{EE12598F-BD9F-4BAD-BB13-D49829A024FE}\InprocServer32\ThreadingModel : Apartment
HKEY_CLASSES_ROOT\XceedSmartUI.clsLicensing\CLSID\@ : {9583E033-1CCC-446E-A858-317A0620EE66}
HKEY_CLASSES_ROOT\XceedSmartUI.SmartUI\CLSID\@ : {9E6A5B24-1FBC-42D9-870D-07D5C5738075}


I don't understand what most of the above means, so I did a file search for SmartUI2.ocx then checked it's properties which contained xceedsoftware inc. www.xceedsoft.com, but I didn't find anything relating to blubster there.

I then searched for any files with the same date as the registry modified date/time (June 15 2007, 22:58), this turned up results... Lots of entries relating to a freeware program called CD Burner XP Pro 3, which I have installed.

So it appears that A-Squared has falsely identified CD Burner XP Pro3 as Blubster. If I had allowed a-squared to remove the reg keys then would the CD burner program have had problems running?

Has anyone else used CD Burner XP Pro 3? Is it malware? Should I uninstall it?

[Wonnov Menny]

Maybe somebody used Blubster on the computer the uninstalled, just let a-squared remove the keys and you'll be fine.

No, this was a brand new PC that I unpacked, nobody else has installed anything on it.

Good job I didn't allow A-Squared to remove the reg keys though (see my other post), it seems it was a false positive identifying CD Burner XP Pro 3 as Blubster. Removing the keys may have caused problems with the CD Burner program.

[Baz^^]

Seemed a bit strange it was only detecting reg keys... I'm sure A2 would have a "restore" function to put them back though?

[p2u]

Seemed a bit strange it was only detecting reg keys... I'm sure A2 would have a "restore" function to put them back though?

This is A2 free... If you install a trial version of the real stuff (A2 Pro or whatever), I'm sure it won't list these traces. I've seen this before... )))

Paul

[Baz^^]

Dirty underhand scare tactics then, Paul?

[p2u]

Dirty underhand scare tactics then, Paul?

Yes, Sir. This is called FUD (Fear, Uncertainty and Doubt, a marketing strategy that appeals to people's fear in the hopes of selling them a Pro version so they will feel better protected).

Paul

This post has been edited by p2u: 15.09.2007 23:47

[Wonnov Menny]

I don't want the pro version of A-Squared. I have KIS and SuperAntiSpyware Free. I don't want to upset the harmony by installing other real-time protection methods.

Before I used KIS on this new PC, I followed the staysafe security guide here:- How to stay safe and keep free of spyware and virus

I used to have all sorts of stuff on my old PC (SpyBlocker, SpyWareStopper, AdAware, Spybot S&D, Norton IS, SpywareBlaster, A-Squared free, IEAdBlock, TDS3, ProcessGuard, plus others I can't remember, all used in various combinations of realtime/scan only/killbit protection), but now after chatting with you guys on this forum, I rely on KIS. It sometimes feels like I am missing some protection by going against what I previously learned, I just hope KIS will not let me down and will offer the same protection against virii, trojans and spyware that all the other stuff did. I know Kaspersky are v.good at virus detection, but I don't know about trojan and spyware and bots, etc, I just hope I am protected?

I see Symantec have released Norton AntiBot. I would have expected NIS to detect Bots without having to pay for extra s/ware! Does KIS detect BOTS or do I need something extra ?

Does anyone know if CD Burner XP Pro 3 is definitely OK or should I uninstall it?

[Baz^^]

I don't want the pro version of A-Squared. I have KIS and SuperAntiSpyware Free. I don't want to upset the harmony by installing other real-time protection methods.

Before I used KIS on this new PC, I followed the staysafe security guide here:- How to stay safe and keep free of spyware and virus

I used to have all sorts of stuff on my old PC (SpyBlocker, SpyWareStopper, AdAware, Spybot S&D, Norton IS, SpywareBlaster, A-Squared free, IEAdBlock, TDS3, ProcessGuard, plus others I can't remember, all used in various combinations of realtime/scan only/killbit protection), but now after chatting with you guys on this forum, I rely on KIS. It sometimes feels like I am missing some protection by going against what I previously learned, I just hope KIS will not let me down and will offer the same protection against virii, trojans and spyware that all the other stuff did. I know Kaspersky are v.good at virus detection, but I don't know about trojan and spyware and bots, etc, I just hope I am protected?

I see Symantec have released Norton AntiBot. I would have expected NIS to detect Bots without having to pay for extra s/ware! Does KIS detect BOTS or do I need something extra ?

Does anyone know if CD Burner XP Pro 3 is definitely OK or should I uninstall it?

Antibot sounds very gimmicky IMHO... A good firewall and antivirus will keep you safe from bots.

Basically antibot is a standalone version of the Kaspersky equivalent (proactive defense) which analyses processes by their behaviour and is not signature based. Kaspersky provides the same amount (if not more) protection because it does detection by behaviour, and signature based detection PLUS heuristic detection of threats, something which Norton wants you to pay extra for. Honest opinion...they are just trying to grab as much cash off you as possible. Kaspersky does all of those things Norton Antibot+antivirus does for one price..... and you don't have to bloat your computer by running extra scanning engines.

This post has been edited by MAPKOBKA^^: 17.09.2007 16:02