Fixed: Protexis.MOD

Status
Not open for further replies.

dooleda

New member
Spybot detected Protexis.MOD on my computer. I let Spybot fix it, but can someone give me any more details about this keylogger? Where does it come from? What does it do besides capture keystrokes (I assume for banking websites, etc.)? How can I tell if it got anything off my computer?
 
Seconded

I have no idea but I second your question. The directories in question -- C:\ProgramData\Protexis , C:\ProgramData\Protexis\DL and C:\ProgramData\Protexis\State -- were all empty. A Google search returned only a small number of hits -- none very enlightening.
 
> I have no idea but I second your question. The directories in question -- C:\ProgramData\Protexis , C:\ProgramData\Protexis\DL and C:\ProgramData\Protexis\State -- were all empty. A Google search returned only a small number of hits -- none very enlightening.

me too ...exactly

anyone?:beerbeerb:
 
hmm this may just be a coincidence, but spybot just happened to detect the same keylogger today when I scanned!

Merry Christmas :santa:
 
As the topic is getting longer, I have moved it to the false positives forum (just in case), and will bring to the attention of a detective. :)
 
hello,

It appears that Protexis is the publisher of the qwertystudio MOD Keylogger, while qwertystudio is the actual vendor. Since it is safe to assume that Protexis also publishes other software, we will consider the Protexis folders as false positives. The Keylogger will also be renamed to Qwertystudio.MOD. This will take effect with the update scheduled for next Wednesday.
 
protexis.mod

There was actually a file in the Protexis folder on my computer before Spybot removed it. The file looked like it had a randomly generated number for a name with a .plf extension. Would this make any difference as far as actually being malware or not?

Does anyone know what the keyloggers from each vendor log? Does someone know if this file came from the publisher Protexis or qwertystudio? Sorry about so many questions, but I would like to know as much as possible about this file since it was found on my computer. I'd like to know what it did or what it possibly could do because I didn't install anything from Protexis or qwertystudio unless it came bundled with something else.

Thanks for any help.
 
> There was actually a file in the Protexis folder on my computer before Spybot removed it. The file looked like it had a randomly generated number for a name with a .plf extension. Would this make any difference as far as actually being malware or not?

This file does not appear to be harmful; the Protexis folder appears to be created with all software that gets promoted/published by Protexis (making it some kind of bundling).

The QwertyStudio.MOD Keylogger only logs keystrokes; it does not appear to have advanced features like making screenshots.

You most likely have software installed that was promoted/published via Protexis. If you are unsure whether some harmful software may be involved, you can create a Spybot S&D or RunAlyzer log and send it to us for analysis.
 
My Protexis.MOD Issue

Well.. spybot has been catching it a lot of times. So I made a RunAlyzer log.
Please check it out.

HIJ is attached
 
@darkblitz

Your HijackThis log does not show any items that are related to the keylogger.

The detection update from 2007-12-26 should not flag the Protexis folders anymore.
 
false positive for qwertystudio.MOD?

spybot s&d reported detection of qwertystudio.MOD, but i think it's a false positive.

OS: Windows XP Home, SP2
Browsers: Firefox 2.0.0.11, Internet Explorer 7
Spybot S&D Version: 1.4.
Latest update: 2008-01-02
False positive occurred in a Scan Result

Qwertystudio.MOD: Web page (File, nothing done)
C:\Documents and Settings\bunnyhero\Local Settings\Application Data\Protexis\UserSettings.xml



i looked inside the reported file. the contents of UserSettings.xml are:

<USER_SETTINGS><PROXY><SERVER IP="" Port="" /><AUTHENTICATION UserName="" Password="" /></PROXY></USER_SETTINGS>

and that's it.
 
Hello bunnyhero,

thanks for reporting this. Looks like we missed this file. This will be fixed by the next update.
 
silly, silly monkeys

Protexis is a DRM company fools! not spyware,
spybot must suck if this is the kind of mis-categorization i can expect to see
 
think about it....

Mind your manners and read page 1 of this thread.
Insulting people will only get you banned; if you just want a place to let off steam, you should go somewhere else.

seriously, spybot is becoming as destructive as the big name AV crap. too many false positives...removing Protexis folders _will_ break any software using that DRM (digital rights mgmt for the ubernubers) (and since it's cnet, yeah there might be oh I dunno, 100000!)

gj spybot, adaware for me
 