Tracks - Are they really innocuous?

[bjmcdow]

My cousing was recently the victim of an "account takeover" at his financial institution. He was instructed to immediately run a virus scan on his computer, change all passwords, etc. We updated all of his spyware detection and anti-virus tools, ran the scans (several times each, just to be safe), and everything seems to be pretty good except for this one thing that gets "fixed" but then comes right back - MS DirectInput. Reading through the forum, it appears that this is dismissed as just "tracks" and nothing to worry about. However, if my cousin was the victim of a banking trojan and/or a keylogger, shouldn't he be worrying about this MS DirectInput? If not, can someone explain why not? When we researched banking trojans, the info was really disconcerting. It appears that newer strains are able to hide from malware detection programs pretty easily.

So, is MS DirectInput showing up as Tracks really nothing to worry about?
Short of a reformat and clean install (for which he can't find his software), how does he know that he's protected?

[tashi]

Hello bjmcdow,

My cousing was recently the victim of an "account takeover" at his financial institution. He was instructed to immediately run a virus scan on his computer, change all passwords, etc. We updated all of his spyware detection and anti-virus tools, ran the scans (several times each, just to be safe), and everything seems to be pretty good except for this one thing that gets "fixed" but then comes right back - MS DirectInput. Reading through the forum, it appears that this is dismissed as just "tracks" and nothing to worry about. However, if my cousin was the victim of a banking trojan and/or a keylogger, shouldn't he be worrying about this MS DirectInput? If not, can someone explain why not? When we researched banking trojans, the info was really disconcerting. It appears that newer strains are able to hide from malware detection programs pretty easily.

Which version of Spybot is your cousin using please and is there a reason he isn't making his own inquiry, or do you have access to his PC?

http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

Kind regards,

[bjmcdow]

Hi Tashi!

My cousin was using my laptop. He is not very computer savvy so, since it is my laptop to begin with, he gave it back to me in frustration. I have spent the better part of the past two days troubleshooting this. I'd like to be able to use this machine without fear of having the same issues he had, particularly the issue he had with the bank account "takeover."

I'm using Spybot 2.2 (Free edition) on the machine. It's an HP Pavillion laptop (Intel i5), 4GB RAM, with Windows 7 Home Premium, Service Pack 1. Here's what I've done so far...

Deleted unused user accounts
Updated Spybot to version 2.2, ran scans, applied fixes, applied immunization
Updated Avast! to version 2014.9.0.2008, ran scans, applied fixes

Spybot scans keep showing low threat stuff, including the tracks that prompted me to make my initial post. Since that post (and running several other programs), an additional concern has arisen. One of tools identified "PerfectKeylogger" (don't recall which one) and RogueKiller identified several registry entries that should be deleted (which I did).

Additional tools used: Ran MalwareBytes, AdwCleaner, Junkware Removal Tool, and Rogue Killer.

Registry entries of concern:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]"{59031a47-3f72-44a7-89c5-5595fe6b30ee}"=dword:00000001

RogueKiller seems to have eradicated the problem registry keys, but how do I know if I'm really safe?

Guidance appreciated!

Bethany (bjmcdow)

Hello bjmcdow,

Which version of Spybot is your cousin using please and is there a reason he isn't making his own inquiry?

http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

Kind regards,

[tashi]

Hi bjmcdow,

Thank you for the information.

One of tools identified "PerfectKeylogger" (don't recall which one)

If you did not install a key logging program on the laptop, someone with physical access?

It might be best if you start a topic in the Malware Removal Forum so someone can take a look at the system.

If you choose to do that please see the forum FAQ which also includes instructions in post #2 on how to provide DDS and aswMBR logs, which are used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

From the sticky,
"If one has already run tools/fixes before posting please inform your helper, so that s/he is aware changes may have been made to the system and why. Running fixes before being assisted can destroy evidence in an infection, leaving the malware difficult to detect."

For that reason please provide a link back to this thread so that our volunteer analysts know the background.

Best regards.