Tablet PC functionality incorrectly labeled at Smitfraud-C

[segalsegal]

The latest updates for Spybot (most dated 3 November) seem to recognize some key Tablet PC functionality as a threat and delete it. The damage can be undone with Windows XP System Restore.

Spybot detects what it refers to as "Smitfraud-C.Toolbar888", and flags the following registry entries as problems:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\TabBtnWL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring

It offers to fix the "problem", and if you then re-boot you find that the "Change tablet and pen settings" icon is missing from the tray and many Tablet buttons are disabled (on Motion Computing LS800 the Escape, Function, 5-way directional control button, Motion Dashboard button and Rotate Display button, yet the programs seem to launch properly if invoked by clicking on shortcuts).

System Restore to a time immediately before running Spybot fixes the problem.

I've reproduced this problem in a case in which the only item I allowed Spybot to fix was "Smitfraud-C.Toolbar888".

[Faenol]

I agree with this. SpyBot detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring as "Smitfraud-C.Toolbar888".

It only depends on this value if SpyBot found the Toolbar or not. If i disable the Sebring (LgNofity.dll) Value, there's no alarm.

But i see too, SpyBot isn't able to delete this file...
I could check it, it's say, it try's or will does, but in real it doesn't do anything to the value of Sebring...

So, 1 Day lost, because I'm so paranoid of this. Nobody (virustotal) found anything, but wanted to get save in this information..

So long, and sorry for my english.. ;-)

[Buster]

We will fix this false positive as soon as possible. Thanks for reporting!

[satrow]

Quote:

Originally Posted by Buster

We will fix this false positive as soon as possible. Thanks for reporting!

Thanks for actioning this quickly, Buster - caused me some puzzlement yesterday - http://www.tek-tips.com/viewthread.c...1298163&page=1

I hope it's updated soon

[refractorygod]

Quote:

Originally Posted by Buster

We will fix this false positive as soon as possible. Thanks for reporting!

HELP- I ran the scan on my HP 4200 and now my tablet features are disabled. I cannot do a system restore. Can you walk me through a reg edit to fix this???

[satrow]

Quote:

Originally Posted by refractorygod

HELP- I ran the scan on my HP 4200 and now my tablet features are disabled. I cannot do a system restore. Can you walk me through a reg edit to fix this???

I've had a quick dig around but only come up with:-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\TabBtnWL
?
?
and:-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring
Dllname: C:\WINDOWS\System32\LgNotify.dll
Logon: SebringUserLogon


I'll reboot to XP and see what I have ... back soon.

[md usa spybot fan]

refractorygod:

Did you check in Spybot > Recovery and see if the removed entries can be restored?

[satrow]

Quote:

Originally Posted by md usa spybot fan

refractorygod:

Did you check in Spybot > Recovery and see if the removed entries can be restored?

And have you tried System Restore?

(my Registry entries may not match those removed from your PC)

[md usa spybot fan]

satrow:

refractorygod indicated:

Quote:

Originally Posted by refractorygod

... I cannot do a system restore. ...

[satrow]

Point taken, I missed it.

Often happens that SR will work the next time or the following day even though it fails first time (if that's what happened in this case).