Tablet PC functionality incorrectly labeled at Smitfraud-C



segalsegal
2006-11-04, 18:00
The latest updates for Spybot (most dated 3 November) seem to recognize some key Tablet PC functionality as a threat and delete it. The damage can be undone with Windows XP System Restore.

Spybot detects what it refers to as "Smitfraud-C.Toolbar888", and flags the following registry entries as problems:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\TabBtnWL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring

It offers to fix the "problem", and if you then re-boot you find that the "Change tablet and pen settings" icon is missing from the tray and many Tablet buttons are disabled (on Motion Computing LS800 the Escape, Function, 5-way directional control button, Motion Dashboard button and Rotate Display button, yet the programs seem to launch properly if invoked by clicking on shortcuts).

System Restore to a time immediately before running Spybot fixes the problem.

I've reproduced this problem in a case in which the only item I allowed Spybot to fix was "Smitfraud-C.Toolbar888".

Faenol
2006-11-05, 16:26
I agree with this. SpyBot detects

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring as "Smitfraud-C.Toolbar888".

Whether SpyBot finds the Toolbar or not depends only on this value. If I disable the Sebring (LgNotify.dll) value, there's no alarm.

But I see too that SpyBot isn't able to delete this file...
I could check it: it says it tries or will do so, but in reality it doesn't do anything to the value of Sebring...

So, 1 day lost, because I'm so paranoid about this. Nobody (virustotal) found anything, but I wanted to be safe with this information.

So long, and sorry for my English.. ;-)

Buster
2006-11-06, 10:28
:oops: We will fix this false positive as soon as possible. Thanks for reporting! ;)

satrow
2006-11-06, 15:28
:oops: We will fix this false positive as soon as possible. Thanks for reporting! ;)

Thanks for actioning this quickly, Buster - caused me some puzzlement yesterday - http://www.tek-tips.com/viewthread.cfm?qid=1298163&page=1

I hope it's updated soon :bigthumb:

refractorygod
2006-11-06, 21:57
:oops: We will fix this false positive as soon as possible. Thanks for reporting! ;)

HELP- I ran the scan on my HP 4200 and now my tablet features are disabled. I cannot do a system restore. Can you walk me through a reg edit to fix this???

satrow
2006-11-06, 22:22
HELP- I ran the scan on my HP 4200 and now my tablet features are disabled. I cannot do a system restore. Can you walk me through a reg edit to fix this???

I've had a quick dig around but only come up with:-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\TabBtnWL
?
?
and:-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring
Dllname: C:\WINDOWS\System32\LgNotify.dll
Logon: SebringUserLogon


I'll reboot to XP and see what I have ... back soon.

md usa spybot fan
2006-11-06, 22:34
refractorygod:

Did you check in Spybot > Recovery and see if the removed entries can be restored?

satrow
2006-11-06, 22:48
refractorygod:

Did you check in Spybot > Recovery and see if the removed entries can be restored?

And have you tried System Restore?

(my Registry entries may not match those removed from your PC)

md usa spybot fan
2006-11-06, 23:12
satrow:

refractorygod (http://forums.spybot.info/member.php?u=14156) indicated:


... I cannot do a system restore. ...

satrow
2006-11-06, 23:20
Point taken, I missed it.

Often happens that SR will work the next time or the following day even though it fails first time (if that's what happened in this case).

segalsegal
2006-11-06, 23:35
And have you tried System Restore?

System Restore fixed the problem for me. I didn't know about Spybot > Recovery so I didn't try it, but now I know for next time.

md usa spybot fan
2006-11-06, 23:38
Republishing my original post so it is overlooked among intervening posts.

refractorygod:

Did you check in Spybot > Recovery and see if the removed entries can be restored?

siljaline
2006-11-07, 07:04
From what I have read in news and Forums, a System Restore is required to recover from this F/P :sick:
Bummer for folks that barely know how to use SR...

Silj

Mitsubishiman
2006-11-08, 06:36
Hello, I keep getting the same "Smitfraud-C.Toolbar888"

the only difference is the last part is "ddayy"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon|Notify\ddayy

SpyBot says it cannot remove it because it is in use and asks permission to run at next startup, and then I reboot and it still finds it. Is it the same false positive?

Dell Dimension 8400
Windows XP Home
SP 2

md usa spybot fan
2006-11-08, 06:50
Mitsubishiman:

Other similar detections have been classified as false positives. See the following post in the False Positives (http://forums.spybot.info/forumdisplay.php?f=16) forum:
Tablet PC functionality incorrectly labeled at Smitfraud-C
http://forums.spybot.info/showthread.php?t=8668
I suggest that you do not attempt to fix that detection until the detection signatures are updated.

steamwiz
2006-11-09, 19:42
Mitsubishiman ....

That looks like a vundo key...

It won't do any harm to run vundofix and see if it removes it...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Keep the C:\vundofix.txt log & if you are having problems ... post in the malware removal forum

malware removal forum >
http://forums.spybot.info/forumdisplay.php?f=22

steam

instantrunoff
2006-11-10, 06:01
I purged the recovery and had System Restore disabled, because I was trying to remove an insidious NSIS Media infection. How can I get the tablet button functionality back? Is there a tablet program I can reinstall? Thanks.

VAIO UX User
2006-11-10, 07:39
I am having this same problem...long story made as short as possible
Spybot found Smitfraud on my Sony UX 180P handheld on Friday
- It would/could not remove both files
- Spysweeper, Ad-Aware, and Norton never saw it and I never experienced the pop-ups described with this threat
- I paid Norton to remotely access my computer to remove it, but they were unsuccessful
- I completed a system recovery on the C drive from the D drive behind the partition
- Spybot found the virus again after the recovery. Norton 2007 still does not see it, and Sony thinks it may have jumped the partition to the recovery side
- Before I send this computer back to Sony for reimaging, does this sound like a virus? Or is it the same issue posted by other users? <<I am a novice at this but also keep my computers 100% spyware free>>
This is what Spybot is seeing
1) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\system32\netsh.exe
2) HKEY_USERS\DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\system32\netsh.exe

Spybot please help ASAP before I send this handheld back!
Thanks

spybotsandra
2006-11-10, 10:44
Hello,

Please wait for the next detection update which will be released today (2006/11/10) - this should fix it.
Beginning with the release of Spybot - Search and Destroy 1.4 there should be updates once a week. So normally the beta public update and the official update are out on Fridays.

Best regards
Sandra
Team Spybot

segalsegal
2006-11-10, 14:52
I can confirm that today's definitions do not label anything as Smitfraud on a Tablet PC that was flagged as having such a problem using last week's definitions.

instantrunoff
2006-11-10, 15:57
Hello,

Please wait for the next detection update which will be released today (2006/11/10) - this should fix it.
Beginning with the release of Spybot - Search and Destroy 1.4 there should be updates once a week. So normally the beta public update and the official update are out on Fridays.

Best regards
Sandra
Team Spybot

Do you mean that the update will fix the damage done by "fixing" the false positive (which is what I hope), or that it will fix/prevent future detections of the false positive?

instantrunoff
2006-11-10, 17:04
Fernando suggests the following fix here (http://www.gottabemobile.com/CommentView,guid,5f202cb9-924d-4432-b529-ff2251c7c494.aspx) that seems to work for me so far:


1 - create a text file (with notepad) with this text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TabBtnWL]
@=""
"Disconnect"="OnDisconnectEvent"
"DllName"="TabBtnWL.dll"
"Logoff"="OnLogoffEvent"
"Logon"="OnLogonEvent"
"Reconnect"="OnReconnectEvent"
"Shutdown"="OnShutdownEvent"
"StartShell"="OnStartShellEvent"
"Startup"="OnStartupEvent"

2 - save it with any name you want and extension “reg”, like example.reg

3 - double click the file, and respond yes to the question “are you sure to add…”

4 - reboot and you should get everything functional

Thanks to Mickey Segal (http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.tabletpc&mid=89f5aec1-2beb-4738-9854-01d8a5f2453a) for pointing this out to me.

If anyone has insight on what the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring Registry key does, please reply! I'm wondering what else Spybot may have damaged in trying to fix this false positive.

Also, even though Spybot has caused a problem here, I still want to say that I appreciate their anti-spyware service, which all-in-all has been very helpful and generous.
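
Added example, not part of the thread and not Spybot's or Microsoft's code: the last post asks what else the cleanup may have removed from Winlogon\Notify. Given the text of a .reg export of that key taken before a scanner's fix and one taken after, this Python script lists the notification packages that disappeared, returns each package's DllName, and renders them back as .reg text for review. The two sample exports are constructed from values quoted in the posts above, and the function names are this example's own.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_notify(reg_text):
    """Map each Notify subkey in a .reg export to {value name: raw right-hand side}."""
    prefix, packages, current = NOTIFY.lower() + "\\", {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hit = key.lower().startswith(prefix)  # registry paths are case-insensitive
            current = packages.setdefault(key[len(prefix):], {}) if hit else None
        elif current is not None and VALUE.match(line):
            name, rhs = VALUE.match(line).groups()
            current[name] = rhs
    return packages

def dll_of(values):
    """Unescaped DllName of one package, or None; value names are case-insensitive."""
    for name, rhs in values.items():
        if name.lower() == "dllname" and rhs.startswith('"'):
            return re.sub(r"\\(.)", r"\1", rhs[1:-1])
    return None

def removed_packages(before, after):
    """Packages present in the earlier export and missing from the later one."""
    kept = {k.lower() for k in parse_notify(after)}
    return {k: v for k, v in parse_notify(before).items() if k.lower() not in kept}

def to_reg(packages):
    """Render packages as .reg text for review before re-importing them."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for sub, values in packages.items():
        out.append("[%s\\%s]" % (NOTIFY, sub))
        out += ['"%s"=%s' % item for item in values.items()] + [""]
    return "\n".join(out)

# Constructed exports: values taken from the posts above, trimmed to a few lines.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TabBtnWL]
"DllName"="TabBtnWL.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Sebring]
"Dllname"="C:\\WINDOWS\\System32\\LgNotify.dll"
"Logon"="SebringUserLogon"
"""
AFTER = "Windows Registry Editor Version 5.00\n\n[%s]\n" % NOTIFY
```

Exports saved by regedit in the "Version 5.00" format are UTF-16, so read the file with encoding="utf-16" before passing its text to these functions.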