11 Comments

Summary:

Mickey Segal sent me an email detailing a problem with the latest version of anti-spyware program Spybot Search and Destroy running on Tablet PCs.  This from Mickey: The latest updates for the anti-spyware program “Spybot Search and Destroy” (http://www.safer-networking.org/; most updates dated 3 November) seem to […]

Mickey Segal sent me an email detailing a problem with the latest version of anti-spyware program Spybot Search and Destroy running on Tablet PCs.  This from Mickey:

The latest updates for the anti-spyware program “Spybot Search and Destroy” (http://www.safer-networking.org/; most updates dated 3 November) seem to recognize some key Tablet PC functionality as a threat and delete it.  The damage can be undone with Windows XP System Restore.

Spybot detects what it refers to as “Smitfraud-C.Toolbar888″, and flags the following registry entries as problems:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogonNotifyTabBtnWL
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogonNotifySebring

It offers to fix the “problem”, and if you then re-boot you find that the “Change tablet and pen settings” icon is missing from the tray and many Tablet buttons are disabled (on Motion Computing LS800 the Escape, Function, 5-way directional control button, Motion Dashboard button and Rotate Display button, yet the programs seem to launch properly if invoked by clicking on shortcuts).

System Restore to a time immediately before running Spybot fixes the problem.

I’ve reproduced this problem in a case in which the only item I allowed Spybot to fix was “Smitfraud-C.Toolbar888″.

I don’t know a lot about the Windows Registry or Spybot, so it would be good if others could check the plausibility of my concerns and help take appropriate action.

This is a serious problem so all Tablet owners running Spybot take notice and make sure you have a good System Restore image to fall back on. Thanks, Mickey!

You’re subscribed! If you like, you can update your settings

  1. SpyBot And Tablet PC Incompatibility Issue Sunday, November 5, 2006
  2. Spybot Search and Destroy nukes Tablet PCs Sunday, November 5, 2006
  3. Spybot Search and Destroy eats Tablet PCs Sunday, November 5, 2006
  4. I’ve used Spybot S&D for the last few years. Yes, it can be a little too thorough at times. However, it’s simple to tell S&D not to automatically fix things. First you need a little more fine-grained control.

    1) Launch S&D
    2) Mode Menu (top bar)–> choose “Advanced Mode”
    3) Settings Tab (lower left)–> choose Settings.
    4) In Settings list that appears on the right, scroll down to “Expert Settings.”
    5) Check “Show Expert buttons in results list” and “Show Expert buttons in recovery list”

    Now, run a full scan.
    1) Click on the “Search & Destroy” icon in left bar
    2) In the scan window that appears on the right, click on the “File Sets” menu –> choose “Select all available checks.”
    3) Click “Check for Problems.”
    4) This runs a complete system scan for spware, usage tracks, etc.
    5) Once the scan completes (it’ll take some time) carefully review the items in the list.
    6) For each item that you want to exclude from being “fixed” simply right click on it and select to exclude from future searches.

    Anyone else who uses Spybot please feel free to modify what I’ve outlined here. Hope this helps.

    P.S. As added protection, I team Spybot with JavaCool Software’s SpywareBlaster, which blocks spyware from being installed in the first place.
    http://www.javacoolsoftware.com/spywareblaster.html

  5. On my system Spybot only took action against “Smitfraud-C” after I followed the advice to “fix” the problem. If I had known this “threat” was really essential Tablet PC functionality I wouldn’t have acted, but this is not the sort of thing that many people would know unless warned.

    Hopefully this will get fixed before too many people are inconvenienced, but mistakes happen and people need to stay in the loop. Spybot, Microsoft and Motion Computing have all gotten a heads-up. I presume other hardware companies need to know about this too since it sounds like this will affect all Tablet PC users who run the 3 November Spybot definitions, but I have only tested on Motion Computing hardware.

  6. Smithfraud is a real threat. One of many I had on a PC that took over a week to purge!

  7. Yesterday I emailed to the bugs address listed at
    http://www.safer-networking.org/en/contact/index.html and started a thread at http://forums.spybot.info/showthread.php?t=8668 so hopefully we should get some attention to this problem from the Spybot people.

    What we know for sure is that there is an actual Smitfraud.C and that the Spybot “fix” disables Tablet functionality. What remains to be determined is whether the only computers that display the message are infected, or whether Spybot will flag some or all Tablet PCs that are not infected.

    Other reports are appearing of people getting the Smitfraud.C message, for example http://www.gottabemobile.com/CommentView,guid,5f202cb9-924d-4432-b529-ff2251c7c494.aspx
    What we don’t know yet is whether people getting this message are infested with such spyware or whether this is a false positive.

  8. I got a message from the Spybot folks today saying “This is a false positive that will be fixed with the next updates.”

  9. Hi-

    I ran spybot over the weekend on my HP 4200- it did in fact disable the tablet functions. Sadly I cannot get system restore to work- it fails every time i try to go back to an earlier time. Is there a manual way for me to fix this??? I would hate to have to reload my entire operating system for this.

    HELP!!!

  10. Bill,

    It might be worth running the Windows System File Checker, you’ll need to have your Operating System CD handy.

    Start > Run

    then in the run box type:

    “sfc /scannow”

    without the quotes.

    Worth a try, but as with anything backup first :)

Comments have been disabled for this post