
Thread: Teatimer has detected an unauthorized database change?

  1. #1
    Junior Member
    Join Date
    Jan 2007
    Posts
    24

    Teatimer has detected an unauthorized database change?

    For the 2nd time today, I saw this message pop up on my screen:

    Teatimer has detected an unauthorized database change (RegTBTB2-Global.reg) This could be the result of a system crash or of manipulation. Do you want to verify each possibly affected registry key (if you do not feel up to that, press NO and do a full system scan)?



    The first time was this morning when I started the computer, and the 2nd time was when I closed Teatimer to run Ad-Aware, Avira Antivir, Hijackthis and Spybot S&D. When I started Teatimer again, the same message appeared.

    I saw nothing unusual in any of the above programs, and a Google search turns up nothing on RegTBTB2-Global.reg. I tried searching for that reg key file, but couldn't find it. I also used Regseeker to see if there's any RegTBTB2 string and the only thing I found was:

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
    "000"="RegTBTB2-Global.reg"


    Now, all that might indicate is that I did a web search for the term RegTBTB2-Global.reg, but I also found the clsid here after performing another Regseeker search. This first registry key reminded me that I closed port 135 last night by shutting down several services. I wonder if this caused the Teatimer alert?:

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}]
    @="File and Folders Search ActiveX Control"
    "MenuText"=""
    "HelpText"=""
    "DefaultIcon"="%SystemRoot%\\system32\\shell32.dll,-135"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Implemented Categories]

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\InProcServer32]
    @="C:\\WINNT\\system32\\shell32.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\MiscStatus]
    @="0"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\MiscStatus\1]
    @="20191"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ProgID]
    @="Shell.FileSearchBand.1"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ToolboxBitmap32]
    @="c:\\WINNT\\system32\\shell32.dll, 260"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\TypeLib]
    @="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Version]
    @="1.0"

    [HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\VersionIndependentProgID]
    @="Shell.FileSearchBand"

    [HKEY_CLASSES_ROOT\Shell.FileSearchBand\CLSID]
    @="{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}"


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}]
    "UseSearchOptions"=dword:00000001




    I also found this thread but it doesn't seem conclusive concerning the above clsid:

    http://www.wilderssecurity.com/archi...p/t-98228.html

    In summary, should I be concerned about:

    1) {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

    2) The Teatimer alert "about an unauthorized database change (RegTBTB2-Global.reg)"?


    Any suggestions?

  2. #2
    Junior Member
    Join Date
    Jan 2007
    Posts
    24


    Just an update. The Teatimer message reappeared today, except that the file is called RegGBTB2-Global.reg. When I did a search for it, I found it here:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots

    and here:

    E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2

    The dates on the files are three weeks apart but both contain the following info:


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
    "BarSize"=hex:41,00,00,00,00,00,00,00


    Judging by this, the clsid in my first post may have nothing to do with the file.

    Toolbar Cop has the following information on that clsid:

    File and Folders Search ActiveX Control
    Explorer Bar - Vertical
    {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    E:\WINNT\system32\shell32.dll
    Enabled
    All Users



    Toolbar Cop gives me the following info associated with RegGBTB2-global.reg


    &Tip of the Day
    Explorer Bar - Horizontal
    {4D5C8C25-D075-11D0-B416-00C04FB90376}
    %SystemRoot%\system32\shdocvw.dll
    Enabled
    All Users


    Once again, why is Teatimer warning me every time I start up about this global.reg file?

  3. #3
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    The Snapshots folder is that of the old TeaTimer, the Snapshots2 folder that of the new one; the message will always be about the new one, since this didn't exist in the older version.

    Are you using different users on this machine?

    And could you take a look if there is a Timestamps.ini in the Snapshots2 folder, and if so, if it contains entries for RegGBTB2-Global.reg and RegTBTB2-Global.reg?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  4. #4
    Junior Member
    Join Date
    Jan 2007
    Posts
    24


    Quote: Originally posted by PepiMK
    The Snapshots folder is that of the old TeaTimer, the Snapshots2 folder that of the new one; the message will always be about the new one, since this didn't exist in the older version.

    Are you using different users on this machine?

    And could you take a look if there is a Timestamps.ini in the Snapshots2 folder, and if so, if it contains entries for RegGBTB2-Global.reg and RegTBTB2-Global.reg?

    First of all, thank you so much for replying. I've read so many of your forum posts over the years that it's like getting a response from one of the celebrity superstars of anti-spyware!

    First of all, since I could no longer edit my first post, I think that I erred in ever mentioning "RegTBTB2-Global.reg" file, and that it's only the "RegGBTB2-Global.reg" that is mentioned in the Teatimer alert.

    In answer to your question, there are two users allowed to sign in on this computer and both have administrator privileges (although only one usually signs in). I had upgraded my initial install of Spybot to the beta version as suggested on your forum, when I discovered that I couldn't see the Teatimer allow button when a known registry change was being made.

    There is a Timestamps.ini file in the Snapshots2 folder, but it doesn't contain any reference to "RegGBTB2-Global.reg". There's about 40 other references in there such as:


    RegGS1SM-Global.reg
    RegExtBat-Global.reg
    RegGBP4-Global.reg
    RegGBP3-Global.reg
    RegExtExe-Global.reg

    All are followed by long alpha-numeric strings.


    Is the Teatimer warning about "RegGBTB2-global.reg" anything to be alarmed about and if this is what's in that file?:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
    "BarSize"=hex:41,00,00,00,00,00,00,00


    Is it benign and is Toolbar Cop correct with the following info?:


    File and Folders Search ActiveX Control
    Explorer Bar - Vertical
    {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    E:\WINNT\system32\shell32.dll
    Enabled
    All Users


    &Tip of the Day
    Explorer Bar - Horizontal
    {4D5C8C25-D075-11D0-B416-00C04FB90376}
    %SystemRoot%\system32\shdocvw.dll
    Enabled
    All Users


    Would a simple uninstall and reinstall of the beta version of Spybot help?
    Could this problem have been caused by closing ports and services as a security measure with a Windows 2000 Pro OS? For example, as described here:

    http://www.claymania.com/windows2000-hardening.html

    I made adjustments to the registry in order to close ports 135 and port 445.


    I await your experienced and much appreciated advice.
    Last edited by Reggie Stry; 2007-01-17 at 00:27.

  5. #5
    Junior Member
    Join Date
    Jan 2007
    Posts
    24


    Well, I reinstalled Spybot 1.4 along with the Beta upgrade, and no longer see the Teatimer alert warning.

    My full post regarding this can be found on this thread:

    http://forums.spybot.info/showthread...4560#post64560


    As mentioned in the other thread,
    Do you think I should upgrade to the latest version of Teatimer - 1.5.0.3?

    Can I assume that the contents of the RegGBTB2 file:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
    "BarSize"=hex:41,00,00,00,00,00,00,00


    really just refers to the MS IE &Tip of the Day, as Toolbar Cop indicates?
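
The manual check done across the posts above (find each CLSID under Explorer Bars, then look up which DLL its InProcServer32 key points to) can be run over exported .reg text. This is an added example, not part of the thread and not Spybot or Toolbar Cop code: the sample is constructed from keys quoted in the posts, the shdocvw.dll registration is taken from the Toolbar Cop listing rather than a registry export, the `...0001` CLSID is a placeholder, and the `sysroot` default of `C:\WINNT` is an assumption.

```python
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Constructed sample (.reg export syntax); the ...0001 entry is a placeholder.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
"BarSize"=hex:41,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{00000000-0000-0000-0000-000000000001}]
[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
[HKEY_CLASSES_ROOT\CLSID\{4D5C8C25-D075-11D0-B416-00C04FB90376}\InProcServer32]
@="%SystemRoot%\\system32\\shdocvw.dll"
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; single-line values only."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data
    return keys

def unquote(data):  # decode a REG_SZ literal: drop quotes, undo \\ escapes
    return re.sub(r"\\(.)", r"\1", data[1:-1]) if data[:1] == '"' else data

def audit_explorer_bars(text, sysroot=r"C:\WINNT"):
    """Map each Explorer Bar CLSID to (verdict, InProcServer32 path)."""
    servers, bars = {}, set()
    for path, values in parse_reg(text).items():
        m = re.search(r"\\CLSID\\(" + GUID + r")\\InProcServer32$", path, re.I)
        if m:  # GUIDs compare case-insensitively (11d0 vs 11D0 in the thread)
            servers[m.group(1).upper()] = unquote(values.get("@", ""))
        m = re.search(r"\\Explorer Bars\\(" + GUID + r")$", path, re.I)
        if m:
            bars.add(m.group(1).upper())
    report = {}
    for clsid in sorted(bars):
        dll = servers.get(clsid)
        # Path check only: says where the DLL lives, not that the file is genuine.
        full = re.sub("%SystemRoot%", lambda _: sysroot, dll or "", flags=re.I)
        ok = full.lower().startswith((sysroot + "\\system32\\").lower())
        verdict = "unregistered" if dll is None else "system32" if ok else "review"
        report[clsid] = (verdict, dll)
    return report
```

An Explorer Bar entry reported as `unregistered` or `review` is the one worth inspecting by hand; `system32` only confirms the registered path, so the DLL itself still needs its own verification.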
