Teatimer has detected an unauthorized database change?



Reggie Stry
2007-01-15, 06:28
For the 2nd time today, I saw this message pop up on my screen:


Teatimer has detected an unauthorized database change (RegTBTB2-Global.reg) This could be the result of a system crash or of manipulation. Do you want to verify each possibly affected registry key (if you do not feel up to that, press NO and do a full system scan)?


The first time was this morning when I started the computer, and the 2nd time was when I closed Teatimer to run Ad-Aware, Avira Antivir, Hijackthis and Spybot S&D. When I started Teatimer again, the same message appeared.

I saw nothing unusual in any of the above programs, and a Google search turns up nothing on RegTBTB2-Global.reg. I tried searching for that reg key file, but couldn't find it. I also used Regseeker to see if there's any RegTBTB2 string and the only thing I found was:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="RegTBTB2-Global.reg"

Now, all that might indicate is that I did a web search for the term RegTBTB2-Global.reg, but I also found the clsid here after performing another Regseeker search. This first registry key reminded me that I closed port 135 last night by shutting down several services. I wonder if this caused the Teatimer alert?:

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}]
@="File and Folders Search ActiveX Control"
"MenuText"=""
"HelpText"=""
"DefaultIcon"="%SystemRoot%\\system32\\shell32.dll,-135"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\InProcServer32]
@="C:\\WINNT\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\MiscStatus\1]
@="20191"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ProgID]
@="Shell.FileSearchBand.1"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ToolboxBitmap32]
@="c:\\WINNT\\system32\\shell32.dll, 260"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\TypeLib]
@="{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\Version]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\VersionIndependentProgID]
@="Shell.FileSearchBand"

[HKEY_CLASSES_ROOT\Shell.FileSearchBand\CLSID]
@="{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}"


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}]
"UseSearchOptions"=dword:00000001




I also found this thread but it doesn't seem conclusive concerning the above clsid:

http://www.wilderssecurity.com/archive/index.php/t-98228.html

In summary, should I be concerned about:

1) {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

2) The Teatimer alert "about an unauthorized database change (RegTBTB2-Global.reg)"?


Any suggestions?

Reggie Stry
2007-01-16, 05:49
Just an update. The Teatimer message reappeared today, except that the file is called RegGBTB2-Global.reg. When I did a search for it, I found it here:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots

and here:

E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2

The dates on the files are three weeks apart but both contain the following info:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
"BarSize"=hex:41,00,00,00,00,00,00,00

Judging by this, the clsid in my first post may have nothing to do with the file.

Toolbar Cop has the following information on that clsid:

File and Folders Search ActiveX Control
Explorer Bar - Vertical
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
E:\WINNT\system32\shell32.dll
Enabled
All Users


Toolbar Cop gives me the following info associated with RegGBTB2-global.reg


&Tip of the Day
Explorer Bar - Horizontal
{4D5C8C25-D075-11D0-B416-00C04FB90376}
%SystemRoot%\system32\shdocvw.dll
Enabled
All Users


Once again, why is Teatimer warning me every time I start up about this global.reg file?

PepiMK
2007-01-16, 13:13
The Snapshots folder is that of the old TeaTimer, the Snapshots2 folder that of the new one; the message will always be about the new one, since this didn't exist in the older version.

Are you using different users on this machine?

And could you take a look if there is a Timestamps.ini in the Snapshots2 folder, and if so, if it contains entries for RegGBTB2-Global.reg and RegTBTB2-Global.reg?

Reggie Stry
2007-01-17, 00:22
The Snapshots folder is that of the old TeaTimer, the Snapshots2 folder that of the new one; the message will always be about the new one, since this didn't exist in the older version.

Are you using different users on this machine?

And could you take a look if there is a Timestamps.ini in the Snapshots2 folder, and if so, if it contains entries for RegGBTB2-Global.reg and RegTBTB2-Global.reg?

First of all, thank you so much for replying. I've read so many of your forum posts over the years that it's like getting a response from one of the celebrity superstars of anti-spyware! :bow:

Also, since I could no longer edit my first post, I think that I erred in ever mentioning the "RegTBTB2-Global.reg" file, and that it's only the "RegGBTB2-Global.reg" that is mentioned in the Teatimer alert.

In answer to your question, there are two users allowed to sign in on this computer and both have administrator privileges (although only one usually signs in). I had upgraded my initial install of Spybot to the beta version as suggested on your forum, when I discovered that I couldn't see the Teatimer allow button when a known registry change was being made.

There is a Timestamps.ini file in the Snapshots2 folder, but it doesn't contain any reference to "RegGBTB2-Global.reg". There are about 40 other references in there, such as:



RegGS1SM-Global.reg
RegExtBat-Global.reg
RegGBP4-Global.reg
RegGBP3-Global.reg
RegExtExe-Global.reg

All are followed by long alpha-numeric strings.


Is the Teatimer warning about "RegGBTB2-global.reg" anything to be alarmed about, if this is what's in that file?:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
"BarSize"=hex:41,00,00,00,00,00,00,00

Is it benign and is Toolbar Cop correct with the following info?:


File and Folders Search ActiveX Control
Explorer Bar - Vertical
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
E:\WINNT\system32\shell32.dll
Enabled
All Users


&Tip of the Day
Explorer Bar - Horizontal
{4D5C8C25-D075-11D0-B416-00C04FB90376}
%SystemRoot%\system32\shdocvw.dll
Enabled
All Users


Would a simple uninstall and reinstall of the beta version of Spybot help?
Could this problem have been caused by closing ports and services as a security measure with a Windows 2000 Pro OS? For example, as described here:

http://www.claymania.com/windows2000-hardening.html

I made adjustments to the registry in order to close ports 135 and port 445.


I await your experienced and much appreciated advice.
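The mechanism PepiMK describes (one .reg snapshot per hive area in Snapshots2, checked against Timestamps.ini) can be illustrated with a small integrity checker that reproduces the situation Reggie found: a snapshot file with no manifest entry cannot be verified. This is an added example, not Spybot's or TeaTimer's own code; the .reg parser follows the format of the fragments quoted in this thread, while the manifest layout and the SHA-256 digest are assumptions, since the thread only says each entry is followed by a long alphanumeric string.

```python
import hashlib
import re

# Constructed sample snapshot, modelled on the .reg contents quoted in the thread.
SNAPSHOT_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
"BarSize"=hex:41,00,00,00,00,00,00,00
'''

# Constructed manifest: file name, then a long alphanumeric string, as described in
# the thread. That the real Timestamps.ini stores a content digest is an assumption.
TIMESTAMPS_INI = '''RegGBP4-Global.reg=0000000000000000000000000000000000000000000000000000000000000000
RegExtExe-Global.reg=1111111111111111111111111111111111111111111111111111111111111111'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: raw data string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
        elif vm and current is not None:
            name = '@' if vm.group(1) == '@' else vm.group(1)[1:-1]
            keys[current][name] = vm.group(2)
    return keys

def canonical_digest(keys):
    """SHA-256 over sorted, case-folded keys and their values, so a re-export
    that merely reorders lines is not reported as a change."""
    h = hashlib.sha256()
    for key in sorted(keys, key=str.lower):
        h.update(key.lower().encode())
        for name in sorted(keys[key]):
            h.update(b'\0' + name.encode() + b'=' + keys[key][name].encode())
    return h.hexdigest()

def check_snapshot(filename, reg_text, manifest_text):
    """Return ('ok' | 'changed' | 'unverified', digest). 'unverified' is the case
    seen in the thread: the snapshot file exists but the manifest has no entry."""
    manifest = dict(l.split('=', 1) for l in manifest_text.splitlines() if '=' in l)
    digest = canonical_digest(parse_reg(reg_text))
    if filename not in manifest:
        return 'unverified', digest
    return ('ok' if manifest[filename] == digest else 'changed'), digest
```

A snapshot whose manifest entry is missing is reported as unverified rather than silently accepted, which is the conservative choice for a tool whose job is to notice registry changes it did not itself record.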

Reggie Stry
2007-01-18, 09:56
Well, I reinstalled Spybot 1.4 along with the Beta upgrade, and no longer see the Teatimer alert warning.

My full post regarding this can be found on this thread:

http://forums.spybot.info/showthread.php?p=64560#post64560


As mentioned in the other thread, do you think I should upgrade to the latest version of Teatimer, 1.5.0.3?

Can I assume that the contents of the RegGBTB2 file:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}]
"BarSize"=hex:41,00,00,00,00,00,00,00


really just refers to the MS IE &Tip of the Day, as Toolbar Cop indicates?