Results 1 to 8 of 8

Thread: Win32.yok

  1. #1
    henshawj Guest

    Default Win32.yok

    Hi Folks
    ZASS is finding Win32.yok each time I scan. After deleting the "Trojan" it re-appears.
    Spyware Doctor and SpyBot do not find it.
    Is it still ranked as a "false positive"?
    My spyware version is 01.200608.335.
    Best Wishes

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.1

  2. #2

    Default Re: Win32.yok

    We had this reported before, it's a false positive which hasn't been corrected yet.

  3. #3
    henshawj Guest

    Default Re: Win32.yok

    Hi Jeruselem
    Thanks for that. I thought that the recent updates would have solved the problem!
    Such is life

  4. #4

    Default Re: Win32.yok

    Actually, it's not ZA to blame for false positive - it's CA. They just use the CA/VET anti-virus which CA manage the signatures. One day,CA will fix the signature ...

  5. #5
    tony_a Guest

    Default Re: Win32.yok

    Although Win32.Yok MAY be a false positive, the question is:

    Why does the RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} keep coming back when it is deleted?

    ZASS does delete the key, and I've even deleted it using Regedit, but the registry key keeps coming back.

    ZASS may identify the registry key incorrectly when it is found, but when deleted from the registry, shouldn't it stay deleted?

    What is this key connected to that makes it re-appear? Is it really connected to Internet Explorer? I never use IE so it's not a case of IE re-inserting it in the registry when the program runs.

    I also use Spyware Doctor and while it doesn't find Win32.Yok as spyware, every time I deleted the offending key, Spyware Doctor popped up an alert saying it had 'immunized' another Active X object. What is the connection?

    If this really is a false positive, it should be possible to authenticate where this key comes from to ensure it is legitimate.

    Are there any 'Active X' experts out there? Does anyone have any answers?


    Message Edited by Tony_A on 09-02-2006 09:48 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.5

  6. #6
    wonderingtoo Guest

    Default Re: Win32.yok

    When I deleted Win32.Yok with ZAP spyware program It also keeps coming back and then I attempted to locate it with a reg program and I was unable to find it listed.

  7. #7
    tony_a Guest

    Default Re: Win32.yok

    Hello Wonderingtoo,

    You couldn't find Win32.Yok because that's not what is in the registry.

    Please read the Win32.Yok thread on the Security and Vulnerability forum and the Malware Discussion forum.


  8. #8
    ai_tak Guest

    Default Re: Win32.yok

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\stores the compatibility flags for all activex modules, one of which can be used to set that activex to disabled, if module that it stores compatibility flags still exists then it will be recreated. Why ZA is deletingtheactivexcompatibility flags for this malware (which it is possible to use to prevent the malware from loading), and not the malware key itself,I have no idea. Spybotand some similar programs have an immunize function that could create a key along these lines.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts