
Thread: Win 32.yok showing up in spyware scan as a Trojan. This was previously reported as a false positive

  1. #1
    hawkeyelom Guest

    Win 32.yok showing up in spyware scan as a Trojan. This was previously reported as a false positive

    Showed up in my scan today, antispyware definitions 8/30/2006 (latest). Showed up as a registry entry only. If deleted it comes back after reboot and new scan. Turning off system restore, etc. also does not fix, it still shows up on new scan. According to security forum around the tenth of August, this was/is a false positive and was to be fixed with 8/11 definitions.

    Was this not fixed, or has it returned in the latest definitions, or is it NOT a false positive? Not detected by another security scanner I have: NAV 2005, Spyware Doctor, Windows Defender, Trojan Hunter, /adware, Spybot.

    Information on the status of win32.yok would be appreciated. Thanks!

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.5


    "Moved by Oldsod"

    Message Edited by Oldsod on 08-31-2006 01:37 AM

  2. #2
    woodycab Guest

    Re: Win 32.yok

    I too seem to have this win32.yok. Is there any more news or developments?

  3. #3
    tony_a Guest

    Re: Win 32.yok

    Several ZA users have found Win32.Yok, and Win32.Yok.Supersearch, reported as spyware. Both are reported as being 'false positive' findings. However, each is based on a different registry key.

    Win32.Yok.supersearch is based on the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}
    and,
    Win32.Yok is based on the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}

    My interest is with Win32.Yok, because that is what ZASS is reporting as being on my system.

    Although Win32.Yok MAY be a false positive, the question is:

    Why does the RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} keep coming back when it is deleted?

    ZASS does delete the key, and I've even deleted it using Regedit, but the registry key keeps coming back.

    ZASS may identify the registry key incorrectly when it is found, but when deleted from the registry, shouldn't it stay deleted?

    What is this key connected to, that makes it re-appear? Is it really connected to Internet Explorer? I never use IE so it's not a case of IE re-inserting it in the registry when the program runs.

    I also use Spyware Doctor and while it doesn't find Win32.Yok as spyware, every time I deleted the offending key, Spyware Doctor popped up an alert saying it had 'immunized' another Active X object. What is the connection?

    If this really is a false positive, it should be possible to authenticate where this key comes from to ensure it is legitimate.

    Are there any 'Active X' experts out there? Does anyone have any thoughts/answers?

    Tony_A

  4. #4
    tony_a Guest

    Re: Win 32.yok Clean Scan - Perhaps a solution

    Well, I have managed to delete the RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} and get a clean scan from ZoneAlarm.

    This is what I did without all the experimentation.

    Normal system boot which started up my security software, ZASS, Spyware Doctor, System Guard Alerter.

    Used an Administrator's account.

    Set a Restore point.

    Ran ZA and it found Win32.Yok once again.

    Ran Regedit.exe, navigated to the registry key.

    Used ZA to delete the key. Noticed that Spyware Doctor immediately popped up an alert that it had 'immunized' an Active X object.

    Checked the key existence with Regedit and it was back.

    Deleted the key using Regedit and noticed that Spyware Doctor immediately popped up an alert that it had 'immunized' an Active X object.

    Checked key existence with Regedit and it was back.

    Exited from Spyware Doctor (making it non-operational).

    Deleted the key using Regedit.

    Ran ZA Spyware scan. CLEAN SCAN.

    It seems pretty obvious to me that the culprit is Spyware Doctor on my system that is putting the key in the registry that ZA is finding.

    Are the other people having this problem also using Spyware Doctor? This Win32.Yok problem seems to have originated with Spyware Doctor Database Version 3.05500 on my system.

    If this solution works for you, please post a reply.

    Hope this helps, please let me know.

    Message Edited by Tony_A on 09-03-2006 04:47 PM

  5. #5
    tony_a Guest

    Re: Win 32.yok Digging Deeper and Apologies to Spyware Doctor

    Well, some deeper digging indicates that inserting the offending key in the registry is just Spyware Doctor doing its job. My apologies to Spyware Doctor for jumping the gun and pointing the finger.

    Spyware Doctor is indeed inserting the key in the Registry, as other spyware software may be doing, that ZA is finding and showing as Win32.Yok. The 'immunization' process that SD is using is explained in the Microsoft document "How to stop an ActiveX control from running in Internet Explorer" below.

    What is necessary to stop an Active X control from running is to create a Registry key containing the Active X's CLSID and then set the value of the Compatibility Flags DWORD value to 0x00000400. Which is exactly what is happening. So in the case of Win32.Yok, Spyware Doctor is finding the CLSID {A2B7A0F0-B697-4A71-8D91-43443F57D7BB} somewhere and then creating the registry key and setting the value to stop it from working.

    The Microsoft article below is about "How to stop an ActiveX control from running in Internet Explorer" but I think the technique will probably work whether the Active X control is part of IE or not, and doesn't necessarily mean the CLSID has to be associated with IE.

    The question now is: to what does the CLSID refer, and is it spyware? A search of my system using Windows Explorer for the CLSID doesn't find anything. So, where is Spyware Doctor finding it?

    I'm starting to believe that the ZA finding of Win32.Yok may be truly a 'false positive' that ZA can correct. But, it still leaves the possibility that there is something unseen lurking in the depths of the file system.

    Still digging.

    Tony_A


    http://support.microsoft.com/kb/240797


    How to stop an ActiveX control from running in Internet Explorer

    Article ID : 240797
    Last Review : March 14, 2006
    Revision : 7.1

    This article was previously published under Q240797

    Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

    256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry

    SUMMARY
    This article describes how to stop an ActiveX control from running in Internet Explorer. You can do so by modifying the data value of the Compatibility Flags DWORD value for the Class identifier (CLSID) of the ActiveX control.

    Note For Microsoft Windows XP-based and Windows Server 2003-based computers, administrators can use Software restriction policies to prevent an ActiveX control from running in any programs on computers in an Active Directory domain environment. For more information about software restriction policies, visit the following Microsoft Web site:

    http://www.microsoft.com/technet/pro.../rstrplcy.mspx

    MORE INFORMATION
    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

    Warning Microsoft does not recommend unkilling (undoing the kill action on) an ActiveX control. If you do so, you may create security vulnerabilities. The kill bit is typically set for a reason that may be critical, and because of this, extreme care must be used when you unkill an ActiveX control. Also, because the following procedure is highly technical, do not continue unless you are very comfortable with the procedure, and it is a good idea to read the whole procedure before you start.

    The CLSID for an ActiveX control is a GUID for that control. You can prevent an ActiveX control from running in Internet Explorer by setting the kill bit so that the control is never called by Internet Explorer when default settings are used.

    The kill bit is a specific value for the Compatibility Flags DWORD value for the ActiveX control in the registry. This is different from revoking the "safe for scripting" option in an ActiveX control. When the "safe for scripting" option is revoked, Internet Explorer still calls for the control and then prompts you with a warning message that the ActiveX control may be unsafe. Depending on the choice you make, the control may be run. However, after the kill bit is set for an ActiveX control, that control is not called by Internet Explorer at all unless the Initialize and script ActiveX controls not marked as safe option is enabled in Internet Explorer. To set the kill bit, follow these steps:

    1. Determine the CLSID for the ActiveX control that you want to disable. If you are not sure of the CLSID for the control, contact the manufacturer. If the control is installed, you may be able to determine its CLSID if you know its friendly name. To do this, examine the Default string value for the ProgID key for each of the CLSID keys in HKEY_CLASSES_ROOT\CLSID. You may have to remove as many ActiveX controls as possible, except for the one that you want to disable, to make it easier to identify the appropriate CLSID. For more information about how to remove ActiveX controls, click the following article number to view the article in the Microsoft Knowledge Base:

    154850 (http://support.microsoft.com/kb/154850/) How to remove an ActiveX control in Windows

    2. Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the ActiveX control
    where "CLSID of the ActiveX control" is the class identifier of the appropriate ActiveX control.

    Notes
    Typically, you will have to manually create this registry key.
    To determine the CLSID that corresponds with the ActiveX control that you want to disable, remove all the ActiveX controls that currently are installed, install the control that you want to disable, and then add the kill bit to its CLSID.

    3. Change the value of the Compatibility Flags DWORD value to 0x00000400.
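    The question Tony_A keeps returning to (is the kill-bit entry evidence that a control is installed, or only an immunization record?) can be answered offline from two registry exports. As an added example that is not part of the thread, the KB article or any of the products named, the Python below parses a .reg export (the format "reg export" produces), reads the Compatibility Flags under the ActiveX Compatibility key, and checks whether HKCR\CLSID actually registers an InprocServer32 DLL for each CLSID; the sample export is constructed, and the second CLSID in it is a made-up placeholder.

```python
import re

# Constructed sample in the format "reg export" writes. The first kill-bit entry uses
# the CLSID the thread reports and has no matching HKCR\CLSID registration; the
# second uses a made-up placeholder CLSID that is registered but has no kill bit.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Placeholder Control"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\placeholder\\control.dll"
"""

KILL_BIT = 0x00000400  # Compatibility Flags value from KB 240797
COMPAT_PREFIX = "hkey_local_machine\\software\\microsoft\\internet explorer\\activex compatibility\\"
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}")

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data}}; paths are lower-cased
    because registry key names are case-insensitive. Handles dword and string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:  # quoted string; undo the backslash escaping .reg files use
                current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def classify(text):
    """For each ActiveX Compatibility entry: is the kill bit set, and is any control
    actually registered for that CLSID? A kill bit with no InprocServer32 DLL is an
    immunization entry, not evidence that the control is installed."""
    keys, report = parse_reg(text), {}
    for path, values in keys.items():
        match = CLSID_RE.search(path) if path.startswith(COMPAT_PREFIX) else None
        if not match:
            continue
        clsid = match.group(0)
        server = keys.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {})
        report[clsid.upper()] = {"kill_bit": bool(values.get("Compatibility Flags", 0) & KILL_BIT),
                                 "registered_dll": server.get("(Default)")}
    return report
```

    On a real machine, feed it the output of "reg export" for the ActiveX Compatibility key and for HKCR\CLSID concatenated into one file; a CLSID that shows kill_bit True with registered_dll None is exactly the situation the thread describes.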

  6. #6
    woodycab Guest

    Re: Win 32.yok Clean Scan - spyware doctor

    Thanks Tony-A. Have been going mad since Friday but you seem to have solved it. I completely uninstalled Spyware Doctor, then used Registry Mechanic (PC Tools, ha ha), done a spyware scan with ZA and success, clean scan. Reinstalled Spyware Doctor and yes it was back again. Have now put it on the ignore list and will be emailing PC Tools. Thanks again.

  7. #7
    cyprinus Guest

    Re: Win 32.yok Clean Scan - Perhaps a solution

    I'm seeing this reported by ZoneAlarm as well since an update and scan at mid-day today. I also have Spyware Doctor and it seems I hadn't enabled smart update so I was still on version 3.05440. This would have been the case for the last few ZA updates and scans, so I think the detection just started today and if this is down to SD then it must have been the case for a while. I'm afraid I'm not too clued up on what should be happening here... if SD is restoring the registry entry, which it appears to be in your case, could this be because SD thinks it's immunising against an unauthorised removal, or is it clear from this that SD requires that entry and is responsible for it? Seems to me that removal via Regedit is legitimate and SD shouldn't be doing this unless it requires it itself. In that case, an explanation shouldn't be long in coming?

  8. #8
    cyprinus Guest

    Re: Win 32.yok Digging Deeper and Apologies to Spyware Doctor

    Hi Tony, looks like posts crossed. Thanks for the info - that's brilliant. Now that we know that SD is just doing its job, isn't this simply part of the immunisation process, i.e. inserting the registry entry that prevents this trojan, rather than it being triggered by locating something? That would add weight to ZA picking up a false positive given that my SD database was 10 days out of date?

  9. #9
    tony_a Guest

    Re: Win 32.yok Digging Deeper and Apologies to Spyware Doctor

    Hello Cyprinus,

    Yes, the registry entry is part of the immunization process, in fact, it is THE immunization process.

    But, it is still not known to what the inserted registry key actually refers. It might be a trojan or spyware, or it might be something else. I would think it a little strange if so many careful ZA users became infected with Win32.Yok.

    Until it is known to what {A2B7A0F0-B697-4A71-8D91-43443F57D7BB} refers, the identity of the Active X control remains a mystery.

    I wouldn't put it on ZA's list of spyware exceptions just yet.

    Keep looking for anomalies. I've e-mailed PC Tools asking for information as to where to find the CLSID, but it will probably be several days before they reply, if ever.

    Tony_A

  10. #10
    tony_a Guest

    Re: Win 32.yok Even Deeper - Google searches for the CLSID

    Two hours online yielded the following notes:

    Google found 152 references to A2B7A0F0-B697-4A71-8D91-43443F57D7BB. Most were from China. Some from Europe.

    Most internet references identify the CLSID as belonging to estAlive.dll, iehelper, ieyhelper, Askyaya, variously identified as adware, browser helper, etc.
    Identified on www.spywaredata.com as estalive.dll.
    Found on the internet at
    http://www.castlecops.com/tk30113-estAlive_dll.html

    GUID: {A2B7A0F0-B697-4A71-8D91-43443F57D7BB}
    Filename: estAlive.dll
    Object Name: estAliveObj Class
    Status: X BHO
    Description: AskYaya aka Estalive adware
    Viewed 286 times since 23 May 2005, 1840 Hours UTC-4.


    STATUS KEY:
    # "X" - Certified spyware/foistware, or other malware
    # "L" - Legitimate items
    # "O" - Open to debate
    # "?" - Unknown Status
    # "BHO" - Browser Helper Object
    # "TB" - Toolbar

    Posts on http://www.wilderssecurity.com/showthread.php?t=144027 show that others are having the same problem with the same registry key.
    http://forums.afterdawn.com/thread_view.cfm/386300 says that Spy Sweeper identifies the registry key as IEHelper.
    http://www.beyondwork.com.cn/bbs/boa...fileid487.html reports key found without iehelper file.
    Various Registry key locations cited but all have the same CLSID.

    The file associated with the CLSID is identified as being in the WINDOWS directory.

    Nowhere did I find any reference to where the CLSID might be coming from if the offending file is not in the WINDOWS directory.

    No mention of the source of the infestation or how to get rid of it.

    I guess Spyware Doctor users will have to be satisfied that it is rendered harmless by 'immunization'. I can't see ZA considering it a 'false positive' since it is the CLSID of real malware.

    I've been thinking that perhaps the real problem is that Spyware Doctor has got ahead of the curve, included the definition in its database, and is inserting the registry key without actually finding anything. An explanation of when/why their 'immunizer' functions would probably help.

    Too tired to do any more tonight, I'll sleep on it.

    Suggestions would be welcomed.

    Tony_A
