
Thread: Win32.Yok


  1. #1
    tony_a Guest

    Win32.Yok

    Although I've posted the message below on the Security and Vulnerability page, I'd like to post it here too because the 'false positive' finding that seems to be accepted is certainly a topic for discussion.


    Several ZA users have found Win32.Yok, and Win32.Yok.Supersearch, reported as spyware. Both are reported as being 'false positive' findings. However, each is based on a different registry key.

    Win32.Yok.Supersearch is based on the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}
    and,
    Win32.Yok is based on the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}

    My interest is with Win32.Yok, because that is what ZASS is reporting as being on my system.

    Although Win32.Yok MAY be a false positive, the question is:

    Why does the RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} keep coming back when it is deleted?

    ZASS does delete the key, and I've even deleted it using Regedit, but the registry key keeps coming back.

    ZASS may identify the registry key incorrectly when it is found, but when deleted from the registry, shouldn't it stay deleted?

    What is this key connected to, that makes it re-appear? Is it really connected to Internet Explorer? I never use IE so it's not a case of IE re-inserting it in the registry when the program runs.

    I also use Spyware Doctor and while it doesn't find Win32.Yok as spyware, every time I deleted the offending key, Spyware Doctor popped up an alert saying it had 'immunized' another ActiveX object. What is the connection?

    If this really is a false positive, it should be possible to authenticate where this key comes from to ensure it is legitimate.

    Are there any 'ActiveX' experts out there? Does anyone have any thoughts/answers?

    Tony_A

    Operating System: Windows XP Pro
    Product Name: ZoneAlarm Internet Security Suite
    Software Version: 6.5

  2. #2
    Join Date: Dec 2005 | Posts: 9,056

    Re: Win32.Yok

    Hi

    I am no ActiveX expert by any means.

    Perhaps check C:\WINDOWS\Downloaded Program Files and delete any unused or unwanted entry. ActiveX components are listed in here.

    Also, does the full listing in IE6's Manage Add-ons show a possible answer?

    Just my thoughts.

    What about a run with a cleaner like CCleaner?

    Oldsod
    Best regards.
    oldsod

  3. #3
    tony_a Guest

    Re: Win32.Yok

    Hello Oldsod,

    I checked C:\WINDOWS\Downloaded Program Files and none of the four old files in my directory reference the Win32.Yok keys.

    The list of Managed Add-ons for IE also provides no clues.

    I am not familiar with CCleaner and I'm not keen on installing something new when I have a problem.

    I noticed on the Security and Vulnerability forum that new (2 Sep) entries are showing up identifying Win32.Yok as being present. Obviously the latest spyware identity download is picking it up, but it's just the registry key that is present.

    I still think that finding out what is causing the registry key to re-appear will lead to a solution.

    Tony_A

  4. #4
    drwga Guest

    Re: Win32.Yok

    Hi Folks,

    I've got exactly the same problem with ZASS 6.5.722.000 on Win2000 Pro, and I'm using Spyware Doctor 4.0.0.2613.

    EVERY time I scan with ZA, up pops Win32.Yok. It doesn't matter whether I quarantine it or delete it, it's always there (even if I've not used IE).

    I've had the problem for about a week now, and I'm VERY disappointed at the lack of help on the ZA pop-up screen.

    Thanks for listening!

  5. #5
    tony_a Guest

    Re: Win32.Yok

    I've pretty well beaten this to death on the Security and Vulnerability forum and readers should go there to read the whole story.

    Here is a short version.

    The spyware ZA is finding is actually just a registry key inserted by Spyware Doctor, and perhaps other anti-spyware software, to disable (kill) a known piece of ActiveX malware known as estalive, eihelper, eiyhelper, etc., variously identified as a browser helper object or adware. The CLSID that is causing this problem is: A2B7A0F0-B697-4A71-8D91-43443F57D7BB. A Google search lists 150+ references for this CLSID and, if you check, you will find that it is quite well known and widely distributed.

    ZA is incorrectly identifying the inserted registry key as Win32.Yok, and when it is deleted, Spyware Doctor, or perhaps some other spyware hunter, just inserts the key again. It is not yet known what is causing SD to insert the registry key, but it does not appear to be the presence of any actual spyware.

    This is probably an ongoing problem that will persist until ZA and PCTools get their act together. For the time being, ZA users should probably not put the Win32.Yok finding in the ZA exception list, as the CLSID represents real malware, but just delete Win32.Yok when it is found and not worry if it is found again on the next scan as long as only the registry key is found.

    Of course, this is only my opinion.

    Tony_A
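    The post above describes the mechanism behind the detection: an entry under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} that an anti-spyware product writes to block a known bad control. The check a practitioner wants before calling this a false positive is whether anything is actually registered under that CLSID, as opposed to only the blocklist entry being present. The script below is an added example and is not code from the thread, ZoneAlarm, or PC Tools. It reads the key named in the thread for the thread's CLSID; the value name "Compatibility Flags" and the kill-bit flag 0x400 are assumptions taken from Microsoft's documentation of the Internet Explorer ActiveX kill bit, not from the thread. Run it in PowerShell on the affected Windows machine.

```powershell
# Added example (not from the thread): distinguish an IE ActiveX kill-bit entry
# from an actually installed control for a given CLSID.
# Assumptions: the "Compatibility Flags" value name and the 0x400 kill-bit flag
# come from Microsoft's kill-bit documentation; the CLSID default is the one
# discussed in the thread.

param(
    [string]$Clsid = '{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}'
)

$killBitFlag = 0x400
$compatKey   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$clsidKey    = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"

# Is there a kill-bit (blocklist) entry for this CLSID, and is the kill bit actually set?
function Get-KillBitStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Present = $false; Flags = $null; KillBit = $false }
    }
    $flags = (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Present = $true
        Flags   = $flags
        KillBit = ($null -ne $flags) -and (($flags -band $killBitFlag) -ne 0)
    }
}

# Is a COM server registered under this CLSID, and does its DLL exist on disk?
function Get-ControlRegistration {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Registered = $false; Server = $null; FileExists = $false }
    }
    $server = (Get-ItemProperty -LiteralPath "$Path\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $exists = $false
    if ($server) {
        $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($server))
    }
    [pscustomobject]@{ Registered = $true; Server = $server; FileExists = $exists }
}

$kb = Get-KillBitStatus $compatKey
$cr = Get-ControlRegistration $clsidKey

"CLSID                  : $Clsid"
"Kill-bit entry present : $($kb.Present)"
if ($kb.Present) {
    "Compatibility Flags    : 0x{0:X}  (kill bit set: {1})" -f $kb.Flags, $kb.KillBit
}
"Control registered     : $($cr.Registered)"
if ($cr.Registered) {
    "InprocServer32         : $($cr.Server)  (file on disk: $($cr.FileExists))"
}

if ($kb.Present -and -not $cr.Registered) {
    "Verdict: only the ActiveX Compatibility entry exists and nothing is registered under the CLSID."
    "         That is a blocklist entry written by security software, not an installed control."
} elseif ($cr.Registered) {
    "Verdict: a control IS registered under this CLSID. Examine the server file before"
    "         treating the detection as a false positive."
} else {
    "Verdict: neither a kill-bit entry nor a registration exists for this CLSID."
}
```

The key point the output makes visible: deleting the ActiveX Compatibility entry removes protection, not malware, which is why a product that maintains a kill-bit list will keep recreating it. The second function is what turns "the key exists" into evidence either way; a registered InprocServer32 whose file is present is the thing worth investigating.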

  6. #6
    denimdick Guest

    Re: Win32.Yok

    Tony,

    Thank you for your research and efforts. I too have Spyware Doctor and can confirm your findings. I also concur that the two companies could show a bit of empathy for their respective customers and resolve the issue, or at least acknowledge that it exists.

    Again, thank you!

    Rick

  7. #7
    escalader Guest

    Re: Win32.Yok

    If I were you (and I'm not) I would disable ZA Pro for virus/malware/trojans. It just isn't a good tool yet for that.

    Spyware doctor is a good malware tool use it if you have it.

    I am relying on Spy Sweeper since it is the best detector and remover. BUT none of these products get them all.

    Don't shut your system down till you have got rid of it.

    Restart in safe mode if you are brave and backed up, after locking out the internet.

    Then, run SD, Pest Spybot S&D Adware 3 times each! Do a registry clean up utility and bring windows back up!

    Bitdefender also lets you run a trial copy for 30 days.

    Good luck!

    Escalader

  8. #8
    tony_a Guest

    Re: Win32.Yok: This problem is fixed

    This problem was never with Spyware Doctor. It just got ahead of ZA in its spyware prevention.

    ZA has now caught up with Spyware Doctor, and today's download of spyware data file version 01.200609.340 corrects the ZA problem.

    Running ZA spyware now shows a clean scan with the Spyware Doctor registry entry in place to prevent the Win32.Yok (actually estalive).

    This should end this problem.

    Tony_A
