Although I've posted the message below on the Security and Vulnerability page, I'd like to post it here too because the 'false positive' finding that seems to be accepted, is certainly a topic for discussion.


Several ZA users have found Win32.Yok, and Win32.Yok.Supersearch, reported as spyware. Both are reported as being 'false positive' findings. However, each is based on a different registry key.

Win32.Yok.supersearch is based on the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}
and,
Win32.Yok is based on the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}

My interest is with Win32.Yok, because that is what ZASS is reporting as being on my system.

Although Win32.Yok MAY be a false positive, the question is:

Why does the RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} keep coming back when it is deleted?

ZASS does delete the key, and I've even deleted it using Regedit, but the registry key keeps coming back.

ZASS may identify the registry key incorrectly when it is found, but when deleted from the registry, shouldn't it stay deleted?

What is this key connected to, that makes it re-appear? Is it really connected to Internet Explorer? I never use IE so it's not a case of IE re-inserting it in the registry when the program runs.

I also use Spyware Doctor and while it doesn't find Win32.Yok as spyware, every time I deleted the offending key, Spyware Doctor popped up an alert saying it had 'immunized' another Active X object. What is the connection?

If this really is a false positive, it should be possible to authenticate where this key comes from to ensure it is legitimate.

Are there any 'Active X' experts out there? Does anyone have any thoughts/answers?

Tony_A

Operating System: Windows XP Pro
Product Name: ZoneAlarm Internet Security Suite
Software Version: 6.5
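An added example (not part of the original post) showing how an administrator can inspect the key Tony_A names: it reads the Compatibility Flags value under the ActiveX Compatibility entry (bit 0x400 is Internet Explorer's kill bit, which ActiveX "immunization" tools set to block a control from loading), then resolves the CLSID to its registered COM server file and checks that file's Authenticode signature. The CLSID is the one quoted in the post; the registry paths and cmdlets are standard Windows ones, and nothing here is specific to ZoneAlarm or Spyware Doctor.

```powershell
# Added example: inspect one IE ActiveX Compatibility entry and trace its CLSID.
# The CLSID default below is the one quoted in the forum post.
param(
    [string]$Clsid = '{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}'
)

$compatPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$clsidPath  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"

# 1. Is this a kill-bit entry? Immunization tools write exactly this shape.
if (Test-Path $compatPath) {
    $flags = (Get-ItemProperty -Path $compatPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags) {
        $killBit = ($flags -band 0x400) -ne 0   # 0x400 = kill bit
        'Compatibility Flags = 0x{0:X8} (kill bit set: {1})' -f $flags, $killBit
    } else {
        'Entry exists but has no Compatibility Flags value'
    }
} else {
    "No ActiveX Compatibility entry for $Clsid"
}

# 2. Which control does the CLSID name, and is its server file signed?
if (Test-Path $clsidPath) {
    $name   = (Get-ItemProperty -Path $clsidPath -ErrorAction SilentlyContinue).'(default)'
    $server = (Get-ItemProperty -Path "$clsidPath\InprocServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    "CLSID registered as: $name"
    if ($server) {
        $file = [Environment]::ExpandEnvironmentVariables($server)
        "InprocServer32: $file"
        if (Test-Path $file) {
            $sig = Get-AuthenticodeSignature -FilePath $file
            'Signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
        } else {
            'Server file is not present on disk'
        }
    }
} else {
    # A kill-bit entry can exist for a control that was never installed here.
    "No CLSID registration for $Clsid; the compatibility entry is a block, not an installed control"
}
```

If the entry carries the kill bit and no CLSID registration exists, deleting it removes a protective block rather than a piece of spyware, which is why an immunization tool would keep re-creating it.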