[SOLVED] ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware
I had issues with the recent ZAP 10.x upgrade process on all 5 machines in my office that required some serious manual removal efforts to proceed beyond BSODs after rebooting. On one machine, I thought I'd finally recovered everything and had re-installed ZAP successfully, but I noticed today there was no icon appearing in the System Tray although Windows Security Center stated that "ZoneAlarm Firewall currently ON" and what appears to be generic MS advice about how a firewall helps protect your computer against viruses and other security threats" with a link that's not active or may start generating a lot of hard-drive activity but doesn't open any link in a browser or bring up the (potentially fake) ZAP UI.
I have four of the five machine infected with something troubling and possibly very unpleasant -- there is a subdirectory in Program Files named "zonealarm_security_suite" (I have ZAP, not ZASS) which has only this ConduitSilentUninstaller.exe file inside, and the Task Manager process listing only has a "zatray.exe" resident (a file which is located in the main CheckPoint\ZoneAlarm subdirectory). When I look at the properties for that zatray.exe file, it seems legit: 70.6 KB (72,336 bytes) Created Friday, July 22, 2011, 9:43:08 AM. There's also a "ZATRAY.EXE-0E07865F.pf" in the Windows\Prefetch subdirectory in a search of my root drive, but don't know if that is legit or malware, just as I am now concerned that the ZAP installation on each of these 4 computers is truly malware rather than legit.http://forums.zonealarm.org/images/smilies/eek.gif
I've already changed the filetype name to a non-executable extension and will reboot to see if it regenerates. If it doesn't regenerate, I'll run several of the online scanners until I get clean bills of health from all of them. I'll also try to upload this file if I can figure out where malware samples are to be submitted.
If I examine the properties of the 40 Kb "ConduitSilentUninstaller.exe" file, it appears as a nondescript generic Windows file properties box but with only four tabs: General, Compatability, Security and Summary (no "Version"). The security permissions for my account and the Administrators account are set to "full". This immediately made me start considering whether I'd been hijacked somehow -- the ZAP upgrade e-mail notification I believed in late July sure seemed legit to go through the login process and get the download, but was it somehow a trick to allow in a substitute trojan? How else did all of these machines become infected, if that is indeed what occurred? The 5th was so dysfunctional I had to reinstall the out-of-box image from recovery DVDs and bring its OS forward, but have not yet installed ZAP on it like the others so it's clean.
I've run a 5-user ZAP license in this office for many years, and over the past year switched the resident AV from avast! to MSE. I also run Panda cloud concurrently without issues, and do weekly manual scans with Malwarebytes, Super Antispyware, and Advanced System Care4, and thought I was secure.
Whatever seems to have installed itself is masquerading as legit ZAP but the former capability to manually interrupt/suspend/terminate the Internet connection doesn't seem to be available in its "Help" file and the individual program approval popups don't have the check box as versions 9 and before for user selection of a one-time vs. permanent approval. These two aspects are really quite discombobulating, even moreso if ZoneAlarm Pro version 10.0.250.000 (including vsmon version 10.0.250.000 and Driver version 10.0.250.000) is legit AND was deliberately built without any user options to retain the manual capability for both specific functions.
But now to the really important part -- can someone confirm whether this is malware (and offer any guidance on how I disinfect my systems) or set me straight (hopefully with an explanation in context of the issues raised) if I'm totally off-base and CheckPoint considers this software vergions I've installed to be legit as intended?
That is a legit file it comes with the ZA toolbar.
I see a folder call Conduit in Program Files.It's in IE8 View / Toolbars / Conduit Engine.Also a tab with a Plus next to the (spanner) Toolbar Options.
Was this install by ZoneAlarm Extreme Security version: 10.0.250.000.
Support just verified it's part of the Toolbar.
Have a nice Day
ZoneAlarm Extreme Security version: 10.0.250.000
vsmon version: 10.0.250.000
Driver version: 10.0.250.000
Anti-virus engine version: 188.8.131.52
Anti-virus signature DAT file version: 1057445440
AntiSpam version: 184.108.40.20671
ZoneAlarm Browser Security: 1.5.322.0
ZoneAlarm ForceField Spyware Scanner: 1.5.322.0
ZoneAlarm ForceField Anti-Phishing Database: 220.127.116.11
ZoneAlarm ForceField Spyware Sites Database: 04.155
Re: ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware
Sorry I didn't clarify this before in my original post (guess I was a bit freaked out by the prospect of such a massive potential infection), and thanks very much for the responses. I'm certainly relieved to know this is something legit. Three of the 5 machines are running XP Pro SP3, one Vista Ultimate 32-bit and the fourth Win7 Ultimate 32-bit; the Win7 machine got reformatted in going back to its out-of-box (OOB) state and ZAP has not been reinstalled on it (but has on the other four).
I don't find that other "conduit" folder reference on any of the XP machines or the Vista Ultimate machine, and have the search functions on all toggled for drilling down and looking into all subfolders, including hidden and system folders. There is no "Conduit Engine" indicated in IE8 View | Toolbars, though there is a "ZoneAlarm Security Engine" (ZSE). FYI, I don't use IE for anything other than MS-related updates and almost always use Opera v11.50 as my preferred browser for everything else.
However, since during the ZAP installation process I unchecked the option to install the toolbar (toggled by default), I'm uncertain whether I actually do have this toolbar but it's just not being displayed or if it was really not installed and honored the user's choice. If I uncheck the ZSE option in IE8 View | Toolbars nothing really changes -- there's a popup which asks if I want to disable the add-on, but confirmation doesn't untoggle that ZSE toolbar option even if IE is closed and relaunched (haven't checked to see if rebooting is required). Guess if there really are functional requirements for its installation integrated into the program and the necessary files are actually in place, I'm leaning toward the former explanation and the user choice offered was actually just a bit of misdirection.
In spite of a more relaxed feeling about the legitimate character of the functions that freaked me out after the various explanations, I'm still more than a bit irate that 1) when asked about authorizing programs in the popup windows in this newest version of ZA the user isn't given the same level of discrimination (one-time vs. permanent) as in previous versions, and 2) that the system tray icon's right-click context option to instantly suspend or kill Internet access completely is no longer available at all. I'd definitely like both features brought back soon in a future update.
Re: ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware
Relax, sit back and no worries. As already stated this are part of ZA and legit files. :)
Inconsistency in folders between different OSs may be by design, or due to failed install or faild cleanup of the installer. Again nothing to worry about. And ZA toolbar is only supported in IE8/9 and Firefox 5 not Opera.
Closing this thread since the issue is resolved. Also moving it to a more appropiate section.
For the other issues I am afraid they are by design in version 10.