
Thread: [SOLVED] ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware

  1. #1
    jhvance Guest

    [SOLVED] ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware

    I had issues with the recent ZAP 10.x upgrade process on all 5 machines in my office that required some serious manual removal efforts to proceed beyond BSODs after rebooting. On one machine, I thought I'd finally recovered everything and had re-installed ZAP successfully, but I noticed today there was no icon appearing in the System Tray although Windows Security Center stated "ZoneAlarm Firewall currently ON" and what appears to be generic MS advice about how "a firewall helps protect your computer against viruses and other security threats", with a link that's not active or may start generating a lot of hard-drive activity but doesn't open any link in a browser or bring up the (potentially fake) ZAP UI.

    I have four of the five machines infected with something troubling and possibly very unpleasant -- there is a subdirectory in Program Files named "zonealarm_security_suite" (I have ZAP, not ZASS) which has only this ConduitSilentUninstaller.exe file inside, and the Task Manager process listing only has a "zatray.exe" resident (a file which is located in the main CheckPoint\ZoneAlarm subdirectory). When I look at the properties for that zatray.exe file, it seems legit: 70.6 KB (72,336 bytes), Created Friday, July 22, 2011, 9:43:08 AM. There's also a "ZATRAY.EXE-0E07865F.pf" in the Windows\Prefetch subdirectory in a search of my root drive, but I don't know if that is legit or malware, just as I am now concerned that the ZAP installation on each of these 4 computers is truly malware rather than legit.

    I've already changed the filetype name to a non-executable extension and will reboot to see if it regenerates. If it doesn't regenerate, I'll run several of the online scanners until I get clean bills of health from all of them. I'll also try to upload this file if I can figure out where malware samples are to be submitted.

    If I examine the properties of the 40 KB "ConduitSilentUninstaller.exe" file, it appears as a nondescript generic Windows file properties box but with only four tabs: General, Compatibility, Security and Summary (no "Version"). The security permissions for my account and the Administrators account are set to "full". This immediately made me start considering whether I'd been hijacked somehow -- the ZAP upgrade e-mail notification I believed in late July sure seemed legit to go through the login process and get the download, but was it somehow a trick to allow in a substitute trojan? How else did all of these machines become infected, if that is indeed what occurred? The 5th was so dysfunctional I had to reinstall the out-of-box image from recovery DVDs and bring its OS forward, but I have not yet installed ZAP on it like the others, so it's clean.

    I've run a 5-user ZAP license in this office for many years, and over the past year switched the resident AV from avast! to MSE. I also run Panda cloud concurrently without issues, and do weekly manual scans with Malwarebytes, Super Antispyware, and Advanced System Care4, and thought I was secure.

    Whatever seems to have installed itself is masquerading as legit ZAP, but the former capability to manually interrupt/suspend/terminate the Internet connection doesn't seem to be available in its "Help" file, and the individual program approval popups don't have the check box, as in versions 9 and before, for user selection of a one-time vs. permanent approval. These two aspects are really quite discombobulating, even more so if ZoneAlarm Pro version 10.0.250.000 (including vsmon version 10.0.250.000 and Driver version 10.0.250.000) is legit AND was deliberately built without any user options to retain the manual capability for both specific functions.

    But now to the really important part -- can someone confirm whether this is malware (and offer any guidance on how I disinfect my systems) or set me straight (hopefully with an explanation in context of the issues raised) if I'm totally off-base and CheckPoint considers the software versions I've installed to be legit as intended?
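    The post above reaches for the Properties dialog, a rename to a non-executable extension, and online scanners to decide whether a file is vendor-shipped. The following PowerShell snippet is an added example for this thread, not code from the poster or from Check Point: it pulls the three things a practitioner would actually want before uploading anything (Authenticode signature and signer, embedded version resource, SHA-256 hash) for both files the poster names. The paths are assumed from the poster's description of the installation layout and may differ on another machine; the hashing helper uses .NET directly because Get-FileHash does not exist on the PowerShell 2.0 that ships for XP SP3.

```powershell
# Added example (not from the thread): triage two suspicious binaries on Windows.
# Assumption: these paths follow the poster's description; adjust for your layout.
# Requires Windows PowerShell 2.0 or later (XP SP3, Vista, Win7).
$targets = @(
    'C:\Program Files\zonealarm_security_suite\ConduitSilentUninstaller.exe',
    'C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe'
)

function Get-FileSha256 {
    param([string]$Path)
    # Hash via .NET so this also works on PowerShell 2.0 (Get-FileHash needs 4.0+).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present"
        continue
    }
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    # SignerCertificate is $null for unsigned files; report that explicitly.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    Write-Output $path
    Write-Output ("  size: {0} bytes  created: {1}" -f $item.Length, $item.CreationTime)
    # VersionInfo is empty when the PE carries no VERSIONINFO resource,
    # which is exactly why the Properties dialog shows no "Version" tab.
    Write-Output ("  file version: {0}  company: {1}" -f `
        $item.VersionInfo.FileVersion, $item.VersionInfo.CompanyName)
    Write-Output ("  signature: {0}  signer: {1}" -f $sig.Status, $signer)
    Write-Output ("  sha256: {0}" -f (Get-FileSha256 $path))
}
```

    A status of Valid with the vendor's name in the signer subject is the expected result for files the security product installed itself; NotSigned on its own is not evidence of malware (many legitimate installers' helper tools are unsigned), and a missing Version tab only means the executable has no VERSIONINFO resource. The SHA-256 line is what to paste into a multi-engine scanner or a vendor's sample-submission form rather than uploading the binary blind. The Prefetch entry the poster mentions (ZATRAY.EXE-<hash>.pf) is the normal artifact Windows writes for any program that has been run, so it says nothing about whether that program is benign.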

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,286

    Re: ConduitSilentUninstaller.exe

    That is a legit file it comes with the ZA toolbar.

    Thanks,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date
    Aug 2009
    Location
    Texas Gulf Coast
    Posts
    1,647

    Re: ConduitSilentUninstaller.exe

    I see a folder called Conduit in Program Files. It's in IE8 View / Toolbars / Conduit Engine. Also a tab with a Plus next to the (spanner) Toolbar Options.

    Was this installed by ZoneAlarm Extreme Security version 10.0.250.000?

    Support just verified it's part of the Toolbar.

    Have a nice Day

    XP SP3
    IE8
    ZoneAlarm Extreme Security version: 10.0.250.000
    vsmon version: 10.0.250.000
    Driver version: 10.0.250.000
    Anti-virus engine version: 8.1.8.79
    Anti-virus signature DAT file version: 1057445440
    AntiSpam version: 6.3.1.4971
    ZoneAlarm Browser Security: 1.5.322.0
    ZoneAlarm ForceField Spyware Scanner: 1.5.322.0
    ZoneAlarm ForceField Anti-Phishing Database: 1.2.104.0
    ZoneAlarm ForceField Spyware Sites Database: 04.155
    Last edited by Sky Soldiers; August 7th, 2011 at 01:02 PM. Reason: Typo

  4. #4
    jhvance Guest

    Re: ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware

    Sorry I didn't clarify this before in my original post (guess I was a bit freaked out by the prospect of such a massive potential infection), and thanks very much for the responses. I'm certainly relieved to know this is something legit. Three of the 5 machines are running XP Pro SP3, one Vista Ultimate 32-bit and the fourth Win7 Ultimate 32-bit; the Win7 machine got reformatted in going back to its out-of-box (OOB) state and ZAP has not been reinstalled on it (but has on the other four).

    I don't find that other "conduit" folder reference on any of the XP machines or the Vista Ultimate machine, and have the search functions on all toggled for drilling down and looking into all subfolders, including hidden and system folders. There is no "Conduit Engine" indicated in IE8 View | Toolbars, though there is a "ZoneAlarm Security Engine" (ZSE). FYI, I don't use IE for anything other than MS-related updates and almost always use Opera v11.50 as my preferred browser for everything else.

    However, since during the ZAP installation process I unchecked the option to install the toolbar (toggled by default), I'm uncertain whether I actually do have this toolbar but it's just not being displayed or if it was really not installed and honored the user's choice. If I uncheck the ZSE option in IE8 View | Toolbars nothing really changes -- there's a popup which asks if I want to disable the add-on, but confirmation doesn't untoggle that ZSE toolbar option even if IE is closed and relaunched (haven't checked to see if rebooting is required). Guess if there really are functional requirements for its installation integrated into the program and the necessary files are actually in place, I'm leaning toward the former explanation and the user choice offered was actually just a bit of misdirection.

    In spite of a more relaxed feeling about the legitimate character of the functions that freaked me out after the various explanations, I'm still more than a bit irate that 1) when asked about authorizing programs in the popup windows in this newest version of ZA the user isn't given the same level of discrimination (one-time vs. permanent) as in previous versions, and 2) that the system tray icon's right-click context option to instantly suspend or kill Internet access completely is no longer available at all. I'd definitely like both features brought back soon in a future update.

  5. #5
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,286

    Re: ConduitSilentUninstaller.exe --> Part of ZA toolbar and not malware

    Relax, sit back and no worries. As already stated, these are part of ZA and are legit files.

    Inconsistency in folders between different OSs may be by design, or due to a failed install or failed cleanup of the installer. Again, nothing to worry about. And the ZA toolbar is only supported in IE8/9 and Firefox 5, not Opera.

    Closing this thread since the issue is resolved. Also moving it to a more appropriate section.

    For the other issues I am afraid they are by design in version 10.

    Thanks,
    Fax
    Last edited by fax; August 8th, 2011 at 12:29 AM.

