I had issues with the recent ZAP 10.x upgrade process on all 5 machines in my office that required some serious manual removal efforts to proceed beyond BSODs after rebooting. On one machine, I thought I'd finally recovered everything and had re-installed ZAP successfully, but I noticed today there was no icon appearing in the System Tray although Windows Security Center stated that "ZoneAlarm Firewall currently ON" and what appears to be generic MS advice about how "a firewall helps protect your computer against viruses and other security threats" with a link that's not active or may start generating a lot of hard-drive activity but doesn't open any link in a browser or bring up the (potentially fake) ZAP UI.
I have four of the five machines infected with something troubling and possibly very unpleasant -- there is a subdirectory in Program Files named "zonealarm_security_suite" (I have ZAP, not ZASS) which has only this ConduitSilentUninstaller.exe file inside, and the Task Manager process listing only has a "zatray.exe" resident (a file which is located in the main CheckPoint\ZoneAlarm subdirectory). When I look at the properties for that zatray.exe file, it seems legit: 70.6 KB (72,336 bytes) Created Friday, July 22, 2011, 9:43:08 AM. There's also a "ZATRAY.EXE-0E07865F.pf" in the Windows\Prefetch subdirectory in a search of my root drive, but I don't know if that is legit or malware, just as I am now concerned that the ZAP installation on each of these 4 computers is truly malware rather than legit.
I've already changed the filetype name to a non-executable extension and will reboot to see if it regenerates. If it doesn't regenerate, I'll run several of the online scanners until I get clean bills of health from all of them. I'll also try to upload this file if I can figure out where malware samples are to be submitted.
If I examine the properties of the 40 Kb "ConduitSilentUninstaller.exe" file, it appears as a nondescript generic Windows file properties box but with only four tabs: General, Compatibility, Security and Summary (no "Version"). The security permissions for my account and the Administrators account are set to "full". This immediately made me start considering whether I'd been hijacked somehow -- the ZAP upgrade e-mail notification I believed in late July sure seemed legit to go through the login process and get the download, but was it somehow a trick to allow in a substitute trojan? How else did all of these machines become infected, if that is indeed what occurred? The 5th was so dysfunctional I had to reinstall the out-of-box image from recovery DVDs and bring its OS forward, but I have not yet installed ZAP on it like the others, so it's clean.
I've run a 5-user ZAP license in this office for many years, and over the past year switched the resident AV from avast! to MSE. I also run Panda cloud concurrently without issues, and do weekly manual scans with Malwarebytes, Super Antispyware, and Advanced System Care4, and thought I was secure.
Whatever seems to have installed itself is masquerading as legit ZAP, but the former capability to manually interrupt/suspend/terminate the Internet connection doesn't seem to be available in its "Help" file, and the individual program approval popups don't have the check box as in versions 9 and before for user selection of a one-time vs. permanent approval. These two aspects are really quite discombobulating, even more so if ZoneAlarm Pro version 10.0.250.000 (including vsmon version 10.0.250.000 and Driver version 10.0.250.000) is legit AND was deliberately built without any user options to retain the manual capability for both specific functions.
But now to the really important part -- can someone confirm whether this is malware (and offer any guidance on how I disinfect my systems) or set me straight (hopefully with an explanation in context of the issues raised) if I'm totally off-base and CheckPoint considers the software versions I've installed to be legit as intended?
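The post judges the two files by size and creation date, which any file can fake; the check a practitioner would run instead is the Authenticode signature and a hash of each binary. The following PowerShell is an added example, not part of the original post or anything from Check Point; the drive letter, the exact `Program Files` paths and the PowerShell 4.0+ requirement for `Get-FileHash` are assumptions, so adjust them for the machine being inspected.

```powershell
# Added example (not from the original post): verify the files the post names
# by digital signature and hash rather than by size and date.
# ASSUMPTIONS: drive C:, paths reconstructed from the post's description,
# PowerShell 4.0 or later (Get-FileHash). Run from an elevated prompt.
$candidates = @(
    'C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe',
    'C:\Program Files\zonealarm_security_suite\ConduitSilentUninstaller.exe'
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING  $path"
        continue
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $path).VersionInfo

    # Status is 'Valid' only when the file is signed and the certificate chain
    # verifies. 'NotSigned', 'HashMismatch' or 'UnknownError' means the
    # Properties dialog values (size, date) prove nothing about origin.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        Path      = $path
        SigStatus = $sig.Status
        Signer    = $signer
        Company   = $ver.CompanyName      # empty when there is no Version tab
        FileVer   = $ver.FileVersion
        SHA256    = $hash                 # value to submit to the vendor or an online scanner
    }
}

# The prefetch entry the post mentions only records that the binary was
# executed; Windows creates one for any program that runs, so it is evidence
# of execution, not of legitimacy or of malware.
Get-ChildItem -Path "$env:windir\Prefetch" -Filter 'ZATRAY.EXE-*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime, LastWriteTime
```

A signer subject that is not the vendor's, or a missing signature on a file that claims to be part of a commercial security product, is the concrete finding to take to the vendor's support forum along with the SHA-256 values.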