Assigned Uninstalling Zemana leaves Drivers behind?

[Svoll]

I just tried uninstalling ZAL myself and its took me quite a while to narrow down where most of the left files are. Had to use 3 apps to help me somewhat remove most of them (autoruns, RevoUninstaller, and Everything). There are quite a few traces left in the registry.

In addition to what others can't remove, Everything found folders left in the syswow64 folder.

Even deleting the keycrypt64, Event log still shows it tied with Wininit

 

[Sunshine-boy]

But when we uninstall the program, strange behavior

+1

 

[WinXPert]

Manual deletion

• Use everything, search for ZAM and Zemana and delete all folder/files found
• Manually delete ZAM and Zemana on registry entries

 

[TairikuOkami]

sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q

 

[KevinYu0504]

sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q

Thanks for your provide the code ,
it's pretty useful !

 

[mojaveron]

Thanks for the code, should it be saved as a .bat file?

 

[TairikuOkami]

Thanks for the code, should it be saved as a .bat file?

Yes or just copy it to CMD ran as admin.

 

[JB007]

sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q

Hello @TairikuOkami ,
I just see on my Home PC that I have the same problem that @Evjl's Rain here Q&A - Zemana dropped files with persistent files ZAM.krnl.trace & ZAM_Guard.krnl.trace in C:\windows folder
Is your code always good 1 year later ?

 

[TairikuOkami]

Is your code always good 1 year later ?

Yes, I have just checked it and added those 2 files. They are persistent, when the drivers are running, once removed, files can be safely removed.

Spoiler: CODE

sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
del "%WINDIR%\ZAM.krnl.trace" /s /f /q
del "%WINDIR%\ZAM_Guard.krnl.trace" /s /f /q

 

[KevinYu0504]

Yes, I have just checked it and added those 2 files. They are persistent, when the drivers are running, once removed, files can be safely removed.

Spoiler: CODE

sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
del "%WINDIR%\ZAM.krnl.trace" /s /f /q
del "%WINDIR%\ZAM_Guard.krnl.trace" /s /f /q

Thanks

 

[illumination]

Many 3rd party applications leave left overs like this in the system, even zam portable as stated already leaves registry keys ect.

Those 3rd party removal tools do not remove everything from an application, they never have, and i have always found left overs after trying them, it is why i do not use them but search manually the system via file explorer/local C/search local disk and by regedit/edit/find while toggling F3 to jump from one found to the next.

After doing this, i take a manual tour of system 32 ect just to make sure.

Good example of why i keep preaching of running light, and avoiding 3rd party as much as possible.

 

[HarborFront]

Many 3rd party applications leave left overs like this in the system, zam even portable as stated already leaves registry keys ect.

Those 3rd party removal tools do not remove everything from an application, they never have, and i have always found left overs after trying them, it is why i do not use them but search manually the system via file explorer/local C/search local disk and by regedit/edit/find while toggling F3 to jump from one found to the next.

After doing this, i take a manual tour of system 32 ect just to make sure.

Good example of why i keep preaching of running light, and avoiding 3rd party as much as possible.

There are some stubborn registry entries even Windows regedit cannot remove

 

[JB007]

Yes, I have just checked it and added those 2 files. They are persistent, when the drivers are running, once removed, files can be safely removed.

Spoiler: CODE

sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
del "%WINDIR%\ZAM.krnl.trace" /s /f /q
del "%WINDIR%\ZAM_Guard.krnl.trace" /s /f /q

Thanks+++ @TairikuOkami

 

[HarborFront]

Hello @TairikuOkami ,
I just see on my Home PC that I have the same problem that @Evjl's Rain here Q&A - Zemana dropped files with persistent files ZAM.krnl.trace & ZAM_Guard.krnl.trace in C:\windows folder
Is your code always good 1 year later ?

You can use Registry DeleteEx64 to remove stubborn registry entries

Delete Locked Registry Keys with Registry DeleteEx | NoVirusThanks

 

[illumination]

There are some stubborn registry entries even Windows regedit cannot remove

If you come across these, it is generally because you have missed something, somewhere else, or you need to restart the system and then you can remove them.

 

[HarborFront]

If you come across these, it is generally because you have missed something, somewhere else, or you need to restart the system and then you can remove them.

You go and try Dr Web's products and you'll see that many entries cannot be removed the conventional way like

1) using the default uninstaller or uninstall from Windows
2) using uninstallers like Revo in Advanced mode etc
3) using registry cleaners in Deep/Advanced mode
4) Windows regedit

You'll need special registry removal software like the Registry DeleteEx64 (or similar) I mentioned. Even then such software are good for removing a handful of stubborn registries. If there are many stubborn entries, like Dr Web's products, then either you forget about them or reformat your PC. I reformatted my tablet and never use Dr Web's products again

 

[illumination]

You go and try Dr Web's products and you'll see that many entries cannot be removed the conventional way like

1) using the default uninstaller or uninstall from Windows
2) using uninstallers like Revo in Advanced mode etc
3) using registry cleaners in Deep/Advanced mode
4) Windows regedit

You'll need special registry removal software like the Registry DeleteEx64 (or similar) I mentioned. Even then such software are good for removing a handful of stubborn registries. If there are many stubborn entries, like Dr Web's products, then either you forget about them or reformat your PC. I reformatted my tablet and never use Dr Web's products again

I have not run into ones i can not remove, but was agreeing some can be stubborn. If i did run into some i could not remove like that, i would not use some 3rd party application to rip/gut things out of the registry, i would simply wipe the system and start fresh.

 

[Azure]

Many 3rd party applications leave left overs like this in the system, even zam portable as stated already leaves registry keys ect.

Those 3rd party removal tools do not remove everything from an application, they never have, and i have always found left overs after trying them, it is why i do not use them but search manually the system via file explorer/local C/search local disk and by regedit/edit/find while toggling F3 to jump from one found to the next.

After doing this, i take a manual tour of system 32 ect just to make sure.

Good example of why i keep preaching of running light, and avoiding 3rd party as much as possible.

Even uninstallers with trace functionality?

 

[illumination]

Even uninstallers with trace functionality?

I have yet to see a perfect trace functionality or installation monitor, not to mention these applications come with their own set of issues.