Assigned Uninstalling Zemana leaves Drivers behind?

This thread is being handled by a member of the staff.
Status
Not open for further replies.

Svoll

Level 13
Verified
Top poster
Well-known
Nov 17, 2016
629
I just tried uninstalling ZAL myself and its took me quite a while to narrow down where most of the left files are. Had to use 3 apps to help me somewhat remove most of them (autoruns, RevoUninstaller, and Everything). There are quite a few traces left in the registry.

In addition to what others can't remove, Everything found folders left in the syswow64 folder.

VRkE9GQ.png


Even deleting the keycrypt64, Event log still shows it tied with Wininit

LY2o9gE.png
 

WinXPert

Level 25
Verified
Helper
Top poster
Malware Hunter
Well-known
Jan 9, 2013
1,459
Manual deletion
  • Use everything, search for ZAM and Zemana and delete all folder/files found
  • Manually delete ZAM and Zemana on registry entries
 

TairikuOkami

Level 31
Verified
Top poster
Content Creator
Well-known
May 13, 2017
2,077
Code:
sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
 
Last edited:

KevinYu0504

Level 5
Verified
Well-known
Mar 10, 2017
229
Code:
sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q

Thanks for your provide the code ,
it's pretty useful !
 

JB007

Level 25
Verified
Top poster
Well-known
May 19, 2016
1,445
Code:
sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
Hello @TairikuOkami ,
I just see on my Home PC that I have the same problem that @Evjl's Rain here Q&A - Zemana dropped files with persistent files ZAM.krnl.trace & ZAM_Guard.krnl.trace in C:\windows folder :(
Is your code always good 1 year later ?
 

TairikuOkami

Level 31
Verified
Top poster
Content Creator
Well-known
May 13, 2017
2,077
Is your code always good 1 year later ?
Yes, I have just checked it and added those 2 files. They are persistent, when the drivers are running, once removed, files can be safely removed.
Code:
sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
del "%WINDIR%\ZAM.krnl.trace" /s /f /q
del "%WINDIR%\ZAM_Guard.krnl.trace" /s /f /q
 

KevinYu0504

Level 5
Verified
Well-known
Mar 10, 2017
229
Yes, I have just checked it and added those 2 files. They are persistent, when the drivers are running, once removed, files can be safely removed.
Code:
sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
del "%WINDIR%\ZAM.krnl.trace" /s /f /q
del "%WINDIR%\ZAM_Guard.krnl.trace" /s /f /q

Thanks ;)
 
  • Like
Reactions: JB007 and upnorth
I

illumination

Many 3rd party applications leave left overs like this in the system, even zam portable as stated already leaves registry keys ect.

Those 3rd party removal tools do not remove everything from an application, they never have, and i have always found left overs after trying them, it is why i do not use them but search manually the system via file explorer/local C/search local disk and by regedit/edit/find while toggling F3 to jump from one found to the next.

After doing this, i take a manual tour of system 32 ect just to make sure.

Good example of why i keep preaching of running light, and avoiding 3rd party as much as possible.
 
Last edited by a moderator:

HarborFront

Level 62
Verified
Top poster
Content Creator
Oct 9, 2016
5,100
Many 3rd party applications leave left overs like this in the system, zam even portable as stated already leaves registry keys ect.

Those 3rd party removal tools do not remove everything from an application, they never have, and i have always found left overs after trying them, it is why i do not use them but search manually the system via file explorer/local C/search local disk and by regedit/edit/find while toggling F3 to jump from one found to the next.

After doing this, i take a manual tour of system 32 ect just to make sure.

Good example of why i keep preaching of running light, and avoiding 3rd party as much as possible.
There are some stubborn registry entries even Windows regedit cannot remove
 

JB007

Level 25
Verified
Top poster
Well-known
May 19, 2016
1,445
Yes, I have just checked it and added those 2 files. They are persistent, when the drivers are running, once removed, files can be safely removed.
Code:
sc config ZAM start= disabled
sc config ZAM_Guard start= disabled
net stop ZAM /y
net stop ZAM_Guard /y
sc delete ZAM
sc delete ZAM_Guard
reg delete "HKCU\Software\Zemana" /f
reg delete "HKLM\Software\Zemana" /f
reg delete "HKLM\Software\ZmnGlobalSDK" /f
takeown /f "%WINDIR%\System32\drivers\zam64.sys" /a
icacls "%WINDIR%\System32\drivers\zam64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zam64.sys" /s /f /q
takeown /f "%WINDIR%\System32\drivers\zamguard64.sys" /a
icacls "%WINDIR%\System32\drivers\zamguard64.sys" /grant:r Administrators:F /c
del "%WINDIR%\System32\drivers\zamguard64.sys" /s /f /q
takeown /f "%ProgramFiles(x86)%\Zemana AntiMalware" /a /r /d y
icacls "%ProgramFiles(x86)%\Zemana AntiMalware" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\Zemana AntiMalware" /s /q
rd "%LocalAppData%\Zemana" /s /q
rd "%WINDIR%\SysWOW64\config\systemprofile\AppData\Local\Zemana" /s /q
del "%WINDIR%\ZAM.krnl.trace" /s /f /q
del "%WINDIR%\ZAM_Guard.krnl.trace" /s /f /q
Thanks+++ @TairikuOkami (y)
 

HarborFront

Level 62
Verified
Top poster
Content Creator
Oct 9, 2016
5,100
Last edited:

HarborFront

Level 62
Verified
Top poster
Content Creator
Oct 9, 2016
5,100
If you come across these, it is generally because you have missed something, somewhere else, or you need to restart the system and then you can remove them.
You go and try Dr Web's products and you'll see that many entries cannot be removed the conventional way like

1) using the default uninstaller or uninstall from Windows
2) using uninstallers like Revo in Advanced mode etc
3) using registry cleaners in Deep/Advanced mode
4) Windows regedit

You'll need special registry removal software like the Registry DeleteEx64 (or similar) I mentioned. Even then such software are good for removing a handful of stubborn registries. If there are many stubborn entries, like Dr Web's products, then either you forget about them or reformat your PC. I reformatted my tablet and never use Dr Web's products again
 
I

illumination

You go and try Dr Web's products and you'll see that many entries cannot be removed the conventional way like

1) using the default uninstaller or uninstall from Windows
2) using uninstallers like Revo in Advanced mode etc
3) using registry cleaners in Deep/Advanced mode
4) Windows regedit

You'll need special registry removal software like the Registry DeleteEx64 (or similar) I mentioned. Even then such software are good for removing a handful of stubborn registries. If there are many stubborn entries, like Dr Web's products, then either you forget about them or reformat your PC. I reformatted my tablet and never use Dr Web's products again
I have not run into ones i can not remove, but was agreeing some can be stubborn. If i did run into some i could not remove like that, i would not use some 3rd party application to rip/gut things out of the registry, i would simply wipe the system and start fresh.
 

Azure

Level 27
Verified
Top poster
Content Creator
Oct 23, 2014
1,620
Many 3rd party applications leave left overs like this in the system, even zam portable as stated already leaves registry keys ect.

Those 3rd party removal tools do not remove everything from an application, they never have, and i have always found left overs after trying them, it is why i do not use them but search manually the system via file explorer/local C/search local disk and by regedit/edit/find while toggling F3 to jump from one found to the next.

After doing this, i take a manual tour of system 32 ect just to make sure.

Good example of why i keep preaching of running light, and avoiding 3rd party as much as possible.
Even uninstallers with trace functionality?
 
Status
Not open for further replies.