Q&A Zemana dropped files

Discussion in 'Zemana' started by Evjl's Rain, Oct 14, 2016.

  1. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    #1 Evjl's Rain, Oct 14, 2016
    Last edited: Oct 14, 2016
    Build version:
    Hi, I have a problem with Zemana, both the installed and portable versions.

    I completely removed the installed version and just use the portable version. However, as soon as Zemana is executed, it immediately creates 2 files in C:\windows/system32/drivers/zamguard64.sys and zam64.sys
    A few minutes later, these 2 files will create new files ZAM.krnl.trace & ZAM_Guard.krnl.trace in the C:\windows folder.
    I completely closed Zemana portable and made sure that there was no process or service running in the background. I tried to delete all 4 files but I could only delete the last 2 trace files; the other 2 sys files couldn't be deleted. After 2 minutes, the 2 trace files were created again. Tried a second time, the result was still the same.
    Zemana portable is not running, so why are those 2 trace files continuously created after a few minutes? What are they doing to the system? What are they running in the background for when Zemana is not running? Is this malware-like behaviour the reason other AV vendors detected ZAM as malware?
    I noticed they did cause some battery drain and a bit of increased CPU usage due to my AV scanning those Zemana files.

    Also, it is hard to get rid of those files, as I had to use Autoruns to disable and delete the 2 sys files, still couldn't delete them -> reboot -> deleted successfully.
     
  2. shukla44

    shukla44 Level 10

    I have the portable version of Zemana & I have this too. :eek::eek:
    What is happening?
     
  3. askmark

    askmark Level 11

    Annoying isn't it? I've mentioned it in this post where everyone else was singing the praises of ZAM...

    FileHippo News: Zemana AntiMalware: Antivirus Software That Blocks The Threat Before It Occurs

    Plus a few posts down I mentioned the ZAM.trace file which actually upset Windows Defender on my machine.

    I had to manually delete all traces of the product and as a result nothing Zemana is going back on until I can trust them again.

    Thanks for posting the problem in more detail. I really couldn't be bothered as I was that angry :mad:
     
  4. shukla44

    #4 shukla44, Oct 14, 2016
    Last edited: Oct 14, 2016
    How did you manage to stop the trace file from being created in the Windows folder?

    I deleted the portable version, deleted the 2 driver files, deleted the autorun entries for 2 driver files. Is something left?

    NOTE: Will see after a reboot.
     
  5. askmark

    I think I deleted it after the drivers were deleted but I'm not 100% sure. I know I used Process Explorer's handle search to determine which process was holding the file open and killed it.
     
  6. Exterminator

    Exterminator Super Moderator
    Staff Member

    I know one winner from the Zemana Giveaway mentioned that the installer was flagged as a Trojan.
    Has anyone contacted Zemana or consulted @TwinHeadedEagle on this?
     
  7. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    #7 TwinHeadedEagle, Oct 15, 2016
    Last edited: Oct 15, 2016
    Upon execution Zemana is installing its drivers needed to get privileges in order to remove malware. Corresponding files are

    zam32.sys or zam64.sys and zamguard32.sys or zamguard64.sys

    These are called drivers and they run all the time even if you close ZAM. They also create ZAM trace files in order to log Zemana usage in case of some errors or problems, which we can later use to see what the issue was. Until you delete the driver files, they will keep recreating the trace files.

    Zemana also creates a %localappdata%\Zemana folder that you can also remove.

    As soon as you close Zemana you can first delete its drivers and then the trace files manually. I will talk with the developers about this; they can probably implement some cleanup after closing.

    Hoping it is now clear what these components are for.


    EDIT: To safely remove drivers, it is recommended to reboot your system first after running Zemana.
     
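A read-only check for the leftovers described in the post above, added here as an example (it is not from the thread or from Zemana). It uses only the file names given in the posts, discovers the driver service names rather than assuming them, and assumes a 64-bit PowerShell session on 64-bit Windows so that System32 is not redirected.

```powershell
# Read-only audit of the leftovers described in this thread; it changes nothing.
# File names are the ones named in the posts; service names are discovered, not assumed.
$driverFiles = 'zam32.sys', 'zam64.sys', 'zamguard32.sys', 'zamguard64.sys'
$traceFiles  = 'ZAM.krnl.trace', 'ZAM_Guard.krnl.trace'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# Every registered kernel / file-system driver service, loaded or not.
$allDrivers = Get-CimInstance -ClassName Win32_SystemDriver

$driverReport = foreach ($name in $driverFiles) {
    # Match the file name at the end of the image path, so that
    # zam64.sys does not also match zamguard64.sys.
    $rx  = '(?i)[\\/]' + [regex]::Escape($name) + '"?\s*$'
    $svc = @($allDrivers | Where-Object { $_.PathName -match $rx })
    [pscustomobject]@{
        File      = $name
        OnDisk    = Test-Path -LiteralPath (Join-Path $driverDir $name)
        Service   = $svc.Name -join ','
        State     = $svc.State -join ','       # Running = driver is still loaded
        StartMode = $svc.StartMode -join ','   # how the service is set to start
    }
}

$traceReport = foreach ($name in $traceFiles) {
    $item = Get-Item -LiteralPath (Join-Path $env:SystemRoot $name) -ErrorAction SilentlyContinue
    if ($item) {
        [pscustomobject]@{
            File            = $item.FullName
            SizeMB          = [math]::Round($item.Length / 1MB, 1)
            LastWriteTime   = $item.LastWriteTime
            # 10 minutes is an arbitrary window chosen for this example.
            RecentlyWritten = $item.LastWriteTime -gt (Get-Date).AddMinutes(-10)
        }
    }
}

# Per-user data folder mentioned in the post above.
$dataDir = Join-Path $env:LOCALAPPDATA 'Zemana'

$driverReport | Format-Table -AutoSize
$traceReport  | Format-Table -AutoSize
'{0} exists: {1}' -f $dataDir, (Test-Path -LiteralPath $dataDir)
```

A row with OnDisk True and State Running after the program has been closed corresponds to the behaviour reported in this thread, and a trace file with RecentlyWritten True shows it is still being written to.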
  8. askmark

    #8 askmark, Oct 15, 2016
    Last edited: Oct 15, 2016
    This is supposed to be the portable/standalone version of the product so shouldn't be leaving any trace after being closed.

    I wonder how many inexperienced computer users unknowingly and unwittingly now have these drivers active on their systems. And will do until they reinstall their OS :(

    On my system WD went crazy trying to continually scan the trace files until I made an exclusion.

    I think Zemana should post an uninstaller on their site and make their users aware on their blog or something.
     
  9. adnage19

    adnage19 Level 5

    I think the biggest problem is that after uninstalling the normal version of Zemana, there are still drivers and other stuff. The uninstaller doesn't care about it at all.
     
  10. ZeroTolerance

    ZeroTolerance Level 1

    Hi, as mentioned by @Exterminator, I'm one of the winners from the Zemana Giveaways. Upon installing, VoodooShield prompted Zemana AM as a trojan (false positive). So I immediately checked it on Process Explorer and they flagged zam.exe as a trojan.

    @TwinHeadedEagle Can I delete these drivers in regedit? Or how do I delete these drivers? Newbie here. :)

    Thanks
     
  11. TwinHeadedEagle

    You can use Autoruns to delete them. But first reboot your system after running Zemana portable.
     
  12. Malakke

    Malakke Level 4

    This is no good for Zemana. I had several problems deleting those files. Finally, with Autoruns and booting in secure mode, I was able to delete them, but it was not easy. Also, I've found (thanks to Autoruns) that Zemana Antilogger dropped another .sys file that the uninstaller did not remove. I'm waiting for a real uninstaller and some explanations about it.
     
  13. LabZero

    LabZero Guest

    Zemana portable by its nature can not be like a normal/simple portable app.
    As already mentioned, in normal situations it is advisable to use and maintain the installable version.
     
  14. askmark

    #14 askmark, Oct 15, 2016
    Last edited: Oct 15, 2016
    I agree but it's not obvious to everyone it's not like a normal/simple portable app.

    I personally when testing new software will always choose to download the portable version if one is available. I run the program to see if it's any good and then either keep or delete it. I don't however expect any portable software to leave drivers active on my system permanently.

    Zemana needs to either remove their drivers on exit or provide an uninstaller.
     
  15. LabZero


    Sure, agree on that ;)
     
  16. Berny

    Berny Level 2

    JV16 PowerTools X + Reboot did a perfect job here ...
     
  17. askmark

    I'm sure it did, but it shouldn't be necessary for anyone to have to use third party tools or in my case the command line to remove files that shouldn't be there in the first place.
     
  18. Berny

    I agree ...
     
  19. Evjl's Rain

    This problem has still not been solved. Trace files are still being created frequently.
    Other problems:
    - ZAL still causes a problem with the typing/proofing tool for typing in my language after standby for 30 minutes. Reported a long, long time ago, was confirmed by Zemana by email but not fixed in the most recent version
    - a trace file created by the free portable version after running a smart scan and a manual C: scan = ~102Mb
    - 2 trace files created by 2 ZAM drivers in the portable version
     
  20. TwinHeadedEagle

    I think I already explained the purpose of trace files. They log Zemana activity and help us solve the bugs. They will always be there. What we can do is to move them to some non-visible location.
     