Q&A Zemana dropped files

Evjl's Rain

Level 38
Content Creator
AV-Tester
Verified
Joined
Apr 18, 2016
Messages
2,720
OS
Windows 8.1
Antivirus
Avast
#1
Hi, I have a problem with Zemana, both the installed and portable versions.

I completely removed the installed version and just use the portable version. However, as soon as Zemana is executed, it immediately creates 2 files: C:\windows\system32\drivers\zamguard64.sys and zam64.sys.
A few minutes later, these 2 files will create new files, ZAM.krnl.trace & ZAM_Guard.krnl.trace, in the C:\windows folder.
I completely closed Zemana portable and made sure that there was no process or service running in the background. I tried to delete all 4 files, but I could only delete the last 2 trace files; the other 2 sys files couldn't be deleted. After 2 minutes, the 2 trace files were created again. I tried a second time and the result was still the same.
Zemana portable is not running, so why are those 2 trace files continuously created after a few minutes? What are they doing to the system? What are they running in the background to do when Zemana is not running? Is this malware-like behaviour the reason other AV vendors detected ZAM as malware?
I noticed they did cause some battery drain and slightly increased CPU usage due to my AV scanning those Zemana files.

Also, it is hard to get rid of those files, as I had to use Autoruns to disable and delete the 2 sys files, still couldn't delete them -> reboot -> deleted successfully.
 

askmark

Level 12
Verified
Joined
Aug 31, 2016
Messages
560
OS
Windows 10
Antivirus
Default-Deny
#3
Annoying isn't it? I've mentioned it in this post where everyone else was singing the praises of ZAM...

FileHippo News: Zemana AntiMalware: Antivirus Software That Blocks The Threat Before It Occurs

Plus a few posts down I mentioned the ZAM.trace file which actually upset Windows Defender on my machine.

I had to manually delete all traces of the product and as a result nothing Zemana is going back on until I can trust them again.

Thanks for posting the problem in more detail. I really couldn't be bothered as I was that angry :mad:
 
Joined
Jan 14, 2016
Messages
479
OS
Windows 7
Antivirus
Kaspersky
#4
Annoying isn't it? I've mentioned it in this post where everyone else was singing the praises of ZAM...

FileHippo News: Zemana AntiMalware: Antivirus Software That Blocks The Threat Before It Occurs

Plus a few posts down I mentioned the ZAM.trace file which actually upset Windows Defender on my machine.

I had to manually delete all traces of the product and as a result nothing Zemana is going back on until I can trust them again.

Thanks for posting the problem in more detail. I really couldn't be bothered as I was that angry :mad:
How did you manage to stop the trace file from being created in Windows folder?

I deleted the portable version, deleted the 2 driver files, deleted the autorun entries for 2 driver files. Is something left?

NOTE: Will see after a reboot.
 

askmark

#5
How did you manage to stop the trace file from being created in Windows folder?

I deleted the portable version, deleted the 2 driver files, deleted the autorun entries for 2 driver files. Is something left?
I think I deleted it after the drivers were deleted but I'm not 100% sure. I know I used Process Explorer's handle search to determine which process was holding the file open and killed it.
 

TwinHeadedEagle

Removal Expert
MalwareTips Staff
Verified
Joined
Mar 8, 2013
Messages
22,359
OS
Windows 10
Antivirus
ESET
#7
Upon execution Zemana is installing its drivers needed to get privileges in order to remove malware. Corresponding files are

zam32.sys or zam64.sys and zamguard32.sys or zamguard64.sys

These are called drivers and they run all the time, even if you close ZAM. They also create ZAM trace files in order to log Zemana usage in case of some errors or problems, which we can later use to see what the issue was. Until you delete the driver files, they will keep recreating trace files.

Zemana also creates %localappdata%\Zemana folder that you can also remove.

As soon as you close Zemana you can delete first its drivers and then trace files manually. I will talk with developers about this, they can probably implement some cleanup after closing.

Hoping it is now clear what these components are for.


EDIT: To safely remove drivers, it is recommended to reboot your system first after running Zemana.
 
Last edited:
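A read-only check for the leftovers named in the post above, as an added example that is not part of the thread and is not Zemana's own tooling. The file names and locations are the ones given in this thread; the service names are not given here, so the script matches driver services by image path instead, and it assumes an elevated PowerShell prompt.

```powershell
# Added example: read-only inventory of the leftovers named in this thread.
# Nothing is deleted or stopped. Run from an elevated PowerShell prompt.
$driverNames = 'zam32.sys', 'zam64.sys', 'zamguard32.sys', 'zamguard64.sys'
$traceNames  = 'ZAM.krnl.trace', 'ZAM_Guard.krnl.trace'
$driverDir   = Join-Path $env:windir 'System32\drivers'

# 1. Driver files on disk, with their Authenticode status and signer,
#    so a file that merely reuses one of these names stands out.
$driverFiles = foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 2. Kernel driver services whose image path ends in one of those file names.
#    The thread does not give the service names, so match on the path instead.
$escaped  = $driverNames | ForEach-Object { [regex]::Escape($_) }
$pattern  = '\\(' + ($escaped -join '|') + ')$'
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Trace files in the Windows folder and the per-user Zemana folder.
$traces = foreach ($name in $traceNames) {
    Get-Item -LiteralPath (Join-Path $env:windir $name) -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
$userDir = Join-Path $env:LOCALAPPDATA 'Zemana'

'--- driver files ---';    $driverFiles | Format-Table -AutoSize
'--- driver services ---'; $services    | Format-Table -AutoSize
'--- trace files ---';     $traces      | Format-Table -AutoSize
"--- $userDir present: $(Test-Path -LiteralPath $userDir) ---"
```

A service listed as Running while no Zemana process is open, together with a trace file whose LastWriteTime keeps advancing, corresponds to the behaviour reported in this thread.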

askmark

#8
As soon as you close Zemana you can delete first its drivers and then trace files manually. I will talk with developers about this, they can probably implement some cleanup after closing.
This is supposed to be the portable/standalone version of the product, so it shouldn't be leaving any trace after being closed.

I wonder how many inexperienced computer users unknowingly and unwittingly now have these drivers active on their systems. And will do until they reinstall their OS :(

On my system WD went crazy trying to continually scan the trace files until I made an exclusion.

I think Zemana should post an uninstaller on their site and make their users aware on their blog or something.
 
Joined
Sep 22, 2016
Messages
211
OS
Windows 10
Antivirus
Emsisoft
#9
Upon execution Zemana is installing its drivers needed to get privileges in order to remove malware. Corresponding files are

zam32.sys or zam64.sys and zamguard32.sys or zamguard64.sys

These are called drivers and they run all the time, even if you close ZAM. They also create ZAM trace files in order to log Zemana usage in case of some errors or problems, which we can later use to see what the issue was. Until you delete the driver files, they will keep recreating trace files.

Zemana also creates %localappdata%\Zemana folder that you can also remove.

As soon as you close Zemana you can delete first its drivers and then trace files manually. I will talk with developers about this, they can probably implement some cleanup after closing.

Hoping it is now clear what these components are for.


EDIT: To safely remove drivers, it is recommended to reboot your system first after running Zemana.
I think the biggest problem is that after uninstalling the normal version of Zemana, there are still drivers and other stuff left. The uninstaller doesn't care about it at all.
 
Joined
Sep 24, 2016
Messages
21
OS
Windows 10
Antivirus
Microsoft
#10
Hi, as mentioned by @Exterminator, I'm one of the winners from the Zemana Giveaways. Upon installing, VoodooShield flagged Zemana AM as a trojan (false positive). So I immediately checked it in Process Explorer and they flagged zam.exe as a trojan.

@TwinHeadedEagle Can I delete these drivers in regedit? Or how do I delete these drivers? Newbie here. :)

Thanks
 
Joined
Jan 29, 2013
Messages
195
#12
This is no good for Zemana. I had several problems deleting those files. Finally, with Autoruns and booting in secure mode, I was able to delete them, but it was not easy. Also, I've found (thanks to Autoruns) that Zemana Antilogger dropped another .sys file that the uninstaller did not remove. I am waiting for a real uninstaller and some explanations about it.
 

askmark

#14
Zemana portable by its nature can not be like a normal/simple portable app.
As already mentioned, in normal situations it is advisable to use and maintain the installable version.
I agree but it's not obvious to everyone it's not like a normal/simple portable app.

I personally when testing new software will always choose to download the portable version if one is available. I run the program to see if it's any good and then either keep or delete it. I don't however expect any portable software to leave drivers active on my system permanently.

Zemana needs to either remove their drivers on exit or provide an uninstaller.
 

LabZero

Guest
#15
I agree but it's not obvious to everyone it's not like a normal/simple portable app.

I personally when testing new software will always choose to download the portable version if one is available. I run the program to see if it's any good and then either keep or delete it. I don't however expect any portable software to leave drivers active on my system permanently.

Zemana needs to either remove their drivers on exit or provide an uninstaller.
Sure, agree on that ;)
 

Evjl's Rain

#19
This problem has still not been solved. Trace files are still being created frequently.
Other problems:
- ZAL still causes problems with the typing/proofing tool for typing in my language after standby for 30 minutes. Reported a long, long time ago; it was confirmed by Zemana by email but not fixed in the most recent version
- a trace file created by the free portable version after running a smart scan and a manual C: scan = ~102Mb
- 2 trace files created by the 2 ZAM drivers in the portable version
 

TwinHeadedEagle

#20
I think I already explained the purpose of trace files. They log Zemana activity and help us solve the bugs. They will always be there. What we can do is to move them to some non-visible location.
 
