Malwarebytes detected zamguard64.sys

[luckyblindshot]

Hey everyone, I'm new here so please bear with me and let me know what info you need.

I recently ran a Malwarebytes scan on my desktop PC. I haven't used it much in the past few months and it previously always came up clean, so I was surprised to see a detection pop up.

 

Upon visiting the location (C:\Windows\System32\drivers\zamguard64.sys) after quarantine, the file is still there. I have since gone into the Malwarebytes quarantine page and clicked "delete" for the file, but when I visited the file path the file is still there.

Also, when I look at my scan report summary, under action it says "Removal Failed."

I've done a little reading and it seems to be a file that's associated with Zemana anti-virus. I've never installed any of their products, so it doesn't make sense that it's on my computer. Further reading shows that it's a driver that can be exploited by bad actors, but I don't know how or how serious a detection this is. Some links mention a "Spyboy" virus?

Another thing that doesn't make sense is that the zamguard64.sys file appears to have been created in June 2018. Not sure if file creation date can be spoofed by malware, but it's curious because it's never come up in a scan until now.

I also found two files in C:\Windows called ZAM.krnl.trace and ZAM_Guard.krnl.trace which seem to be related. The first one was last modified in June of 2018, but the second one was modified today.

If you guys can help me understand what I'm dealing with here that'd be great. Thanks!

.

Edited November 20 by AdvancedSetup
Placed image inline

[AdvancedSetup]

Hello  and      @luckyblindshot

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

• Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
• Please follow all steps in the provided order and post back all requested logs.
• Please attach all log files to your post, unless otherwise requested.
• Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
• Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
• Before we start, please make sure that you have an external backup of all private data.
• Do not run online games while your case is ongoing. Do not do any free-wheeling of risky web-surfing.
• Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you unless requested.
• Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. 
  If there are any on the system you should uninstall them before we proceed.  
• If your system is running Discord, or P2P Torrent software, please be sure to Exit out of it while this case is on-going.

Do these two steps so that ALL Folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/
 

• Next, please restart Windows

• Please be patient and stick with me until I give you the "all clear" or otherwise indicate all is good

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system security.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 

 

[luckyblindshot]

I have completed the requested steps and included the Support Tool file.

mbst-grab-results.zip

[AdvancedSetup]

It was probably recently added due to recent bad actors adding software like this to do their dirty work.

Let me have you run the following, please

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.
CheckSecurity is a utility for quickly checking for the presence of vulnerable applications

• Temporarily disable Microsoft SmartScreen to download the software
• Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• If SmartScreen blocks the file from running click on More info and Run anyway
• This tool is safe.   Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck,  C:\SecurityCheck\SecurityCheck.txt

Items checked:

1. User Account Control (UAC).
2. Service pack.
3. IE version.
4. Automatic OS update. Sets of critical KB patches when updating is disabled.
5. Antivirus, firewall, other security utilities.
6. Versions of Java, Oracle Virtualbox.
7. Version of Adobe Flash Player, Adobe AIR.
8. Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
9. Versions of media players (iTunes, AIMP, foobar2000).
10. Versions of messengers (Skype, Pidgin).
11. Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
12. Versions of mail programs (The Bat, Thunderbird).
13. Checking running processes and security program services
14. Searching for installed Adware programs and optimizer programs (More than 5000).

Thank you

 

[luckyblindshot]

I have completed the requested steps and am includiSecurityCheck.txtng the requested file.

[luckyblindshot]

Formatting was strange in my last reply. Here it is again:

SecurityCheck.txt

[AdvancedSetup]

Please uninstall, update, or otherwise address the following as appropriate for your system

 

• 7-Zip 19.00 (x64) v.19.00 Warning! Download Update | Uninstall old version and install new one.
• Audacity 2.1.0 v.2.1.0 Warning! Download Update
• Discord v.0.0.309 Warning! Download Update
• Mozilla Firefox (x64 en-US) v.110.0 Warning! Download Update
• Notepad++ (32-bit x86) v.7.5.6 Warning! Download Update
• NVIDIA GeForce Experience 3.24.0.126 v.3.24.0.126 Warning! Download Update
• VLC media player v.3.0.7.1 Warning! Download Update

 

Then RESTART the computer and check for Windows Updates and install any found

 

 

[luckyblindshot]

Uninstalled:
7-zip
Audacity
Mozilla
Notepad++
VLC Media Player

Updated:
Discord
NVIDIA GeForce Experience
Windows Update

 

[luckyblindshot]

Out of curiosity, how are these updates relevant to my initial concern about the zamguard64.sys concern? Is it just to clean things up to make the diagnostic process easier?

[AdvancedSetup]

It's not directly related. As I said the addition was probably recent about Zamguard as bad actors have used it to do bad things. The logs don't indicate any obvious malware so I simply wanted to have you check and keep the system up to date as that's one way to help keep it safe.

 

[luckyblindshot]

Gotcha! Thanks for explaining.

A few more questions:

zamguard64.sys is still showing up in this file path: C:\Windows\System32\drivers\zamguard64.sys

Why is this the case if I ran the Malwarebytes scan, quarantined, and then selected "delete" from the quarantine page? How do I go about permanently removing this driver?

Also, more "zamguard" related files ZAM.krnl.trace and ZAM_Guard.krnl.trace are showing up in C:\Windows

Should I delete these and how do I go about doing it?

I am curious as to how these wound up on my computer given that I've never installed any Zemana software. Some people mentioned that it can be from "Malwarefox," but I never had that software either.

Let me know what the next steps I should be taking are.

[AdvancedSetup]

Oh, I was under the assumption that you wanted them.

You can manually remove them. If there is an issue removing them please let me know and I'll assist you

 

[luckyblindshot]

Sent them to the recycle bin and deleted them.

My main concern is that when I looked up zamguard64.sys people were saying that it's a trojan that exploits a driver from Zemana anti-virus to disable other anti-virus software and facilitate other infections. Someone on Reddit said it was a trojan that gives remote access to my computer.

Just trying to gauge what I'm dealing with here haha. Like I said, I've never had any Zemana software, so it doesn't make sense that it was on my computer. I figured this would mean it was likely of malicious origin.

Am I pretty much in the clear after deleting the driver and the other two ZAM files, then? Or are there other steps I should be taking?

[AdvancedSetup]

If Zemana drivers got on the system and you're sure you never installed any product that used them perhaps we should run a couple more scans just to be sure.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you