
How to Remove Zacurama.exe



A few days ago I noticed an autorun.inf on a USB drive that I had inserted in my computer. When I tried to delete it, Windows reported that it was being used by another application. I concluded that a worm must have gotten into my computer. I killed explorer.exe (which appears in Task Manager as "Explorer.Exe"); after that, I was able to delete the autorun.inf.

However, I noticed this morning that the autorun.inf kept coming back even after I had cleaned the USB disk. After updating my Avast and Malwarebytes, I scanned my computer and both programs found no threat, but I knew something was wrong.



After doing some manual investigation of the infected drive, I discovered that the autorun.inf was launching a worm named zacurama.exe. After discovering where Zacurama.exe was hiding, I did the following steps.
  1. Kill explorer.exe in Task Manager. I suggest you use a task killer tool to do it (the original post linked one here); it will also start a fresh copy of explorer.exe without the worm.
  2. From the My Computer window, right-click the infected drive and select Explore. Do not double-click the drive: double-clicking runs the default action that an autorun.inf can define (its shell\open\command entry), which is exactly how a worm like this one gets launched. (Read: How to Prevent Autorun.inf From Running)
  3. If you can see autorun.inf, delete it. If you cannot see it, continue with the next steps. If you can see it but cannot delete it because it is "in use", go back to step 1.
  4. From the main menu select Tools -> Folder Options.
  5. Click on the View tab.
  6. Under Advanced settings, select Show hidden files and folders.
  7. Un-check Hide protected operating system files and click Yes on the confirmation message that pops up. This step is needed because the worm marks its folder with both the Hidden and the System attribute, and Explorer keeps System files out of sight even when hidden files are shown.
  8. Click Apply.
  9. You should now see a hidden folder named NOKTE. Delete it right away.
  10. If you were not able to see autorun.inf before, you should be able to see it now; delete it.
If you want to see zacurama.exe itself, follow these steps. WARNING: be extremely careful here, you might run the worm accidentally.
  1. Open the NOKTE folder; you will see Zacurama.exe in it. If file extensions are hidden on your computer (the "Hide extensions for known file types" option), it will appear to be a folder, because the file carries a folder icon. This is a common ploy of worms to entice a curious user into double-clicking it. DO NOT DOUBLE-CLICK Zacurama.exe.
  2. Delete Zacurama.exe.
After following these steps, your system should be free of the worm. One caveat: if autorun.inf or the NOKTE folder shows up again after a reboot, or reappears on a drive you have just cleaned, the worm is still resident on the computer and not only on the USB drive, and cleaning the drive alone is not enough. Repeat the steps in Safe Mode and scan the computer again with an up-to-date antimalware tool.
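The manual investigation of the drive (reading autorun.inf to see what it launches, then checking which of those items are hidden with the System attribute) can be scripted instead of clicked through. The following is an added example written for this page, not code from the original post. The sample autorun.inf embedded in it is constructed to match the description above (a hidden NOKTE folder holding Zacurama.exe); the real file's contents were never shown, so the key names it uses are only the standard autorun.inf keys, not a claim about this worm.

```python
"""Inspect a removable drive's autorun.inf and report what it would launch.

Added example, not code from the original post. SAMPLE_AUTORUN is a
constructed file in the style the post describes (a hidden NOKTE folder
holding Zacurama.exe); the real worm's autorun.inf was not shown.
"""
import os
import stat
import sys
from typing import Dict, List, Tuple

# [autorun] keys that make Windows run, or point at, a program. The
# shell\<verb>\command entries are matched separately because the verb varies.
EXEC_KEYS = ("open", "shellexecute")

SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not the real file
open=NOKTE\Zacurama.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=NOKTE\Zacurama.exe
shell\explore\command=NOKTE\Zacurama.exe
action=Open folder to view files
"""


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from every [autorun*] section, in file order.

    Hand-rolled instead of configparser: worm-written files often carry
    duplicate keys, junk padding lines and keys containing backslashes,
    which configparser rejects or mangles. Keys are lower-cased, values kept.
    """
    entries: List[Tuple[str, str]] = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # drop a UTF-8 BOM on the first line
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # [autorun], [AutoRun.Amd64] and similar all count; other sections do not.
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip().lower(), value.strip()))
    return entries


def first_token(cmdline: str) -> str:
    """The program part of a command line: a quoted path, else the first word."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def launch_targets(entries: List[Tuple[str, str]]) -> List[str]:
    """Distinct programs the file would run via open=, shellexecute= or
    shell\\<verb>\\command=, in the order they appear."""
    targets: List[str] = []
    for key, value in entries:
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            target = first_token(value)
            if target and target not in targets:
                targets.append(target)
    return targets


def is_hidden_system(path: str) -> bool:
    """True on Windows when both the HIDDEN and the SYSTEM attribute are set,
    which is why step 7 above (show protected operating system files) is
    needed. Always False elsewhere, where st_file_attributes does not exist."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & mask == mask


def inspect_drive(root: str) -> Dict[str, Dict[str, object]]:
    """Map each launch target in <root>\\autorun.inf to whether it exists and
    whether it, or its folder, is hidden+system. Read-only: nothing is run."""
    inf = os.path.join(root, "autorun.inf")
    report: Dict[str, Dict[str, object]] = {}
    if not os.path.isfile(inf):
        return report
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for target in launch_targets(entries):
        full = os.path.join(root, *target.replace("/", "\\").split("\\"))
        folder = os.path.dirname(full)
        report[target] = {
            "exists": os.path.exists(full),
            "hidden_system": os.path.exists(full) and is_hidden_system(full),
            "folder_hidden_system": os.path.isdir(folder) and is_hidden_system(folder),
        }
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python autorun_check.py E:\
        for target, info in inspect_drive(sys.argv[1]).items():
            print(target, info)
    else:
        print(launch_targets(parse_autorun(SAMPLE_AUTORUN)))
```

Run it against the drive letter rather than double-clicking the drive; it only reads the file and stat()s the targets, so the worm is never executed. A target that exists, sits in a hidden+system folder and is named in both open= and shell\open\command= is the pattern described in the steps above.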
At the time of writing, I am submitting a sample of the worm to Malwarebytes.

Originally posted at http://tekbytes.blogspot.com
under: malware, worm, zacurama.exe



8 comments:

  1. Errata:
    I originally typed NOTKE as the name of the folder that contains zacurama.exe by mistake. The correct folder name is NOKTE.

    The correction has already been applied.
  2. Thank you so much, I was able to remove the worm.
    It keeps on coming back, but after following your instructions I was able to get rid of it.

    Thanks again for this.

    I hope you will make more of these helpful tips on how to remove viruses, worms, etc.

    But there is still something bothering me: a folder named SVJETLA with an exe file named grada.exe keeps coming up even after I delete it. I think it's a virus; when I scan it with an antivirus, it cannot detect the virus. If you can help me with this, please email me or just post a comment here. My email is vonnes_vault99@yahoo.com

    Thanks for your time. ^^
  3. Thanks for the comment, vonne. Probably you have another new worm (grada.exe) on your computer, and I haven't encountered that one yet. I wish I could get my hands on it.

    Worms have similarities even though the names are different, so can you follow the instructions here but delete the SVJETLA folder? If it still persists, try doing it in Safe Mode.

    Meanwhile I'll see what I can find in the forums.

    Thanks again.
  4. Hello, it's me again, vonne. I had already done the deleting process, but it still keeps on coming back. I haven't told you that this folder is not on the local disk C but on all of my USB flash drives and my external hard disk. I still don't know what virus keeps this grada.exe popping out on my flash drives every time I delete it. I'm bothered because it destroyed the software on one of my external hard disks, so I was not able to open the disk and had no choice but to format it, deleting all the important files on it.

    But I found another suspicious exe file, wuauclt.exe. I researched it on the internet and it said that it's Windows Update, but every time I delete the process, it also keeps on coming back. Maybe this virus has a tree of processes; I'm still trying to figure out how to remove this tricky virus.

    I was also not able to tell you that every time Windows starts, Internet Explorer always automatically opens a site related to medicine. I just can't remember the site because I always close it immediately every time it opens.

    I hope you can help me remove this virus.
    Thanks anyway.
  5. Vonne,
    Thanks for visiting again. I'm still not sure what virus/malware got into your external drives, but you can check this link:

    http://tekbytes.blogspot.com/2010/07/how-to-prevent-autorun-from-running.html

    or go to my search tool and enter the keyword autorun to view my other posts regarding autorun. They might help prevent the malware from getting into your computer again, or help you access drives that you cannot open because of a worm or virus.

    I'll be sending you an email as well with some questions and suggestions.
  6. tekbytes,

    It's me, vonne.
    I have already removed the malware. I visited some anti-malware scanner sites and decided to use Prevx 3.0, but it seems expensive to use, so I tried the malware scanner from the Microsoft site instead and it was able to detect and remove the malware/virus.

    Thanks for your time.
  7. tekbytes

    Thank you so much for your helpful info. I actually had this NOKTE folder plus another one named kurcina (something like that). Now I'm trying to understand: if I need to create a folder named autorun.inf in order to prevent them from popping up again, does that mean that the worm is still there somewhere? Is there a way to get rid of the worm so that I don't need the autorun folder to just be there? Also, I read on your page about disabling autorun that once it runs, the worm gets into the rest of the drives. Is there a way to check this? Since obviously I have already run this file.
  8. Yes, there are ways to check if the worm is running on your system. Unfortunately, different worms behave differently. But one common thing about these worms is that they disable the task explorer. Press Ctrl-Alt-Delete; if the task explorer will not come up, most likely you have a worm.

    Another thing is, worms are hidden in hidden folders. If you can set your folder options to show hidden folders, you'll be able to see them. If your folder menu does not have the Folder Options entry, then most likely it was again disabled by the worm.

    Download Malwarebytes or Spybot Search and Destroy to make sure. :)
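The check described in the comment above (Task Manager or Folder Options disabled, hidden folders not displayed) can be read from the current user's registry instead of by clicking around. This is an added example for this page, not code from the post or from the commenter. The registry paths and value names are the standard Windows locations for these policy and Explorer view settings; that a given worm flips them is the commenter's generalisation about autorun worms, not a documented fact about Zacurama, and a worm may also set the same policies under HKEY_LOCAL_MACHINE, which this script does not read.

```python
"""Report Windows policy and Explorer settings that autorun worms commonly flip.

Added example, not code from the post or its comments. The paths below are
the standard HKEY_CURRENT_USER locations for these settings; whether a
specific worm touches them is the commenter's generalisation.
"""
from typing import Dict, List, Optional, Tuple

HKCU_POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKCU_POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU_EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Policy values that are normally absent on a home machine; a value of 1 takes
# away the tool the comment says the worm takes away from you.
LOCKDOWN_POLICIES: List[Tuple[str, str, str]] = [
    (HKCU_POLICY_SYSTEM, "DisableTaskMgr", "Task Manager is disabled"),
    (HKCU_POLICY_SYSTEM, "DisableRegistryTools", "Registry Editor is disabled"),
    (HKCU_POLICY_EXPLORER, "NoFolderOptions", "Folder Options is removed from Explorer"),
]

# Explorer view settings and the value that lets you see what the worm hides.
# These are ordinary defaults, not proof of infection, but they must be fixed
# before the manual clean-up steps in the post can work.
VISIBILITY_SETTINGS: List[Tuple[str, str, int, str]] = [
    (HKCU_EXPLORER_ADVANCED, "Hidden", 1, "hidden files and folders are not shown"),
    (HKCU_EXPLORER_ADVANCED, "ShowSuperHidden", 1, "protected operating system files are not shown"),
    (HKCU_EXPLORER_ADVANCED, "HideFileExt", 0, "extensions are hidden, so an .exe can pose as a folder"),
]

Values = Dict[Tuple[str, str], Optional[int]]


def assess(values: Values) -> Dict[str, List[str]]:
    """Turn a (path, name) -> value map into findings. A missing value is None.

    lockdown:   policies set to 1 (the tell-tale the comment describes)
    visibility: view settings that differ from the value needed to see the worm
    """
    lockdown = [msg for path, name, msg in LOCKDOWN_POLICIES
                if values.get((path, name)) == 1]
    visibility = [msg for path, name, good, msg in VISIBILITY_SETTINGS
                  if values.get((path, name)) != good]
    return {"lockdown": lockdown, "visibility": visibility}


def read_current_user() -> Optional[Values]:
    """Read every value above from HKEY_CURRENT_USER; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    wanted = [(p, n) for p, n, _m in LOCKDOWN_POLICIES]
    wanted += [(p, n) for p, n, _g, _m in VISIBILITY_SETTINGS]
    result: Values = {}
    for path, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                data, _kind = winreg.QueryValueEx(key, name)
                result[(path, name)] = int(data) if isinstance(data, int) else None
        except OSError:  # key or value absent: the normal, untouched state
            result[(path, name)] = None
    return result


if __name__ == "__main__":
    current = read_current_user()
    if current is None:
        print("not running on Windows; nothing to read")
    else:
        for kind, findings in assess(current).items():
            for finding in findings:
                print(f"{kind}: {finding}")
```

Anything listed under lockdown is worth treating as the sign the comment describes; anything under visibility is simply what has to be changed (steps 4 to 8 of the post) before the hidden folder becomes visible in Explorer.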