How to remove Zacurama.exe
A few days ago I noticed autorun.inf on a USB drive that I inserted into my computer. When I tried to delete it, it was being used by another application. I concluded then that a worm must have gotten into my computer. I killed explorer.exe (which appears in the Task Manager as "Explorer.Exe"); after that, I was able to delete the autorun.inf.
However, I noticed this morning that the autorun.inf kept coming back even after I had cleaned the USB disk. After updating my Avast and Malwarebytes, I scanned my computer and both programs found no threat, but I know something is wrong.
After doing some manual investigation on the infected drive, I discovered that the autorun.inf is launching a worm named zacurama.exe. After discovering where Zacurama.exe was hiding, I followed these steps.
- Kill explorer.exe in the Task Manager. I suggest you use task killer (download it from here) to do it; it will also start a fresh copy of explorer.exe without the worm.
- From the My Computer window, right-click the infected drive and select Explore. (Read: How to Prevent Autorun.inf From Running)
- If you can see autorun.inf, delete it. If you cannot see it, follow the next steps. If you cannot delete the autorun.inf, go back to the first step.
- From the main menu select Tools -> Folder Options
- Click on the View tab
- Under Advanced settings, select Show hidden files and folders
- Uncheck Hide protected operating system files. Click Yes on the confirmation message that pops up
- Click Apply
- You can now see a hidden folder named NOKTE. Delete it right away.
- If you were not able to see autorun.inf before, you should be able to see it now and you can delete it.
- If you open the NOKTE folder, you will see Zacurama.exe there. However, if file extensions (e.g. .exe) are hidden on your computer, it will look like a folder, which is a common ploy worms use to entice curious users to double-click it. DO NOT DOUBLE-CLICK Zacurama.exe.
- Delete Zacurama.exe.
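The manual check of what autorun.inf launches can also be done without opening the drive in Explorer. The following is an added example, not part of the original post: it reads the text of an autorun.inf and lists the programs its `[autorun]` section would start. The sample file content is constructed for illustration (only the NOKTE\Zacurama.exe path comes from the post), and the function names are hypothetical.

```python
import ntpath
import re

# Keys in the [autorun] section that cause a program to be started.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def launch_targets(text):
    """Return [(key, command)] for each [autorun] entry that starts a program."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other section, or a junk/filler line
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            targets.append((key.lower(), value))
    return targets

def executable_paths(targets):
    """De-duplicated program paths named by the launch entries."""
    paths = []
    for _, command in targets:
        # First token of the command; an unquoted path containing spaces
        # is cut at the first space.
        m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
        if not m:
            continue
        exe = ntpath.normpath(m.group(1) or m.group(2))
        if exe.lower() not in (p.lower() for p in paths):
            paths.append(exe)
    return paths

# Constructed sample, not recovered from the worm described in the post.
SAMPLE = r"""
; constructed sample
[AutoRun]
kjsdf8923 random filler
open=NOKTE\Zacurama.exe
shell\open\command=NOKTE\Zacurama.exe
shell\explore\command="NOKTE\Zacurama.exe" /e
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for path in executable_paths(launch_targets(SAMPLE)):
        print("autorun.inf launches:", path)
```

Each path is relative to the root of the drive that holds the autorun.inf, so it points at the file and folder to delete.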
As of this time, I am submitting a sample of the worm to Malwarebytes.
Originally posted at http://tekbytes.blogspot.com