To remove the trojan from your computer, follow these steps:
- The first thing to do is empty your Temp folder, where this trojan may be stored under different names such as 604.exe. Open the Run prompt, type %temp% and delete all the executable files in that folder.
- Now you have to delete the actual sysdate.exe file. You will have to delete it manually from the RECYCLER folder, but that folder has the hidden and system attributes set, so it is not visible when you browse the C: drive. Run the attrib command with the parameters -r -h -s to clear those attributes (-r: Read-only, -h: Hidden, -s: System).
To do this, open the command prompt and type the following command.
attrib -r -h -s C:\RECYCLER
You also have to repeat this step for the folder under RECYCLER that actually contains sysdate.exe. Execute the following command:
attrib -r -h -s C:\RECYCLER\S-1-5-21-832453443-4443154761-431384085-6428
The folder name may vary, because the trojan may be stored in a folder with a different name.
- To actually delete sysdate.exe, you first have to kill the explorer.exe process from Task Manager. Press Ctrl+Alt+Del, select the explorer.exe process on the Processes tab and press the Delete key or click End Process. Then, in Task Manager, open the File menu, select New Task, click Browse, navigate to the folder under RECYCLER that contains sysdate.exe and Shift+Delete it. Delete the RECYCLER folder as well; Windows recreates it automatically, so there is no risk in deleting it.
- Now, in the New Task dialog of Task Manager, type regedit and navigate to the following key
Then, in the right-hand pane, delete the Taskman value. Press F5 to check whether it reappears. If it does not, you have successfully removed the trojan.
- Now navigate to the following registry key.
Modify the Shell value by removing everything that follows explorer.exe.
- Finally, in the New Task dialog of Task Manager, type explorer to restart the Explorer process; your system should now be free of the trojan.
The attrib steps can be skipped if you dual-boot another OS: just mount the Windows partition from there and delete the files under the RECYCLER folder directly.
Note: Before opening an external drive, it is always recommended to open it from the command prompt first and delete the autorun.inf file from it, so that the drive cannot launch the trojan automatically when it is opened in Explorer.
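The checks above can be scripted so that every location this guide touches is audited in one pass before anything is deleted. The following PowerShell script is an added example and is not part of the original post; it does the same work from an elevated PowerShell prompt instead of cmd and Task Manager. It assumes that the per-user folders under RECYCLER are named like SIDs (the pattern is derived from the folder name shown above), that removable drives are the ones to check for autorun.inf, and, since the post does not name the registry keys it edits, that the Shell and Taskman values live under the standard Winlogon key given as the default parameter. By default it only reports; pass -Remove to clean up.

```powershell
<#
  Added example, not from the original post: audit (and optionally clean)
  the locations the guide walks through. Default is report-only.
  Assumption: the default -WinlogonKey is the standard Winlogon key that
  holds the Shell and Taskman values; the post itself does not name it.
#>
param(
    [switch]$Remove,
    [string]$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

$sidPattern = '^S-1-5-21(-\d+){3,4}$'   # per-user folder names under RECYCLER look like SIDs
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Path) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path })
}

# 1. Hidden+system, SID-named folders under <drive>:\RECYCLER that hold sysdate.exe
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (-not (Test-Path -LiteralPath $recycler)) { continue }
    Get-ChildItem -LiteralPath $recycler -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $sidPattern } |
        ForEach-Object {
            $candidate = Join-Path $_.FullName 'sysdate.exe'
            if (Test-Path -LiteralPath $candidate) { Add-Finding 'File' $candidate }
        }
}

# 2. Executables dropped into %TEMP% under random names (the post cites 604.exe)
Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName }

# 3. Winlogon: Shell must be exactly "explorer.exe"; a Taskman value should not exist at all
$wl = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
if ($wl) {
    if ($wl.Shell -and $wl.Shell.Trim() -ne 'explorer.exe') { Add-Finding 'Shell'   $wl.Shell }
    if ($wl.PSObject.Properties['Taskman'])                 { Add-Finding 'Taskman' $wl.Taskman }
}

# 4. autorun.inf on removable drives (DriveType 2), which would relaunch the dropper
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $autorun = "$($_.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $autorun) { Add-Finding 'File' $autorun }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators found.'; return }
$findings | Format-Table -AutoSize | Out-String | Write-Output

if (-not $Remove) { Write-Output 'Report-only mode; re-run with -Remove to clean up.'; return }

foreach ($f in $findings) {
    switch ($f.Kind) {
        'File' {
            # Same effect as "attrib -r -h -s" followed by a forced delete; stop a running copy first
            Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $f.Path } | Stop-Process -Force
            Set-ItemProperty -LiteralPath $f.Path -Name Attributes -Value ([IO.FileAttributes]::Normal)
            Remove-Item -LiteralPath $f.Path -Force
        }
        'Shell'   { Set-ItemProperty    -Path $WinlogonKey -Name Shell -Value 'explorer.exe' }
        'Taskman' { Remove-ItemProperty -Path $WinlogonKey -Name Taskman }
    }
    Write-Output "Cleaned: $($f.Kind) $($f.Path)"
}
```

Run it once without arguments and read the findings table before running it again with -Remove. If Remove-Item reports that sysdate.exe is in use, stop explorer.exe as described in the steps above and re-run; the script deliberately does not kill Explorer on its own. As with the manual steps, press F5 in regedit afterwards (or re-run the script) to confirm the Taskman value has not come back.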