Backdoor.Korplug.D is a Trojan that opens a back door on the computers it infects. It creates the following files on an infected system:
- %AllUsersProfile%\DRM\emproxy\RasTls.dll
- %AllUsersProfile%\DRM\emproxy\RasTls.exe
- %AllUsersProfile%\DRM\emproxy\talztocitchx
This layout of an executable, a DLL named after a library the executable loads, and a third file with a meaningless name is the side-loading arrangement the Korplug (also called PlugX) family is known for: RasTls.exe loads RasTls.dll from its own directory, and that DLL loads the third file.
In addition to creating these files, it registers itself as a Windows service by creating the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"ImagePath" = "%AllUsersProfile%\DRM\emproxy\RasTls.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"Type" = "110"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"Start" = "2"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"ErrorControl" = "0"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"DisplayName" = "emproxy"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"ObjectName" = "LocalSystem"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy\"Description" = "McAfee Email Proxy Service"
- HKEY_CURRENT_USER\Software\BINARY\"RasTls.dll.msc" = "[HEXADECIMAL VALUE]"
Read together, the service values mean that RasTls.exe runs as a service in its own process (Type 110, that is hexadecimal 0x110, an own-process service flagged as interactive), under the LocalSystem account (ObjectName), started automatically at every boot (Start = 2), with startup failures ignored (ErrorControl = 0). The display name and the "McAfee Email Proxy Service" description exist only to make the entry look like security software in the Services list. The binary value under HKEY_CURRENT_USER\Software\BINARY holds data that varies from one infection to another, which is why only a placeholder is shown here.
Finding these files and registry entries indicates that the machine is infected with this Trojan; a running service named emproxy, or a RasTls.exe process whose image lives in %AllUsersProfile%\DRM\emproxy, is the same infection seen live. Before removing it, back up the registry: exporting the two keys above from Registry Editor (or with reg export) is enough to restore them if a step goes wrong.
Then, remove the infection as follows:
- Stop the emproxy service first (from the Services console, or with sc stop emproxy at an administrative command prompt) and end any RasTls.exe process running from %AllUsersProfile%\DRM\emproxy. Deleting registry values underneath a running service does not stop it, and a live process can recreate what you remove.
- Press [Windows Key] + [R], type REGEDIT and click OK.
- Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emproxy
- Delete the whole emproxy key. This removes all of its values at once ("ImagePath" = "%AllUsersProfile%\DRM\emproxy\RasTls.exe", "Type" = "110", "Start" = "2", "ErrorControl" = "0", "DisplayName" = "emproxy", "ObjectName" = "LocalSystem", "Description" = "McAfee Email Proxy Service"); deleting them one by one leaves an empty, broken service entry behind.
- Navigate to the registry key: HKEY_CURRENT_USER\Software\BINARY
- Delete the registry value: "RasTls.dll.msc" = "[HEXADECIMAL VALUE]". This key is per user, so check the same location for every account that has logged on to the machine.
- Delete RasTls.dll, RasTls.exe and talztocitchx from %AllUsersProfile%\DRM\emproxy, then the emproxy folder itself.
- Close the Registry Editor, reboot your PC, and check again for the files, the service key and the HKEY_CURRENT_USER value to confirm that nothing has been recreated.
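The check for the indicators and the removal steps above, as one PowerShell script. This is an added example written for this page; it is not the page's own procedure and not a vendor tool. It uses only the paths, service name and value names listed above; the function names Test-KorplugD and Remove-KorplugD, the backup location under %TEMP%, and the assumption that the HKEY_CURRENT_USER value is of type REG_BINARY are this example's own. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not the page's own procedure or a vendor tool).
# Indicators are the ones listed in the write-up; the function names, the backup
# location and the REG_BINARY assumption for the HKCU value are this example's.

$ServiceName = 'emproxy'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$UserKey     = 'HKCU:\Software\BINARY'
$UserValue   = 'RasTls.dll.msc'
$DropDir     = Join-Path $env:ALLUSERSPROFILE 'DRM\emproxy'
$DropFiles   = 'RasTls.dll', 'RasTls.exe', 'talztocitchx' | ForEach-Object { Join-Path $DropDir $_ }

function Test-KorplugD {
    # Emits one object per indicator present; no output means nothing was found.
    foreach ($f in $DropFiles) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            [pscustomobject]@{ Kind = 'File'; Location = $f; Detail = "SHA256=$hash" }
        }
    }
    if (Test-Path -LiteralPath $ServiceKey) {
        $s = Get-ItemProperty -LiteralPath $ServiceKey
        # Start=2 is auto-start, Type 0x110 is own-process + interactive, ObjectName is the account.
        [pscustomobject]@{
            Kind     = 'Service'
            Location = $ServiceKey
            Detail   = 'ImagePath={0} Start={1} Type=0x{2:X} ObjectName={3}' -f $s.ImagePath, $s.Start, [int]$s.Type, $s.ObjectName
        }
    }
    $live = Get-Process -Name 'RasTls' -ErrorAction SilentlyContinue | Where-Object { $_.Path -like "$DropDir\*" }
    foreach ($p in $live) {
        [pscustomobject]@{ Kind = 'Process'; Location = $p.Path; Detail = "PID=$($p.Id)" }
    }
    $v = Get-ItemProperty -LiteralPath $UserKey -Name $UserValue -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $blob   = $v.$UserValue
        $detail = if ($blob -is [byte[]]) { "REG_BINARY, $($blob.Length) bytes" } else { "unexpected type $($blob.GetType().Name)" }
        [pscustomobject]@{ Kind = 'Registry'; Location = "$UserKey\$UserValue"; Detail = $detail }
    }
}

function Remove-KorplugD {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupDir = $env:TEMP)

    # Back up the affected keys first, as the write-up advises (reg.exe wants HKLM\... paths).
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $keys  = @{ $ServiceKey = "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName"; $UserKey = 'HKCU\Software\BINARY' }
    foreach ($ps in $keys.Keys) {
        if (-not (Test-Path -LiteralPath $ps)) { continue }
        $out = Join-Path $BackupDir ('korplug-{0}-{1}.reg' -f ($keys[$ps] -replace '\\', '_'), $stamp)
        if ($PSCmdlet.ShouldProcess($keys[$ps], "Export to $out")) { reg.exe export $keys[$ps] $out /y | Out-Null }
    }

    # 1. Stop the service and kill the loader before touching its registration;
    #    removing ImagePath under a running service does nothing until reboot.
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and delete service')) {
            Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
            sc.exe delete $ServiceName | Out-Null
        }
    }
    Get-Process -Name 'RasTls' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like "$DropDir\*" } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess($_.Path, 'Kill process')) { Stop-Process -Id $_.Id -Force } }

    # 2. Remove the whole service key, not value by value: deleting the values
    #    individually leaves an empty, broken emproxy entry behind.
    if ((Test-Path -LiteralPath $ServiceKey) -and $PSCmdlet.ShouldProcess($ServiceKey, 'Remove key')) {
        Remove-Item -LiteralPath $ServiceKey -Recurse -Force
    }

    # 3. The per-user value (HKCU covers only the account running this script).
    if ((Get-ItemProperty -LiteralPath $UserKey -Name $UserValue -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess("$UserKey\$UserValue", 'Remove value')) {
        Remove-ItemProperty -LiteralPath $UserKey -Name $UserValue -Force
    }

    # 4. The dropped files, then the directory once it is empty.
    foreach ($f in $DropFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
    if ((Test-Path -LiteralPath $DropDir) -and -not (Get-ChildItem -LiteralPath $DropDir -Force) -and
        $PSCmdlet.ShouldProcess($DropDir, 'Delete empty directory')) {
        Remove-Item -LiteralPath $DropDir -Force
    }
}

# Usage: list what is present, dry-run the removal, then remove for real and reboot.
Test-KorplugD | Format-Table -AutoSize
Remove-KorplugD -WhatIf
# Remove-KorplugD; Restart-Computer
```

Run Test-KorplugD again after the reboot; it should print nothing. The HKCU check only covers the account the script runs under, so repeat it (or the manual step above) while logged on as each other user of the machine.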