
jrpkid.dll and Others



#1 flmason

Posted 03 September 2010 - 02:43 AM

Hi All,
Antimalware Doctor infected me the other day. Thought I'd gotten rid of all its parts. But I noticed my Firefox browser seemed to bring back a blank screen occasionally and say "Done" in the status bar. Struck me as odd behavior.

So I went trolling around looking for modules that had a "Date Modified" date and time matching my infection date and time.

I found some things in C:\Windows\System32 that seem related by that date and time. However... if I rename jrpkid.dll... can't even ping www.google.com. Rename it back, and it works...

Thing is, the Properties > Details doesn't list it as Microsoft...

and... jrpkid shows up in the Registry in the Protocol_Catalog9 entries in several of the numbered entries as some sort of protocol.

Leads me to believe I've still got some corrupted protocol code running, but don't know what to do about it.

I figure I'm probably being monitored for financial data or something of the like.

Any thoughts? Know fixes?

Searches on jrpkid find literally nothing.

Some of the other .dlls are:

l4pnvtl9n.dll
msippsth.dll
ew46pa.dll
wvsgg.dll
lognlot.dll
idfialb.dll

Process Explorer definitely shows various Windows programs using some of these DLLs.

At present I've renamed them all but jrpkid.dll since it seems critical at the moment for getting onto the 'net.

I guess I'll wipe the rest out over time if I don't see any adverse effects, but that still leaves jrpkid.dll in there doing something... something that even prevents the ping command from working when it is renamed. (!!!)

Edited by hamluis, 03 September 2010 - 10:15 AM.
Moved from Vista to Am I Infected forum ~ Hamluis.




#2 flmason

Posted 03 September 2010 - 03:23 AM

Did some additional digging with the netsh winsock show catalog command and found that jrpkid.dll is some sort of Layered Service Provider.

Still not sure if it's legitimate or some form of intercept:

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Service Provider
Description: jrpkid
Provider ID: {C285D288-25A2-142D-A7D1-EB4C6E001E3D}
Provider Path: C:\Windows\system32\jrpkid.dll
Catalog Entry ID: 1043
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 0
Protocol: 0
Protocol Chain Length: 0
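A triage pass over `netsh winsock show catalog` output, added here as an example and not taken from the thread: it parses each provider entry and flags any provider DLL whose file name is not on a short allowlist of Windows' own providers, which is the check the poster did by hand. The sample catalog text (the jrpkid entry quoted above plus a constructed benign mswsock.dll entry) and the allowlist are assumptions for illustration.

```python
import re

# Constructed sample in the shape of `netsh winsock show catalog` output, trimmed
# to the fields this check reads: the jrpkid entry quoted in the post above plus a
# benign Microsoft base provider (mswsock.dll) that the check must leave alone.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        jrpkid
Provider ID:                        {C285D288-25A2-142D-A7D1-EB4C6E001E3D}
Provider Path:                      C:\Windows\system32\jrpkid.dll
Catalog Entry ID:                   1043
"""

# Provider DLLs that Windows itself registers. Assumption: this short allowlist is
# enough for triage; legitimate third-party software (AV, firewalls) also installs
# LSPs, so a hit means "verify this file", not "this is malware".
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll"}

def parse_catalog(text):
    # One dict per "Winsock Catalog Provider Entry" block; "Key: value" lines only.
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        entry = {}
        for line in block.splitlines():
            m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
            if m:
                entry[m.group(1)] = m.group(2)
        if entry:
            entries.append(entry)
    return entries

def unknown_providers(text, known=KNOWN_PROVIDER_DLLS):
    # Flag every entry whose provider DLL file name is not on the allowlist.
    hits = []
    for e in parse_catalog(text):
        path = e.get("Provider Path", "")
        dll = re.split(r"[\\/]", path)[-1].lower()
        if dll not in known:
            hits.append((e.get("Catalog Entry ID"), e.get("Description"), path))
    return hits
```

On a live machine, feed it the saved output of `netsh winsock show catalog` and check each flagged path's file properties and signature before deciding whether a `netsh winsock reset catalog` is warranted.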


#3 flmason

Posted 03 September 2010 - 03:54 AM

OK, here's what I think the deal was.

jrpkid.dll was installed by AntiMalwareDoctor as an LSP, for whatever purposes. Perhaps to intercept attempts to get to the web and get information on removing AMD, LOL!

Anyway, I made the leap of faith, based on the modified date, that it was a rogue LSP. So netsh winsock reset catalog was used, and the .dll deleted, along with the others mentioned above.



