What causes corrupted winsock files?

Posted on 2006-11-08
Medium Priority
Last Modified: 2012-06-27
On more than a few occasions, I have been called to fix computers that fail to connect to the Internet.  First, I always check to assure that the network connection is working properly by doing a status check and repair (Start>Control Panel>Network Connections) on the connected network.  Clicking Repair makes Windows goes through a series of resets after which the connection should work but often doesn't.

I then run a free repair utility, Winsock XP Fix, which always seems to correct the problem.  I assume this utility performs the same action as Microsoft's "netsh winsock reset" command that changes some registry settings.

My question is what causes the apparent corruption of the winsock files and why doesn't the network connection "repair" function fix these errors?
Question by:bobengel

Expert Comment

ID: 17901210
Generally caused by Adware or Malware

Expert Comment

ID: 17901221
I will detail in a moment, on the phone
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 17901398
darrenakin is correct.  99% of the time, it's malware.  if winsock is corrupt, it's also a good idea to do a malware scan.
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

LVL 19

Expert Comment

ID: 17901413
Some sypware/trojans insert themselves into the network settings . . when you remove the spyware, you also take out the network settings . . winsock fix restores those settings

Expert Comment

ID: 17901429
Very well put simpswr, What really gets corrupted is the Registry Winsock settings
LVL 12

Accepted Solution

netsmithcentral earned 500 total points
ID: 17901578
When a malware program infects your winsock layer by adding it's own LSP (Layered Service Provider) entry, it has one of a couple of goals.  In the case of one of the most notorious perpetrators, new.net, the goal is "advanced" name translation granting access to .shop, .xxx, .club, .ltd, and many other TLD's.  Obviously IANA has not approved these TLD's (and probably won't any time soon).  So, the new.net LSP changes any request for such a website, say www.my.shop, and translates it to www.my.shop.new.net BEFORE the request is made to public DNS servers.  Because the owner of the my.shop domain name bought it from new.net, new.net's DNS servers have an appropriate record, and the user seemlessly arrives in the right place.

The problem is, new.net and it's clones normally cause their fair share of problems.  People try to remove them (often unsuccessfully), and leave traces behind.  Even worse, a poorly written LSP might never work properly, even in it's original and unadulterated state.  When the LSP breaks (for lack of a file, because it was deleted without deleting it's reference in the winsock layer say), internet access stops working.  The requests don't know what to do when they get to that point of the winsock layer, so they give up.

What these LSPFix/Winsock fix programs do is examine your LSP chain to see if there's any potential problems.  If they find a missing file, for example, they'll delete the relevant entry.  Most of them will try to leave good (non-OS critical) LSP's in place, although I don't know that any such LSP's exist.  Conversely, the netsh winsock reset command rebuilds the winsock layer to it's default state, and obliterates ANY LSP references, good or bad, that may have been put in place.

I personally use LSPFix (providex by counter-exploitation) for winsock issues.  It's a graphical format that actually shows me my winsock layer and the action it plans to take before doing it. More: (taken from http://www.cexx.org/lspfix.htm):

LSP-Fix is a free Windows utility to repair a loss of Internet access associated with certain types of software. This type of software, known as a Layered Service Provider or LSP, typically handles low-level Internet-related tasks, and data is passed through a chain of these programs on its way to and from the Internet. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, causing the Internet connection to become inaccessible.

Unfortunately, problematic LSP software, including malware/spyware, is sometimes quietly installed by unrelated products such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Historically, New.net* (NEWDOTNET) and WebHancer* (often bundled with file-sharing utilities, DVD player software, and other free downloads) have been the worst offenders, but the problem can be caused by any improperly-written Layered Service Provider software, or the deletion of any LSP program's files. LSP-Fix repairs the LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.

Author Comment

ID: 17901649
Hi netsmithcentral:

I'm awading you the points because you provided a comprehensive and detailed answer that I was hoping for.  I also appreciate the quick responses from others.  

Incidentally, the last computer I worked on with this problem did show a message indicating that the computer was infected.  This did not seem to be generated by Norton's security software and the owner indicated that he performed a full scan prior to contacting me.

After fixing the winsock, I did a Live Update on Norton and had him run another full scan.  I did not wait around to see if it found any infection because if the long scan time so I don't know if Norton found an quarantined it.
LVL 12

Expert Comment

ID: 17901738
Glad to be of service.  If you're interested in learning more about windows networking (tcp/ip) I'd reccomend the free guide by Microsoft: "TCP/IP Fundamentals" (http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund.mspx).  I don't think it covers winsock/lsp in depth, but it does cover the many other aspects of Windows networking (and accordingly, how they can manage to get screwed up).

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction How to create multiboot configuration with XP\Vista and Windows 7 on it? And most important question - how to do this correctly so not to have any kind of nightmares we get when system gets screwed? First of all one should realize t…
In this tutorial, we’re going to learn how to convert Youtube to mp3 for Free. We'll show you how easy it is to make an mp3 from your video clips so that you can enjoy them offline.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

593 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question