Solved

What causes corrupted winsock files?

Posted on 2006-11-08
8
2,231 Views
Last Modified: 2012-06-27
On more than a few occasions, I have been called to fix computers that fail to connect to the Internet.  First, I always check to assure that the network connection is working properly by doing a status check and repair (Start>Control Panel>Network Connections) on the connected network.  Clicking Repair makes Windows goes through a series of resets after which the connection should work but often doesn't.

I then run a free repair utility, Winsock XP Fix, which always seems to correct the problem.  I assume this utility performs the same action as Microsoft's "netsh winsock reset" command that changes some registry settings.

My question is what causes the apparent corruption of the winsock files and why doesn't the network connection "repair" function fix these errors?
0
Comment
Question by:bobengel
8 Comments
 
LVL 5

Expert Comment

by:darrenakin
ID: 17901210
Generally caused by Adware or Malware
0
 
LVL 5

Expert Comment

by:darrenakin
ID: 17901221
I will detail in a moment, on the phone
0
 
LVL 42

Expert Comment

by:zephyr_hex (Megan)
ID: 17901398
darrenakin is correct.  99% of the time, it's malware.  if winsock is corrupt, it's also a good idea to do a malware scan.
0
 
LVL 19

Expert Comment

by:simpswr
ID: 17901413
Some sypware/trojans insert themselves into the network settings . . when you remove the spyware, you also take out the network settings . . winsock fix restores those settings
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 5

Expert Comment

by:darrenakin
ID: 17901429
Very well put simpswr, What really gets corrupted is the Registry Winsock settings
0
 
LVL 12

Accepted Solution

by:
netsmithcentral earned 125 total points
ID: 17901578
When a malware program infects your winsock layer by adding it's own LSP (Layered Service Provider) entry, it has one of a couple of goals.  In the case of one of the most notorious perpetrators, new.net, the goal is "advanced" name translation granting access to .shop, .xxx, .club, .ltd, and many other TLD's.  Obviously IANA has not approved these TLD's (and probably won't any time soon).  So, the new.net LSP changes any request for such a website, say www.my.shop, and translates it to www.my.shop.new.net BEFORE the request is made to public DNS servers.  Because the owner of the my.shop domain name bought it from new.net, new.net's DNS servers have an appropriate record, and the user seemlessly arrives in the right place.

The problem is, new.net and it's clones normally cause their fair share of problems.  People try to remove them (often unsuccessfully), and leave traces behind.  Even worse, a poorly written LSP might never work properly, even in it's original and unadulterated state.  When the LSP breaks (for lack of a file, because it was deleted without deleting it's reference in the winsock layer say), internet access stops working.  The requests don't know what to do when they get to that point of the winsock layer, so they give up.

What these LSPFix/Winsock fix programs do is examine your LSP chain to see if there's any potential problems.  If they find a missing file, for example, they'll delete the relevant entry.  Most of them will try to leave good (non-OS critical) LSP's in place, although I don't know that any such LSP's exist.  Conversely, the netsh winsock reset command rebuilds the winsock layer to it's default state, and obliterates ANY LSP references, good or bad, that may have been put in place.

I personally use LSPFix (providex by counter-exploitation) for winsock issues.  It's a graphical format that actually shows me my winsock layer and the action it plans to take before doing it. More: (taken from http://www.cexx.org/lspfix.htm):

LSP-Fix is a free Windows utility to repair a loss of Internet access associated with certain types of software. This type of software, known as a Layered Service Provider or LSP, typically handles low-level Internet-related tasks, and data is passed through a chain of these programs on its way to and from the Internet. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, causing the Internet connection to become inaccessible.

Unfortunately, problematic LSP software, including malware/spyware, is sometimes quietly installed by unrelated products such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Historically, New.net* (NEWDOTNET) and WebHancer* (often bundled with file-sharing utilities, DVD player software, and other free downloads) have been the worst offenders, but the problem can be caused by any improperly-written Layered Service Provider software, or the deletion of any LSP program's files. LSP-Fix repairs the LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.
0
 

Author Comment

by:bobengel
ID: 17901649
Hi netsmithcentral:

I'm awading you the points because you provided a comprehensive and detailed answer that I was hoping for.  I also appreciate the quick responses from others.  

Incidentally, the last computer I worked on with this problem did show a message indicating that the computer was infected.  This did not seem to be generated by Norton's security software and the owner indicated that he performed a full scan prior to contacting me.

After fixing the winsock, I did a Live Update on Norton and had him run another full scan.  I did not wait around to see if it found any infection because if the long scan time so I don't know if Norton found an quarantined it.
 
0
 
LVL 12

Expert Comment

by:netsmithcentral
ID: 17901738
Glad to be of service.  If you're interested in learning more about windows networking (tcp/ip) I'd reccomend the free guide by Microsoft: "TCP/IP Fundamentals" (http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund.mspx).  I don't think it covers winsock/lsp in depth, but it does cover the many other aspects of Windows networking (and accordingly, how they can manage to get screwed up).
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now