Improve company productivity with a Business Account.Sign Up


What causes corrupted winsock files?

Posted on 2006-11-08
Medium Priority
Last Modified: 2012-06-27
On more than a few occasions, I have been called to fix computers that fail to connect to the Internet.  First, I always check to assure that the network connection is working properly by doing a status check and repair (Start>Control Panel>Network Connections) on the connected network.  Clicking Repair makes Windows goes through a series of resets after which the connection should work but often doesn't.

I then run a free repair utility, Winsock XP Fix, which always seems to correct the problem.  I assume this utility performs the same action as Microsoft's "netsh winsock reset" command that changes some registry settings.

My question is what causes the apparent corruption of the winsock files and why doesn't the network connection "repair" function fix these errors?
Question by:bobengel

Expert Comment

ID: 17901210
Generally caused by Adware or Malware

Expert Comment

ID: 17901221
I will detail in a moment, on the phone
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 17901398
darrenakin is correct.  99% of the time, it's malware.  if winsock is corrupt, it's also a good idea to do a malware scan.
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

LVL 19

Expert Comment

ID: 17901413
Some sypware/trojans insert themselves into the network settings . . when you remove the spyware, you also take out the network settings . . winsock fix restores those settings

Expert Comment

ID: 17901429
Very well put simpswr, What really gets corrupted is the Registry Winsock settings
LVL 12

Accepted Solution

netsmithcentral earned 500 total points
ID: 17901578
When a malware program infects your winsock layer by adding it's own LSP (Layered Service Provider) entry, it has one of a couple of goals.  In the case of one of the most notorious perpetrators,, the goal is "advanced" name translation granting access to .shop, .xxx, .club, .ltd, and many other TLD's.  Obviously IANA has not approved these TLD's (and probably won't any time soon).  So, the LSP changes any request for such a website, say, and translates it to BEFORE the request is made to public DNS servers.  Because the owner of the domain name bought it from,'s DNS servers have an appropriate record, and the user seemlessly arrives in the right place.

The problem is, and it's clones normally cause their fair share of problems.  People try to remove them (often unsuccessfully), and leave traces behind.  Even worse, a poorly written LSP might never work properly, even in it's original and unadulterated state.  When the LSP breaks (for lack of a file, because it was deleted without deleting it's reference in the winsock layer say), internet access stops working.  The requests don't know what to do when they get to that point of the winsock layer, so they give up.

What these LSPFix/Winsock fix programs do is examine your LSP chain to see if there's any potential problems.  If they find a missing file, for example, they'll delete the relevant entry.  Most of them will try to leave good (non-OS critical) LSP's in place, although I don't know that any such LSP's exist.  Conversely, the netsh winsock reset command rebuilds the winsock layer to it's default state, and obliterates ANY LSP references, good or bad, that may have been put in place.

I personally use LSPFix (providex by counter-exploitation) for winsock issues.  It's a graphical format that actually shows me my winsock layer and the action it plans to take before doing it. More: (taken from

LSP-Fix is a free Windows utility to repair a loss of Internet access associated with certain types of software. This type of software, known as a Layered Service Provider or LSP, typically handles low-level Internet-related tasks, and data is passed through a chain of these programs on its way to and from the Internet. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, causing the Internet connection to become inaccessible.

Unfortunately, problematic LSP software, including malware/spyware, is sometimes quietly installed by unrelated products such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Historically,* (NEWDOTNET) and WebHancer* (often bundled with file-sharing utilities, DVD player software, and other free downloads) have been the worst offenders, but the problem can be caused by any improperly-written Layered Service Provider software, or the deletion of any LSP program's files. LSP-Fix repairs the LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.

Author Comment

ID: 17901649
Hi netsmithcentral:

I'm awading you the points because you provided a comprehensive and detailed answer that I was hoping for.  I also appreciate the quick responses from others.  

Incidentally, the last computer I worked on with this problem did show a message indicating that the computer was infected.  This did not seem to be generated by Norton's security software and the owner indicated that he performed a full scan prior to contacting me.

After fixing the winsock, I did a Live Update on Norton and had him run another full scan.  I did not wait around to see if it found any infection because if the long scan time so I don't know if Norton found an quarantined it.
LVL 12

Expert Comment

ID: 17901738
Glad to be of service.  If you're interested in learning more about windows networking (tcp/ip) I'd reccomend the free guide by Microsoft: "TCP/IP Fundamentals" (  I don't think it covers winsock/lsp in depth, but it does cover the many other aspects of Windows networking (and accordingly, how they can manage to get screwed up).

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Introduction Often we come across situations wherein our batch files would be needing to reboot Windows for a variety of reasons. A few of them would be like: (1) Setup files have been updated whose changes can take effect only after a reboot …
Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question