Go Premium for a chance to win a PS4. Enter to Win

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2697
  • Last Modified:

What causes corrupted winsock files?

On more than a few occasions, I have been called to fix computers that fail to connect to the Internet.  First, I always check to assure that the network connection is working properly by doing a status check and repair (Start>Control Panel>Network Connections) on the connected network.  Clicking Repair makes Windows goes through a series of resets after which the connection should work but often doesn't.

I then run a free repair utility, Winsock XP Fix, which always seems to correct the problem.  I assume this utility performs the same action as Microsoft's "netsh winsock reset" command that changes some registry settings.

My question is what causes the apparent corruption of the winsock files and why doesn't the network connection "repair" function fix these errors?
1 Solution
Generally caused by Adware or Malware
I will detail in a moment, on the phone
zephyr_hex (Megan)DeveloperCommented:
darrenakin is correct.  99% of the time, it's malware.  if winsock is corrupt, it's also a good idea to do a malware scan.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Some sypware/trojans insert themselves into the network settings . . when you remove the spyware, you also take out the network settings . . winsock fix restores those settings
Very well put simpswr, What really gets corrupted is the Registry Winsock settings
When a malware program infects your winsock layer by adding it's own LSP (Layered Service Provider) entry, it has one of a couple of goals.  In the case of one of the most notorious perpetrators, new.net, the goal is "advanced" name translation granting access to .shop, .xxx, .club, .ltd, and many other TLD's.  Obviously IANA has not approved these TLD's (and probably won't any time soon).  So, the new.net LSP changes any request for such a website, say www.my.shop, and translates it to www.my.shop.new.net BEFORE the request is made to public DNS servers.  Because the owner of the my.shop domain name bought it from new.net, new.net's DNS servers have an appropriate record, and the user seemlessly arrives in the right place.

The problem is, new.net and it's clones normally cause their fair share of problems.  People try to remove them (often unsuccessfully), and leave traces behind.  Even worse, a poorly written LSP might never work properly, even in it's original and unadulterated state.  When the LSP breaks (for lack of a file, because it was deleted without deleting it's reference in the winsock layer say), internet access stops working.  The requests don't know what to do when they get to that point of the winsock layer, so they give up.

What these LSPFix/Winsock fix programs do is examine your LSP chain to see if there's any potential problems.  If they find a missing file, for example, they'll delete the relevant entry.  Most of them will try to leave good (non-OS critical) LSP's in place, although I don't know that any such LSP's exist.  Conversely, the netsh winsock reset command rebuilds the winsock layer to it's default state, and obliterates ANY LSP references, good or bad, that may have been put in place.

I personally use LSPFix (providex by counter-exploitation) for winsock issues.  It's a graphical format that actually shows me my winsock layer and the action it plans to take before doing it. More: (taken from http://www.cexx.org/lspfix.htm):

LSP-Fix is a free Windows utility to repair a loss of Internet access associated with certain types of software. This type of software, known as a Layered Service Provider or LSP, typically handles low-level Internet-related tasks, and data is passed through a chain of these programs on its way to and from the Internet. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, causing the Internet connection to become inaccessible.

Unfortunately, problematic LSP software, including malware/spyware, is sometimes quietly installed by unrelated products such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Historically, New.net* (NEWDOTNET) and WebHancer* (often bundled with file-sharing utilities, DVD player software, and other free downloads) have been the worst offenders, but the problem can be caused by any improperly-written Layered Service Provider software, or the deletion of any LSP program's files. LSP-Fix repairs the LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.
bobengelAuthor Commented:
Hi netsmithcentral:

I'm awading you the points because you provided a comprehensive and detailed answer that I was hoping for.  I also appreciate the quick responses from others.  

Incidentally, the last computer I worked on with this problem did show a message indicating that the computer was infected.  This did not seem to be generated by Norton's security software and the owner indicated that he performed a full scan prior to contacting me.

After fixing the winsock, I did a Live Update on Norton and had him run another full scan.  I did not wait around to see if it found any infection because if the long scan time so I don't know if Norton found an quarantined it.
Glad to be of service.  If you're interested in learning more about windows networking (tcp/ip) I'd reccomend the free guide by Microsoft: "TCP/IP Fundamentals" (http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund.mspx).  I don't think it covers winsock/lsp in depth, but it does cover the many other aspects of Windows networking (and accordingly, how they can manage to get screwed up).

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now