Solved

What causes corrupted winsock files?

Posted on 2006-11-08
Last Modified: 2012-06-27
On more than a few occasions, I have been called to fix computers that fail to connect to the Internet.  First, I always check to assure that the network connection is working properly by doing a status check and repair (Start>Control Panel>Network Connections) on the connected network.  Clicking Repair makes Windows go through a series of resets after which the connection should work but often doesn't.

I then run a free repair utility, Winsock XP Fix, which always seems to correct the problem.  I assume this utility performs the same action as Microsoft's "netsh winsock reset" command that changes some registry settings.

My question is what causes the apparent corruption of the winsock files and why doesn't the network connection "repair" function fix these errors?
Question by:bobengel
8 Comments
 
LVL 5

Expert Comment

by:darrenakin
ID: 17901210
Generally caused by Adware or Malware
0
 
LVL 5

Expert Comment

by:darrenakin
ID: 17901221
I will detail in a moment, on the phone
0
 
LVL 42

Expert Comment

by:zephyr_hex
ID: 17901398
darrenakin is correct.  99% of the time, it's malware.  If winsock is corrupt, it's also a good idea to do a malware scan.
0
 
LVL 19

Expert Comment

by:simpswr
ID: 17901413
Some spyware/trojans insert themselves into the network settings . . when you remove the spyware, you also take out the network settings . . winsock fix restores those settings
0
 
LVL 5

Expert Comment

by:darrenakin
ID: 17901429
Very well put, simpswr. What really gets corrupted is the Registry Winsock settings
0
 
LVL 12

Accepted Solution

by:
netsmithcentral earned 125 total points
ID: 17901578
When a malware program infects your winsock layer by adding its own LSP (Layered Service Provider) entry, it has one of a couple of goals.  In the case of one of the most notorious perpetrators, new.net, the goal is "advanced" name translation granting access to .shop, .xxx, .club, .ltd, and many other TLDs.  Obviously IANA has not approved these TLDs (and probably won't any time soon).  So, the new.net LSP changes any request for such a website, say www.my.shop, and translates it to www.my.shop.new.net BEFORE the request is made to public DNS servers.  Because the owner of the my.shop domain name bought it from new.net, new.net's DNS servers have an appropriate record, and the user seamlessly arrives in the right place.

The problem is, new.net and its clones normally cause their fair share of problems.  People try to remove them (often unsuccessfully), and leave traces behind.  Even worse, a poorly written LSP might never work properly, even in its original and unadulterated state.  When the LSP breaks (for lack of a file, because it was deleted without deleting its reference in the winsock layer say), internet access stops working.  The requests don't know what to do when they get to that point of the winsock layer, so they give up.

What these LSPFix/Winsock fix programs do is examine your LSP chain to see if there are any potential problems.  If they find a missing file, for example, they'll delete the relevant entry.  Most of them will try to leave good (non-OS critical) LSPs in place, although I don't know that any such LSPs exist.  Conversely, the netsh winsock reset command rebuilds the winsock layer to its default state, and obliterates ANY LSP references, good or bad, that may have been put in place.

I personally use LSPFix (provided by counter-exploitation) for winsock issues.  It's a graphical format that actually shows me my winsock layer and the action it plans to take before doing it. More: (taken from http://www.cexx.org/lspfix.htm):

LSP-Fix is a free Windows utility to repair a loss of Internet access associated with certain types of software. This type of software, known as a Layered Service Provider or LSP, typically handles low-level Internet-related tasks, and data is passed through a chain of these programs on its way to and from the Internet. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, causing the Internet connection to become inaccessible.

Unfortunately, problematic LSP software, including malware/spyware, is sometimes quietly installed by unrelated products such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Historically, New.net* (NEWDOTNET) and WebHancer* (often bundled with file-sharing utilities, DVD player software, and other free downloads) have been the worst offenders, but the problem can be caused by any improperly-written Layered Service Provider software, or the deletion of any LSP program's files. LSP-Fix repairs the LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.
0
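The two failure modes described in the answer above (a catalog entry whose provider file is gone, and a gap in the LSP chain) can be checked against a saved `netsh winsock show catalog` dump before deciding between a targeted fix and a full reset. This is an added example, not part of the thread and not LSP-Fix's own code; the dump is constructed and `examplelsp.dll` is a made-up provider.

```python
import os
import re

# Constructed sample in the layout of `netsh winsock show catalog` output
# (fields trimmed; "examplelsp.dll" is a made-up layered provider).
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\Example\examplelsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
Protocol Chain:                     1014 : 1001
"""

def parse_catalog(text):
    """Split the dump into one dict of fields per catalog entry."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M)[1:]:
        pairs = re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", block, flags=re.M)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def find_problems(entries, exists=None):
    """Return (entry_id, reason) for missing provider files and chain gaps."""
    if exists is None:  # default: check the local disk (run on the affected host)
        exists = lambda p: os.path.exists(os.path.expandvars(p))
    known = {e.get("Catalog Entry ID") for e in entries}
    problems = []
    for e in entries:
        eid, path = e.get("Catalog Entry ID"), e.get("Provider Path", "")
        if not exists(path):
            problems.append((eid, "provider file missing: " + path))
        for ref in re.findall(r"\d+", e.get("Protocol Chain", "")):
            if ref not in known:
                problems.append((eid, "chain references unknown entry " + ref))
    return problems
```

An entry flagged here that also points outside `%SystemRoot%\system32` is worth a malware scan, since the thread attributes most such entries to adware or spyware.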
 

Author Comment

by:bobengel
ID: 17901649
Hi netsmithcentral:

I'm awarding you the points because you provided a comprehensive and detailed answer that I was hoping for.  I also appreciate the quick responses from others.

Incidentally, the last computer I worked on with this problem did show a message indicating that the computer was infected.  This did not seem to be generated by Norton's security software and the owner indicated that he performed a full scan prior to contacting me.

After fixing the winsock, I did a Live Update on Norton and had him run another full scan.  I did not wait around to see if it found any infection because of the long scan time so I don't know if Norton found and quarantined it.
 
0
 
LVL 12

Expert Comment

by:netsmithcentral
ID: 17901738
Glad to be of service.  If you're interested in learning more about windows networking (tcp/ip) I'd recommend the free guide by Microsoft: "TCP/IP Fundamentals" (http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund.mspx).  I don't think it covers winsock/lsp in depth, but it does cover the many other aspects of Windows networking (and accordingly, how they can manage to get screwed up).
0
