Winsock LSP hijack

Kevin Severud

It appears that MSAS beta 1 does nothing about fixing a winsock stack
that's been trojaned with spyware LSPs. I had to use WinsockXPFix.exe
(for some reason the command 'netsh winsock reset catalog' did not work
on the XPHome computer) in order to get the user's NIC working following
partial removal of the malware. MSAS is severely hobbled if it cannot
detect and clean these rogue LSPs and put winsock back to a good state.
 
Andre Da Costa

To use Windows to rebuild the LSP configuration data



1. Log on to your computer with an account that is part of the
Administrators group.

2. Open a command prompt window. To do this, click Start, click Run, type
cmd, and click OK.

3. At the command prompt, type netsh Winsock reset and press ENTER.

4. When the Winsock reset is finished, the command window shows the
following message:

Successfully reset the Winsock Catalog. You must restart the machine in
order to complete the reset.

If you see this message, restart your machine.

If you are not logged in with an administrator group, you will receive the
following error message:

Unable to reset the Winsock Catalog. Access is denied.

If you receive this message, log off of your computer, and log on with an
account that is part of the Administrators group. Repeat steps 2-4.

5. After you restart your computer, see the KB article at
support.microsoft.com/?scid=kb;en-us;892350 for more information.



In some instances third-party applications can be affected while connecting
to the Internet or network after you follow these steps. If you notice that
third-party applications are not properly accessing the Internet or network,
you should reinstall the application to restore network functionality.
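
An added example, not part of any post in this thread: a small Python check that parses saved `netsh winsock show catalog` output and lists layered or non-system32 providers, so the catalog can be compared before and after the reset described above. The sample output and the `webhelper.dll` provider are constructed, and the system32 path rule is an assumption.

```python
import re

# Constructed sample of `netsh winsock show catalog` output (not from the thread).
# "webhelper.dll" is a made-up third-party LSP used only for illustration.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        WebHelper over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\WebHelper\webhelper.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
Protocol Chain:                     1014 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1
"""

# Assumption: providers shipped with Windows load from <windows>\system32.
SYSTEM_DIR = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system32\\", re.I)

def parse_catalog(text):
    """Split netsh output into one dict of fields per catalog entry."""
    entries = []
    for line in text.splitlines():
        if line.strip().endswith("Provider Entry"):
            entries.append({})          # header line starts a new entry
        elif ":" in line and entries:
            key, _, value = line.partition(":")   # split at the first colon only
            entries[-1][key.strip()] = value.strip()
    return entries

def suspicious(entries):
    """Entries that are layered or load a DLL from outside system32."""
    hits = []
    for e in entries:
        layered = e.get("Protocol Chain Length", "1") != "1"
        foreign = not SYSTEM_DIR.match(e.get("Provider Path", ""))
        if layered or foreign:
            hits.append((e.get("Catalog Entry ID"), e.get("Provider Path"), layered, foreign))
    return hits
```

Save the command's output to a file before the reset and again after the restart, then pass each file's text to `parse_catalog`; an entry that `suspicious` still reports after the reset deserves a closer look.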
 
Bill Sanderson

I believe Microsoft is aware of this, and expect to see some change in a
future beta build. What kind of change, I have no idea!
 
Kevin Severud

Andre, you miss the point (actually it looks like an automated
response!). Microsoft is not sending you and me to people's computers
to fix these problems. Instead they're creating this tool which is
supposed to do it for our non-tech savvy friends/colleagues/relatives.
Thanks for the instructions but it should be clear from my original post
that I already know how to do this. The real issue is why can't MS
Antispyware?

P.S. As I stated, the netsh command did not seem to have the option to
'reset winsock' on the XP home machine that I was called to fix. I
don't know why this was and don't really care since I rarely support
XPHome and have yet to have a problem running the command on XPPro. But
again I ask, why doesn't MSAS handle this as part of its
scan/detection/cleaning algorithm?
 
Ron Chamberlin

Hi Kevin,
Yup. It would be nice to see a 'LSP health check and fix it' built into the
program.

Ron Chamberlin
MS-MVP
 
Andre Da Costa

So the best you can do is just wait. That's one of the give and takes of
betas.
 
