WinSock1 and 2 corruption

Started by Joshex, July 24, 2014, 11:38:05 AM

Joshex

Hi everyone, today I'm going to give a how-to on fixing even the worst corrupted winsocks. If you don't know what winsock is, it's a registration of your internet protocols; without it, or if it's damaged, you won't be able to get online.

One known maleware that can cause such corruption is the hao123.com/.biz virus (DO NOT GO TO THOSE WEBSITE NAMES!!)

hao123 sometimes installs with other programs such as drivers gotten from untrusted websites, or even through direct IP attacks (go offline when you don't have to be online). It will corrupt your winsock1 and winsock2, leaving an entry called 000000000070 under HKEY_LOCAL_MACHINE\System\(ControlSet001 and ControlSet002 and CurrentControlSet)\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\

The entry is created by the hao123 toolbar. It will not uninstall by uninstalling from Control Panel, but it is suggested to do so anyway. hao123 also hijacks your web browser, setting the default search engine and start pages to itself. 360 SE, a common web browser, will install with it if left unchecked over time; that web browser is a keylogger, meaning it collects information from your keypresses and uploads them to a server. It does not only log keyboard presses while using the web browser but everywhere on your entire computer! So beware.

360SE and hao123 are products of baidu.com, a Chinese search engine and company. They have not been sued for this yet, but it's possible for anyone to win in a lawsuit against them. Even with what I will type below, it's nearly impossible to fix your web browsers after getting rid of the virus; it's "permanent". No matter how many times you delete Firefox, IE, Chrome, Opera or any other and then reinstall it, the homepage will always be hao123. Some articles online will instruct you to change settings in your web browser or registry to fix this; however, the settings for it are hidden in the fat tables, not the registry.

Let's go over how to get rid of it. First, run lots of different anti-maleware; VIPRE Rescue Scanner and Malwarebytes can do a lot. Next, go into your registry by typing regedit in the run program/find field of the Start menu.

In regedit, use search to find and delete any entries with "baidu", "360se" or "hao123" anywhere in them. If it's your Firefox start page, edit the registry to read what you want your homepage to be, or leave it blank (this will not fix it yet; your homepage will still be hao123. I'll talk about several ways to fix it later).

Before I continue: hao123 is a timebomb type virus, and is currently being spread by ISP direct IP attacks (they attack your ISP with the virus source and an uploader and make it upload the virus to anyone who doesn't have an active anti-maleware protection module to catch it). Malwarebytes' protection module works to block it, but it's not free forever. So even if you are having no internet troubles or homepage renaming troubles now, it wouldn't be a bad idea to check for the entries listed above in your registry, as they could activate several months from now. The first symptom is the homepage redirect; the second symptom is your internet becoming "limited connectivity" or "can't connect" or "no internet" every few minutes, then eventually just KO altogether.

Let's continue removing this illegal Chinese company spying tool, shall we? (Please do note the Chinese government has nothing to do with it; they are unaware of Baidu's tactics.)

Search your computer for any folders called "baidu", "360" or "hao[anything]" and delete them and their contents. Also check your browser add-ons to see if there is anything named such there and remove it. If a file will not delete, I suggest FileAssassin.

Now get Piriform CCleaner and clean your registry.

No, you're not done; your registry is still infected.

In regedit, navigate to the registry directory mentioned earlier: "HKEY_LOCAL_MACHINE\System\(ControlSet001 and ControlSet002 and CurrentControlSet)\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\"


Why? Because 000000000070 was created with special full permissions unavailable to you; its contents are hidden in your fat table. Attempts to delete it will yield a large variety of errors:

"insufficient permissions" - logging in as the special hidden administrator account ("net user administrator /active:yes", typed in cmd.exe run as administrator) will give you said access if you need it.

"000000000070 cannot be opened. An error is preventing this key from being opened/deleted. Details: The system cannot find the file specified." - the entry was written leaving only "CREATOR OWNER" with special permissions to access it or change it.

So your computer is scrap, right? Wrong: rename the parent folder from "Catalog_Entries" to something else more suitable, like "DeleteMe".

You can perform a rollback or system restore, but as hao123 could have been installed months ago, it's possible this won't help, or will only help temporarily for a few more months.

You cannot delete the entry, so don't try. Instead you need someone who has a known clean winsock installation and the same type of OS as you (Win7, XP etc.); other than that it can be 64 or 32 bit or any edition. Though it will be a little different, it will still work. To copy their registry, right-click the 3 winsock1 registry folders and the 3 winsock2 registry folders and click Export. Save them onto a USB hard disk or something to transfer them to the infected computer. Once on the infected computer, right-click them and select Merge, and click "OK" or whatever on the pop-ups.

This will kill the nasty internet-killing portion of the virus permanently, unless you get it again (do be careful).

The registry entry under DeleteMe will still be there and your start page will still be hao123. There is only one way known to delete it: somehow boot Linux on the computer and use Wine, then run regedit to delete the DeleteMe folder (Windows can't complain if it's offline).

The hao123 redirect is definitely on the fat tables, though no clue how to undo that. I do know that a rollback works, so they must link to something in the registry, but it isn't named obviously; it must just be a jumble of numbers. A rollback will undo it, and if not there's the possibility of completely deleting Firefox and all its files and registry, then reinstalling it. You would have to do the same with any other browsers, so keep in mind that you should download their installers BEFORE you uninstall them.

That should fix the situation.
There is always another way. But it might not work exactly like you may desire.

A wise old rabbit once told me "Never give-up!, Trust your instincts!" granted the advice at the time led me on a tripped-out voyage out of an asteroid belt, but hey it was more impressive than a bunch of rocks and space monkies.

The Fifth Horseman

The term is malware. Mal as in sickness, illness... evil or simply malice. Maleware would be something like this (NSFH).
virus != trojan. There are different types of malware, and if you're not sure what you're dealing with, it's best to not attempt sticking arbitrarily picked labels on it.

"FAT Tables"? Either you're confusing something or your knowledge is terribly out of date. FAT = File Allocation Table = an old file system format that mostly went out of use since Windows XP.

Yes, checking several anti-malware programs will help - eg MBAM, DrWeb CureIt, Spybot.

Quote: the hao123 redirect is definitely on the fat tables though no clue how to undo that (...)
Something to check would be the proxy settings - in your connection, in your browser, in Internet Explorer separately too - your DNS settings (setting the latter to 8.8.8.8 and/or 8.8.4.4 will use Google Public DNS) and your hosts file, as that can also be leveraged to redirect you to malicious sites (again, fairly common strategy).
Check your autorun and services - there are diagnostic tools for that such as HijackThis, SysInternals Autoruns and SysInternals Process Explorer.

Malware replacing system files with altered versions is not uncommon, might be why a rollback can help in this case (then again, registry itself would also be rolled back...).
We were heroes. We were villains. At the end of the world we all fought as one. It's what we did that defines us.
The end occurred pretty much as we predicted: all servers redlining until midnight... and then no servers to go around.

Somewhere beyond time and space, if you look hard you might find a flash of silver trailing crimson: a lone lost Spartan on his way home.
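An added example, not code from the thread or from any of its posters, that runs the checklist in the post above offline against constructed inputs: it parses hosts-file text for names sent anywhere other than loopback, validates the IPv4 and IPv6 resolver lists (including an IPv4 address typed into the IPv6 slot), and reads the WinINET proxy values. The sample hosts text, resolver lists, proxy dictionary, the WATCHED_HOSTS and KNOWN_RESOLVERS sets and all function names are assumptions made for this example; on a real machine you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts, the servers shown by ipconfig /all, and the ProxyEnable / ProxyServer / AutoConfigURL values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

```python
r"""Offline triage of three redirect points: hosts file, DNS servers, proxy.

Added example (not the thread's own code). All inputs below are constructed;
on a real machine read %SystemRoot%\System32\drivers\etc\hosts, the resolver
list from `ipconfig /all`, and the WinINET values under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Resolvers named in the thread; this allowlist is an assumption, extend it for your site.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"}
# Names a hijacker typically blackholes or redirects (assumption; extend as needed).
WATCHED_HOSTS = {"www.google.com", "update.microsoft.com", "malwarebytes.org"}

Finding = Tuple[str, str, str]  # (where, what, reason)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, comments stripped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        pairs.extend((addr, n.lower()) for n in names)
    return pairs


def hosts_findings(text: str) -> List[Finding]:
    """A benign hosts file maps names only to loopback or 0.0.0.0 (blocklists).
    Anything that sends a name elsewhere is a redirect; a blackholed vendor
    site is a classic way to stop AV and update downloads."""
    out = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            out.append(("hosts", f"{addr} {name}", "address does not parse"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            if name in WATCHED_HOSTS:
                out.append(("hosts", name, f"blackholed to {addr}"))
        else:
            out.append(("hosts", name, f"redirected to {addr}"))
    return out


def dns_findings(ipv4_servers: Iterable[str], ipv6_servers: Iterable[str]) -> List[Finding]:
    """Validate each configured resolver, catch an address of the wrong family
    in a slot, and flag public resolvers that are not on the allowlist."""
    out = []
    for slot, servers, want in (("dns-ipv4", ipv4_servers, 4), ("dns-ipv6", ipv6_servers, 6)):
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                out.append((slot, server, "not a valid IP address"))
                continue
            if ip.version != want:
                out.append((slot, server, f"is IPv{ip.version}, slot expects IPv{want}"))
            elif server not in KNOWN_RESOLVERS and not ip.is_private:
                out.append((slot, server, "resolver not on allowlist"))
    return out


def proxy_findings(internet_settings: Dict[str, object]) -> List[Finding]:
    """Keys are the WinINET value names. A proxy or PAC URL the user never
    configured is a redirect point for every browser that honours them."""
    out = []
    if internet_settings.get("ProxyEnable") == 1:
        out.append(("proxy", str(internet_settings.get("ProxyServer", "")), "ProxyEnable is set"))
    pac = internet_settings.get("AutoConfigURL")
    if pac:
        out.append(("proxy", str(pac), "AutoConfigURL (PAC script) is set"))
    return out


# --- constructed sample inputs ---
SAMPLE_HOSTS = """\
# constructed hosts file for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0         malwarebytes.org        # vendor site blackholed
203.0.113.5     www.google.com          # redirected (RFC 5737 test address as stand-in)
"""
SAMPLE_IPV4 = ["8.8.8.8", "8.8.4.4"]
SAMPLE_IPV6 = ["8.8.8.8", "2001:4860:4860::8888"]  # first entry: IPv4 typed into the IPv6 slot
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "AutoConfigURL": ""}


def run_triage() -> List[Finding]:
    return (hosts_findings(SAMPLE_HOSTS)
            + dns_findings(SAMPLE_IPV4, SAMPLE_IPV6)
            + proxy_findings(SAMPLE_PROXY))


if __name__ == "__main__":
    for where, what, reason in run_triage():
        print(f"[{where}] {what}: {reason}")
```

Running it prints four findings for the constructed data: the blackholed vendor site, the redirected search engine, the IPv4 address in the IPv6 resolver slot, and the enabled proxy. Private resolvers (a home router at 192.168.x.x) are deliberately not flagged, since that is the normal DHCP case.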

Eoraptor

Additionally, ever since Windows XP SP2, there has been a simple command line entry to rebuild the winsock.

Open a command line (CMD.exe or Powershell.exe) (in Vista and newer you will have to do this with admin rights, by right-clicking the appropriate exe and selecting "run as administrator").

Then type in netsh winsock r, hit enter, and then restart your PC.

Additional CMD commands can also help fix fubarred network stack issues:

netsh i i r r
netsh i i de ar
ipconfig /flushdns

But seriously, just get a better AV. Avast works quite well for free, as does Malwarebytes. And stop downloading junk folders and rapid-fire OKing your way through the TOS.
"Some people can read War and Peace and come away thinking it's a simple adventure story, while others can read the back of a chewing gum wrapper and unlock the secrets of the universe!"
-Lex Luthor

Joshex

netsh and a lot of the other stuff was the first thing I tried. netsh hangs for 24 hours only to output a generic error saying it couldn't complete. This is due to the registry entry listed.

I am aware of the typo, typed it late at night and lost net before I could change it.

I will try the Google DNS thing suggested by Fifth. Right now I'm trying to find a blank DVD to burn an openSUSE ISO to, to delete the registry value while Windows is offline.

When I say "fat tables", what I mean is the disk labels and file start and end labels; that's where it's hiding.

Joshex

Quote from: The Fifth Horseman on July 24, 2014, 01:15:14 PM
(...)

Set IPv4 to Google; what about IPv6? 8.8.8.8 is invalid.

The Fifth Horseman

    2001:4860:4860::8888
    2001:4860:4860::8844

Hyperstrike

Honestly,

While it could be taken as an admission of defeat, if something has its hooks into the system THIS bad?

I prefer to simply offload any necessary data to an external hard drive, nuke the system from orbit, and reload.

With a decent backup copy and Acronis True Image, booted from CD, I can be mostly reloaded inside half an hour and then back up to date shortly after that.
Then I just make sure my AV is fully up to date and scan the living crap out of the hard drive offload before pulling anything back to the system.

Joshex

#7
This thing seems unkillable. I tried everything; its host program doesn't show up in any Sysinternals tool or anything, I can't find what's running it. I tried Linux, got a DVD and all, and found my zip drive was too small to install openSUSE on... so that has put a serious hamper on checking if I can delete it from Linux.

I tried reinstalling Oracle VM VirtualBox; it won't run now???? Must be the registry key; anything that asks for that registry slot is denied. I tried all sorts of registry scanners. I'm down to another thing from Sysinternals called RegDelNull, which might work as it seems to handle null entries. Testing now.

Fail

Even that can't see the entry. I need a program that can delete it, or a method to delete it at a binary level. Please, Fifth or such, please help!

Hey, found this, might work, but I can't download it because China blocks Blogspot: http://www.winsite.com/go/download/251424/

The Fifth Horseman

Quote from: Joshex on August 17, 2014, 06:15:08 PM
this thing seems unkillable, I tried everything, its host program doesn't show up in any sysinternals or anything, I can't find what's running it.
Try this: http://support.microsoft.com/kb/929833
Quote from: Joshex on August 17, 2014, 06:15:08 PM
(...) I tried linux got a dvd and all and found my zipdrive was too small to install open suse on.... so that has put a serious hamper on checking if I can delete it from linux.
No, it didn't. Get something that can run as a Live CD instead of a distro you need to install first.
Here's several different bootable tool CDs:
http://www.gfi.com/blog/top-5-free-rescue-discs-for-your-sys-admin-toolkit/
https://www.raymond.cc/blog/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
Quote: hey found this, might work, but can't download it cause china blocks blogspot: http://www.winsite.com/go/download/251424/
That link just goes to a domain that redirects to a blog on blogspot. No apparent software download there.
Quote: even that can't see the entry, I need a program that can delete it or a method to delete it from a binary level, please Fifth or such please help!
TBH, what Hyperstrike said is fairly accurate: Nuke from the orbit. IIRC it should be possible to install a second copy of Windows on the same partition. Use that to backup what's important, then format and reinstall.

Joshex

#9
Quote from: The Fifth Horseman on August 17, 2014, 10:37:42 PM
(...)

I'll try the live CD options.

This happens to be my computer with CoH installed, and I really want to protect that installation. I know I can install it manually with links provided here on Titan, but it's more of a sentimental value thing; this install was the one I played on. If I get the downloadable install then it's differentish and loses what makes it special.

But on the other hand, I /NEED/ this computer's net operational for MMO testing. There is one option I've put on the back burner as a last resort: I have a new computer with Windows 8, and I have heard there's a rollback that allows you to make it Windows 7. I might do that for speed so I can get working again, then keep the CoH machine for later fixing.

There also is a possibility the computer will fix itself when I leave China and get on western DNS and such. Seriously, the internet here is terrible; between DNS not parsing CSS sheets properly, periodic random net resets and 114s, China has a long way to go at being self-reliant to provide internet service.

EDIT!

I managed to unlock it with RegDelNull! Or at least one of the 3 folders; after using regdelnull hku -s [registrylocation] on CurrentControlSet, it unlocked ControlSet002's 000000000070 entry, showing there are indeed 3 entries!

One is a (Default) REG_SZ (value not set).

Another is a PackedCatalogItem REG_BINARY; not sure how to read its hex values as characters. @oh, hex to text converter, duh, will do after updating this post. The hex is 25 53 79 73 74 65 6d 52 6f 6f 74 25 5c 73 79 73 74 65 6d 73 77 73 6f 63 6b 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00... (goes on for infinity) and translates to:
%SystemRoot%\systemswsock.dll [followed by a run of NUL characters]

The last is a ProtocolName listing, REG_SZ: MSAFD NetBIOS [\Device\Tcip_{F9DA404A-F939-40DE-AD2B-FECDDCD6B3CF}] DATAGRAM0

What can I kill, or are none of these the culprit? Do I have to unlock ControlSet001 and CurrentControlSet? These are questions I'm pondering.

systemwsock.dll in the system root: it's a rootkit or a corrupt system root file. I think replacing it with a clean one might help a bit, and maybe I should remove those infinite NUL characters.

what do you think fifth?

Update: the DLL is not present in the specified location. I made a blank DLL file to fill it, but no effect; deleting the registry keys has no effect. Unlocking the other 2 is crucial but can't be done by RegDelNull, oddly.
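An added example, not code from the thread or from any tool mentioned in it, that does by script what the export/merge step in the first post and the hand hex-decoding in the post above do by eye: it parses a regedit .reg export of Protocol_Catalog9\Catalog_Entries, decodes the leading provider DLL path of each PackedCatalogItem, and reports entries whose provider never appears in a known-clean export or is not the stock Microsoft provider. Assumptions: PackedCatalogItem starts with the provider path as a NUL-padded ANSI string (the rest of the structure is not decoded); the stock provider for MSAFD entries is %SystemRoot%\system32\mswsock.dll; both sample exports are constructed (real items are far longer), except that the 000000000070 hex is the thread's own transcription with its zero padding shortened; all function names are mine.

```python
r"""Triage a Winsock Protocol_Catalog9 .reg export against a known-clean one.

Added example, not the thread's own code. Assumptions:
 - PackedCatalogItem begins with the provider DLL path as a NUL-padded ANSI
   string; the rest of the structure is not decoded here.
 - The stock Microsoft provider for MSAFD entries is
   %SystemRoot%\system32\mswsock.dll.
 - Both sample exports are constructed, except the 000000000070 hex, which is
   the thread's transcription with the zero padding shortened.
"""
import re
from typing import Dict, List, Tuple

STOCK_PROVIDER = r"%SystemRoot%\system32\mswsock.dll"
CATALOG = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2"
           r"\Parameters\Protocol_Catalog9\Catalog_Entries")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """regedit export -> {key_path: {value_name: value}}. Handles quoted
    strings (\\ and \" unescaped) and hex: REG_BINARY with backslash line
    continuations; other value types are kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        name, raw = val.groups()
        if raw.startswith("hex:"):
            hexpart = raw[4:]
            while hexpart.endswith("\\"):          # value continues on the next line
                hexpart = hexpart[:-1] + next(lines, "").strip()
            keys[current][name] = bytes(int(b, 16) for b in hexpart.split(",") if b)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = raw
    return keys


def provider_path(packed: bytes) -> str:
    """Leading NUL-terminated ANSI string of PackedCatalogItem = provider DLL path."""
    end = packed.find(b"\x00")
    return (packed if end < 0 else packed[:end]).decode("latin-1")


def catalog_entries(keys: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    r"""Only the Catalog_Entries\NNNNNNNNNNNN subkeys, keyed by their 12-digit id."""
    out = {}
    for path, values in keys.items():
        entry_id = path.rsplit("\\", 1)[-1]
        if "\\Catalog_Entries\\" in path and re.fullmatch(r"\d{12}", entry_id):
            out[entry_id] = values
    return out


def triage(suspect_text: str, clean_text: str) -> List[Tuple[str, str, str]]:
    """(entry_id, provider_path, reason). Entry ids differ between machines, so
    the comparison is by provider path. A third-party path is a lead to verify
    on disk (VPN clients install LSPs too), not proof of malware."""
    suspect = catalog_entries(parse_reg_export(suspect_text))
    clean_paths = {provider_path(v["PackedCatalogItem"]).lower()
                   for v in catalog_entries(parse_reg_export(clean_text)).values()
                   if isinstance(v.get("PackedCatalogItem"), bytes)}
    findings = []
    for entry_id in sorted(suspect):
        packed = suspect[entry_id].get("PackedCatalogItem")
        if not isinstance(packed, bytes):
            findings.append((entry_id, "", "PackedCatalogItem missing or not REG_BINARY"))
            continue
        path = provider_path(packed)
        if path.lower() not in clean_paths:
            findings.append((entry_id, path, "provider not present in clean export"))
        elif path.lower() != STOCK_PROVIDER.lower():
            findings.append((entry_id, path, "third-party provider, verify the DLL"))
    return findings


# --- constructed sample exports, written the way regedit formats them ---
def reg_hex(data: bytes, width: int = 20) -> str:
    parts = [f"{b:02x}" for b in data]
    return "hex:" + ",\\\n  ".join(",".join(parts[i:i + width])
                                  for i in range(0, len(parts), width))


def make_export(entries: List[Tuple[str, bytes, str]]) -> str:
    out = ["Windows Registry Editor Version 5.00", ""]
    for entry_id, packed, proto in entries:
        escaped = proto.replace("\\", "\\\\")          # regedit escapes backslashes in REG_SZ
        out += [f"[{CATALOG}\\{entry_id}]", f'"PackedCatalogItem"={reg_hex(packed)}',
                f'"ProtocolName"="{escaped}"', ""]
    return "\n".join(out)


def stock_item(path: str = STOCK_PROVIDER) -> bytes:
    return path.encode("latin-1").ljust(64, b"\x00")   # stand-in; real items are longer


THREAD_HEX_70 = ("25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,73,"
                 "77,73,6f,63,6b,2e,64,6c,6c,00,00,00,00,00,00,00,00")
PACKED_70 = bytes.fromhex(THREAD_HEX_70.replace(",", ""))
CLEAN_EXPORT = make_export([("000000000001", stock_item(), "MSAFD Tcpip [TCP/IP]"),
                            ("000000000002", stock_item(), "MSAFD Tcpip [UDP/IP]")])
SUSPECT_EXPORT = make_export([
    ("000000000001", stock_item(), "MSAFD Tcpip [TCP/IP]"),
    ("000000000002", stock_item(), "MSAFD Tcpip [UDP/IP]"),
    ("000000000070", PACKED_70,
     r"MSAFD NetBIOS [\Device\Tcip_{F9DA404A-F939-40DE-AD2B-FECDDCD6B3CF}] DATAGRAM0"),
])

if __name__ == "__main__":
    for entry_id, path, reason in triage(SUSPECT_EXPORT, CLEAN_EXPORT):
        print(f"{entry_id}: {path!r}: {reason}")
```

Run as a script it reports the 000000000070 entry, whose decoded provider path (%SystemRoot%\systemswsock.dll, exactly as the hex in the post decodes) does not match any provider in the clean export. To use it on real data, export Catalog_Entries from both machines as the first post describes and pass the two files' contents to triage(); do that before merging anyone's export, since merging a .reg file adds keys but never removes extra ones.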

Ice Trix

Quote from: Hyperstrike on August 14, 2014, 10:57:41 AM
(...) I prefer to simply offload any necessary data to an external hard drive, nuke the system from orbit, and reload. (...)

This is the correct manner; assuming backups are done regularly, it will be far faster too.

The Fifth Horseman

Quote from: Joshex on August 18, 2014, 05:12:04 AM
this happens to be my computer with CoH installed, I really want to protect that installation (...)
Just copy it to a pendrive. You can copy it back after the OS is reinstalled, it'll work.

Joshex

#12
Well, what started as a how-to got even more in-depth and lasted longer than I wanted it to.

I went searching through error logs to see if I could spot what was going wrong, and I did indeed spot it: there are 2 DNS redirects that are failing (4 technically); dns.msftncsi.com is timing out and cloud.daddymami.net is timing out.

I don't trust these connections; by the sound of them they seem fishy, but after checking the first one online it appears legit, and it timing out could be causing my internet troubles. This might be a simple registry fix after all.

So far so good. I have been able to use the internet uninterrupted for several hours straight now; I am typing this on said computer. We'll see how it goes after a day or so. I am about to leave it unattended and see what happens later.

Joshex

Critical update:

It hit again as soon as the screensaver started, and continued to be triggered by any lock-down or password log-in screen. Windows troubleshooter claimed it was the wireless router (I have reset it). Critical info there: when I reset the router I was perma-banned from Titan! "Your ISP hosts too many spammers".

I still had network troubles, so I reset the router again and KOed my laptop's wireless services for a short time, then turned them on again. It wouldn't even connect to Titan, eternally loading, until I cleared the cookies.

This appears to be an ISP-related problem; it's only showing up on my computer because I am treating it as malware and trying to rectify it.

I will be leaving China-net/telecom soon, in 4 days. For safety's sake I will take 2 computers and probably finally attempt the live CD in America if the problem persists. And if that fails, I'll try to fix those registry entries mentioned earlier (the internet worked earlier because I removed, with VIPRE Rescue, an adware application that was blocking it).

If all else fails, I'll do a data transfer and nuke operation.

For now it's stable again; let's see for how long.

The Fifth Horseman

Quote from: Joshex on August 20, 2014, 07:29:22 AM
it hit again as soon as the screensaver started, and continued to be triggered by any lock-down or password log-in screen. Windows troubleshooter claimed it was the wireless router (I have reset it) Critical info there, when I reset the router I was perma banned from titan! "your ISP hosts too many spammers".
(...)
This appears to be an ISP related problem, it's only showing up on my computer because I am treating it as malware and trying to rectify it.
Guessing that the router reset caused your ISP to assign you a new IP and part of their IP range is banned and part isn't.

Joshex

I installed a live CD to my flash drive (I chose Falcon Four's), I booted from it and it ran as described; however, the registry keys were still not deletable. It's not a program protecting them; they have a series of null characters in the key name. RegDelNull only replaces 1 null character at a time, and usually gives an error instead, because the name can't be edited that way.

Unless someone here will tell me how to find and edit the system restore file(s), I will have to do a nuke operation in a couple of days when I'm back in the States. I'm sure system restore would work if I can edit the system restore file to exclude these registry entries. I know how to edit .reg files, so it shouldn't be a problem. Guide my hands please.

Edit sys restore file?

or

Nuke?

If nuke, I need 3 things:

1: How to find my product key from inside Windows (I have the sticker but it's too worn to read)
2: How to make a repair/install disk from my current OS
3: Suggestions: repair? Or format and completely reinstall?

I will only have 2 computers, one that's slower than slow and 1 dev machine. Though I can transfer all my files to the slow machine, I cannot do dev on it; 3D stuff doesn't even run, lol.

Relitner

Sorry to hear about your PC problems, Joshex.
After a little research, I found this little tidbit. Maybe it will help? http://malwaretips.com/blogs/remove-hao123-virus/

The blog does not say what it is, but my guess is that it is a rootkit. Many of the nasty browser hijackers are these days. And rootkits are difficult to kill.

Honestly, the best option is to nuke/reformat/reinstall windows. You can get a pretty fair priced windows OEM from Newegg.
in nomine Patris, et Filii, et Spiritus Sancti amen

Joshex

American internet had fewer disconnect problems, but the latent problem is still there; however, I got a USB wifi card for the time being to see if that would work.


It does work, which means I baked my network adapter physically, which is the reason for these errors. I should probably fix the system too, but at least I can get working net on my dev machine; I should focus on the development of the server now.