Fixing a broken Layered Service Provider (LSP)
 

Solution ID:

EN-122496

Product:

All Products - N/A
Operating System:
Red Hat 7.2; Windows 2000 Server; Windows XP; Powered by UnitedLinux 1.0

Published:

11/19/2008 5:20 PM 
 

Problem:

What is LSP?

A Layered Service Provider (LSP) is a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, bugs in the LSP software, or deletion of the software when it is removed as malware, can break this chain and leave the user unable to access the Internet.

 

Solution:

Public

 

Fixing a broken LSP

Fixing a broken LSP involves removing the entries left behind when LSP software is manually removed by the user (or when errors in the software itself break the LSP chain), and closing any gaps in the chain.

This procedure fixes the problem in which a user has no Internet connection after manually removing the spyware.

    1. Run regedit.exe in the command line to start the Windows registry editor.

    2. Go to this registry key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries


    3. Count the number of folders in this registry key.

    4. Locate and delete any of the numbered folders that refer to the malicious file(s) in their Library Path line(s).


    5. If needed, rename the numbered folders so that they are all consecutive. For example, if there were 4 folders and you deleted the first 2, you need to rename the remaining folders 000000000001 and 000000000002. Maintain the number of digits in the folder names; do not delete any zeros in the folder name.

    6. Select this registry key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5


    7. Double-click Num_Catalog_Entries in the small pop-up window. Select Decimal and edit the value of the number on the left to reflect the number of remaining folders (in the case of the example above, you would enter 2).


The next procedure is the same as steps 1 - 7 above, but it refers to this registry entry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

    1. Go to the following registry key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries


    2. Count the number of folders in this registry key.

    3. Locate and delete any of the numbered folders that refer to the malicious file(s) in their PackedCatalogItem line(s).

    Note: To read the binary entry of PackedCatalogItem, right-click it and select Modify to view the binary-to-text translation.


    4. If needed, rename the numbered folders so that they are all consecutive. For example, if there were 4 folders and you deleted the first 2, you will need to rename the remaining folders 000000000001 and 000000000002. Maintain the number of digits in the folder names; do not delete any zeros in the folder name.

    5. Select this registry key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9


    6. Double-click Num_Catalog_Entries in the small pop-up window. Select Decimal and edit the value of the number on the left to reflect the number of remaining folders.

    7. Close the registry editor.

    8. Restart your system.
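
As an added example (not part of the original article), this read-only PowerShell check reports, for both catalogs above, whether the numbered folders are consecutive, which provider DLL each folder names, and whether Num_Catalog_Entries matches the folder count. It assumes PowerShell 3.0 or later, that the value shown as "Library Path" is stored under the name LibraryPath, and that PackedCatalogItem begins with the DLL path as NUL-terminated ANSI text; the Get-ProviderPath helper and the FileExists column are choices made for this example.

```powershell
# Added example: read-only audit of the two Winsock catalogs. Writes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

# Catalog name -> value holding the provider DLL path (value names are assumptions, see lead-in)
$catalogs = [ordered]@{
    'NameSpace_Catalog5' = 'LibraryPath'
    'Protocol_Catalog9'  = 'PackedCatalogItem'
}

# Hypothetical helper: return the DLL path from a text value or from the start of a binary one
function Get-ProviderPath($Key, $ValueName) {
    $v = $Key.GetValue($ValueName)
    if ($v -is [byte[]]) {
        # Assumption: the binary value starts with the path as NUL-terminated ANSI text
        $end = [Array]::IndexOf($v, [byte]0)
        if ($end -lt 0) { $end = $v.Length }
        return [Text.Encoding]::ASCII.GetString($v, 0, $end)
    }
    return $v
}

foreach ($c in $catalogs.GetEnumerator()) {
    $root     = Join-Path $base $c.Key
    $declared = (Get-ItemProperty -Path $root).Num_Catalog_Entries
    $folders  = @(Get-ChildItem -Path (Join-Path $root 'Catalog_Entries') |
                  Sort-Object PSChildName)

    $n = 0
    foreach ($f in $folders) {
        $n++
        # Consecutive name with the same number of digits, e.g. 000000000001
        $expected = $n.ToString().PadLeft($f.PSChildName.Length, '0')
        $path     = Get-ProviderPath $f $c.Value
        # An entry whose DLL is gone from disk is a candidate leftover
        $onDisk   = [bool]$path -and
                    (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($path)))
        [pscustomobject]@{
            Catalog = $c.Key; Folder = $f.PSChildName
            NameOk  = ($f.PSChildName -eq $expected)
            Provider = $path; FileExists = $onDisk
        }
    }
    if ($declared -ne $folders.Count) {
        Write-Warning "$($c.Key): Num_Catalog_Entries is $declared but $($folders.Count) folders exist"
    }
}
```

Run it from an elevated prompt before and after the manual edits: a repaired catalog shows NameOk as True on every row and produces no warning.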


  