Guest wsxedcrfv

What is the "winsock fix" ?

Guest wsxedcrfv

I've come across some references (and some downloads) for something called the "winsock 2 fix for Win9x". One such file-name is "winsock9x2Kfix.exe" which I can't unpack (not even using 7-zip). It seems to have been a piece of custom software written by Boston University.

Is this just a Microsoft patch that's been re-packaged, or are there really third-party releases of a fix for known Winsock problems for Windows 98 Winsock that Microsoft has never released a fix for?

And by the way, regarding Windows 98 and IPv6, the Winsock Wikipedia entry says this:

"Trumpet Winsock 5.0 is available for Windows 95/98 and Windows NT and includes a Winsock 1.1 compliant IPv6 stack for these operating systems"


Guest wsxedcrfv

Well, I'll post a link to this file so someone can pick this thing apart and figure out what it is:

http://rapidshare.com/files/415353781/winsock9x2Kfix.exe

Someone was having a problem configuring their cable modem and getting it to work with win-98, and the above file was posted by someone else as being a solution. I scanned it on VirusTotal, but only one program (eSafe) flagged it as malware (so it might be a false-positive). It's about 61kb in size.


I ran the winsock fix on VPC. It deletes DUN and the Winsock keys, reboots, reinstalls both from the Windows CD, then reboots again. It seems to be a valid repair utility that automates the process.

There are still a few versions of Winsockfix available. Most are from several years ago when certain types of malware replaced the winsock files with their own. If the malware was removed by something like SpyBot or AAW, the replaced winsock files were also removed, breaking the PC's ability to access the web. The version of Winsockfix I still have was by Option^Explicit Software Solutions and contained the winsock files, eliminating the need for the CD. It got a lot of use at spyware removal forums when this type of malware was common.


Thanks for the info herbalist!

I just Googled and found it at BrotherSoft!

Though I never seem to get spyware that horrible (no cliche will be used) it seems like something to have in one's stock.


If I remember right, some of his winsockfix were OS specific. I haven't seen this type of malware in several years. "NewDotNet" was one of them. There were others. As long as the malware file that replaced the winsock was present, the PC had normal internet access, as did the adware/malware that installed it. A lot of the malware then was quite different than what we have now. A lot of it was very "in your face", literally daring you to try to remove it. This was before the days of HIPS and other process controlling security apps. I remember a couple of them that used several processes, each protecting and restarting the others. If you didn't kill the entire group of processes in one shot, you couldn't delete any of them. If I'm remembering right, the old versions of Kazaa would add this and a lot more to your system.

Today, malware hides very well. Often there are no visible indications that your system is infected. If your AV missed it, you could remain infected for a long time and never know it.


Here's a mirror of the old Simtel archives, specifically for Trumpet Winsock (versions 2 through 5).

ftp://ftp.sunet.se/pub/simtelnet/trumpet/winsock/

As part of the Simtel archive, these should be the original Trumpet files, as opposed to GOK files (God Only Knows), which one might find elsewhere.

I scanned them with Clamwin, and they came up clean. I haven't had a chance to look at them more closely, or scan them with anything else.

IIRC I could not extract the .exe files (versions 3 - 5) with either WinRAR or 7zip.


I've been using IZarc for many months now, artemus, and it might work.

I do not think the latest few versions support 9x any longer, so one would have to find an earlier version which does; FileHippo being where I found it.

It might work for those .exe files, as you can allow it to be associated with a great many kinds of files that have been compressed/zipped.


> Well, I'll post a link to this file so someone can pick this thing apart and figure out what it is:
>
> http://rapidshare.com/files/415353781/winsock9x2Kfix.exe
>
> Someone was having a problem configuring their cable modem and getting it to work with win-98, and the above file was posted by someone else as being a solution. I scanned it on VirusTotal, but only one program (eSafe) flagged it as malware (so it might be a false-positive). It's about 61kb in size.

That file is a compiled executable, MSVC++ v5/6, nothing but code. Nothing to dissect or extract.

As herbalist stated, it will probably add/delete registry keys and call other API and shell functions (like reboot) so they can be very dangerous. Use a test computer to capture the reg changes.

The main key (on Win9x) to back up and save is:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2]

These Winsock adjustments almost always replace the data found in a subkey:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries]

If you have registry backups it is simple enough to manually grab these 'catalogs' and replace them at will.

P.S. There are no spaces in those registry key names. I see at least one in the preview though! Buggy forum software apparently.

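An added example, not part of the original posts: one way to "capture the reg changes" described above is to export the Winsock2 key before and after running a repair utility on a test machine and diff the two REGEDIT4 text exports. The function names and the short hex values below are constructed for illustration; real `PackedCatalogItem` data is much longer.

```python
WINSOCK2 = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2"
CAT = WINSOCK2 + r"\Parameters\Protocol_Catalog9\Catalog_Entries"

def parse_reg(text):
    """Parse REGEDIT4 export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]      # hex data wrapped onto the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            # Simplification: assumes value names contain no '=' character.
            name, _, data = line.partition("=")
            current[name.strip('"')] = data
    return keys

def diff_exports(before_text, after_text, root=WINSOCK2):
    """List (change, key, value_name) for everything under root that differs."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        if not key.lower().startswith(root.lower()):
            continue                 # ignore keys outside the Winsock2 tree
        if key not in after:
            changes.append(("key removed", key, None))
        elif key not in before:
            changes.append(("key added", key, None))
        else:
            old, new = before[key], after[key]
            for name in sorted(set(old) | set(new)):
                if old.get(name) != new.get(name):
                    changes.append(("value changed", key, name))
    return changes

def entry(n, data):
    """Build one constructed Catalog_Entries section for the sample exports."""
    return '[%s\\%012d]\n"PackedCatalogItem"=%s\n\n' % (CAT, n, data)

# Constructed sample exports: entry 1 is only re-wrapped, 2 changes, 3 is new.
BEFORE = "REGEDIT4\n\n" + entry(1, "hex:aa,bb,\\\n  cc,dd") + entry(2, "hex:11,22")
AFTER = ("REGEDIT4\n\n" + entry(1, "hex:aa,bb,cc,dd")
         + entry(2, "hex:11,99") + entry(3, "hex:de,ad"))

if __name__ == "__main__":
    for change in diff_exports(BEFORE, AFTER):
        print(change)
```

Key paths are compared as exported, so both exports should come from the same machine and tool to avoid spurious differences in letter case.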

> P.S. There are no spaces in those registry key names. I see at least one in the preview though! Buggy forum software apparently.

It's no bug, it's so you can't post a super long "word" that would cause your post to be super wide. Any "word" longer than a certain length gets spaces inserted so it will wrap down a line. This is a common mechanism in lots of forum and comment posting systems on the internet.

Queue
