Changes in the LSP stack

What does LSP stand for?

LSP is short for Layered Service Provider. A Layered Service Provider is a DLL that uses the Winsock API to insert itself into the TCP/IP stack, where all traffic between the internet and a computer's applications can be intercepted, filtered and even modified.

That sounds dangerous! Well, it can be.

For example, it is being used by malware to redirect web browsers to certain websites. On the other hand, it is also in use by security programs that can scan network traffic for viruses or other threats.

Can Malwarebytes Anti-Malware remove the bad guys from my stack?

We can, but we are very careful, because removing an entry carries the risk of breaking the chain.

The Winsock Service Provider Interface (SPI) API provides a mechanism for layering providers on top of each other. The problem is that there can be several LSPs in your stack, and the order of all the layered providers is kept in the Winsock Catalog.

If we were to rip out one LSP, say because it belongs to a hijacker, we would run the risk of breaking your internet connection, and that would make things worse.

Incorrect removal can corrupt the Winsock catalog in the registry and break the connection to the network and the internet, and once people are disconnected they are usually on their own.

What other options do we have to get rid of them?

If the LSP was introduced by a potentially unwanted program (PUP), the first thing you should try is uninstalling the application using its regular uninstaller. You can usually find these in the Windows Control Panel > Programs > Uninstall a program.

Mezaa is an example of a PUP that uses the LSP stack to deliver advertisements

Since the LSP feature has been deprecated starting with Windows Server 2012, most Windows 8 style “Metro” apps will skip all LSPs. So if you are using Windows 8 (or 10), there may be no need to look further into this matter.

If the uninstall fails, this is the procedure you should have handy in case the internet connection is broken:

  • Go to Start -> Programs -> Accessories -> right click on the Command Prompt and choose Run as administrator.
  • Type “netsh winsock reset catalog” in the Command Prompt window, and then press the Enter key.
  • Restart the computer when prompted.
  • After the reboot you can manually delete the associated files.

Please note that this will not only remove the unwanted program from your LSP stack, but everything else that was added to the default entries as well.

It is a reset to the standard Windows configuration of the Winsock catalog, which means all LSPs that were added later will be skipped. So if you were using benevolent third-party LSPs, the associated programs may have to be re-installed or repaired.

Check the catalog

If you want to check the elements in your Winsock catalog, you can use the command netsh winsock show catalog in the Command Prompt window.

[Screenshot: output of netsh winsock show catalog]

The result is a list of catalog entries like those shown in the screenshot.
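Reading that list by hand is tedious on a machine with many entries, so here is an added PowerShell example (not code from the article or from Malwarebytes) that parses the output of netsh winsock show catalog and flags entries that deserve a closer look: layered entries, chains longer than one provider, and provider DLLs that live outside the Windows system directory. The function name Get-LspReport, the field names it keys on, and the sample output with its placeholder paths are assumptions constructed for this example.

```powershell
# Added example, not from the article: parse "netsh winsock show catalog"
# output and flag layered providers and DLLs outside the system directory.
# Live use:  Get-LspReport -Lines (netsh winsock show catalog) | Format-Table -AutoSize
function Get-LspReport {
    param([string[]]$Lines)
    $sysDir  = [Environment]::GetFolderPath('System')
    $entries = [System.Collections.Generic.List[hashtable]]::new(); $cur = $null
    foreach ($line in ($Lines + 'Winsock Catalog Provider Entry')) {   # sentinel flushes the last block
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($null -ne $cur) { $entries.Add($cur) }
            $cur = @{}
        } elseif ($null -ne $cur -and $line -match '^(?<k>[^:]+?):\s+(?<v>.+?)\s*$') {
            $cur[$Matches.k.Trim()] = $Matches.v    # e.g. "Entry Type", "Provider Path"
        }
    }
    foreach ($e in $entries) {
        $path  = if ($e['Provider Path']) { [Environment]::ExpandEnvironmentVariables($e['Provider Path']) } else { '' }
        $flags = @()
        if ($e['Entry Type'] -match 'Layered')                     { $flags += 'layered' }
        if ((($e['Protocol Chain Length'] -as [int]) -gt 1))       { $flags += 'chain' }
        if ($path -and -not $path.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'non-system path' }
        [pscustomobject]@{ Id = $e['Catalog Entry ID']; Type = $e['Entry Type']; Description = $e['Description']; Path = $path; Flags = ($flags -join ',') }
    }
}

# Constructed sample output for offline testing (placeholder paths, not real indicators):
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleApp LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\ProgramData\ExampleApp\lsp.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              2
'@
Get-LspReport -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict: legitimate security software also registers LSPs, so check the flagged DLL's publisher and the installed program it belongs to before deciding to uninstall or reset.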

Summary

The Windows LSP stack is basically a set of DLLs that can monitor, filter and alter the data coming in through your internet connection. Unwanted elements can be removed by using the uninstaller in the case of PUPs, or by resetting the Winsock catalog if that fails.

Recommended reading:

http://windowsxp.mvps.org/winsock.htm

http://technet.microsoft.com/en-us/library/cc753591(v=ws.10).aspx

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.