Outbound Port 80 access stops working after about 5-10 minutes aft

Guest

I'm trying to track down a problem. My computer appears to have a virus.
About 5 to 10 minutes after reboot I can no longer access any web
pages. Port 80 seems to be the only port affected.
I can ping sites, resolve DNS, and even visit secure (https:) sites. I ran a
packet sniffer: whenever, for example, I go to www.google.com, Ethereal
reports it's seeing a packet with the source of www.google.com on port 80
trying to go to 209.87.208.60 on port 8083.
The same will come up if I tried another site but with that site as the
source IP.
I looked up that destination and it seems to be part of ZoneAlarm's company
ZoneLabs. Someone probably doesn't like them much.

Anyways...
I had Symantec Client Firewall and Anti-virus regularly updated. I've done
the quick scans and nothing gets flagged. I ran Spy-Bot and AdAware and all
they spotted were cookies. Also, I ran Rootkit Revealer, but only to the point it
finishes scanning the registry (I'll let it scan the whole drive sometime
later).
I tried netsh int ip reset c:\tcp.log
reboot, no help.
Safe Mode with Networking might not be suffering the same problem, I wasn't
running in it long enough to be sure.
Looking through Task Manager, I couldn't find any processes that shouldn't be there.
I tried stopping most running services.
windows\System32 doesn't have any recently modified files of interest.

I don't know where to look next.
Any ideas?

-Chris
 
Chuck

Chris,

The "netsh int ip reset c:\tcp.log" command is only 1 of 6 possible solutions
for an LSP / Winsock problem. You have to try all 6, in sequence and repeated,
sometimes.
<http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html>

Did you do a thorough malware scan? Not just RKR (and there are other Rootkit
scanners too), AA, SSD. Maybe tried HijackThis and expert malware advice?
<http://nitecruzr.blogspot.com/2005/05/dealing-with-malware-adware-spyware.html>
<http://nitecruzr.blogspot.com/2006/03/malware-detection-and-removal-version.html>

Is your computer the only one on your network? How is the computer connected to
the Internet?

I still like the LSP / Winsock possibility, but you have to try more than one
tool.
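
An added example, not part of the thread or of the linked pages: one way to check the LSP / Winsock possibility raised above is to save the output of `netsh winsock show catalog` (available on Windows XP SP2 and later) and flag layered providers or provider DLLs outside a known baseline. The sample text, the field layout it assumes, the `webfilter.dll` provider and the one-entry baseline are all constructed for illustration.

```python
# Constructed sample, laid out like `netsh winsock show catalog` output
# (field names are an assumption); "webfilter.dll" is a made-up provider.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Filter over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\Example\webfilter.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
Protocol Chain: 1014 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1
"""

# Baseline of expected provider DLLs (assumption: build the real list
# from a known-clean machine of the same Windows version).
BASELINE = {"mswsock.dll"}

def parse_catalog(text):
    """Split the catalog dump into one dict of fields per provider entry."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only, so "C:\..." paths stay intact.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def suspicious(entries):
    """Return (entry id, dll, layered) for layered or non-baseline providers."""
    hits = []
    for e in entries:
        path = e.get("Provider Path", "").replace("\\", "/")
        dll = path.rsplit("/", 1)[-1].lower()
        layered = int(e.get("Protocol Chain Length", "1")) > 1
        if layered or dll not in BASELINE:
            hits.append((e.get("Catalog Entry ID"), dll, layered))
    return hits

if __name__ == "__main__":
    for entry_id, dll, layered in suspicious(parse_catalog(SAMPLE)):
        print(f"entry {entry_id}: {dll} layered={layered}")
```

A flagged entry is not proof of malware, since firewalls and antivirus products install layered providers too; it identifies which DLL sits in the socket path and needs to be accounted for.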
 
