Strange Cookie Problem With Gmail

[opalhort]

Three PCs, all XP pro SP3. Cookie settings are all identical.

On one PC I suddenly can not log-in to Gmail on the web (claiming cookies are not enabled - they are enabled!)

Other sites using cookies, like ThaiVisa appear to have no problem.

From some sites I get the norpmal pop-up asking for permission to install one.

Systemrestore is not a good option since it was probably more than a month ago that I used this PC for Gmail.

Ran AV and malware software to no avail.

Any idea where to look?

opalhort

[welo]

Try to wipe the cookie cache with CTRL-SHIFT-DEL or better the whole temporary files cache just to be sure.

Had a different problem with GMail once where it kept redirecting/reloading, and this solved it.

welo

[MTH]

I would start with clearing the IE cache. Tools -> Internet Options -> Delete

At minimum clear Cookies and Temporary Internet Files. (I would clear it all).

Reboot and then try to log into Google again.

[lopburi3]

I keep one window open with Chrome for Gmail. This solves a problem I have with other browsers getting the calendar option to load - in Chrome it is immediate - in FF always has errors.

Is it the same browser/version of all computers?

[opalhort]

Thanks for all the replies.

Did google for help and followed instructions.

cleared cache even offline content as advised by google help but left cookies alone (too much info would be lost) because they do work with other sites.

The problem PC has IE6.

One has IE6 and Chrome and one has IE7, they both work OK.

I have a feeling this PC has a problem.

Since about 2-3 weeks I also get this pop-up when starting the PC. It takes 60-80 sec. to clear.

(All other PCs use ZoneAlarm and do not show this Pop-up)

Have run all tests and cleaners I can think of but nothing was found.

opalhort

[MTH]

Well I think that you have a corrupt cookie for Google, So my initial suggestion should work.

However if you don't want to delete all you cookies. Go to the folder:

C:\Documents and Settings\<username>\Cookies\

(Assuming Windows is installed on the C: drive)

And delete all cookies that have to do with Google. Look for:

<username>@google...

<username>@www.google...

Reboot and try to log into Google.

[opalhort]

I did clean all Google cookies and in the end I cleaned all cookies. No luck.

Did a restore 2 months back, could log in and view everything but when signing out got the message "you have been automatically signed out because someone else on your computer has logged in".

Could not stay with this restore point because it lost two folders I created later, so it was back to current settings, got my folders back but now I can not sign in again.

I am now sure that this PC has caught a bug.

When I start msconfig in the DOS window BOclean tells me it found the trojan 'Virtumonde(Vundo)35'

Googled for it but could not find a reliable solution.

Now I am looking for a good FREE cleaner which can help with this one.

I did run AVG, AVAST and Spybot S&D but none found any problem.

opalhort

[astral]

It is worth running Ccleaner to keep your machine tidy

and free of junk.

[welo]

'Virtumonde' seems to be a nasty one. Check out http://en.wikipedia.org/wiki/Vundo

If a System Restore worked for you, why don't you backup the folder that would be removed by reverting back to the restore point, and then do the restore.

You could also do a system image before reverting, in case System Restore messes up you can restore your PC with this image.

Trojans usually try to infiltrate System Restore so that a restore will not get rid of the infection. It might be worth a try (with the complete system image as backup).

If you haven't done a complete backup of your data by now, do it NOW! (no excuses!)

but when signing out got the message "you have been automatically signed out because someone else on your computer has logged in".

This sometimes happens to me if I log out again too quick before the full gmail user interface has been loaded. But in any other case I would consider it not normal and a sign of something going wrong.

Do virus scans from 'Safe Mode' (F8).

Try Malwarebytes' Anti-Malware.

I personally also like rescue CDs since the virus has no chance interfering with the scan. You can run Kaspersky rescue CD (free). Connect the computer by ethernet cable before booting form the cd in order for the update to work (requires DHCP on your router enabled), wireless will not work. The CD should contain updates from end of last year, but more recent updates are always better.

On Zonealarm...

Found a hint from ZoneAlarms user forum about the startup message you posted. (The ZoneAlarm forum is currently down though )

PLEASE try the following, if you are interested, but remember you will LOSE your CUSTOMIZATIONS. This will bring the firewall back to the original settings.

I think is your Zone Alarm database has gotten corrupt and does not remember your Zones settings. Reset your database and see if that will fix it. Reset the database this way; you will lose your customizations and will need to reconfigure Zone Alarm.

1. Boot your computer into the Safe Mode.

2. Navigate to the c:\windows\internet logs folder.

3. Delete the backup.rdb and iamdb.rdb files in the folder.

4. Reboot into the normal mode.

source: http://74.125.155.132/search?q=cache:EsyN5...lient=firefox-a

Re-installing might fix the problem, too. But if you are suspecting a trojan infection i would NOT do it right now, things might get worse.

Anyway, Zonealarm is probably less of a problem right now. It might also be related to your infection, maybe the trojan trying to mess around with ZoneAlarm to hide itself.

welo

[opalhort]

Thanks for all your replies.

Data on this PC is safe and not an issue (all is backed up double and also have the last image of about three months ago) since this PC is only used for browsing, googleing and checking our digicam photos.

Even Gmail I visit only once or twice a month via the web to check if anything ended up in the spam what is real mail and to do some cleaning.

I get all gmail via POP3 and send via SMTP using OE6 from another PC. No problem there.

Will work on finding the root cause of the problem over the next few days (short of time right now due to REAL work) and get back to this topic as soon as I figured out where the problem is.

Thanks again for all your suggestions about what programs to use for cleaning, will certainly follow them one after another.

opalhort

[opalhort]

Update after working on it this weekend (sorry for lengthy post):

First: all other PCs (XP with IE6 and IE7 and Vista & IE7, Chrome, FF) have no problem with Gmail. Also the Problem PC (XP IE6) has no problem when using Chrome.

1) Did run CCleaner with very selective cleaning (but did a full reg clean). It did a great job. WIN start-up time reduced by almost half! and I got about 10GB of HDD space back. Also ZoneAlarm starts now fast as usual. But it did not solve the Gmail log-in issue.

2) Ran Malwarebytes' Anti-Malware and it found only one reg entry 'AdwareTryMedia-Systems', removed but no change.

I did look at the info about the virus mentioned above in wikipedia but none of the symtoms appear to apply here apart from Gmail log-in. Google search, Facebook, hotmail are all no problem.

Could it be that Boclean gave me a false positive?

When I use RUN and msconfig -> no problem.

If I use RUN cmd and then msconfig in the DOS window msconfig pops up for a few second and then I get this:

On other PCs msconfig does not even start under the cmd (not recognized command) in the DOS window!

Question aside from the above:

When I ran CCleaner I found that there were 6 months worth of restore points of which I deleted the oldest 3 months.

Now I'm wondering if the restore points are cumulative or stand-alone. If cumulative then the ones I have left are probably no good and I should start with a clean slate of restore points .

opalhort

[welo]

When I use RUN and msconfig -> no problem.

If I use RUN cmd and then msconfig in the DOS window msconfig pops up for a few second and then I get this

That's weird. Honestly, I understand too little about how BOClean and this trojan works to decide whether this points towards a false alarm or an infection.

Some thoughts after reading more on BOClean:

• BOClean is a signature/definition based scanner, not a behavioral scanner AFAIK. Meaning if msconfig.exe would give a false alarm it should have been fixed already. -> pointing towards a TRUE INFECTION, however...
  
• Hasn't BOClean been discontinued? I've read that they have rewritten the Malware module completely and it's part of Commodo Internet Security now. Updates for BOClean standalone have been discontinued last year... -> pointing towards FALSE POSITIVE
  

I recommend:

• Upload msconfig.exe to virustotal.com. This will scan the executable with all major antivirus scanners available.
  
• Download Hitman Pro. This is a very fast cloud based scanner (buzz alert!) that will upload suspicious files to a 'cloud' of computers that eventually scans the file against 5 major antivirus scanners.
  
• Download Kaspersky's rescue CD, write it to a CD and boot from it.
  

Notes:

If Malwarebytes didn't pick up anything chances are high that is is a false positive. However, in case of a rootkit infection all scanners running under the infected OS will have a very hard time detecting anything, both Option 1 + 2 (virustotal and hitman) fight a hopeless battle.

A rescue CD accessing the harddrive with its own (uninfected) drivers should be able to detect the infection. There are special rootkit scanners out there, however, I'm lacking personal experience to recommend if they do a better job than a rescue CD.

welo

Edited February 15, 2010 by welo

[bendejo]

Looks like a good argument for going over to Firefox. I use FF almost exclusively, and have a few add-ins for deleting or preserving cookies.

I also have more than one gmail account, and if I log out of one account I'll clear all gmail cookies before using the other one. If I don't reload the gmail login page after clearing the cookies I get that same message you do about cookies not being enabled -- of course they are enabled, but gmail is not seeing the cookie it expected to find. When I reload the gmail page it's back to normal. Maybe this tidbit will lead you to another path to your solution.

There are portable versions of both Firefox and Chrome that you can run from your machine without it putting files in your user settings. You can run one of these from the troubled machine just to see if you can connect from it.

I only run IE (Incredibly Evil) for communications with MS, like updates and such. The little shites who make malware usually depend on you using IE, something to bear in mind. Once in an internet place I tried installing FF on a machine and got a pop-up saying "Use Internet Explorer, stupid!" Regardless of what MS's lawyers may say, I consider IE to be an integral part of Windows, and via ActiveX etc it means there is a direct path between this internet browser and the OS itself. Scary!

Edited February 15, 2010 by bendejo

[opalhort]

Thanks for your replies.

To WELO:

Did run msconfig through virustotal and it found 6 bugs (Trojan.Patched).

The msconfig on this PC is very old (2005) and located in the system32 folder. All other PCs have it in Service Pack Files/i386 folder (version 2008), no msconfig in the system32 folder of any other PC.

Located it on the problem PC in same folder and renamed the one in system32 folder.

Now all is working okay as far as msconfig is concerned.

Yes Boclean is no longer supported (last update Sep.'09), should probably get rid of it.

I'm now quite sure that I do not have a bug.

But the log-in issue on only this PC persits in IE6.

To bendejo:

I have no intention to go with FF. My son has it and has nothing but problems, probably related to his games which don't support FF. As for us we have to stick with IE since we have to frequently upload data to Thai government websites which only support IE.

I guess I'll have to dump IE6 on the problem PC and install IE7.

In any case we still have chrome which works OK (except with some Thai government websites!).

My main concern was that the PC cought a bug but this appears not to be the case now.

opalhort

[welo]

To WELO:

Did run msconfig through virustotal and it found 6 bugs (Trojan.Patched).

You probably mean that 6 virus engines reported that this file is infected. 6 is not a high number, I think virustotal checks against 24 engines in total. If there is more than 2 major vendors (like Kaspersky, ESET, Norton, etc) I'd vote for a true infection.

The msconfig on this PC is very old (2005) and located in the system32 folder. All other PCs have it in Service Pack Files/i386 folder (version 2008), no msconfig in the system32 folder of any other PC.

Checked on my WinXP SP3 virtual machine and found msconfig.exe in C:\WINDOWS\pchealth\helpctr\binaries and in C:\Windows\System32\dllcache. There shouldn't be a copy in C:\Windows\System32 directly.

Sometimes malware copies infected executables to the system32 folder and assign a name that is similiar or the same as common windows programs. system32 is one of the standard locations that is searched if you run commands or programs without the complete path. This might explain why you got the virus message when running from command line but not when executing the file from the run menu (WIN-R). Wait... checking....

Bingo! Just tested in my XP virtual machine, the behavior/order of searched folders differs between running a command from WIN-R and running it from the command line. Well, I certainly didn't know that.

(You don't believe me? Just copy and then rename e.g. calc.exe in your system32 folder to msconfig.exe. If you run msconfig from WIN-R the real msonfig will popup. Running 'msconfig' from the command line will bring up the calculator...)

Now all is working okay as far as msconfig is concerned.

Long story short: I definitely think that this msconfig copy (if located in the system32 folder) was a true infection. (see above)

Yes Boclean is no longer supported (last update Sep.'09), should probably get rid of it.

Get Avira free and run Malwarebytes 1-2 times a month.

I'm now quite sure that I do not have a bug.

If you don't do any sensitive tasks on this PC (online banking and such) you could let it go. Otherwise I would check with Kaspersky (see my previous post), it's not really hard to run.

But the log-in issue on only this PC persits in IE6.

Get rid of IE6! Really, no excuses, this thing is ancient history (released in 2001!). To be fair IE6 is (and for some time more) will still be supported by MS, but IE6 has some serious security flaws, e.g. being closely coupled with the explorer shell process and making activeX a security nightmare. Btw any IE version has to be updated regularly (Windows Update) anything else is a crime.

To bendejo:

I have no intention to go with FF. My son has it and has nothing but problems, probably related to his games which don't support FF. As for us we have to stick with IE since we have to frequently upload data to Thai government websites which only support IE.

I guess I'll have to dump IE6 on the problem PC and install IE7.

IE6. Get rid of it! Get rid of it!

In any case we still have chrome which works OK (except with some Thai government websites!).

From a security point of view any other browser is better than IE. Not necessarily because it's better - IE is just the number 1 target browser out there because most people use it.

My main concern was that the PC cought a bug but this appears not to be the case now.

Sure sure?

opalhort