rhavey

Google Website is in Czech

I have a customer who can only get the Czech version of the Google website.  Malwarebytes turned up no malware and Eset's online scanner found only a Java exploit.  I have tried flushing DNS, resetting the TCP/IP stack and resetting Winsock.  IPCONFIG shows that the DNS server is the local router.  It is unlikely that the router has been hacked because it is provided by Verizon and the default administrative password is the router's serial number.

The OS is Windows XP SP3.

It seems that only the Google website is affected and both IE8 and Firefox exhibit this behavior.

What can cause this redirection?
Tony J

Google use GEOIP to determine the location of the browser.

It might be worth checking that the public IP of the router is what you expect.

A quick way is www.whatismyip.org
Google also uses super cookies for settings.  These do not get removed by deleting cookies, and are for tracking.  To control, manage and remove that crud, which has .sol extensions, you can download the 'BetterPrivacy' addon for Firefox.

If you blow away all the garbage Google has put on the computer you should be able to start fresh and set preferences and options.

Cd&
☠ MASQ ☠

Can you ping www.google.com in a command window and see what the IP resolves to?
Is it possible someone has just changed the Interface Settings to Czech and they are in fact on the correct regional IP just with the wrong language?
rhavey

ASKER

Tracert from the customer site ends with a .cz extension.

Tracert from my site to his IP address ends with a local (.com) extension.

Better Privacy and the Adobe tool look like they may prevent future problems, but they will not clean up the current mess.

I will do a search for .sol extensions to see if that bears any fruit.
rhavey--This may help
http://support.google.com/websearch/bin/answer.py?hl=en&answer=873

It is not entirely clear when this is happening.  
When doing a search on Google?
Google.com is homepage?
When entering www.google.com in Address line?
rhavey

ASKER

Google.com is not the home page in any of the browsers.

There is a Google search on the Firefox start page, but it does not appear to be the Google site.

The problem becomes apparent when I enter www.google.com into the URL block (Address Line) on IE, Firefox, or Safari.

None of that should make a difference because www.google.com resolves to www.google.cz in the DNS.  Tracert confirms this.
Have you checked your hosts file?
c:\windows\system32\drivers\etc\hosts

You have had a piece of malware that added the IP for the Czech Google
If it's there - just remove it (normally there should not be very much in the hosts file)
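The hosts-file check suggested above, as an added example that is not part of the original thread: it parses hosts-file text and reports every entry that overrides a watched domain, sinkholes a name, or carries a malformed address, while treating the stock loopback lines (including `::1 localhost`, the IPv6 loopback) as normal. The function name, the watched-domain list, the reason strings and the sample file are assumptions made for illustration.

```python
import ipaddress

# Added example: names that legitimately point at loopback in a stock hosts file.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def audit_hosts(text, watched=("google.com",)):
    """Return (line_no, address, hostname, reason) for entries worth a second look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on spaces/tabs
        if len(fields) < 2:
            continue                             # blank, comment-only, or address with no name
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names[0], "malformed address"))
            continue
        for name in (n.lower().rstrip(".") for n in names):
            if any(name == d or name.endswith("." + d) for d in watched):
                reason = "overrides watched domain"
            elif ip.is_loopback or ip.is_unspecified:
                if name in BENIGN_LOOPBACK:
                    continue                     # e.g. "::1 localhost" is the IPv6 loopback
                reason = "name sinkholed to local machine"
            else:
                reason = "static mapping bypasses DNS"
            findings.append((line_no, address, name, reason))
    return findings

# Constructed sample, not taken from the thread (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1\tlocalhost
::1\tlocalhost
203.0.113.10\twww.google.com google.com
0.0.0.0 ads.example.net
10.0.0.5 fileserver   # intranet name
999.1.1.1 www.example.org
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To audit a real machine, read the file at the path given above and pass its text to `audit_hosts`; an empty result means every active line is a standard loopback entry.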
rhavey

ASKER

I had already checked the Hosts file.  I should have mentioned it.  There is nothing unusual in the hosts file.

Malware was my first suspicion.

Neither McAfee, Malwarebytes, nor Eset's online scanner revealed any malware.  I suppose I could try Superantispyware and/or Combofix.
rhavey

ASKER

I am doing this remotely.  When the customer is home, I will have him reset the router.  This is Verizon FiOS, so the router is provided by the ISP.

I have also filed a report with Google.  They say that they might be detecting the IP address wrong.

If I don't seem to be paying attention for a while, it's because I am waiting for Superantispyware and Combofix results.
What happens if you do an nslookup on google.com?

Is the router the DNS server for the affected computer or is there a DNS server somewhere?
rhavey--Did you read the "Reporting incorrect IP detection" section of the link I provided?
http://support.google.com/websearch/bin/answer.py?hl=en&answer=873
rhavey

ASKER

I have reported the incorrect address to Google.  They say it could take a month to fix it.  They did provide a work-around.

The router is the DNS server.  The customer is still not home to physically reset the router.

NSLookup returns the address 87.125.87.99.  Tracert from the customer location and mine shows 13 steps to something called r3-bb2.coolhousing.net, which according to Google at my site is a server in Prague.

Super Antispyware turned up nothing.  I have not run Combofix and I will hold off on that until I can get the router reset.
rhavey

ASKER

Resetting the router did nothing.  I rebooted the computer while the router was resetting and I ran IPCONFIG /flushdns before I checked the status of Google.

The result was the same.  www.google.com resolved to the coolhousing.net server in Prague.

Google provided www.google.com/ncr as a work around.  That for the moment is as good as it gets.

If someone has an idea, I will try it.  Otherwise all I can do is wait for Google to finish their "investigation".
ASKER CERTIFIED SOLUTION
Don Thomson
This solution is only available to members.
rhavey

ASKER

That comes under the heading "Why didn't I think of that."  It's still a workaround, but it will be good until Google gets their act together.

One problem though.  Hosts was read-only.  I was unable to uncheck the Read-Only box - access denied.  I was also unable to change the attribute with attrib -s hosts - Not Resetting File.  I was able to rename the file, edit the renamed file, and save it as Hosts.  I must have redone the hosts file on my own machine at some point because it is not read-only.  Is this level of protection normal for the hosts file in XP?  Or, am I looking at an indication of more trouble - malware?
I don't recall hosts ever having that level of security by default.

Nothing else in there that looks untoward?
rhavey

ASKER

Other than an entry that I don't understand.

::1 <tab> local host

There is no other indication of problems.
rhavey--www.google.com/ncr is mentioned in http://support.google.com/websearch/bin/answer.py?hl=en&answer=873

My HOSTS folder has no attributes checked.
Open Folder c:\windows\system32\drivers\etc

Right mouse on hosts - Properties
Under Security tab  edit permissions  and check full control for User

Then you can edit it

When Done reverse the process - (MS put that in as a means to reduce malware from accessing the file)
rhavey

ASKER

This is a workaround.  It will work until Google gets around to fixing the real problem.