Google Website is in Czech

I have a customer who can only get the Czech version of the Google website.  Malwarebytes turned up no malware and Eset's online scanner found only a Java exploit.  I have tried flushing DNS, resetting the TCP/IP stack and resetting Winsock.  IPCONFIG shows that the DNS server is the local router.  It is unlikely that the router has been hacked because it is provided by Verizon and the default administrative password is the router's serial number.

The OS is Windows XP SP3.

It seems that only the Google website is affected and both IE8 and Firefox exhibit this behavior.

What can cause this redirection?
rhaveyAsked:
 
Don ThomsonCommented:
If your hosts file looks okay - why don't you try using it to redirect to google.com?
Add the following to your hosts file:

74.125.226.14    <tab>  www.google.com   <tab> google.com

Use the actual IP that google.com should be (each region can be directed to a different IP address at Google for load balancing and for regional detection).
0
 
Tony JLead Technical ArchitectCommented:
Google use GEOIP to determine the location of the browser.

It might be worth checking that the public IP of the router is what you expect.

A quick way is www.whatismyip.org
0
 
COBOLdinosaurCommented:
Google also uses super cookies for settings.  These do not get removed by deleting cookies, and are for tracking.  To control, manage and remove that crud, which have .sol extensions, you can download the 'BetterPrivacy' addon for Firefox.

If you blow away all the garbage Google has put on the computer you should be able to start fresh and set preferences and options.

Cd&
0
 
☠ MASQ ☠Commented:
Can you ping www.google.com in a command window and see what the IP resolves to?
Is it possible someone has just changed the Interface Settings to Czech and they are in fact on the correct regional IP just with the wrong language?
0
 
rhaveyAuthor Commented:
Tracert from the customer site ends with a .cz extension.

Tracert from my site to his IP address ends with a local (.com) extension.

Better Privacy and the Adobe tool look like they may prevent future problems, but they will not clean up the current mess.

I will do a search for .sol extensions to see if that bears any fruit.
0
 
jcimarronCommented:
rhavey--This may help
http://support.google.com/websearch/bin/answer.py?hl=en&answer=873

It is not entirely clear when this is happening.  
When doing a search on Google?
Google.com is homepage?
When entering www.google.com in Address line?
0
 
rhaveyAuthor Commented:
Google.com is not the home page in any of the browsers.

There is a Google search on the Firefox start page, but it does not appear to be the Google site.

The problem becomes apparent when I enter www.google.com into the URL block (Address Line) on IE, Firefox, or Safari.

None of that should make a difference because www.google.com resolves to www.google.cz in the DNS.  Tracert confirms this.
0
 
Don ThomsonCommented:
Have you checked your hosts file?
c:\windows\system32\drivers\etc\hosts

You may have had a piece of malware that added the IP for the Czech Google.
If it's there - just remove it (normally there should not be very much in the hosts file).
0
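The hosts-file check suggested above can be scripted. The following is an added example, not part of the original thread: it parses hosts-file content and reports entries that override normal DNS resolution. The sample content is constructed (the Google IP is the one quoted in this thread), and the function names and the watch list are assumptions.

```python
import ipaddress

# Constructed sample: loopback entries plus one pinned Google mapping
# of the kind discussed in this thread.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
74.125.226.14\twww.google.com\tgoogle.com   # manual pin
not-an-ip       example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip_or_None, [hostnames]) for each active line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()                 # tabs and spaces both separate
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                         # malformed address field
        yield no, ip, [h.lower() for h in fields[1:]]

def audit_hosts(text, watch=("google.com",)):
    """Return (line_no, kind, hostnames) for entries that override DNS."""
    findings = []
    for no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((no, "malformed", names))
            continue
        if ip.is_loopback or ip.is_unspecified:
            # 127.0.0.1 and ::1 (IPv6 loopback) are normal localhost
            # entries; 0.0.0.0 entries are sinkholes, not redirects.
            continue
        watched = [n for n in names
                   if any(n == w or n.endswith("." + w) for w in watch)]
        kind = "watched-override" if watched else "override"
        findings.append((no, kind, names))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To audit a real machine, pass the text read from c:\windows\system32\drivers\etc\hosts to `audit_hosts` instead of the sample.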
 
rhaveyAuthor Commented:
I had already checked the Hosts file.  I should have mentioned it.  There is nothing unusual in the hosts file.

Malware was my first suspicion.

Neither McAfee, Malwarebytes, nor Eset's online scanner revealed any malware.  I suppose I could try Superantispyware and/or Combofix.
0
 
rhaveyAuthor Commented:
I am doing this remotely.  When the customer is home, I will have him reset the router.  This is Verizon FiOS, so the router is provided by the ISP.

I have also filed a report with Google.  They say that they might be detecting the IP address wrong.

If I don't seem to be paying attention for a while, it's because I am waiting for Superantispyware and Combofix results.
0
 
Tony JLead Technical ArchitectCommented:
What happens if you do an nslookup on google.com ?

Is the router the DNS server for the affected computer or is there a DNS server somewhere?
0
 
jcimarronCommented:
rhavey--Did you read the "Reporting incorrect IP detection" section of the link I provided?
http://support.google.com/websearch/bin/answer.py?hl=en&answer=873
0
 
rhaveyAuthor Commented:
I have reported the incorrect address to Google.  They say it could take a month to fix it.  They did provide a work-around.

The router is the DNS server.  The customer is still not home to physically reset the router.

NSLookup returns the address 87.125.87.99.  Tracert from the customer location and mine shows 13 steps to something called  r3-bb2.coolhousing.net, which according to Google at my site is a server in Prague.

Super Antispyware turned up nothing.  I have not run Combofix and I will hold off on that until I can get the router reset.
0
 
rhaveyAuthor Commented:
Resetting the router did nothing.  I rebooted the computer while the router was resetting and I ran IPCONFIG /flushdns before I checked the status of Google.

The result was the same.  www.google.com resolved to the coolhousing.net server in Prague.

Google provided www.google.com/ncr as a work around.  That for the moment is as good as it gets.

If someone has an idea, I will try it.  Otherwise all I can do is wait for Google to finish their "investigation".
0
 
rhaveyAuthor Commented:
That comes under the heading "Why didn't I think of that."  It's still a workaround, but it will be good until Google gets their act together.

One problem though.  Hosts was read-only.  I was unable to uncheck the Read-Only box - access denied.  I was also unable to change the attribute with attrib -s hosts - Not Resetting File.  I was able to rename the file, edit the renamed file, and save it as Hosts.  I must have redone the hosts file on my own machine at some point because it is not read-only.  Is this level of protection normal for the hosts file in XP?  Or, am I looking at an indication of more trouble - malware?
0
 
Tony JLead Technical ArchitectCommented:
I don't recall hosts ever having that level of security by default.

Nothing else in there that looks untoward?
0
 
rhaveyAuthor Commented:
Other than an entry that I don't understand.

::1 <tab> local host

There is no other indication of problems.
0
 
jcimarronCommented:
rhavey--www.google.com/ncr is mentioned in http://support.google.com/websearch/bin/answer.py?hl=en&answer=873

My HOSTS folder has no attributes checked.
0
 
Don ThomsonCommented:
Open Folder c:\windows\system32\drivers\etc

Right mouse on hosts - Properties
Under Security tab  edit permissions  and check full control for User

Then you can edit it

When Done reverse the process - (MS put that in as a means to reduce malware from accessing the file)
0
 
rhaveyAuthor Commented:
This is a workaround.  It will work until Google gets around to fixing the real problem.
0
Question has a verified solution.