Is this a real Google thing?
September 24, 2011 1:34 PM   Subscribe

Is this a real Google-thing or some kind of malware scam? Google search suddenly isn't working for me, sometimes.

For the past 4 days, each afternoon at about 4:00 (and continuing for a couple hours), I've gotten a very puzzling result when I try to do a Google search. After I type in the search term and hit Enter, instead of getting the expected first page of search results, I get a mostly white page that asks me to type in a captcha, then says this:

About this page

Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot. Why did this happen?

Then it gives my IP address, the time, and this url:


The "why did this happen?" is a link, but Im hesitant to click on it. I can't. I just can't. Not unless Metafilter says it's OK. So, click, or don't click? I'm curious, of course, but also suspicious. My level of computer savviness is, uh, very limited, and I hate hate hate trying to fix things that have gotten bolluxed up. So I don't want to risk a click-and-bolux.

Any idea what this is all about? Is it really Google? Why could there be "unusual traffic?" I'm the only person with access to this computer. It's not on a wireless network. I haven't been doing anything unusual. Other times of the day, I don't get this weirdness. If I just ignore it, will it go away? I am not a robot. I swear. I do have a Roomba, but I'm pretty sure it hasn't been using the internet.

What should I do?
posted by Corvid to Computers & Internet (28 answers total) 4 users marked this as a favorite
Your computer might been infected by malware. Assuming you are using Windows, start by installing and running Microsoft Security Essentials (freeware).
posted by Foci for Analysis at 1:42 PM on September 24, 2011

Did you try using a different browser? I would also download ccleaner and run that to clean out all your temp files and anything that might be hanging out in your computer. It may be a good idea to run a virus scan too.
posted by yb2006shasta at 1:43 PM on September 24, 2011

Would you please post the "why did this happen?" link. Right-click on it and choose Copy link location. You could have some malware, software that may be spamming or posting crap onto blogs from your pc. If you have antivirus software installed, make sure it's up to date, and run it. Or run Malwarebytes. If you don't have an anti-virus program, MS Security Defenders, linked above, is well-recommended.
posted by theora55 at 1:45 PM on September 24, 2011

If the link is actually on the domain, rather than showing you link text that displays but actually leading to, then you're pretty safe to visit it.

The link you pasted above looks to be just your search results. Which are fine and safe -- I just visited them.

If you're not sure about the 'why did this happen link', right click on it, choose to copy the link address and paste it into a blank document somewhere and take a look at it. As long as the URL is actually at it should be safe, but if you want to paste it here so we can take a look, we can.

I agree with the others -- I suspect you've already got malware on your system, and this is the result of that, rather than the source of it.
posted by jacquilynne at 1:47 PM on September 24, 2011

Best answer: Here's the Google support page on the issue.

You're getting the captcha. Sounds legit, but read the rest of that page.
posted by Edogy at 1:48 PM on September 24, 2011

Best answer: I need to fill out a CAPTCHA to search google.
What Triggers Google CAPTCHA Requests When Searching
posted by theora55 at 1:48 PM on September 24, 2011

It is a Google thing. It means Google's getting hit with unusual queries or a high query rate from your IP address.

I have occasionally trigged this via hand-entered queries, but I use a lot of the advanced operators on occasion and am pretty fast. It might happen once every year or two.

Unless you are a real power user at the times Google is throwing this error, it is more likely that either:
  • your computer has malware that is querying Google
  • you have a neighbor or roommate who is sharing your IP address (perhaps b/c they're on the same wireless network) who also:
    • has malware that is querying Google
    • is performing extensive or unusual queries on Google

posted by zippy at 1:53 PM on September 24, 2011

It is a legitimate Google page that you've been redirected to but the reason is almost certainly due to you having some malware on your system which is querying Google in the background.

As theora55 suggests download and run Malwarebytes anti-Malware.

There is a chance that it is a TDSS rootkit that you have in which case I'd go and download the Kaspersky TDSSKiller
posted by electricinca at 1:56 PM on September 24, 2011

I was getting this too but I did a sweep and had no malware. Googling - when I *could* - suggested restarting my router to get a new IP address. Worked like a charm.
posted by CunningLinguist at 2:01 PM on September 24, 2011

I'm having the same problem. Could it be a fuck up on the Google end?
posted by prefpara at 2:09 PM on September 24, 2011

See also this past AskMe, which seems relevant.
posted by Admiral Haddock at 2:12 PM on September 24, 2011

Best answer: Since your example search string has search?client=safari I'm going to go out on a limb and say you're running a Mac so any malware recommendations above for Windows based Malware apps aren't going to help. If you have malware, I'd be surprised as most malware is directed to Windows systems. The Google recommended MacScan might detect something. However, the MacDefender malware should be detected and removed by Snow Leopard and Lion. And the new PDF based Malware discovered last week doesn't actually seem to do anything, let alone zombie traffic on Google. If it turns out you do have malware on your mac, please let Apple know so they can get it out of the ecosystem in a future update.

It could be your ISP. If it isn't the specific issue in that discussion thread, it could still be some sort of proxying on your ISP's part. Again, assuming you're using a Mac go to System Preferences from the Apple Menu, click on the Network icon. Now, under the list of Network (Airport/Wifi, Ethernet, etc), click on the one with the green light on it as the active network. Then click the "Proxies" box and see if you're running through a proxy. If any of those boxes are checked your ISP may be putting your through a Proxy/Acceleration server and what is happening is that proxy is caching Google and when the Google server sees it, it looks like your network has malware on it, hence the captcha. On most ISPs, you don't need to use a proxy or acceleration server at all so you can uncheck the boxes. And in some, like in the link from Google, it won't matter since it is something your ISP is doing on its network before it goes out into the internet. If you type gibberish into the URL bar in your browser, do you get a Safari error or does it redirect to your ISP's not-always-helpful "Sorry the website [gibberish] cannot be found and lists what you could mean powered by X" In my case, my ISP gives me sponsored ads from Yahoo. But that could be a clue their DNS does some redirecting. Setting your DNS servers to Google's will fix that if that's what it is, you change your settings in the same Network Tab, but instead select the DNS tab instead of Proxies.
posted by birdherder at 2:25 PM on September 24, 2011 [1 favorite]

Response by poster: This is a Mac, so no Windows problems. Browser is Safari. I've been thinking of changing to a different browser, but that gets potentially close to the sort of computer fiddling that is a pretty reliable migraine trigger if it doesn't go totally smoothly. It's not that I'm too stupid to figure it out, but I'm sufficiently inexperienced that it (sometimes) requires more mental energy than I can afford to spend.

I don't even know if I have or need anti-malware software--that's why I bought a Mac, because Everyone said if I had a Mac I wouldn't have to worry about those things. Right? Right?

Here's the result of the "copy link" operation. Looks like real Google?

Interestingly, the suggestion to restart my router made me realize that this started happening the day after I DID, inadvertently, restart my router, after a cable outage. Would that have given me a new IP address, and could that be the source of the problem?
posted by Corvid at 2:34 PM on September 24, 2011

This happens to me when I use TOR. Could that be the issue?
posted by futz at 2:35 PM on September 24, 2011

I am not an expert in this area but from everything I've read in this thread Zippy's comment above seems like your best bet. If you're using a Mac which are less likely to be infected or zombied (I have *all* OS categories at home so I'm not taking sides), and if you just reset your router, could it be you undid whatever security (parental) settings on it. I read in your post that it's not wireless but I'm not clear on whether you are alone in your home or others live with you. 4 PM is a classic "get home from school" time when all heck breaks loose on the Web.

Just my 2 cents. I could be wrong.
posted by forthright at 2:43 PM on September 24, 2011

This tends to happen because someone on your network is sending tons of queries. It used to happen when I did SEO work if you didn't throttle programs enough. If you're on a wireless network, it could be someone else. Where are you at 4pm everyday? At home or at Starbucks?
posted by yerfatma at 2:46 PM on September 24, 2011

I've been getting this too, just in the last week. (Mac, Firefox, not using a wireless network.) I'm guessing it's something on Google's end.
posted by neroli at 2:49 PM on September 24, 2011

Changing your browser won't make a difference. I am 99.9% certain you don't have malware on your Mac.

I am pretty sure it is your ISP. Restarting the router may make fix it or not. If your ISP uses proxies or altered its DNS for some reason to get between you and google and giving the appearance everyone on your network is one person. Some ISPs let you opt out of their proxy/acceleration bullshit, others do not. And as that link I provided above, some ISPs will alter their DNS for some reason to redirect google's DNS entry through an IP address they own, so from Google's perspective everyone from that ISP looks like a network making lots of queries at non-human rates. As Google suggests, you can change your DNS settings to Google's DNS servers to circumvent this from happening.
posted by birdherder at 3:07 PM on September 24, 2011

Good catch on Safari, birdherder. So, pretty unlikely that it's malware on your Mac. Try restarting your router; unplug it and wait 30 seconds before plugging it back in. Also, try bypassing the router and connect directly to the cablemodem. See if it still happens. If it does, call your ISP. After an outage, you may have gotten the IP address previously used by someone with malware. Your ISP should be able to observe your traffic, and possibly give you a different IP address. Sorry about the migraines; this sort of thing is quite annoying.
posted by theora55 at 3:53 PM on September 24, 2011

I've gotten this when searching by hand (no malware). For me it's most likely to show up when I'm searching for lots of numbers, so things like "blah 1990..1993", especially if I start trying to tweak the numbers and do a bunch of related searches. I haven't seen it in a while, though.
posted by anaelith at 4:41 PM on September 24, 2011

Does that page always have the same link, and if so, have you ever searched for "cat megacolon"? I wonder if that query could have gotten stuck in Safari's top sites, or something else like that.
posted by Nonsteroidal Anti-Inflammatory Drug at 4:44 PM on September 24, 2011

Best answer: Does your ISP happen to be Earthlink? If so, I think the problem is exactly what birdherder suggested. I'm an Earthlink customer and this started happening to me on Thursday. Finally today I figured out that Earthlink is, for whatever reason, routing Google search requests through some weird IPs. Other Earthlink customers have experienced the problem as well.
posted by gimleteye at 5:14 PM on September 24, 2011 [3 favorites]

Best answer: Oh, yes, sorry, the suggestion above that this could be your ISP is correct. Until recently, many ISPs including mine were doing a man-in-the-middle attack between Google and users, rewriting the Google results to include new ads.

You can test whether your connection is compromised this way by running the ICSI Netalyzer from UC Berkeley. It can detect whether your ISP is stepping in between you and Google.

Details: ISPs were messing with the DNS results for Google and pointing users to a non-Google IP run by Paxfire. Paxfire would then retrieve the results from Google (an automated query), repackage them with new ads, possibly store the search on their servers associated with your IP, and then return the result to your browser.

Google picked up on this and leaned heavily on ISPs not to do this, so most don't mess with Google anymore, but they were still futzing with Yahoo and Bing.

I left my old ISP as a result of this meddling.

posted by zippy at 5:18 PM on September 24, 2011 [5 favorites]

I don't even know if I have or need anti-malware software--that's why I bought a Mac, because Everyone said if I had a Mac I wouldn't have to worry about those things. Right? Right?

PCs get more malware mostly for game theory reasons (there are more of them). There is nothing keeping a parasite from from deciding to go after a smaller niche, particularly if it hasn't evolved as sophisticated an immune response. Somebody out there wrote a virus for the Siemens Programmable Logic Controller after all.

Unfortunately, I know nothing about good Mac hygiene.
posted by Kid Charlemagne at 7:19 PM on September 24, 2011

Response by poster: Thanks to all - I'm reassured that I can sort it out from all the good info you've provided. I haven't dug into it yet, but I'm quite sure it'll turn out to be the ISP, which is indeed Earthlink.

The "cat megacolon" was my own search, so that part makes sense. My "network" is just me, casually using just this one Mac mini, hardwired, so it's hard to see how it could be anything other than something the ISP is doing. If it keeps happening, I'll just use the captcha and move on. No migraines, no nail biting.

Now I have to go clean up cat barf.
posted by Corvid at 8:49 PM on September 24, 2011

By the way, you can route around this ISP malarkey by using Google's free DNS service. Just drop in the servers and and Google, instead of Earthlink, will send you IP addresses for ''

Google has an excellent privacy policy for their DNS service, in case you're wondering.
posted by zippy at 8:57 PM on September 24, 2011

However, the MacDefender malware should be detected and removed by Snow Leopard and Lion.

FWIW, I don't believe MacDefender ever did any sort of bot-ish activity like this. All it did was throw a pop-up to the user, warning them their computer was infected, and prompted them to "buy" MacDefender software. Basically phishing for a credit card number. It definitely didn't slam Google's server behind the scenes.
posted by Thorzdad at 9:51 AM on September 25, 2011

If you are at work, it could also mean you are behind an internet proxy through which all requests are being routed through.
posted by bbyboi at 1:09 PM on October 22, 2011

« Older mp3 - WAV conversion: how does this work?   |   Exploring the everglades for a couple of days Newer »
This thread is closed to new comments.