Herger, thanks for your quick response!
I am not sure what you mean by rebuilding my Internet connection. I have tried creating a new "location" thinking that may reset the ip/DNS settings, it didn't work.
I have tried it via LAN cable, wifi, and using my iPad's 3G and tethering via USB. All of which have the same problems, though the USB tethering seems to have the least issue (occurrences of being redirected are more seldom).
Open the System Preferences and click on Network. With your Ethernet connection in the left column selected, click Advanced at the lower right. Click on the DNS tab. If there are any DNS Server addresses there other than your router's address, delete them. Your router will always be a local domain, the same as, or similar to 192.168.0.1. Leave that one and remove any others.
Just add the new ones above; the greyed out ones will be ignored or even replaced. I would suggest the DNS servers from OpenDNS, which are patched against DNS poisoning/redirects.
You don't need to go to the OpenDNS site to use OpenDNS. Simply open Network>Advanced>DNS in Sys Prefs and enter the following numbers for the interface you use, e.g. Airport or Ethernet,
Hit OK and then Apply. Make sure those numbers are entered above any others you may have there.
To check to see if it's working
EDIT: The greyed out ones are from China Telecom. That would appear to explain the redirects.
Message was edited by: WZZZ
After trying out a bunch of things, I was still having the issue of searches being redirected, but I discovered that the issue now seems to be only when using MS's BING search engine. Google and Yahoo don't seem to be redirected any more. I guess China just hates Microsoft?
Also, using my VPN (Astrill) prevents the redirect from occurring. Very strange problem that I think I can manage now (just don't use Bing).
If any of you have more thoughts on this, please share! But for now... I'm going to give up trying to figure it out as it was starting to feel like I was beating my head against the wall.
There are no OpenDNS servers in China, closest is Singapore.
Run all of the free 10.6 OnyX maintenance and cache cleaning routines and reboot at the end.
Disconnect from the network, create a new Admin account, log into it and create a new location and then connect directly to the router and reset it so it gets a new IP address.
Run through the list of fixes here, especially #8 Reinstall Just OS X then Software update fully.
I'm seeing the infamous 'greyed out' DNS addresses showing up. I can't delete them, or at least I don't know how. They are 220.127.116.11 and 18.104.22.168.
They appear to be legit DNS servers belonging to CHINANET Shanghai province network, almost certainly provided by your ISP.
There could be entries in your hosts file for Bing which will override DNS.
In the Finder select Go->Go to Folder...
In the "Go to the folder:" box type "/etc/" without quotes and click the "Go" button.
Select "hosts" and double-click to open it in TextEdit. If it says more than:
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
you are infected. Copy and paste the rest of what you see here.
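The hosts-file check described above can be scripted. This is an added example, not part of the original posts: the function names, the list of stock macOS entries and the sample file (including the 203.0.113.7 documentation address) are assumptions constructed for illustration.

```python
# Added example: list hosts-file mappings beyond the stock macOS entries.

# Assumed stock (address, name) pairs of an unmodified macOS hosts file.
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
    ("::1", "localhost"),
    ("fe80::1%lo0", "localhost"),
}

def extra_host_entries(text):
    """Return (line_no, address, name) for every mapping not in DEFAULT_ENTRIES."""
    extras = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]   # one address, one or more names
        for name in names:
            if (address, name.lower()) not in DEFAULT_ENTRIES:
                extras.append((line_no, address, name.lower()))
    return extras

def overrides_for(text, domain):
    """Entries that pin `domain` or a subdomain of it, which would override DNS."""
    domain = domain.lower().rstrip(".")
    return [e for e in extra_host_entries(text)
            if e[2] == domain or e[2].endswith("." + domain)]

# Constructed sample: a stock file plus one added override for Bing.
SAMPLE_HOSTS = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.7     www.bing.com bing.com   # constructed override
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path) as fh:
        for line_no, address, name in extra_host_entries(fh.read()):
            print(f"line {line_no}: {name} -> {address}")
```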
Just had a corporate user come back from China with the same issue on his Lion MacBook Air. Same wo.com.cn URL up to the end part, where it referenced our corporate reporting site rather than facebook. Using Chrome, anytime he tried to access the reports it took him to the same Chinese website with popups and popunder windows. The corporate report URL could be used just fine in Safari, and I checked the Network Pref pane Advanced settings to confirm that no proxy settings were changed systemwide. So the problem was just the single redirected link in Chrome.
Fix was to delete all browsing data (which includes cookies) in Chrome and restart Chrome. I tried just deleting all the cookies from the wo.com.cn site and restarting Chrome, but that didn't work. So the scope was different from what was reported above by the OP, but the problem was the same basic URL from using hotel networks in China.
I am living in China and getting the same thing. It's very recent but it seems ChinaUnicom are trying to take over Google, BBC, NYT and other URLs and point you to their own web services (of course fully supported by the Chinese Government). Behaviour is very sporadic, sometimes Chrome, but mostly Firefox. I have checked host files, dns, everything and the only way to stop it is to delete all cookies and history from the browser after infection and restart. It's a total pain as I have the Google double sign in system turned on and I have to re-authenticate twice to get into my Gmail.
I also have the greyed out DNS entries but they are legit servers - Google 22.214.171.124 and our company one. Maybe they are taking over the google 126.96.36.199 in the Great firewall of China? However once infected and I am in my office (has a tunnel through the Chinese Firewall) I still get the re-direct and from reading this thread users returning to the USA still are infected so it can not be the GFC!
The thing that makes me think it's not DNS is, on the same system I can have it happen in Firefox but not Chrome at the same time, unless the cookies can somehow override DNS.
I can also see that a site actually begins to load and then sometime through the page load (before it completes) the redirect happens.
I would love to know how they are doing this but I don't want to share my cookies with the world! I am 90% convinced this is where it's happening.
Any ideas from any of the big brains out there?
I have now opened the cookies.sqlite-wal and found a load of code in there with the same URL as my redirect - http://lndnserror2.wo.com.cn:8080/issueunziped/baiduln121107/index2.jsp?UserUrl= mail.google.com close to references to BBC, Google, Youtube etc.
As I said I don't want to publicly share my cookies contents as I am paranoid about security but I am now 99.9% sure the cookies are being altered in the browsers to redirect all traffic to google / BBC and others. Lovely, lovely China.
Why can't the guys at anonymous do something useful and bring down the Chinese internet system!
oh - just in case anyone is reading this - delete your cookies and restart the browser, only way to fix the problem.
HOLD THE PRESS!
Just spotted something else in firefox.
Go to the help menu, troubleshooting information
In the displayed list look at your important modified preferences. I had a modified preference for Keyword search which looked very strange, anyway I pressed the "reset firefox" button and voila all fixed without deleting cookies.
Cool, let's hope I have found an easy fix for firefox.
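The last posts locate the redirect URL in cookies.sqlite-wal and in a modified Firefox preference. The script below is an added example, not code from the thread, that scans every file in a browser profile for URLs on a given host, so you can see which files to clear without posting their contents. The function names and sample files are constructed, and the preference name `keyword.URL` in the sample prefs.js line is an assumption, since the post does not name it.

```python
# Added example: find which browser-profile files still hold a redirect URL.
import os
import re
import tempfile

# Characters accepted inside a URL; quotes and control bytes end the match.
URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]"

def find_host_in_profile(profile_dir, host):
    """Return {relative file path: sorted URLs containing `host`} for a profile."""
    pattern = re.compile(rb"https?://" + URL_CHARS + rb"*?"
                         + re.escape(host.encode("ascii")) + URL_CHARS + rb"*")
    hits = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()      # binary read: the WAL is not text
            except OSError:
                continue                  # unreadable or locked file, skip it
            urls = sorted({m.group().decode("ascii") for m in pattern.finditer(data)})
            if urls:
                hits[os.path.relpath(path, profile_dir)] = urls
    return hits

def make_sample_profile():
    """Build a constructed profile directory so the scan can be run offline."""
    profile = tempfile.mkdtemp(prefix="profile-sample-")
    # Redirect URL as quoted in the thread, up to the UserUrl= parameter.
    redirect = (b"http://lndnserror2.wo.com.cn:8080/issueunziped/"
                b"baiduln121107/index2.jsp?UserUrl=")
    samples = {
        "cookies.sqlite-wal": b"\x37\x7f\x06\x82\x00" + redirect + b"\x00mail.google.com\x00",
        "prefs.js": b'user_pref("keyword.URL", "' + redirect + b'");\n',  # assumed pref name
        "places.sqlite": b"SQLite format 3\x00https://www.bbc.co.uk/news\x00",
    }
    for name, content in samples.items():
        with open(os.path.join(profile, name), "wb") as fh:
            fh.write(content)
    return profile

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_profile()
    for rel_path, urls in sorted(find_host_in_profile(target, "wo.com.cn").items()):
        print(rel_path, urls)
```

Run it with the browser closed, passing the profile directory as the only argument.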