Either I'm going crazy or this is one of the cleverest (and most annoying) spyware/scumware tricks I've ever seen.
The other day, after returning from vacation, I noticed that when I did a search in the Google toolbar the results page looked a little funny. The font was different and the link description text would reach all the way across the screen to the Sponsored Link "boxes". Also, there was a pop-up ad! I had the G toolbar installed, so it didn't actually load, but I saw the block icon flash.
At first I assumed Google just did another update (they finally gave in to pop-ups?! no!) - until I looked at the actual results. They were all typical spam topics, and almost none of them were even close to what I was searching for. Obviously somebody spoofed Google, right?
So then I do my URL check on the IE toolbar and what do I see? "http://www.google.com/search?....". Not "google.spamsite.com" or anything of the sort. I was stumped until I remembered reading about the IE vulnerability making it possible to spoof a URL in the address bar.
But that's not all. As far as I can tell everything else on the results page is "real". The Sponsored Adwords links look to be the actual results that you'd see on a real Google results page. All other links (Images, Groups, Directory, etc) take you to the actual real Google pages.
However, the "greatest" (if that's what you can call it) feature of this fake site is the Result page number links (at the bottom of the page, where it says "G o o o o o o o g l e"). Naturally it says the current fake results page is page number 1 (of x number of results pages). But when you click on number 2, it takes you to the REAL number 1 on the REAL G.com! Then, when you get to the real number 1 results page, if you scroll down, you see that it is also marked as the first page (of x pages).
All Windows and IE security patches have been installed. I have updated and run Adaware and Spybot numerous times. I have removed the G-Toolbar several times, thinking it may have been infected somehow. However, even if I search directly through G.com, I get the same fake page. If it wasn't so annoying, it'd be funny. I've searched the forums and the web, but have found no mention of this particular Google spoof.
Has anybody ever heard of this before? If so, I would really love to get this cr*p off my system. The only consolation I've had is that I am able to wow co-workers at the complexity of my infected system. =P
PS: If anybody wants a screen shot, sticky or email me.