
Google Desktop Tools and Google Labs Projects Forum

The Most Complex Google Spoof Ever?
I think my G-Toolbar and even G.com results have been hijacked

 6:15 pm on Jan 8, 2004 (gmt 0)

Either I'm going crazy or this is one of the cleverest (and most annoying) spyware/scumware tricks I've ever seen.

The other day, after returning from vacation, I noticed that when I did a search in the Google toolbar the results page looked a little funny. The font was different and the link description text would reach all the way across the screen to the Sponsored Link "boxes". Also, there was a pop-up ad! I had the G toolbar installed, so it didn't actually load, but I saw the block icon flash.

At first I assumed Google just did another update (they finally gave in to pop-ups?! no!) - until I looked at the actual results. They were all typical spam topics, and almost none of them were even close to what I was searching for. Obviously somebody spoofed Google, right?

So then I do my URL check on the IE toolbar and what do I see? "http://www.google.com/search?....". Not "google.spamsite.com" or anything of the sort. I was stumped until I remembered reading about the IE vulnerability making it possible to spoof a URL in the address bar.

But that's not all. As far as I can tell everything else on the results page is "real". The Sponsored Adwords links look to be the actual results that you'd see on a real Google results page. All other links (Images, Groups, Directory, etc) take you to the actual real Google pages.

However, the "greatest" (if that's what you can call it) feature of this fake site is the Result page number links (at the bottom of the page, where it says "G o o o o o o o g l e"). Naturally it says the current fake results page is page number 1 (of x number of results pages). But when you click on number 2, it takes you to the REAL number 1 on the REAL G.com! Then, when you get to the real number 1 results page, if you scroll down, you see that it is also marked as the first page (of x pages).

All Windows and IE security patches have been installed. I have updated and run Adaware and Spybot numerous times. I have removed the G-Toolbar several times, thinking it may have been infected somehow. However, even if I search directly through G.com, I get the same fake page. If it wasn't so annoying, it'd be funny. I've searched the forums and the web, but have found no mention of this particular Google spoof.

Has anybody ever heard of this before? If so, I would really love to get this cr*p off my system. The only consolation I've had is that I am able to wow co-workers at the complexity of my infected system. =P

PS: If anybody wants a screen shot, sticky or email me.



 6:32 pm on Jan 8, 2004 (gmt 0)

Just discovered that whatever has infected my IE is spoofing Yahoo! results as well.

I found a webpage that said an app called CWShredder may be able to get rid of the problem, so I'm about to try it out. I'll post my results.


 6:38 pm on Jan 8, 2004 (gmt 0)



 6:49 pm on Jan 8, 2004 (gmt 0)

pmac, I found that thread after I made my initial post, but it still doesn't solve the problem. Neither AdAware nor Spybot worked. However, I am currently trying the third program I mentioned in my second post.

Thanks, though. :)


 6:52 pm on Jan 8, 2004 (gmt 0)

Check and see what BHO (Browser Helper Objects) you have installed:



 6:59 pm on Jan 8, 2004 (gmt 0)

Well it seems CWShredder is the tool to use! I seem to now be spyware free and the big G is working as usual again. It looks like I'll be keeping 3 spyware/adware removal tools from now on.

Thanks for your help bcolflesh and pmac. I appreciate it.


 7:21 pm on Jan 8, 2004 (gmt 0)

Your particular bug was probably created by Odysseusmarketing(.com).


 10:54 am on Jan 9, 2004 (gmt 0)

CWShredder is available at merijn.org and it works a treat


 10:37 pm on Jan 9, 2004 (gmt 0)

Well, CWShredder didn't work for me and my problem but I used HijackThis.exe to see all the BHOs running on my comp...Deleted the odd looking ones and the problem is solved.


 11:00 pm on Jan 9, 2004 (gmt 0)

I should add that CWShredder didn't work for me at first, but everything was fine after a restart.
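
The BHO check suggested in the thread can also be done by hand. The following is an added example, not part of the original posts or of any tool named in them: a read-only PowerShell script that lists the Browser Helper Objects registered for Internet Explorer and the DLL behind each one. It assumes the standard BHO registry location and machine-wide COM registration under HKLM; the variable names are illustrative.

```powershell
# Read-only: lists Internet Explorer Browser Helper Objects (BHOs) and the DLL
# each one loads. Assumes machine-wide COM registration under HKLM.
$bhoSubKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    @{ Bho = "HKLM:\SOFTWARE\$bhoSubKey"
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit BHOs on 64-bit Windows are registered under WOW6432Node
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bhoSubKey"
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
    foreach ($entry in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid   = $entry.PSChildName          # BHO subkeys are named by CLSID
        $clsKey  = Join-Path $view.Clsid $clsid
        $procKey = Join-Path $clsKey 'InprocServer32'
        $name = $null; $dll = $null; $signer = $null
        $sigStatus = 'CLSID not registered'

        if (Test-Path -LiteralPath $clsKey) {
            $name = (Get-Item -LiteralPath $clsKey).GetValue('')   # default value
        }
        if (Test-Path -LiteralPath $procKey) {
            $raw = (Get-Item -LiteralPath $procKey).GetValue('')
            if ($raw) { $dll = $raw.Trim('"') }
        }
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            # Authenticode status of the DLL that IE would load
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } elseif ($dll) {
            $sigStatus = 'file missing'
        }

        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            Signature = $sigStatus
            Signer    = $signer
        }
    }
}

$report | Sort-Object Signature | Format-List
```

Entries with no name, a missing file, or an unsigned DLL in an unexpected directory are the ones to look into first; the script changes nothing on the system.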

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved