The Most Complex Google Spoof Ever?

I think my G-Toolbar and even G.com results have been hijacked



6:15 pm on Jan 8, 2004 (gmt 0)

10+ Year Member

Either I'm going crazy or this is one of the cleverest (and most annoying) spyware/scumware tricks I've ever seen.

The other day, after returning from vacation, I noticed that when I did a search in the Google toolbar the results page looked a little funny. The font was different and the link description text would reach all the way across the screen to the Sponsored Link "boxes". Also, there was a pop-up ad! I had the G toolbar installed, so it didn't actually load, but I saw the block icon flash.

At first I assumed Google just did another update (they finally gave in to pop-ups?! no!) - until I looked at the actual results. They were all typical spam topics, and almost none of them were even close to what I was searching for. Obviously somebody spoofed Google, right?

So then I do my URL check on the IE toolbar and what do I see? "http://www.google.com/search?....". Not "google.spamsite.com" or anything of the sort. I was stumped until I remembered reading about the IE vulnerability making it possible to spoof a URL in the address bar.

But that's not all. As far as I can tell everything else on the results page is "real". The Sponsored Adwords links look to be the actual results that you'd see on a real Google results page. All other links (Images, Groups, Directory, etc) take you to the actual real Google pages.

However, the "greatest" (if that's what you can call it) feature of this fake site is the Result page number links (at the bottom of the page, where it says "G o o o o o o o g l e"). Naturally it says the current fake results page is page number 1 (of x number of results pages). But when you click on number 2, it takes you to the REAL number 1 on the REAL G.com! Then, when you get to the real number 1 results page, if you scroll down, you see that it is also marked as the first page (of x pages).

All Windows and IE security patches have been installed. I have updated and run Adaware and Spybot numerous times. I have removed the G-Toolbar several times, thinking it may have been infected somehow. However, even if I search directly through G.com, I get the same fake page. If it wasn't so annoying, it'd be funny. I've searched the forums and the web, but have found no mention of this particular Google spoof.

Has anybody ever heard of this before? If so, I would really love to get this cr*p off my system. The only consolation I've had is that I am able to wow co-workers at the complexity of my infected system. =P

PS: If anybody wants a screen shot, sticky or email me.


6:32 pm on Jan 8, 2004 (gmt 0)

10+ Year Member

Just discovered that whatever has infected my IE is spoofing Yahoo! results as well.

I found a webpage that said an app called CWShredder may be able to get rid of the problem, so I'm about to try it out. I'll post my results.


6:38 pm on Jan 8, 2004 (gmt 0)


6:49 pm on Jan 8, 2004 (gmt 0)

10+ Year Member

pmac, I found that thread after I made my initial post, but it still doesn't solve the problem. Neither AdAware nor Spybot worked. However, I am currently trying the third program I mentioned in my second post.

Thanks, though. :)


6:52 pm on Jan 8, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Check and see what BHO (Browser Helper Objects) you have installed:



6:59 pm on Jan 8, 2004 (gmt 0)

10+ Year Member

Well it seems CWShredder is the tool to use! I seem to now be spyware free and the big G is working as usual again. It looks like I'll be keeping 3 spyware/adware removal tools from now on.

Thanks for your help bcolflesh and pmac. I appreciate it.


7:21 pm on Jan 8, 2004 (gmt 0)

10+ Year Member

Your particular bug was probably created by Odysseusmarketing(.com).


10:54 am on Jan 9, 2004 (gmt 0)

10+ Year Member

CWShredder is available at merijn.org and it works a treat


10:37 pm on Jan 9, 2004 (gmt 0)

10+ Year Member

Well, CWShredder didn't work for me and my problem but I used HijackThis.exe to see all the BHOs running on my comp...Deleted the odd looking ones and the problem is solved.


11:00 pm on Jan 9, 2004 (gmt 0)

10+ Year Member

I should add that CWShredder didn't work for me at first, but everything was fine after a restart.
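
The BHO review suggested in the replies above can be done on a saved HijackThis log rather than by eye. The following is an added example, not part of the original thread: it parses the log's `O2 - BHO` lines and lists entries worth a closer look. The sample log, its names, CLSIDs and paths are constructed, and the flagging rules are assumed heuristics, not verdicts.

```python
import re

# HijackThis lists each Browser Helper Object on an "O2" line:
#   O2 - BHO: <name> - {CLSID} - <path to DLL>
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Constructed sample log; names, CLSIDs and paths are made up.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Example Reader Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\ExampleReader\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\System32\qzxvk.dll
O2 - BHO: (no name) - {99999999-8888-7777-6666-555555555555} - C:\DOCUME~1\user\LOCALS~1\Temp\srch.dll (file missing)
O3 - Toolbar: Example Bar - {12345678-1234-1234-1234-123456789ABC} - C:\Program Files\ExampleBar\bar.dll
"""

def parse_bhos(log_text):
    """Return one dict per O2 entry: name, clsid, path, missing."""
    entries = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue  # not a BHO line (O1, O3, headers, ...)
        path = m.group("path")
        missing = path.endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].rstrip()
        entries.append({"name": m.group("name"), "clsid": m.group("clsid").upper(),
                        "path": path, "missing": missing})
    return entries

def review_flags(entry):
    """Heuristic reasons to look closer (assumptions, not proof of malware)."""
    flags = []
    if entry["name"] == "(no name)":
        flags.append("no display name")
    if entry["missing"]:
        flags.append("DLL missing on disk")
    if not entry["path"].lower().startswith("c:\\program files\\"):
        flags.append("DLL outside Program Files")
    return flags

def triage(log_text):
    """Map CLSID -> flags for every BHO that has at least one flag."""
    return {e["clsid"]: f for e in parse_bhos(log_text) if (f := review_flags(e))}

if __name__ == "__main__":
    for clsid, flags in triage(SAMPLE_LOG).items():
        print(clsid, "->", ", ".join(flags))
```

Legitimate BHOs can also trip these flags, so a flagged CLSID is a prompt to identify the DLL before removing anything.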
