The Most Complex Google Spoof Ever?

I think my G-Toolbar and even G.com results have been hijacked

     
6:15 pm on Jan 8, 2004 (gmt 0)

New User

10+ Year Member

joined:Mar 4, 2003
posts:33
votes: 0


Either I'm going crazy or this is one of the cleverest (and most annoying) spyware/scumware tricks I've ever seen.

The other day, after returning from vacation, I noticed that when I did a search in the Google toolbar the results page looked a little funny. The font was different and the link description text would reach all the way across the screen to the Sponsored Link "boxes". Also, there was a pop-up ad! I had the G toolbar installed, so it didn't actually load, but I saw the block icon flash.

At first I assumed Google just did another update (they finally gave in to pop-ups?! no!) - until I looked at the actual results. They were all typical spam topics, and almost none of them were even close to what I was searching for. Obviously somebody spoofed Google, right?

So then I do my URL check on the IE toolbar and what do I see? "http://www.google.com/search?....". Not "google.spamsite.com" or anything of the sort. I was stumped until I remembered reading about the IE vulnerability making it possible to spoof a URL in the address bar.

But that's not all. As far as I can tell everything else on the results page is "real". The Sponsored Adwords links look to be the actual results that you'd see on a real Google results page. All other links (Images, Groups, Directory, etc) take you to the actual real Google pages.

However, the "greatest" (if that's what you can call it) feature of this fake site is the Result page number links (at the bottom of the page, where it says "G o o o o o o o g l e"). Naturally it says the current fake results page is page number 1 (of x number of results pages). But when you click on number 2, it takes you to the REAL number 1 on the REAL G.com! Then, when you get to the real number 1 results page, if you scroll down, you see that it is also marked as the first page (of x pages).

All Windows and IE security patches have been installed. I have updated and run Adaware and Spybot numerous times. I have removed the G-Toolbar several times, thinking it may have been infected somehow. However, even if I search directly through G.com, I get the same fake page. If it wasn't so annoying, it'd be funny. I've searched the forums and the web, but have found no mention of this particular Google spoof.

Has anybody ever heard of this before? If so, I would really love to get this cr*p off my system. The only consolation I've had is that I am able to wow co-workers at the complexity of my infected system. =P

PS: If anybody wants a screen shot, sticky or email me.

6:32 pm on Jan 8, 2004 (gmt 0)

New User

10+ Year Member

joined:Mar 4, 2003
posts:33
votes: 0


Just discovered that whatever has infected my IE is spoofing Yahoo! results as well.

I found a webpage that said an app called CWShredder may be able to get rid of the problem, so I'm about to try it out. I'll post my results.

6:38 pm on Jan 8, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 26, 2001
posts:1422
votes: 0

6:49 pm on Jan 8, 2004 (gmt 0)

New User

10+ Year Member

joined:Mar 4, 2003
posts:33
votes: 0


pmac, I found that thread after I made my initial post, but it still doesn't solve the problem. Neither AdAware nor Spybot worked. However, I am currently trying the third program I mentioned in my second post.

Thanks, though. :)

6:52 pm on Jan 8, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2003
posts:2355
votes: 0


Check and see what BHO (Browser Helper Objects) you have installed:

definitivesolutions.com/bhodemon.htm
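
An added example (not part of the original thread, and not how BHODemon or HijackThis work internally): a PowerShell listing of the Browser Helper Objects registered machine-wide, resolving each CLSID to its DLL and Authenticode status so unfamiliar entries stand out for review. The function name `Get-BrowserHelperObject` is hypothetical; the registry paths are the standard BHO and COM class locations.

```powershell
# Added example: inventory IE Browser Helper Objects (BHOs) for manual review.
# Read-only; it changes nothing. Per-user COM registrations (HKCU) are not covered.
$bhoViews = @(
    @{ View = '64-bit'
       Bho  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls  = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ View = '32-bit'
       Bho  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls  = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BrowserHelperObject {
    foreach ($v in $bhoViews) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid    = $key.PSChildName            # each subkey name is a CLSID
            $classKey = Join-Path $v.Cls $clsid
            $name = $null; $dll = $null; $sig = 'NoClassRegistration'

            if (Test-Path -LiteralPath $classKey) {
                $name   = (Get-Item -LiteralPath $classKey).GetValue('')
                $inproc = Join-Path $classKey 'InprocServer32'
                $sig    = 'NoInprocServer'
                if (Test-Path -LiteralPath $inproc) {
                    $dll = (Get-Item -LiteralPath $inproc).GetValue('')
                }
            }
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                $sig = if (Test-Path -LiteralPath $dll) {
                    (Get-AuthenticodeSignature -LiteralPath $dll).Status
                } else { 'FileMissing' }
            }
            [pscustomobject]@{
                View = $v.View; CLSID = $clsid; Name = $name
                Dll  = $dll;    Signature = $sig
            }
        }
    }
}

# An unsigned or missing DLL is a lead to investigate, not proof of a hijacker.
Get-BrowserHelperObject | Sort-Object Signature, Dll | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt before and after cleanup to confirm which entries were removed.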

6:59 pm on Jan 8, 2004 (gmt 0)

New User

10+ Year Member

joined:Mar 4, 2003
posts:33
votes: 0


Well it seems CWShredder is the tool to use! I seem to now be spyware free and the big G is working as usual again. It looks like I'll be keeping 3 spyware/adware removal tools from now on.

Thanks for your help bcolflesh and pmac. I appreciate it.

7:21 pm on Jan 8, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 3, 2002
posts:75
votes: 0


Your particular bug was probably created by Odysseusmarketing(.com).

10:54 am on Jan 9, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 23, 2003
posts:77
votes: 0


CWShredder is available at merijn.org and it works a treat

10:37 pm on Jan 9, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 4, 2002
posts:418
votes: 0


Well, CWShredder didn't work for me and my problem but I used HijackThis.exe to see all the BHOs running on my comp... Deleted the odd looking ones and the problem is solved.

11:00 pm on Jan 9, 2004 (gmt 0)

New User

10+ Year Member

joined:Mar 4, 2003
posts:33
votes: 0


I should add that CWShredder didn't work for me at first, but everything was fine after a restart.