Just to clarify, I don’t know the specific program you’re dealing with, and I’ve never had an opportunity to take it apart and see what it does. I’m speaking of what it could be programmed to do.
When I say the program would “act,” I’m speaking of virus-like behavior. Viruses have what’s known as a trigger and a payload. The trigger could be any number of things, like the clock registering a certain time and date, or a certain program being run. In the case of this spyware, the trigger would likely be Google’s domain name appearing as the location of an incoming HTML page.
The payload is what I called “acting” in my earlier post, and it just refers to running a different part of the program (or a different program entirely).
It could be doing exactly that. Caution: I’m simplifying the bejeebers out of this process in the following description!
Nanoda described the layering system in Windows, and all modern operating systems have layered architectures of some sort. The advantage of that structure is that you don’t have to program the details of creating a socket or resolving a domain name into every single program that accesses the Internet. Think of it like this:
At the highest level is your Web browser. When you tell it to fetch www.google.com, it passes that command down a layer. The next layer down handles what it can, and then passes the rest down a layer. This process repeats until your request has been turned into TCP/IP packets and shipped out your network (or modem) port. When information starts coming back in that port, the lowest level sorts out which higher-level processes should get that information. The HTML for the Google web site is assembled and passed back up through the layers until it reaches your Web browser.
Let’s assume the spyware program has inserted itself between the Web browser and the next-lowest level. It looks at each incoming Web page and checks to see whether it’s Google search results. If not, it passes it on unchanged. If it is a search result page, it unleashes the payload process.
The payload process parses the page to find the search terms (trivially easy to do), and then inserts the fabricated results you mentioned in between the real results.
I don’t know if this is how the actual program you were infected by is working, but it’s certainly one way to do it.
If this thing is actually viral, it could attach itself to your Web browser and change the browser’s behavior. That would be much more complicated to create, as it would have to understand each version of each Web browser that you might possibly be running. The way I first described it, it would affect any browser program you used, even the ones embedded in other programs.
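Added illustration, not part of the original post and not the behaviour of any known program: a toy model of the layer stack described above, showing that a layer which alters only pages matching its trigger can be spotted by comparing the page as it left the network layer with the page the browser received. The host names, page contents and function names are all constructed for this example.

```python
import hashlib
import re

# Constructed sample pages keyed by host; these stand in for real network traffic.
WIRE_PAGES = {
    "www.google.com": "<html><ol><li>real result A</li><li>real result B</li></ol></html>",
    "www.example.org": "<html><ol><li>unrelated page</li></ol></html>",
}

def network_layer(host):
    """Lowest layer: the page exactly as it arrived from the network."""
    return WIRE_PAGES[host]

def interposed_layer(host, html):
    """Hypothetical layer sitting between the browser and the layer below it."""
    if not host.endswith("google.com"):   # trigger not met: pass on unchanged
        return html
    # Payload: one extra entry placed between the real results.
    return html.replace("</li><li>", "</li><li>fabricated result</li><li>", 1)

def browser_view(host, layers):
    """Pass the page up through every layer until it reaches the browser."""
    html = network_layer(host)
    for layer in layers:
        html = layer(host, html)
    return html

def digest(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def tampered_hosts(hosts, layers):
    """Hosts whose page differs between the network layer and the browser."""
    return [h for h in hosts
            if digest(network_layer(h)) != digest(browser_view(h, layers))]

def added_entries(host, layers):
    """List entries the browser sees that were never on the wire."""
    items = lambda html: re.findall(r"<li>(.*?)</li>", html)
    on_wire = items(network_layer(host))
    return [i for i in items(browser_view(host, layers)) if i not in on_wire]

if __name__ == "__main__":
    stack = [interposed_layer]
    for host in tampered_hosts(list(WIRE_PAGES), stack):
        print(host, "altered in transit; added:", added_entries(host, stack))
```

Because the trigger is selective, only the matching host shows a mismatch; every other page hashes identically at both layers.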