“Google's search engine has started warning users that they've installed certain malware. "Your computer appears to be infected," a banner will proclaim across the top of every Google search whenever the malware is detected. Clicking a link in the banner leads to instructions on how to find an appropriate anti-virus program to remove the software.” – arstechnica
This is the warning (image from Neowin.net):
Actually, the link leads to a Google search page which lists many antivirus programs which may or may not do the job, and which may or may not be “real” antivirus programs.
Google isn’t doing an “instantaneous” scan of your hard disk. It’s simply detecting whether your browser’s traffic has been routed through proxies controlled by the creators and distributors of the malware. These proxies are used to hijack your browser and are generally transparent to users. While this is a minor privacy breach, the motives are pure. The malware, which was installed beforehand, most likely by the fake antivirus, modifies the user’s hosts file so that domain names can be looked up without having to use a DNS server.
So Google is doing a good deed, right? Yes and no.
Letting folks know this is theoretically a good thing, but one of the first signs you’ve arrived at a phishing site is a notification that “Your PC is Infected!”, which leads to a phony scan and malware installation. That’s how “MacShield” and “WindowsProtector” (which came in variants under various names) operated.
While a minor privacy breach, the detection came from a good motive:
“Damian Menscher, who works for Google as a security engineer, said, "we hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections."” – Neowin.net
I do think that the search page the browser is led to by clicking the link should have been well screened for phishing/malware links, though.
Also, the criminals are, I’m sure, already changing their proxies.