While troubleshooting, I noticed an odd phenomenon: I couldn’t get through to any anti-spyware sites to download anything. I’d get “Page Not Available” errors. CNN came up fine, but sites like Lavasoft and even GRC just wouldn’t work.
Ad-Aware was already installed, so I fired it up and had it check for updates. It came back very quickly and said no updates were available. I was suspicious because I knew this employee wasn’t in the habit of running Ad-Aware (hence her problem).
Turns out I’d fallen for the oldest trick in the book — a hacked HOSTS file. I cracked it open, and — sure enough — the app had written a list of perhaps 200 anti-spyware sites and sent them off into oblivion (127.0.0.2, 127.0.0.3, etc.). So it wasn’t that Ad-Aware had the latest data file, it was that it couldn’t contact its mothership for an update (you’d think it would have thrown an error message rather than just announcing that no updates were available).
In the end, this was a nasty one to get rid of. You needed to fix the HOSTS file, shut off all start-up tasks, reboot in Safe Mode, delete the executables (in a hidden directory, naturally), and put dummy files in their place, named the same and set to read-only.
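The HOSTS-file trick above is easy to spot mechanically once you know what to look for: any hostname other than localhost being pointed at a loopback (127.x, ::1) or unroutable (0.0.0.0) address has no legitimate reason to be there. As an added example, not code from the original post, here is a small Python checker that parses HOSTS-file text, flags the hijacked entries, and produces a cleaned copy for the "fix the HOSTS file" step. The sample file, its domain names and IP addresses are constructed for illustration; it also treats 0.0.0.0 and ::1 as sinkhole addresses, which goes beyond the 127.0.0.x entries described above. On Windows the file to feed it is normally C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample in the state described above: the stock comment header and
# the localhost line are intact, but anti-spyware sites have been appended and
# pointed at loopback addresses. The domains/IPs here are illustrative only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.2       www.lavasoft.com
127.0.0.3       grc.com      # trailing comment, as some droppers add
127.0.0.4       www.lavasoftusa.com
0.0.0.0         updates.antispyware-vendor.example
192.168.1.10    intranet.example   # a legitimate local mapping, must survive
"""

# Names that may legitimately resolve to a loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, [hostnames], line_no) for each non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:], line_no))
    return entries


def is_sinkhole_address(ip_str):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage in the address column is a separate problem
    return ip.is_loopback or ip.is_unspecified


def find_hijacked(text):
    """Return (hostname, ip, line_no) for every non-localhost name sent to a sinkhole."""
    hijacked = []
    for ip, names, line_no in parse_hosts(text):
        if not is_sinkhole_address(ip):
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                hijacked.append((name, ip, line_no))
    return hijacked


def clean_hosts(text):
    """Return the HOSTS text with hijacked lines removed and everything else untouched."""
    bad_lines = {line_no for _, _, line_no in find_hijacked(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, ip, line_no in find_hijacked(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against the real file (open it, pass the contents to `find_hijacked`) before rebooting into Safe Mode, so you know the update servers will actually be reachable once the executables are gone; if the file is read-only or locked, that is itself a sign the dropper expects you to come looking.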
A real mess, but that HOSTS file thing was what really got me. How friggin’ slimy can you get? And this wasn’t a blatant malware app on the surface — it made all sorts of claims that it provided “important benefits” to the user and that it wasn’t spyware.
So, why exactly do you need to prevent the user from visiting a site that may help them uninstall you, again? I feel so naive.