A contact suffered a trojan infection on his Windows XP machine the other day. He was alerted to the infection by Windows Defender, but the Remove or Quarantine actions offered by Defender did not work. If he removed the trojan, it reappeared on the next reboot. The installed AVG security suite sat there unconcerned.
I am not sure exactly what path he took, but he did some clicking of links and ended up at a site which offered software that promised to fix the issue. The software was called SpyHunter, from Enigma Software. He purchased and installed SpyHunter, which proved no more effective than Defender. At this point he asked me to look at his machine.
A person who has discovered a virus on their PC will be anxious about the attack and its unknown consequences, and will want to fix it urgently. That makes them vulnerable to ill-considered downloads and purchases; and searching the web for assistance with a virus can be like trying to cure alcoholism with drinking. That said, there is good advice to be had; but assessing the authority and reliability of the assistance offered is critical.
My advice in general is only to visit sites that you know to be trusted, such as official Microsoft support, major security software vendors, and only those community sites with which you are already familiar. It is difficult advice to follow though, particularly for non-technical users.
The best course of action after a confirmed infection is to flatten and rebuild the operating system. Larger organizations do this efficiently by restoring a pre-configured image to standardised hardware, but this too is difficult for individuals and SMEs who want to get on with their work.
I digress. My first question: was SpyHunter bona fide, or could it have made the problem worse? The only quick way to find out: back to the search engines, source of all good and all evil. The top entries for SpyHunter on both Google and Bing are the official company site and a Wikipedia entry. Bing has Wikipedia first, while Google puts the company site top.
Note the large role Google (or your favourite search engine) is playing here, both in leading users to possible solutions, and in assessing their value. Although the high placement of the company site is somewhat reassuring, in that Google would probably try not to give a high ranking to known malware, it would be a mistake to rely entirely on a detail like this. Google makes no guarantees concerning the content of the sites it indexes.
Naturally I was more interested in the Wikipedia entry. The entry is annotated with warnings that the article is near-orphaned (though the search engines find it readily enough) and that it reads like an advertisement. There is little detail and it is out of date. Further, the language seems strange:
In early 2004, SpyHunter was blamed for producing false positives and using aggressive advertising techniques. This resulted in a lot of bad SpyHunter reviews published. Some of them were harsh, but fair, while others were simply ridiculous. We confirm that SpyHunter was promoted aggressively by some affiliates, but all of them were eventually banned by program makers in late 2004. Early SpyHunter versions had some obvious drawbacks. The product’s version 2.0 resolved all these issues.
This is a quote from a supposedly independent review on a site called 2-software.com. I don’t like the site, which seems (as are so many) dominated by its affiliate links.
SpyHunter is probably harmless, though ineffective. I used the Sophos command-line tool to remove the trojan, and deleted some rogue registry entries; the machine seems OK now though that might just mean that the other trojans are doing a better job of hiding. I also removed SpyHunter of course.
The state of security on the Internet remains lamentable, and security software is a partial solution at best. What interests me here though is the combination of two things:
1. The inadequacy of Wikipedia as an authoritative source, particularly in its less trafficked topics.
2. The high ranking accorded to seemingly any Wikipedia article by the leading search engines.
It is a dangerous combination – not only for virus victims, but for kids doing homework, or anyone researching anything.