Poor Defenders

Some anti-spyware companies use confusing ads, and our tests show their $20-$60 products are less effective than free competitors.

Freelance writer Mary Landesman did testing for this story.

Andrew Brandt

Eric L. Howes, a University of Illinois library science graduate student, has analyzed the effectiveness of more than 100 anti-spyware utilities.
Photograph by Michael Girard
You've almost certainly encountered the ads: A dialog box pops up on your system, bearing the message "Warning! Your computer may be infected with spyware" and suggesting that you scan your computer immediately. Click it, and you often reach a Web site providing a "free spyware scanner" that finds all sorts of malware on your PC--and then offers to sell you software that will clean it all up.

Should you buy these products? Based on our tests, our opinion is no. Following complaints from several PC World readers, we tested seven heavily advertised spyware-removal tools--MyNetProtector, NoAdware, PAL Spyware Remover, SpyAssault, SpyBlocs, Spyware Stormer, and XoftSpy--and found that none were as effective as reputable free products such as Spybot Search & Destroy. A couple even installed new spyware.

While bills addressing spyware work their way through Congress, spyware-removal marketing has already caught the attention of the Federal Trade Commission. In October the FTC filed suit against Sanford Wallace--a former self-styled spam king--Seismic Entertainment, and Smartbot.net, saying that they took advantage of browser security holes to plant code that displayed ads promoting, among other products, their own $30 spyware remover (variously called Spy Wiper or Spy Deleter). The FTC is asking Seismic to return any "ill-gotten gains" to its customers.

Volunteer Help

These advertising tactics don't sit well with Eric L. Howes, a University of Illinois at Urbana-Champaign library science graduate student who analyzes anti-spyware utilities for SpywareWarrior.com. The volunteer-run site is associated with the Alliance of Security Analysis Professionals, a network of organizations that dole out free advice about security, including info about spyware and spyware-removal programs. (Howes himself is not a member of ASAP.)

Howes says that the ads for some spyware-removal applications suggest that they have scanned your PC and found spyware when in fact they "just plain haven't done any scans whatsoever."

Leighann Smith, a homemaker from Independence, Kentucky, was among those who complained to us. She bought NoAdware hoping it would address her computer's spyware symptoms, including crashing and a home page that kept changing to child porn sites.

NoAdware "removed some stuff, but it also deleted something on the hard drive so the computer couldn't reboot," Smith says. After reinstalling Windows, Smith sent multiple messages to NoAdware requesting a refund, which she received four months after her initial request.

Ineffective Tools

Illustration by Joe Zeff.
To see for ourselves how well NoAdware and the others worked, we installed Windows XP on a clean hard drive, patched it, and then infected the system with six spyware applications chosen as a representative sample of the hundreds that exist. While our test is not comprehensive, the six programs include frequently used and widely available types of adware and spyware, including Browser Helper Objects and executable files.

The programs engage in a wide range of typical spyware behavior, such as changing a browser's home page, modifying Windows' Hosts file, downloading additional adware apps, and putting references to themselves into the Registry so that they'll launch when Windows does.

No spyware-removal utility is perfect; in our experience, even free tools we've found effective in previous tests, such as Spybot Search & Destroy, will fail to detect spyware that another good program might find. But we felt any spyware remover worth its salt should be able to detect and remove most of these common adware apps. After infecting the PC, we scanned it with one of the anti-spyware tools, starting the process over again for each one. As a control, we also ran the test using Spybot Search & Destroy.

Spyware programs put keys in the Windows Registry that are usually benign; they also install executable and DLL files, which are more dangerous. Ideally, anti-spyware software should remove both the keys and the files. But three products we tested removed browser cookies but no other files or Registry keys; one removed keys for two out of a possible six applications, but no files; and three removed files for some apps but left others untouched (see the chart).

SpyBlocs and PAL Spyware Remover not only failed to detect or remove any of our planted spyware, they identified legitimate parts of Windows or other applications as spyware and deleted them. SpyBlocs, for example, deleted a critical system folder where Windows stores its signed device drivers, which on some PCs might have resulted in an unrecoverable system crash. (The vendor says this was due to a bug that will be corrected in future versions.)

Even more remarkable, two other programs we tested installed spyware applications on our system. SpyAssault left a file called FavoriteMan, a browser hijacker listed in online spyware databases such as SpywareGuide.com. MyNetProtector installed a whopping 57 files, including 19 that attempted to make connections to the Internet--in some cases within seconds of installation. Among the programs it loaded were BargainBuddy, EZula, and PurityScan, all of which (according to SpywareGuide.com's database) display pop-up ads and change browser settings on PCs.

Our free control application, Spybot Search & Destroy, removed Registry keys for four applications, and executable and DLL files associated with five spyware apps.

We attempted to contact the companies that make the applications we tested, via multiple e-mail messages and telephone calls to the addresses and phone numbers listed in the Whois registration information for each company's domain name. At press time, only a few had replied.

Companies Respond

Nathan Shafer, answering our e-mail message to Spyware Stormer, challenged our test methodology. Shafer wrote that Spyware Stormer detects "over 20,000 variants of spyware and adware," and that its performance with the six applications we chose was therefore "hardly representative in any way."

PAL Solutions, which produces PAL Spyware Remover, responded to questions about the test results by saying that a yet-to-be-released version of its software would detect as many as 5000 spyware applications, compared with the 600 programs the version we tested was supposed to detect. Similarly, a representative of Network Dynamics, which makes SpyBlocs, said that a newer version of the product had been released after our testing cut-off date.

We were unable to reach NoAdware, but the Better Business Bureau of Upstate New York reported that it had received 22 complaints about the company, which is not a member of the BBB, by early October. Network Dynamics has a clean record as a member of Southern California's BBB. The BBB's complaint database contained no record of complaints for the remainder of the companies whose products we tested.

Hard Sell

Aside from their shortcomings as spyware removers, many of these utilities use aggressive marketing tactics in pop-up ads, spam, and keyword ads appearing alongside Google search results.

Some companies use pop-ups that mimic the appearance of Windows dialog boxes but include the word advertisement in light gray text in a corner, where it might easily escape a PC user's notice.

Some companies employ a domain name that contains the name or names of better-known competing programs. For example, the Web site www.spybot-virus-scan.com, which some consumers might expect to be associated with Spybot Search & Destroy, promotes PAL Spyware Remover.

Still other companies buy ads on Google pages displaying search results for the names of popular competitors. When we searched for "Ad-Aware," for example, we found an ad for NoAdware.

Protect Your PC

To find out more about other people's experiences with spyware-removal tools, check sources such as the message boards on sites listed at ASAP's page.

The Better Business Bureau's Web site is another good source: There you can type in a company's URL to search for records and complaints.

Howes recommends avoiding products promoted in ads that appear designed to increase your anxiety level, such as pop-up ads that look similar to Windows dialog boxes. He suggests using a combination of free spyware removers first--Spybot and Ad-Aware SE Personal. If you continue to experience any unexpected changes to your computer system, try a commercial application such as PestPatrol, which detected all of the spyware on our test system.

Don't let marketing tactics scare you into paying for an anti-spyware product that may not do as good a job of protecting your PC as a free application. It pays to do a little homework before you punch in those credit card numbers.

Disappointing Anti-Spyware Tools (chart)

Commercial products promoted in spam and pop-up ads work less well than quality freeware.

Congress Versus Spyware

Although the political parties have agreed on little else this year, curbing spyware has been something everyone can get behind. The House of Representatives passed a couple of anti-spyware bills on near-unanimous votes; a third advanced beyond the committee stage in the Senate and may be up for a vote by the time you read this. In the meantime, California and Utah have recently enacted their own laws against spyware (Utah's law is on hold pending a state court review of its constitutionality). But whether any of these laws will succeed in suppressing spyware remains unclear.

Here is a rundown of the three major federal bills; you can track their status at thomas.loc.gov.

Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act (S. 2145): Sponsored by Senator Conrad Burns (R-Montana) and others, this act makes it illegal to load a program onto a PC without the user's knowledge and consent, and requires software vendors to clearly explain, prior to installation, what the program does and what types of information it collects. The bill also requires a clear uninstall procedure and sets out penalties for violators. The Federal Trade Commission would handle enforcement and administration. Status: out of committee, awaiting Senate vote.

Securely Protect Yourself Against Cyber Trespass (SPY ACT) (H.R. 2929): Sponsored by Representative Mary Bono (R-California) and others, this comprehensive bill prohibits transmission of spyware to a computer without clear authorization by the user or owner of the computer. Among other things, it also outlaws taking over a PC for the purpose of sending unsolicited information to others (setting up a zombie PC); changing a browser's home page or otherwise loading pages other than those the user intended to request; and distributing adware that won't stop serving ads and creating new pop-ups unless the user shuts down the browser or the PC. The bill sets out penalties for violations and places the FTC in charge of enforcement and setting standards for what constitutes user authorization and the like. Status: passed the House, awaiting Senate action.

Internet Spyware Prevention (I-SPY) Act (H.R. 4661): Sponsored by Representative Robert Goodlatte (R-Virginia) and others, the bill introduces new penalties ranging from fines to two to five years in prison for parties who cause spyware to be downloaded or copied onto a computer without authorization, either to compromise the computer's security or to use the information gained to defraud or injure a person. It prohibits civil suits based on violations, however. Status: passed the House, awaiting Senate action.

Anush Yegyazarian

How We Tested Spyware-Removal Applications

We started by installing Windows XP Professional and all of its current security patches on a PC with a 1.3-GHz AMD Athlon 1300 processor, 256MB of RAM, and a 30GB hard drive. We then installed Adobe Reader, for viewing the online manuals or documentation for some of the anti-spyware tools; InCtrl, a utility that logs important details about the software environment of the computer; Ahead Nero Burning ROM, for copying relevant files or logs to CD-R discs; and Norton Ghost, which we used to create a disk image of the hard drive so that we could restore the PC to its original state before testing each spyware-removal application. We then installed six different spyware apps.

What Was Tested

Every spyware application adds two types of items to a computer that a spyware remover should remove or reverse: files, such as .exe (program executables) and .dll (additional instructions used by the executables) files, and keys (or entries) to the Windows Registry. The number and types of files and keys vary among spyware applications.

Some spyware applications copy themselves to two different locations on a hard drive and place a key in the Registry that instructs Windows to run one copy of the spyware. If Windows doesn't find the program referenced in the Registry (say, because you deleted that spyware program), the spare copy makes a copy of itself and then puts that where the original copy had been, so the spyware will successfully start up again the next time you reboot your computer. Because of this, we deemed that an anti-spyware tool had removed a spyware application's files only if it removed all files associated with the application.

Registry keys are less dangerous than program files because they cannot do anything without the files. Again, we determined that a spyware remover had successfully eliminated Registry keys for an application only if it eliminated all Registry entries associated with the application.

About the Spyware Apps We Used

The spyware applications we installed on the test PC engage in several behaviors commonly associated with spyware, including adding entries to Internet Explorer's Favorites; installing toolbars and other elements into IE's interface; downloading additional software; and automatically launching pop-up ads, even when the infected PC isn't running a browser--or isn't even connected to the Internet.

Several of the spyware applications we used also made modifications to the Hosts file, where a browser looks up the IP address associated with a domain name. This alteration typically means that a user requesting a popular Web page could receive a completely different page. For example, a user who typed in "www.google.com" might unwittingly go to an alternate search engine.
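
A defender can check for this kind of Hosts-file tampering by listing every entry that pins a public hostname to a routable address. The following is an added example, not part of the original article; the sample file content and the 192.0.2.x addresses (a documentation-only range) are constructed.

```python
# Added example: audits Hosts-file text for entries that override DNS
# for a public hostname. Sample content and addresses are constructed.
import ipaddress

SAMPLE_HOSTS = """\
# sample Hosts file (constructed)
127.0.0.1       localhost
192.0.2.15      www.google.com google.com   # added by installer
192.0.2.15  search.example.net
not-an-ip       broken.example
0.0.0.0         ads.example.org
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def audit_hosts(text):
    """Return (redirects, malformed) found in Hosts-file text.

    redirects: (line_no, hostname, address) for each non-local name
               pinned to a routable address.
    malformed: (line_no, raw_line) for lines that do not parse.
    """
    redirects, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((line_no, raw))
            continue
        if len(fields) < 2:
            malformed.append((line_no, raw))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue   # blocks the name rather than redirecting it
        for name in fields[1:]:
            if name.lower() not in LOCAL_NAMES:
                redirects.append((line_no, name.lower(), str(addr)))
    return redirects, malformed

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

On Windows XP the file to read is `%SystemRoot%\system32\drivers\etc\hosts`; a freshly installed system has no redirect entries, so anything this reports is worth tracing to the program that wrote it.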

All of the spyware applications we used made changes that ensured they would be activated the next time the computer booted up. Many of them changed Internet Explorer's security settings and/or kept track of the history of sites the PC had browsed, as well.

Free Versus Fee Scanners

Vendors for each of the spyware removers we tested (except Spybot Search & Destroy, our free reference application) provided a no-cost, downloadable scanning application that was supposed to determine what, if any, spyware was on a user's PC. We used the free scanner to test our infected system, recorded the results, and then paid for the full version of the scanner and software. After installing any requested updates to the spyware remover, we performed another scan at both the default setting and, if available, at the application's highest deep-scan setting.

In all cases, we reported the results of the scan that removed the most spyware. We noted whether the scanner removed part or all of the files associated with each of the six spyware apps, and whether it removed the Registry keys created as a result of the spyware infection. We also noted any abnormalities, such as false positives, where a scanner identified legitimate Windows files, Registry keys, or non-spyware applications as spyware.

When the scanning was complete, we instructed the scanner to remove anything it found; then we rebooted the computer and ran the scanner again. In one case the scanner removed files that Windows needed to boot, so the computer was unable to perform the second scan without permitting Windows XP's System Restore to bring the deleted files back.
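
The all-or-nothing scoring rule from "What Was Tested" and the false-positive check described above can be expressed as a comparison of system snapshots. This is an added example, not the harness used for the article; the application names, file paths, and Registry value names are constructed.

```python
# Added example, not the magazine's harness. Every app name, path and
# Registry key below is constructed for illustration.

def norm(items):
    # Windows paths and Registry key names are case-insensitive.
    return {i.lower() for i in items}

def score(planted, baseline, after):
    """planted: {app: {"files": set, "keys": set}} added by each spyware app.
    baseline / after: {"files": set, "keys": set} snapshots of the clean
    image and of the system after removal and a reboot."""
    report = {}
    for app, items in planted.items():
        left_files = norm(items["files"]) & norm(after["files"])
        left_keys = norm(items["keys"]) & norm(after["keys"])
        report[app] = {
            # Credit only when every item is gone: a surviving spare copy
            # can put the deleted file back on the next boot.
            "files_removed": not left_files,
            "keys_removed": not left_keys,
            "left_behind": sorted(left_files | left_keys),
        }
    # False positives: clean-image items the remover deleted.
    false_positives = sorted(
        (norm(baseline["files"]) - norm(after["files"]))
        | (norm(baseline["keys"]) - norm(after["keys"])))
    return report, false_positives

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {"files": {r"C:\WINDOWS\system32\drivers\example.sys",
                      r"C:\WINDOWS\explorer.exe"},
            "keys": {r"HKLM\SOFTWARE\ExampleVendor\Reader"}}
PLANTED = {
    "AdwareA": {"files": {r"C:\Program Files\AdwareA\a.exe",
                          r"C:\WINDOWS\a_spare.exe"},
                "keys": {RUN + r"\AdwareA"}},
    "AdwareB": {"files": {r"C:\WINDOWS\system32\b_helper.dll"},
                "keys": {RUN + r"\AdwareB"}},
}
# After the scan: one AdwareA file and its Run key are gone, AdwareB is
# untouched, and a clean driver file was deleted by mistake.
AFTER = {"files": {r"C:\WINDOWS\explorer.exe", r"c:\windows\A_SPARE.EXE",
                   r"C:\WINDOWS\system32\b_helper.dll"},
         "keys": {r"HKLM\SOFTWARE\ExampleVendor\Reader", RUN + r"\AdwareB"}}

if __name__ == "__main__":
    print(score(PLANTED, BASELINE, AFTER))
```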

Andrew Brandt


©2009 About.com, a part of The New York Times Company.

All rights reserved.