Poor Defenders


How We Tested Spyware-Removal Applications

We started by installing Windows XP Professional and all of its current security patches on a PC with a 1.3-GHz AMD Athlon 1300 processor, 256MB of RAM, and a 30GB hard drive. We then installed Adobe Reader, for viewing the online manuals or documentation for some of the anti-spyware tools; InCtrl, a utility that logs important details about the software environment of the computer; Ahead Nero Burning ROM, for copying relevant files or logs to CD-R discs; and Norton Ghost, which we used to create a disk image of the hard drive so that we could restore the PC to its original state before testing each spyware-removal application. We then installed six different spyware apps.

What Was Tested

Every spyware application adds two types of items to a computer that a spyware remover should remove or reverse: files, such as .exe files (program executables) and .dll files (additional instructions used by the executables), and keys (or entries) in the Windows Registry. The number and types of files and keys vary among spyware applications.

Some spyware applications copy themselves to two different locations on a hard drive and place a key in the Registry that instructs Windows to run one copy of the spyware. If Windows doesn't find the program referenced in the Registry (say, because you deleted that spyware program), the spare copy makes a copy of itself and puts it where the original copy had been, so the spyware will successfully start up again the next time you reboot your computer. Because of this, we deemed that an anti-spyware tool had removed a spyware application's files only if it removed all files associated with the application.

Registry keys are less dangerous than program files because they cannot do anything without the files. Again, we determined that a spyware remover had successfully eliminated Registry keys for an application only if it eliminated all Registry entries associated with the application.

About the Spyware Apps We Used

The spyware applications we installed on the test PC engage in several behaviors commonly associated with spyware, including adding entries to Internet Explorer's Favorites; installing toolbars and other elements into IE's interface; downloading additional software; and automatically launching pop-up ads, even when the infected PC isn't running a browser--or isn't even connected to the Internet.

Several of the spyware applications we used also made modifications to the Hosts file, where a browser looks up the IP address associated with a domain name. This alteration typically means that a user requesting a popular Web page could receive a completely different page. For example, a user who typed in "www.google.com" might unwittingly go to an alternate search engine.

All of the spyware applications we used made changes that ensured they would be activated the next time the computer booted up. Many of them changed Internet Explorer's security settings and/or kept track of the history of sites the PC had browsed, as well.

Free Versus Fee Scanners

Vendors for each of the spyware removers we tested (except Spybot Search & Destroy, our free reference application) provided a no-cost, downloadable scanning application that was supposed to determine what, if any, spyware was on a user's PC. We used the free scanner to test our infected system, recorded the results, and then paid for the full version of the scanner and software. After installing any requested updates to the spyware remover, we performed another scan at both the default setting and, if available, at the application's highest deep-scan setting.

In all cases, we reported the results of the scan that removed the most spyware. We noted whether the scanner removed part or all of the files associated with each of the six spyware apps, and whether it removed the Registry keys created as a result of the spyware infection. We also noted any abnormalities, such as false positives, where a scanner identified legitimate Windows files, Registry keys, or non-spyware applications as spyware.

When the scanning was complete, we instructed the scanner to remove anything it found; then we rebooted the computer and ran the scanner again. In one case the scanner removed files that Windows needed to boot, so the computer was unable to perform the second scan without permitting Windows XP's System Restore to bring the deleted files back.
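The all-or-nothing scoring and false-positive check described above can be expressed as a comparison of snapshots. This is an added example, not the testers' own tooling; it assumes each snapshot is a set of (kind, path) items, and every path, key, and app name in the sample data is constructed.

```python
def score(baseline, infected, after, app_items):
    """Return ({app: verdict}, false_positives) from sets of (kind, path) items."""
    results = {}
    for app, items in app_items.items():
        verdict = {}
        for kind in ("file", "key"):
            added = {i for i in items if i[0] == kind}
            left = added & after  # items that survived removal and reboot
            if not left:
                verdict[kind] = "all"
            elif left == added:
                verdict[kind] = "none"
            else:
                verdict[kind] = "partial"
        # The article's rule: credit only when every item of that kind is gone.
        verdict["files_removed"] = verdict["file"] == "all"
        verdict["keys_removed"] = verdict["key"] == "all"
        results[app] = verdict
    # False positives: items present on the clean image that the remover deleted.
    return results, sorted((baseline & infected) - after)

# Constructed sample data; every path, key and app name is hypothetical.
BASELINE = {
    ("file", r"C:\WINDOWS\system32\legit.dll"),
    ("key", r"HKLM\Software\LegitApp"),
}
APPS = {
    "AppA": {
        ("file", r"C:\Program Files\AppA\a.exe"),
        ("file", r"C:\WINDOWS\a_copy.exe"),  # the spare copy
        ("key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AppA"),
    },
    "AppB": {
        ("file", r"C:\Program Files\AppB\b.dll"),
        ("key", r"HKLM\Software\AppB"),
    },
}
INFECTED = BASELINE.union(*APPS.values())
# State after removal and reboot: AppA's spare copy survives, legit.dll is gone.
AFTER = {("key", r"HKLM\Software\LegitApp"), ("file", r"C:\WINDOWS\a_copy.exe")}
RESULTS, FALSE_POSITIVES = score(BASELINE, INFECTED, AFTER, APPS)

if __name__ == "__main__":
    for app, verdict in RESULTS.items():
        print(app, verdict)
    print("false positives:", FALSE_POSITIVES)
```

AppA shows why partial removal earns no credit: the surviving spare copy is exactly the file that can restore the deleted original.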

Andrew Brandt

Security analyst Mary Landesman did testing for this story.