Spy Stoppers


Keith Dunlap had never even heard of Cool-search.net. But one day last December, as he opened the browser on his home PC, the site filled his display.

The browser's Internet Options window showed his home page had been changed to the arcane address t.rack.cc/hp.php. Dunlap, a researcher at the Wood Science & Technology Institute in Corvallis, Oregon, reentered his old one. But when the system rebooted, his browser jumped to Superbookmark.com, another site he didn't know. Sure enough, that mysterious home page setting was back. He rebooted again, and his browser jumped to a third unwanted site: Real-Yellow-Page.com. Obviously, something was lurking on his PC, and he feared it was tracking his behavior.

Dunlap had already installed PepiMK Software's Spybot Search & Destroy 1.2 (reviewed in this story), a tool designed to detect and remove this sort of sinister software. Spybot's engine, he discovered, had been turned off. "I don't know if the spyware was to blame," Dunlap says. "But Spybot's immunization tools were no longer running." Even when he turned it on, Spybot detected no spyware-related files. Dunlap manually removed all references to t.rack.cc/hp.php in the Windows Registry. He rebooted, and they came back.

Dunlap's machine was infected with CoolWebSearch, one of many spyware applications threatening the world's computing devices—a late-breaking Trojan horse so nasty that only one app we tested, Lavasoft's Ad-aware Plus 6, could find it—and none could remove it. There is, however, a standalone app called CWShredder (available at www.spywareinfo.com) that can get rid of CoolWebSearch.

Spyware apps sneak onto your machine when you download many file-sharing services, open infected e-mails, or click on dubious Internet pop-up ads. They can manipulate your system, record your habits, and steal your passwords and credit card numbers. Depending on their degree of aggressiveness, they can steal your privacy or even your identity. And they can be terribly difficult to remove.


78,000 Ways to Spy

According to PestPatrol, which sells its own spyware remover, more than 78,000 spyware programs are on the loose. These include adware applications, which track browsing habits and serve up ads; key loggers, which record keystrokes (passwords and credit card numbers, anyone?); and Trojan horses, which provide hackers unfettered access to your PC. In the past year, PestPatrol uncovered more than 500 new Trojan horses, 500 new key loggers, and 1,287 new adware apps. In fact, Webroot Software, maker of Spy Sweeper 2.2, estimates that 80 percent of PCs are infected—and that's not including less malevolent types of spyware, such as tracking cookies. The problem is so prevalent that major utility vendors McAfee and Symantec are getting into the act. McAfee's results are already good; Symantec's are less so in this first round.

Adware Rears Its Ugly Head

Chances are your machine is hosting spyware. If you've recently installed a free file-sharing service like Grokster or Kazaa, there's no doubt about it; such services are almost always tied to several pieces of adware. You may not realize that when you accepted your file sharer's licensing agreement, you also agreed to download, install, and run this adware. (For exceptions, see "Spyware-Free P2P—for Free".)

Even if you avoid sharing infected files, there are risks everywhere. Sometimes, Web sites or e-mail will dupe you into downloading malicious code. "You may see a message that plays off your fears, telling you that your system is vulnerable and giving you a link to a patch," says Pete Lindstrom, director of Pennsylvania-based research firm Spire Security. When you click on the link, you're often installing spyware. Other times, spyware can infest your system when you simply visit a Web page or open an e-mail. Keith Dunlap believes he was the victim of such a "drive-by download."

Note: Every year, we receive indignant calls, e-mails, and letters from adware makers and distributors claiming that their apps are not spyware. At PC Magazine, we maintain that any application that tracks your behavior without your knowledge and consent is spyware. And no, a clause buried in a privacy policy that 99 percent of users never read isn't enough to avoid the spyware appellation.

At the very least, spyware brings inconvenience. Like CoolWebSearch, the program that infested Keith Dunlap's PC, many of these tools hijack your home page. They add sites to your browser's Favorites menu. They launch unwanted windows. Taking up CPU cycles, they slow system performance and even make your PC less stable. (For more signs that you're infected, see "11 Signs of Spyware".)

But none of this is as troubling as what these programs do behind the scenes. Many seemingly innocuous adware applications track the sites you visit, with alarming accuracy. "Some spyware actually changes your DNS records so that all your Web requests go through someone else's servers," says Bruce Hughes, director of malicious-code research at ICSA Labs, the investigative arm of a security corporation called TruSecure.

The nastiest applications, including key loggers and Trojan horses, grab more valuable information. In February 2003, employees at AOL downloaded a Trojan horse that pillaged the company's customer database. In July, a 25-year-old from Queens pleaded guilty to installing key loggers on computers at Kinko's stores in Manhattan, stealing over 450 online banking passwords. And in October, hackers used key loggers at Valve Software to pilfer the source code for Half-Life 2, one of the company's best-known computer games.

These apps go beyond simple spying and actually facilitate identity theft. If you don't find that worrisome, reread the story, "Identity Theft: What, Me Worry?" How can you remove spyware from your system and prevent further infection? It's not easy.

Immortalware

In 2003, according to PestPatrol vice president of product development Roger Thompson, there was a huge increase in the number of burrower programs—apps that dig so deeply into an OS that they can't be found or removed without major surgery. Some hide behind ordinary Windows filenames. Others install as "layered service providers," so that quick deletion disables your Internet connection. Still others create multiple copies of themselves across an OS; if one is removed, the others keep running. "About six months ago, we knew of only 6 burrowers," Thompson says. "Now there are more than 40." And there are dozens of other apps that include ticklers—mini-programs that reinstall deleted files. You can't protect yourself from spyware like this without tools specifically designed to find and remove it.
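The pattern described above, where removed settings return after a reboot (as Dunlap's t.rack.cc/hp.php home page did), can be checked by comparing registry exports taken while infected, after cleanup, and after the next reboot. This is an added example, not part of the original article or of any product reviewed here; the three snapshots are constructed, and the `updmgr`, `helper`, `ExampleFlag` and `ExampleVendor` names are hypothetical.

```python
import re

# Real Windows locations for the browser home page and for autostart entries.
# Registry key and value names are case-insensitive, so everything is lowercased.
WATCHED_KEYS = {
    r"hkey_current_user\software\microsoft\internet explorer\main",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(token):
    """Strip the quotes from a .reg string and undo its backslash escaping."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token  # dword:, hex: and other typed data are kept as written


def parse_reg(text):
    """Return {(key, value_name): data} for the watched keys in .reg export text."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex data wrapped onto the next line
            pending = line[:-1]
            continue
        section = _SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        value = _VALUE.match(line)
        if value and key in WATCHED_KEYS:
            name = "(default)" if value.group(1) == "@" else _unquote(value.group(1))
            entries[(key, name.lower())] = _unquote(value.group(2))
    return entries


def find_reappearing(infected, cleaned, rebooted):
    """Report watched values whose cleaned state did not survive the reboot.

    'reverted': the data equals the infected snapshot again (tickler-style reinstall).
    'new':      the data differs from both earlier snapshots and needs review.
    """
    findings = []
    for entry, data in sorted(rebooted.items()):
        if cleaned.get(entry) == data:
            continue  # unchanged since cleanup
        status = "reverted" if infected.get(entry) == data else "new"
        findings.append((status, entry[0], entry[1], data))
    return findings


# Constructed snapshots in .reg export format (not captured from a real machine).
INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://t.rack.cc/hp.php"
"ExampleFlag"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updmgr"="C:\\WINDOWS\\updmgr.exe"
'''

CLEANED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.org/"
"ExampleFlag"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
'''

REBOOTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://t.rack.cc/hp.php"
"ExampleFlag"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updmgr"="C:\\WINDOWS\\updmgr.exe"
"helper"="C:\\WINDOWS\\helper.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Unrelated"="ignored"
'''

if __name__ == "__main__":
    snapshots = [parse_reg(s) for s in (INFECTED, CLEANED, REBOOTED)]
    for status, key, name, data in find_reappearing(*snapshots):
        print(f"{status:8} {key}\\{name} = {data}")
```

On a real system, produce the three inputs with `reg export` for each watched key and read the files as UTF-16 before passing their text to `parse_reg`.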

Antispyware tools operate like antivirus software: They find and remove only the programs their developers have already identified. And many spyware programs try to disable the tools that hunt them. Wise users install more than one antispyware engine (though having several configured for real-time blocking may cause problems). Even the best tools don't find all spyware. At the very least, it can be extremely frustrating when spyware causes your system to run badly or slowly or hijacks things like home page or search functions. And when you consider how much personal information your computer contains, how much someone could learn about you by virtually peering over your shoulder as you work or surf the Web, spyware should make you very worried indeed.


Spy Stopper: Spy Sweeper 2.2


Let's be clear: None of the applications we tested for this roundup hit the ball out of the park in terms of detecting and removing the adware, Trojan horses, key loggers, and hosts of other assorted nasties that make up the unpleasant category of applications known as spyware. They're not yet as good at their jobs as antivirus programs are, but they're nearly as important to have on your PC. Having a good antispyware program like Spy Sweeper 2.2 on our machines helps the editors at PC Magazine sleep—or surf, as the case may be—a little better at night.

Spy Sweeper is an impressive combatant in the battle against spyware—the best of all the applications we tested at finding spyware in on-demand scans. It also proved to be very good at removing it. None of the programs excelled on our tests at blocking spyware from getting on your machine in real time, but Spy Sweeper was as good as any. The fact that it is easy to use and provides you with enough information to make good choices when you're faced with spyware puts it over the top. If you already have a good antivirus and firewall system but lack specific spyware protection (and believe us, you need it), Spy Sweeper is the application you should consider first.

A close second in terms of spyware detection is Spybot Search & Destroy 1.2. Spybot won last year's Editors' Choice, and it's the recipient of an honorable mention this year. It was edged out of an Editors' Choice this year only by Spy Sweeper's slightly superior spyware removal abilities. The fact that Spybot is free may actually make it the first choice for some of our more cost-conscious readers—but please, if you use and like it, consider making a donation to keep this impressive labor of love alive. After all, identity theft—one of the worst possible consequences of a spyware infestation—can cost more than $10,000 per incident (see "Identity Theft: What, Me Worry?").

Some readers may balk at the idea of installing and managing yet another security application. We sympathize. If you prefer to get your protection in one package, consider McAfee Internet Security 2004, another honorable mention. While we preferred Norton Internet Security 2004 in our earlier roundup of security suites (November 25), that story was weighted heavily toward antivirus and firewall capabilities. If you're in the market for a security suite and you're more worried about spyware, McAfee's offering is the one for you. McAfee Internet Security has competent core security tools and outperformed Norton by a considerable margin in this category. And when its new standalone tool is released, Spy Sweeper and Spybot may have some tough competition in the standalone antispyware category.


Ad-aware Plus 6


  • Product: Ad-aware Plus 6
  • Price: $26.95 direct
  • Company Info: Lavasoft, www.lavasoftusa.com



    Ad-aware Plus 6, perhaps the best-known antispyware product, is generally a solid solution. Although it doesn't offer total protection from threats and has a few interface features that could be improved, in our testing it did a good job of scanning, classifying, and removing spyware as well as alerting us to potentially dangerous actions as we surfed the Web.

    Ad-aware has two key components: a main scanner console and an Ad-watch module that lets you monitor behavior in real time. (Lavasoft's free Ad-aware Standard Edition doesn't include the Ad-watch real-time detection module.) Ad-watch monitors key system assets and alerts you when it detects something suspicious—for example, a known spyware process running in memory or an application attempting to change a Registry entry. Ad-watch then gives you the ability to block or permit the action.

    While Ad-watch won't absolutely prevent you from downloading malicious software—unless you let it disable all downloads, including perfectly benign applications—it does give you advance warning and an opportunity to cancel installation. This real-time detection would be more helpful if the warning dialog actually provided information about suspected spyware programs and the threats they represent, as Webroot's Spy Sweeper 2.2 does. With Ad-watch, you've got to do the research for yourself. The module didn't provide real-time warnings for a few applications we installed, such as a solitaire game that includes the Aureate/Radiate engine and SideStep, which detects the use of travel price comparison services and offers its own price search instead.

    Ad-watch also integrates a pop-up blocker—a useful feature, but we wish it were separately configurable. The pop-up blocker sometimes became so overzealous that it closed our primary browser window.

    Ad-aware's main scanning engine is easy to use, and it detected and cleaned a reasonable portion of the threats we threw at it in testing, although it missed a number of key loggers. And like many of the products we tested, Ad-aware could not fully remove some programs, which used ticklers to keep reinstalling themselves when we rebooted. It was also squelched by the key logger SpyAgent, which actively disables many spyware-scanning tools.

    For advanced users, Ad-aware offers a panoply of detailed configuration options (and the Pro version, $39.95, offers even more). Unfortunately, Ad-aware's options interface has some redundant sections and can be a bit confusing. This situation is compounded by the frequent absence of context-sensitive help—despite a prominent question mark icon.

    On the whole, Ad-aware Plus 6 offers a compelling though not bulletproof combination of real-time monitoring and on-demand scanning capabilities.


Aluria's Spyware Eliminator 3.0


  • Product: Aluria's Spyware Eliminator 3.0
  • Price: $59.99 direct
  • Company Info: Aluria Software LLC, www.aluriasoftware.com



    Aluria's Spyware Eliminator 3.0 wraps fast and thorough spyware scanning and good threat information in a slick, Mac-style interface. Although its preemptive blocking capabilities had limited effectiveness in PC Magazine Labs' testing, and its interface has some shortcomings, Spyware Eliminator is on the whole a competent antispyware tool—if an expensive one.

    On our tests, Spyware Eliminator scanned for installed threats quickly in most cases, with solid detection results in the middle of the pack. We did, however, experience occasional lockups when scanning heavily infested systems. Scan results appear in a flat list view, color-coded by severity. Clicking on an individual trace produces a detailed description of the detected spyware. While Spyware Eliminator didn't detect the key loggers we'd installed, it did find most other spyware, and it didn't clutter the results list with lots of marginally relevant hits such as tracking cookies.

    You can select traces for elimination individually or all at once, but not application by application. The tool also offers a rollback feature that correctly reenabled applications that were disabled when we removed their required adware components. This restores the adware as well, but if you want an app badly enough to live with the adware, this is a welcome ability.

    Beyond its basic scanning capability, Spyware Eliminator offers some options that users access via a slightly confusing tree view, which includes some check boxes that seem to have no effect whether you select them or not. One set of options controls blocking—stopping spyware from being installed in the first place—and lets you add Web sites to restricted zones, block ActiveX controls, and restrict access to suspicious IP ranges. Although Spyware Eliminator includes a long list of blocked ActiveX controls and IP ranges, there's a lot more on the Web that this prevention doesn't cover. After we enabled these blocking options, we went surfing for trouble and unfortunately were still able to download and install a large number of spyware apps without receiving any warning.

    Spyware Eliminator also includes a Winsock LSP stack-restoring tool, some evidence-erasing capabilities, and a feature that claims to prevent Internet Explorer home page hijacking, although it didn't prevent our home page from being hijacked during testing.

    Like many of the products in this roundup, Aluria's Spyware Eliminator 3.0 can perform a fair job of scanning your system and disinfecting it of spyware, if key loggers and real-time blocking aren't your primary concerns.


BPS Spyware/Adware Remover 8.2


  • Product: BPS Spyware/Adware Remover 8.2
  • Price: $29 direct
  • Company Info: Bullet Proof Soft Inc., www.bulletproofsoft.com



    BPS Spyware/Adware Remover is a collection of tools that provide some useful antispyware capabilities. But, given their rough edges and poor integration, they don't jell into a compelling solution.

    The program's core scanning engine, while reasonably good at finding existing spyware, is slow and troubled by false positives. It took more than 4 minutes to scan a clean Windows XP installation, compared with a minute or so for the bulk of the products we tested. Even more troubling, on that pristine baseline system BPS reported (incorrectly) that Gator and two renegade dialers were installed.

    Scan times grew longer—to as much as 10 minutes—when we tested BPS on infected systems. Like many of the products we examined, the scanner wasn't able to detect the key loggers we'd installed (and two of them, iOpus Starr and SpyAgent, forced BPS to shut down before it could even begin a scan). Also like many other apps in this roundup, BPS was unable to prevent some spyware, such as istbar and RapidBlaster, from resurrecting itself on reboot, despite repeated scrubbing.

    BPS offers real-time protection and blocking in a separate program that monitors processes and memory. While this approach is similar in principle to the way many other products handle real-time scanning, BPS's execution is ineffective. The real-time monitor simply displays an ever-growing, text-only log of cautionary messages that commingle serious alerts (spyware detected running in memory) with the more mundane (tracking cookies detected). The app offers such a profusion of information, with no tools to sort or filter it, that reacting appropriately is difficult unless you really know what you're doing. As this text box grows, its responsiveness diminishes. The fact that BPS is also one of only two products here (PC-cillin Internet Security 2004 is the other) that received a rating of poor for spyware descriptions makes the task doubly challenging. In addition, while testing this monitoring app we experienced occasional lockups and crashes.

    The BPS toolkit includes three other utilities: a pop-up blocker, a system hijack scanner, and a Winsock repair tool. Licensed versions of BPS Spyware/Adware Remover 8.2 are also sold under third-party brand names, such as Cyberheat Adware Remover Gold. If you're not looking for an on-demand scanner, BPS does a reasonable job of detecting spyware—and Bullet Proof Soft offers a five-day free trial so you can see if the app will do the job. But the poor integration of ancillary tools such as real-time blocking and a lack of information are unfortunate.


McAfee Internet Security 2004


  • Product: McAfee Internet Security 2004
  • Price: $69.99 direct
  • Company Info: McAfee Security, www.mcafee.com



    Antispyware tools are just one part of McAfee Internet Security 2004, a comprehensive suite that includes an antivirus scanner, antispam capabilities, a personal firewall, and more. But despite its wide focus, McAfee has not skimped on the individual components; the suite's spyware scanner is one of the better tools we tested, and it's one of only a handful of apps that successfully detected at least one of the three key loggers we had installed in testing (none caught all three). In fact, it gets an honorable mention as the best suite-based antispyware app we saw in this roundup.

    McAfee's standard virus scanner can identify a few spyware components, but to cleanse your system thoroughly, you'll need to click to the Privacy Service section (also available separately for $34.95) and select Remove Unwanted Spyware. After a few minutes of scanning, McAfee Internet Security presents an uncluttered list of all the spyware on your machine. For each spyware application, you'll need to choose whether to clean or exclude it; we do wish the app provided more information and guidance here to help users make this decision.

    If you opt to remove an application, you'll have a chance to let the product use its own uninstaller (if it has one) or to let McAfee try to uninstall individual spyware components (you can select exactly which ones). While we like the degree of control this approach offers, the result is that removing a large volume of spyware takes a lot of manual effort, since you have to select each component, and there are often many components to a spyware app.

    In our testing, McAfee Internet Security found most of the spyware installed on our systems and successfully removed the majority of them, though a few resilient programs kept reappearing each time we rebooted. Our attempts to have the McAfee product uninstall SideStep locked up the removal tool, but we were able to eliminate it later using SideStep's uninstaller.

    McAfee Internet Security provides a variety of real-time blocking tools, including one that can foil attempts to add toolbars to your browser without permission. Other real-time blocking tools let us designate protected files or folders and prohibited actions such as formatting a drive, and they immediately displayed pop-up alerts giving us the option to permit or block the activity when we attempted to violate those restrictions. While these capabilities didn't completely prevent us from straying into trouble, their combined effect was one of the most effective approaches we saw.

    As we went to press, McAfee also announced that it would soon be shipping a standalone, enhanced version of its spyware scanner, which might be available by the time you read this. That's encouraging news, given that the company's current scanner is already worthy of an honorable mention.


Norton Internet Security 2004


  • Product: Norton Internet Security 2004
  • Price: $69.95 direct
  • Company Info: Symantec Corp., www.symantec.com



    Spyware blocking, detection, and removal turn out to be weak components of the otherwise excellent Norton Internet Security 2004, which earned an Editors' Choice award in our recent roundup of Internet security suites (November 25). Like the other suites in this roundup, Norton includes a firewall, antivirus and antispam scanners, parental controls, and privacy-monitoring capabilities that watch for transmission of sensitive personal data. But in the realm of antispyware tools, this suite is no substitute for the more robust packages reviewed here. If you want an Internet security suite that includes strong spyware capabilities, consider McAfee Internet Security 2004 instead.

    Norton's spyware monitoring, like Trend Micro's PC-cillin Internet Security 2004, is bolted onto Symantec's standard virus-scanning engine—though in the case of Norton, spyware scanning is enabled by default. While this integration offers the advantage of making spyware scanning an integral part of your regular antivirus sweeps, Norton's engine just isn't very effective at coping with spyware.

    When we scanned a variety of infested systems, Norton detected only a handful of the lurking spyware products. It presented its results in a simple list, with no detailed information about the threats, although double-clicking led to a Symantec Web page with more information on each item. This additional detail turned out to be crucial, since Norton was unable to remove a significant number of the few spyware products it managed to identify, urging us instead to follow the provided manual-removal instructions to disinfect our system. While having this backup is a good idea, we don't think a security suite should force us to use it so often.

    Norton also did little in our testing to help us avoid installing problematic software. To its credit, it did detect and block the browser hijacker Lop the moment we clicked on the download link, and its script blocking curtailed (but did not entirely eliminate) the undesired browser modifications that FindTheWebsiteYouNeed foisted on us. This, however, was its only success in that regard.

    Like PC-cillin, Norton includes a privacy protection feature that lets you enter sensitive personal information such as your bank account numbers and block Internet traffic containing these secrets.

    While we've often been bullish on Norton's security products (and we recommend Norton Internet Security 2004 as a whole), when it comes specifically to antispyware, we're more bearish.


Panda Platinum Internet Security 8.01.00


  • Product: Panda Platinum Internet Security 8.01.00
  • Price: $39.95 direct
  • Company Info: Panda Software, http://us.pandasoftware.com



    Panda Platinum Internet Security 8.01.00, like software from McAfee, Symantec, and Trend Micro, is more than an antispyware tool: It's a full security suite that includes firewall, antivirus, antispam, and parental-control features. In our testing, Panda's proactive spyware-blocking capabilities were the best in this roundup at foiling spyware in real time. But its database seems to be less stringent in its definition of spyware than some, and its scanning features were not as effective as those of many other products in this roundup.

    We installed Panda on some spyware-infested systems and immediately began receiving pop-ups notifying us of suspicious processes running in memory and giving us the opportunity to delete each one. While the instant feedback was reassuring, the sheer number of individual alerts we had to navigate made us wish for a single screen that would let us view all the detected threats and bulk-manage them—our one complaint about an otherwise excellent user interface.

    On one of our heavily infested test-bed systems, Panda detected the elusive key logger SpyAgent right off the bat. When we removed it, however, we lost our Internet connection as well.

    Running a full system scan produces a complete list of detected spyware that you can view at a glance, and clicking on a spyware app takes you to Panda's Web site, which tells you more about it. Panda does not provide a facility for scheduling scans at regular intervals (only about half the apps we tested do this), though you can set the program to run on system start-up.

    When we set up Panda on a clean system and began surfing dangerously, the software blocked a number of actions effectively. In addition to detecting and eliminating adware and spyware bundled into seemingly harmless programs, it managed to detect Lop the moment we completed the download—when the program was still in a temporary directory—and prevented execution. Panda includes some administrative touches that could be helpful in a small-business or home network environment, such as optional password protection for scanner features and the ability to send a warning via e-mail when the program detects spyware on a system.

    If a security suite with strong real-time blocking capabilities appeals to you, Panda Platinum Internet Security 8.01.00 should make your short list, right after McAfee Internet Security 2004.


PC-cillin Internet Security 2004


  • Product: PC-cillin Internet Security 2004
  • Price: $49.95 direct
  • Company Info: Trend Micro Inc., www.trendmicro.com



    Trend Micro's PC-cillin Internet Security 2004 suite is, first and foremost, a personal firewall and virus scanner, but its virus detection capabilities have been beefed up to scan for and block other types of malware as well. PC-cillin's real-time blocking capabilities, however, are not as effective at handling as wide a variety of spyware as most of the standalone products we tested.

    PC-cillin's interface is polished and professionally executed. While it's easy to use on the whole, you'll have to dig a bit to enable scanning for spyware, which is disabled by default. To turn this on, you need to select System | Scan Settings | Real-time Scan and check the Scan for spyware check box.

    We found PC-cillin's active blocking reassuring. When we initiated a download containing a dangerous payload, PC-cillin popped up to deny access or quarantine the application, just as it would if you'd received an e-mail containing a virus. When it did detect spyware, it prevented us from installing the offending application. That said, this may actually instill a false sense of security in many users, as a number of spyware programs slipped past this cordon in testing.

    PC-cillin's on-demand scanning facilities were less well suited to handling today's proliferation of spyware. Although the scanner identifies a number of serious threats, it provides virtually no information you can use to ascertain what a given piece of spyware might be doing or what actions would be appropriate. Files simply appear in a list—you must process them one by one—and some of our attempts to quarantine or delete files were unsuccessful, with no reason provided. It turns out that the app is unable to remove spyware that is running at the time of the removal attempt—a notable weakness.

    Additionally, PC-cillin doesn't alert you to products, such as the Alexa toolbar, that live in the gray area some users would consider spyware. And it didn't protect our browser from being hijacked by FindTheWebsiteYouNeed.

    In an attempt to thwart spyware from a different angle, PC-cillin lets you enter various personal secrets such as Social Security numbers and credit card numbers. It then monitors Internet traffic, warning you if a program attempts to send this data elsewhere.

    PC-cillin's antispyware capabilities look good, but a slick interface will be cold comfort to users who discover they're infested by all the spyware the application misses.


PestPatrol 4 Home User Edition


  • Product: PestPatrol 4 Home User Edition
  • Price: $39.95 direct
  • Company Info: PestPatrol Inc., www.pestpatrol.com



    PestPatrol 4 Home User Edition distinguishes itself with the best pest descriptions in the business, so you can make truly informed decisions about how to handle the spyware you find on your machine. It's also among the best in terms of actually finding spyware. On the other hand, the program's interface is complex, its scanner is slow, cleanup can monopolize memory, and it's got little to boast about in the area of real-time blocking.

    With options galore and an interface that includes features like nested tabbed dialogs, PestPatrol is far more suitable for confident users than novices. But once you start scanning, you'll probably be impressed with the results. Not only does PestPatrol uncover a large amount of spyware, but it also provides excellent information to help you decide how to proceed. For each spyware trace, PestPatrol reports the program's name, type (pure spyware, adware, and so on), location, and risk level, as well as suggested action. Not enough? Click for more information and you'll find a highly detailed assessment of the threat. (Anyone can view the same information in PestPatrol's Pest Research Center, at www.pestpatrol.com/pestinfo.)

    This deluge of information would be even more useful if PestPatrol provided better ways to sort, filter, and organize it—or a one-click way to let you select all the traces associated with a particular spyware element, as in products like PepiMK Software's Spybot Search & Destroy 1.2 and Rizal Software's Spy Remover 7.1.1. We particularly missed this capability when we attempted to quarantine a large number of pests on one heavily infested system, which eventually led to a "low virtual memory" warning, then an "out of system resources" error, ultimately forcing a restart.

    PestPatrol's MemCheck utility is designed to block spyware installations in real time, but we found that most spyware wasn't deterred—although MemCheck did hinder the install of both Grokster and Kazaa, both of which install a particularly egregious amount of spyware if left unchecked. In fact, PestPatrol performed worst on real-time blocking among all the apps we tested that claimed to have that feature.

    PestPatrol takes an interesting approach to ferreting out key loggers. Instead of scanning for signatures, the program's utility KeyPatrol sniffs out processes that are monitoring keystrokes. But as with most tools we tested, the key logger SpyAgent actually prevented KeyPatrol from running long enough to report its presence.


    Spybot Search & Destroy 1.2


  • Product: Spybot Search & Destroy 1.2
  • Price: Free (donation requested)
  • Company Info: PepiMK Software, www.safer-networking.org



    PepiMK Software's Spybot Search & Destroy 1.2 did a very good job of identifying threats in our testing, though like most products in this roundup, it was unable to eliminate everything and didn't perform well against the key loggers we installed. Spybot's record for blocking spyware installs in real time is among the best in this roundup. That, combined with reasonable removal abilities and an array of helpful ancillary tools for system monitoring, earns this free application, which was an Editors' Choice winner last year (April 22), an honorable mention.

    Spybot operates in two different modes: easy and advanced. Easy mode exposes the scanning, cleaning, rollback, immunization, and definition update operations. Scan results appear in a simple list that commingles serious threats with lesser concerns, such as tracking cookies. Fortunately, Spybot lets you right-click to select or deselect a set of related components and add them to an exclusion list, to be ignored in future scans. A left click provides additional information about the threat you've selected.

    When Spybot can't eliminate a running process, it alerts you and configures itself to run immediately when Windows reboots, before your desktop or taskbar even appears. In most cases, this tactic was sufficient to clear away the spyware in question, though a few programs, such as PeopleOnPage, managed to reinstate themselves despite repeated removal attempts. But Spybot performed poorly against the key loggers we installed and, like most scanners, was disabled entirely when we ran it on a system infected with SpyAgent.

    Running automatically on reboot sometimes inexplicably switched Spybot from easy into advanced mode, which exposes many more configuration options for savvy users but may be overwhelming for novices. Advanced mode also lets you use tools such as a start-up manager and a BHO (browser helper object) monitor, which lets you see all installed browser extensions; both let you disable individual entries in the lists they generate.

    Spybot includes a slightly confusing immunization feature that's supposed to help protect Internet Explorer and block bad downloads, but its success on our tests was mixed. Immunization resulted in some sites being blocked via an entry in the system's HOSTS file; in other cases, as with Gator and SideStep, it resulted in a warning when we initiated a download.
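
    HOSTS-file blocking of the kind described above can be checked by reading the file back. The following is an added example, not Spybot's code: it parses HOSTS text, lists names pinned to a local address (blocked), and, going slightly beyond the text, lists names pointed at any other address for review. The sample content and all host names are constructed.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # immunization-style entry
0.0.0.0         popups.example  www.popups.example
203.0.113.7     search.example           # name pointed at an outside server
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:               # one line may carry several names
            yield ip, name.lower().rstrip(".")


def audit_hosts(text, expected_blocked=()):
    """Classify HOSTS entries and report expected block entries that are absent."""
    blocked, redirected = set(), {}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked.add(name)                 # resolves locally: site is unreachable
        else:
            redirected[name] = str(ip)        # resolves elsewhere: review by hand
    missing = sorted(n.lower() for n in expected_blocked
                     if n.lower() not in blocked)
    return {"blocked": sorted(blocked),
            "redirected": redirected,
            "missing": missing}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS,
                         ["ads.tracker.example", "downloads.example"])
    for key, value in report.items():
        print(key, value)
```

    Running the audit before and after a cleanup shows whether the block entries an immunization step added are still in place.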

    Spybot's strong scanning, good removal record, and useful utilities make it an excellent choice. The fact that it's free increases its appeal. If you decide that Spy Sweeper 2.2's slightly superior removal abilities suit your needs better, Spybot still makes an impressive backup.


    SpyCop 5.6 Home Edition


  • Product: SpyCop 5.6 Home Edition
  • Price: $69.95 direct
  • Company Info: SpyCop LLC, www.spycop.com



    Unlike most of the antispyware tools in this roundup, SpyCop 5.6 Home Edition doesn't try to do it all. Instead, the program focuses on defeating one specific class of spyware: key loggers. With that narrow focus, a primitive interface, a lack of real-time blocking abilities, and a high price, SpyCop isn't for everyone. But if you need a specialized tool that can outwit key loggers (a particularly sneaky category of spyware), SpyCop is worth a look. The software's secret weapon against key loggers is its "super stealth" mode, which obliterates all other running Windows processes (save your work first!) to ensure that spyware with active countermeasures against scanners can't interfere with its operation.

    In our testing, SpyCop's super stealth mode was one of the few ways we were successfully able to scan and disinfect a system with the key logger SpyAgent, which shuts down most antispyware tools when it detects them running. Other scan results were mixed: SpyCop detected Keylogger Pro but not iOpus Starr. And while the app found a small number of traditional spyware products such as Cydoor, it certainly won't provide the broad coverage you'll get from most other antispyware products.

    Scanning with SpyCop is a time-consuming affair that required 10 minutes or more, although you can reduce the time for subsequent runs by telling SpyCop to scan only files that are new or have changed since its last run. But the method it uses to do this, checking the archive bit, is so easily spoofed that we can't recommend using this quicker scan method. You can also configure the program to run when your screen saver kicks in.
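
    The weakness described above, as an added example that is not SpyCop's code: a quick scan that trusts file metadata can be told nothing has changed, while a baseline of content hashes cannot. Size and modification time stand in here for the Windows archive bit, which is likewise an attribute that any process with write access can reset; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def walk_files(root):
    """Yield every regular file path under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            yield os.path.join(dirpath, name)


def metadata_snapshot(root):
    """What a metadata-only quick scan trusts: size and modification time."""
    snap = {}
    for path in walk_files(root):
        st = os.stat(path)
        snap[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns)
    return snap


def hash_snapshot(root):
    """Baseline that depends only on file contents."""
    return {os.path.relpath(p, root): file_digest(p) for p in walk_files(root)}


def changed(old, new):
    """Paths that are new or whose recorded value differs from the baseline."""
    return sorted(p for p, value in new.items() if old.get(p) != value)


def demo():
    """Return (files a metadata scan would rescan, files a hash scan would rescan)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "helper.dll")
        with open(target, "wb") as f:
            f.write(b"original contents")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"unchanged")
        meta_base, hash_base = metadata_snapshot(root), hash_snapshot(root)

        # Constructed test case: same-length replacement with the old
        # timestamps put back, so the metadata looks untouched.
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"replaced contents")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        by_meta = changed(meta_base, metadata_snapshot(root))
        by_hash = changed(hash_base, hash_snapshot(root))
        return by_meta, by_hash


if __name__ == "__main__":
    by_meta, by_hash = demo()
    print("metadata scan would rescan:", by_meta)
    print("hash scan would rescan:    ", by_hash)
```

    The hash baseline costs a full read of every file, which is the time the quick mode was trying to save; the baseline itself also has to be stored where the software being scanned for cannot rewrite it.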

    SpyCop's interface is simple, but its design is far from user-friendly. Scan results in particular leave a lot to be desired. They appear in two small, fixed-size list boxes and provide little information to help you decide how to proceed. All SpyCop shows is a filename; double-clicking brings up a dialog with a button that promises more information but simply launches a Google search, which seems a bit slapdash, given the app's price.

    If you opt to remove a file, SpyCop does so by renaming it with a .spy extension (VeryBadThing.dll becomes VeryBadThing.dll.spy). The tool has no built-in rollback feature, though you could manually restore the file's original extension by removing the .spy.

    SpyCop offers a free-evaluation version, but this scans only for a random subset of spyware. If you need a tool specifically to detect and remove key loggers, SpyCop may be for you. For more general antispyware solutions, other products in this roundup offer more balanced feature sets and cost less.


    SpyGuard 2.0 Deluxe


  • Product: SpyGuard 2.0 Deluxe
  • Price: $49.95 direct
  • Company Info: Guardiansoftware.biz, www.spyguard.com



    SpyGuard 2.0 Deluxe is as much an evidence eliminator as an antispyware utility; sadly, its capabilities in the latter area fall short of those provided by almost every other application in this roundup. Plenty of other products can more thoroughly detect and eliminate malicious programs lurking on your system while providing better tools and information for using them effectively.

    SpyGuard's main interface is a tabbed dialog, from which you navigate a sea of check boxes to select the capabilities you wish to enable. SpyGuard scanned our test-bed systems rapidly and was able to detect a number of common spyware programs, including Aureate and Cydoor, as well as a number of key loggers, but it also missed a number of common nuisances, such as Bonzi Buddy. And it makes no attempt to warn you about tracking cookies, though its evidence elimination features let you indiscriminately remove cookies and a variety of other traces from your system.

    Unlike most of the products we tested, SpyGuard pops up a dialog each time it finds a spyware trace on your system, so you can't get an overall picture of the results and perform bulk operations. In the case of a seriously infested machine, this could result in an extremely slow removal process, even given that SpyGuard doesn't detect as many types of spyware as its competitors. SpyGuard links individual spyware definitions to the online database at Spyware-Guide.com, but we are disappointed by the program's help system, a single short page of HTML describing its capabilities.

    Removing detected spyware, as with many utilities, required multiple reboot-and-rescan cycles, and in the end SpyGuard was unable to eliminate SaveNow completely. Some other programs we tested it against were disabled but not fully removed, as we found when "dll not found" warnings popped up at awkward times. SpyGuard lacks the ability to roll back removals.

    SpyGuard's spyware-blocking capabilities are limited, too. Although a check box claims to let you protect your Registry against dangerous components, we didn't find it had any appreciable prophylactic effect. Another check box lets you have SpyGuard ensure that your Internet Explorer start page is set to what you want, but unlike Spy Sweeper, SpyGuard doesn't prevent home page changes in real time. The program does not provide a live-update feature.

    Although SpyGuard 2.0 Deluxe might be useful if you're looking for a way to clear traces of activity on your PC, its limited abilities to deter spyware and its lack of options should lead you to look elsewhere when it comes to stopping these snooping apps.


    SpyHunter 1.4.42


  • Product: SpyHunter 1.4.42
  • Price: $29.99 direct
  • Company Info: Enigma Software Group Inc., www.enigmasoftwaregroup.com



    SpyHunter was always one of our favorite video games (admit it, the music is running through your head), so we're extra disappointed that Enigma Software Group co-opted the name to put out such a mediocre product. SpyHunter 1.4.42 provides no blocking capabilities, offers only brief descriptions of detected spyware, and includes virtually no help or documentation. Its scanning was extremely slow and, on heavily infected systems, sometimes seemed to freeze entirely. These limited capabilities and minimal configuration options make it hard for us to recommend SpyHunter, even though it was one of the better apps at spyware detection.

    Even under the best of circumstances, SpyHunter's scan speed was tediously slow: On a pristine Windows XP system, it required nearly 11 minutes. And on some of our infected machines, we had to cancel scans that appeared to have hung after half an hour or more. When it finally did manage to complete a scan, it detected spyware quite respectably, but its removal results were mediocre at best.

    Sometimes a simple interface deftly masks complex functions, but in SpyHunter's case the interface is simple because the features are minimal. You can click on a button to start a scan, or pull down a menu to scan just a subset of the system (memory, Registry, cookies, or drives). The scan results appear as list box items with severity ratings. You can select items one at a time or all at once, but you can't easily select all traces associated with a single spyware product. In some cases, there will be dozens.

    SpyHunter's help system is disappointing, consisting of a Windows file containing just two paragraphs of text.

    Although SpyHunter includes a live-update capability, it doesn't tell you when or whether a new program file is available. You have to click the Program Update button, reinstall, and reboot, without knowing whether you're going to get a newer version or not. Checking to ensure you have current spyware definition files is more seamless.

    Compared with many other products offering richer features at similar prices, SpyHunter offers little reason to choose it.


    Spy Remover 7.1.1


  • Product: Spy Remover 7.1.1
  • Price: $15.95 direct
  • Company Info: Rizal Software, www.rizalsoftware.com



    Rizal Software's Spy Remover 7.1.1 takes a minimal approach to tackling spyware. It has few features, lacks blocking capabilities, and didn't find the key loggers we installed, or much of the other spyware. On the plus side, its scanning capabilities are easy to use, and it organizes results effectively.

    Spy Remover's biggest advantage is its straightforward interface, which ranks with the best in this roundup. Check the items you wish to scan (memory, Registry, cookies, or disk files) and press Scan Now to begin. When the results are ready, Spy Remover presents them in a convenient tree view that organizes spyware by type, specific program, and associated components. No other program we tested makes it so easy to get a clear picture of the spyware detected on your system, and you can easily eliminate all traces of a specific program or class of spyware by selecting a check box.

    We wish the excellent results list provided more insightful information about each of the detected apps, though. This would help users make more informed decisions on what course of action to take. But at least you can back up your changes and roll them back for all products you removed in a given session, if the removal broke an associated app that you need or want.

    If Spy Remover is unable to remove a component that's currently running, the app will queue it for removal on the next system boot, but unlike most of the products we tested, it doesn't specifically tell you that a reboot may be required to complete the disinfection. The application was about average at removing detected spyware.

    Our testing also exposed a few rough edges in Spy Remover. The program's Live Update capability worked at some times and not others (giving us a cryptic "division by zero" error or telling us that our "connection was forcefully rejected"). Additionally, removing spyware on one of our test-beds also resulted in a nonfunctioning Internet connection. While this is a common aftereffect of removing certain types of spyware, we didn't encounter this problem with the other apps on identical tests.

    In a crowded field, Spy Remover does not set itself apart from the pack, and its detection and removal abilities are subpar. On the other hand, its ease of use may appeal to less technically savvy users.


    Spy Sweeper 2.2


  • Product: Spy Sweeper 2.2
  • Price: One-year subscription, $29.95 direct
  • Company Info: Webroot Software Inc., www.webroot.com



    Webroot Software's Spy Sweeper 2.2 is the most effective standalone tool for detecting, removing, and blocking spyware. Although the program didn't perform perfectly in our testing, it was successful in inhibiting most spyware and was one of only three products that were able to scan a system successfully with the key logger SpyAgent installed.

    Spy Sweeper's Active Shields feature aims to protect you while you're surfing and warns you when your system loads spyware into memory, when your browser home page is changed, or (if you desire) when a site places tracking cookies on your system. The memory scanner detected most spyware as the apps were attempting to install.

    Spy Sweeper provided particularly informative descriptions of the programs and the option to scan the system now, scan later, or ignore a spyware app entirely. In a few cases, however, the pop-up window intended to warn us away from a program was hidden behind the installation window until after installation was complete. Spy Sweeper also didn't warn us when we installed CommonName, though it did identify that app during a later scan. Whenever a site or application tried to reset our Internet Explorer home page, a Spy Sweeper dialog popped up to ask if we approved of the change.

    We like Spy Sweeper's scanning capabilities. They're thorough and relatively fast, and the results are organized into a convenient hierarchy so you can see at a glance what spyware was detected without having to wade through every Registry key, file, or cookie that the scanner detected (though this information is available should you desire it). One caveat: You can't resize Spy Sweeper's fixed-size window, which shows only a few lines of information at a time. This can be irritating when you're working with a badly infected machine.

    Although scanning itself took just a minute or two, on some of our heavily infected test-beds Spy Sweeper took half an hour or more to quarantine the installed spyware. And while it succeeded in eliminating most of the undesirable software on our systems, we were unable to eliminate a handful of products, which managed to use ticklers to revive themselves after each reboot.

    Webroot also makes a free version of Spy Sweeper, without the live-update capabilities. Spy Sweeper's combination of ease of use, reasonable price, and above-average blocking and removal capabilities makes it an excellent choice for users who want a standalone application.


    How to Avoid Spyware


    1. Make sure to run an antispyware application. Perform on-demand scans regularly to root out spyware that slips through the cracks. Reboot after removal and rescan to make sure no ticklers, which are designed to reinstall spyware, have resurrected any deleted apps. Additionally, even though we are not overly impressed with any app's real-time blocking abilities, activate whatever your app of choice offers; it's nearly always better than nothing.

    2. Give your antispyware some backup. In addition to an antispyware app, make sure to run both software and hardware firewalls and antivirus applications to protect yourself against Trojan horses (and viruses, naturally).

    3. Beware of peer-to-peer file-sharing services. Many of the most popular applications include spyware in their installation procedures (see the sidebar "Spyware-Free P2P - for Free"). Also, never download any executables via P2P, because you can't be absolutely certain what they are. Actually, it's a good idea to avoid downloading executables from anywhere but vendors or major, well-checked sites.

    4. Watch out for cookies. While they may not be the worst form of spyware, information gathered via cookies can sometimes be matched with information gathered elsewhere (via Web bugs, for example) to provide surprisingly detailed profiles of you and your browsing habits. PC Magazine's own Cookie Cop 2 (www.pcmag.com/utilities) can help you take control of cookies.

    5. Squash bugs. Web bugs are spies that are activated when you open contaminated HTML e-mail. Get rid of unsolicited e-mail without reading it when you can; turn off the preview pane to delete messages without opening them. In Outlook 2003, choose Tools | Options, click on the Security tab, and select Change Automatic Download Settings. Make sure "Don't download pictures or other content automatically in HTML e-mail" is checked.

    6. Don't install anything without knowing exactly what it is. This means reading the end-user license agreement (EULA) carefully, as some EULAs will actually tell you that if you install the app in question, you've also decided to install some spyware with the software. Check independent sources as well, as some EULAs won't tell you about spyware.

    7. Protect yourself against drive-by downloads. Make sure your browser settings are stringent enough to protect you. In IE, this means your security settings for the Internet Zone should be at least medium. Deny the browser permission to install any ActiveX control you haven't requested.

    8. Keep up to date on the ever-changing world of spyware. Knowing the threat will help you defeat it. There are several great sites you can visit to keep abreast of this issue. PestPatrol's Research Center (www.pestpatrol.com/pestinfo) has one of the most comprehensive lists of spyware and related threats we've seen. SpywareInfo is another good online source of information. Finally, PC Magazine's Security Scout utility (www.pcmag.com/utilities) aggregates dozens of security-specific news feeds and brings them right to your desktop.


    11 Signs of Spyware


    1. You find a new finger-size hardware device connected between your keyboard cable's plug and the corresponding socket on the back of your computer. Or maybe someone recently offered you "a better keyboard."

    2. Your phone bill includes expensive calls to 900 numbers that you never made, probably at an outrageous per-minute rate.

    3. You enter a search term in Internet Explorer's address bar and press Enter to start the search. Instead of your usual search site, an unfamiliar site handles the search.

    4. Your antispyware program or another protective program stops working correctly. It may warn you that certain necessary support files are missing, but if you restore the files they go missing again. It may appear to launch normally and then spontaneously shut down, or it may simply crash whenever you try to run it.

    5. A new item appears in your Favorites list without your putting it there. No matter how many times you delete it, the item always reappears later.

    6. Your system runs noticeably slower than it did before. If you're a Windows 2000/XP user, launching the Task Manager and clicking the Processes tab reveals that an unfamiliar process is using nearly 100 percent of available CPU cycles.

    7. At a time when you're not doing anything online, the send or receive lights on your dial-up or broadband modem blink just as wildly as when you're downloading a file or surfing the Web. Or the network/modem icon in your system tray flashes rapidly even when you're not using the connection.

    8. A search toolbar or other browser toolbar appears even though you didn't request or install it. Your attempts to remove it fail, or it comes back after removal.

    9. You get pop-up advertisements when your browser is not running or when your system is not even connected to the Internet, or you get pop-up ads that address you by name.

    10. When you start your browser, the home page has changed to something undesirable. You change it back manually, but before long you find that it has changed back again.

    11. And the final sign is: Everything appears to be normal. The most devious spyware doesn't leave traces you'd notice, so scan your system anyway.


    Spyware-Free P2P - For Free


    The best way to deal with spyware is to avoid getting it in the first place. But that doesn't have to mean giving up file sharing, a prime source of spyware for the unsuspecting. You can find lite, hacked, or alternative versions of all the major P2P clients that are free of the unwanted code. Furthermore, the clients in some lesser-known networks never had spyware to begin with. Here are some clients you can get free of charge and free of that nasty spyware headache.

    Easily the most popular P2P network, Fast Track typically has more than 3 million users online, compared with a million or fewer for the nearest competitors. Kazaa, the most popular Fast Track client, however, loads what seems like 3 million pieces of spyware, making Kazaa Lite K++ a must-have (download sites change constantly; do a search). Not only is it free of malicious bloat, but it works just as well as the original app. For an even more streamlined and simpler Fast Track experience, try the iMesh Light client (www.imesh-light.com), although it may provide fewer search results and slower downloads than those of Kazaa Lite K++.

    An innovative spyware-free network of choice for many is eDonkey-2000, which lets clients download a file from other clients even while those clients are still in the process of getting the file. This idea has evolved into an even better technology, a veritable P2P revolution called Bit Torrent. This technology doesn't waste bandwidth having clients search for files; rather, the network produces torrents, or links to new files that are posted on Web sites such as SuprNova.org. Click on one of these torrents and your Bit Torrent client will begin downloading the desired file from machines that have complete versions, called seeds, as well as from machines that are in the process of downloading the file. Because the file comes down in random bits, even a machine beginning a download can potentially help someone finish one.

    A popular standalone Bit Torrent app is The Shadow's Experimental Bit Torrent Client (http://bt.degreez.net), which lets you adjust upload bandwidth. But if you want a client that will pull extra duty, try Shareaza (www.shareaza.com), which can also access eDonkey2000 and even the Gnutella network. Remember Gnutella? A powerful, simple way to access that network, with Fast Track-like multiple download sources, is Xolox (www.xolox.nl), which does everything the for-pay BearShare Pro does, but free.

    A couple of other spyware-free networks worth checking out (along with their associated clients) are Ares (www.softgap.com) and Filetopia (www.filetopia.com). Ares has become popular for its ease of use and decent selection. Paranoid types will love Filetopia, which adds the benefit of some anonymity through encryption. Filetopia therefore also helps avoid human spies such as those from well-known four-letter entertainment organizations.


    Scorecard: Spywares


    Easy installation and configuration raise a program's ease of use rating, as does a thorough, well-indexed help system; bugs, program crashes, or other problems lower this rating. Detection involves the range of spyware types the product successfully detects; more credit is given for detecting severe problems like active key loggers, less for simple adware. If a product removed most of the spyware it detected, it has a removal rating equal to its detection rating; if not, the removal rating is lower. A good blocking rating indicates that the product blocks installation of a wide variety of spyware, or at least warns when a spyware program is attempting installation. The amount of information these apps supply to the user varies widely; some provide an exhaustive online database of threats, some offer detailed descriptions of spyware they find, and some do neither. The overall rating is not an average but an aggregate based on rigorous discussions among PC Magazine Labs staff, reviewers, and editors.




    Copyright (c) 2004 Ziff Davis Media Inc. All Rights Reserved.