Get started Bring yourself up to speed with our introductory content.

Spyware Protection and Removal Tutorial

This free spyware protection and removal tutorial is a compilation of free resources that explain what spyware is, how it attacks and most importantly what you can to do to win the war on spyware.


As spyware continues to threaten the integrity of corporate infrastructures and the data they safeguard, it's crucial to understand how this type of malicious software works and how to defend against it.

This free spyware protection and removal tutorial is a compilation of resources that explain what spyware is, how it attacks and most importantly, what you can to do to protect against and remove spyware. Send us an email to let us know what other guides you'd like to see on

   What is spyware and adware?
   Is your computer or system infected with spyware?
   Different types of spyware and how an attack works
   Rootkit attacks: Different types and how they work
   How to detect, remove and prevent a rootkit
   How to find and remove spyware and build defenses

What is spyware and adware?
Spyware is a nefarious form of data collection technology that gathers private and personal information about a user or organization without his/her/its knowledge or consent. It usually lives on the Internet in the form of a virus and installs malicious code on a user's computer, unknowingly, when that user clicks on a link in an email or Web browser pop-up window.

Some spyware is used by organizations as a sales tool, collecting demographic information about Web surfers to be used as a way to mold their marketing and sales campaigns. A more malicious form of spyware, used by hackers and cybercriminals, is capable of stealing extremely sensitive information, such as Social Security numbers or credit card data.

Adware, which is a type of spyware, is often borne by a banner ad or a pop-up window that displays when a users travels to a specific website. Adware usually includes some sort of tracking code that is able to obtain and track user information and online browsing activity without the user's knowledge. This information can later be sold to marketers who then analyze users' browsing interest so they can infiltrate their screens with advertisements.

Is your computer or system infected with spyware?
Now that you know what spyware is, how can you tell if your computer or system has been infected with spyware? In this section of our free spyware protection and removal tutorial, we are going to highlight the biggest warning signs of spyware infection.

One of the first signs that you have been infected with spyware is if your computer and Internet connection are running painfully slow, especially if such a change happens quickly. When spyware is living on your system, it is tracking your actions, transporting data about those actions via the Internet and then producing and sending pop-up ads to your screen. These ads, or merely the transfer of activity data, in turn, cause your operating system to perform slowly in its day-to-day functions.

Some additional warning signs of spyware infection include:


  • Receiving an extensive number of pop-up ads, especially if the ads address you by name or in other personal ways, such as targeting websites you have visited or things you have searched for.
  • Your antivirus applications aren't working properly; you get warning messages about needing to update antivirus software that is already up to date.
  • Your browser's homepage is continually changing and new toolbars are popping up without any action on your part.

    Different types of spyware and how an attack works
    There are many different types of spyware. In fact, the general term "spyware" involves a variety of malicious, information-stealing software, such as Trojans, rootkits and keyloggers, all of which use a variety of malicious techniques. In this section, we will define the most common spyware attack techniques, discuss how they work, and offer insight on how to prevent them from infecting your network.

    What is a browser hijacking?
    A browser hijack is a form of malware that hijacks, or takes over a user's browser. This form of attack is capable of redirecting users to websites they never wanted to visit, overflowing a browser with pop-up windows, or changing browser settings. One sign of a browser hijack is if your browser settings are constantly changing (i.e. favorites, default homepages and search pages) to something unfavorable. Even if a user manually changes his or her browser settings back to their original state, the browser-hijacking spyware most likely made changes in the registry, causing the unwanted homepage or added favorites to resurface continually, even after the user restarts.

    Browser hijackers often also map certain Web URLs to a specific IP address, so every time a user types a specific URL into his or her browser, say, it will take them to a different website, such as a porn site, instead. Or every time a user mistypes a URL, the user will be redirected to the spyware owner's Web page of choice, instead of a "bad link" or website unknown" page.

    Browser hijacks most often redirect users to pornographic websites, which can cause serious problems if you are a victim using a closely monitored office machine.

    How does a keystroke logger work?
    A keystroke logger, or keylogger, is a device that installs a form of malicious software onto a machine via a spyware or malware utility. Once installed, it tracks and records the user's specific keystrokes, often including what a user types on a keyboard and even mouse click data. Keystroke loggers are most often used for malicious intentions, but are occasionally used by corporations to monitor employee activity. When used maliciously, a keystroke logger can be used to capture sensitive user information, such as user names and passwords, Social Security numbers, account numbers and encryption keys – basically any data imputed by the system user. This information is either saved somewhere on the machine for the hacker to access later, or it is sent to an Internet spyware server or personal email address.

    When a user visits a malicious website that harbors a keylogger, the malicious program is most often automatically installed on the user's computer via system exploits, typically unpatched operating system or application flaws. Obviously an attacker's possession of your personal information can lead to identity theft, as well as financial and credit problems, but hacker access to personal information about enterprise systems is also extremely worrisome. For instance, if an attacker knows a system's encryption key, he then has the information necessary to unlock all the sensitive information on that system or even the entire network, making encryption efforts pointless.

    Rootkit attacks: Different types and how they work
    A rootkit is a form of spyware software that is installed on a victim's machine by a hacker. The hacker usually gains root access to a system, which is the highest level of access, through an unpatched flaw or vulnerability, or by cracking a weak password. The attacker then uses the rootkit to hide any trace of his or her presence by concealing, modifying or deleting files, logon activity or traffic information. This enables the attacker to mull around the network and wreak havoc while the user is none the wiser. The attacker will also often install a backdoor on a victim machine so they can enter and exit the system at their convenience. Rootkits first originated in Unix- and Linux-based systems, but over time they have evolved to target Windows and other OSes as well.

    There are two forms of rootkits: user mode and kernel mode. A user-mode rootkit tries to remain undetected by replacing binaries, which means it is detectable through changes in key system files, and therefore, not as dangerous. A kernel-mode rootkit is much sneakier, and is the form most often used by attackers. Kernal-mode rootkits gain access to the root, or core of the operating system, allowing them to run on the same privilege level as other legitimate system processes and programs. From that level, these rootkits are capable of controlling systems and programs, letting the user see only what it wants them to see.

    There are also rootkit hypervisors, which are layers of virtualization software that lie between a machine's hardware and its OS. These types of rootkits control a machine by running its OS in a virtual machine, meaning the rootkit is in complete control of the entire operating system; it has the ability to reject any security defense, making it nearly impossible to detect.

    How to detect, remove and prevent a rootkit
    In order to prevent the installation of rootkits, it is important to be sure that all enterprise systems are fully patched. If a new patch is released, be sure to apply it as soon as possible in order to avoid an opening that rootkit writers can exploit to bury the malicious programs deep in the file systems of client machines.

    Also practice a layered defense-in-depth approach to security that includes the use of firewalls, strong authentication and consistent, verifiable configurations; the fewer weaknesses and more layers there are in an organization's security architecture, the less likely it will be that attackers can get through.

    There are several rootkit removal programs that claim to be able to detect and remove the malicious software, but it is difficult to verify whether the removal program successfully or fully did its job.

    The only way to be absolutely certain the rootkit is completely removed is to wipe the computer, i.e. delete the data on the machine's hard drive and reinstall the operating system.

    How to find and remove spyware and build defenses
    So, you have been infected with some form of spyware and successfully cleaned your operating system -- now what? Build your system defenses to avoid another attack. One of the first steps in developing a strong defense system to prevent spyware is to be sure that antivirus programs and systems are installed and updated accordingly. Users can also install spyware scanner programs, such as Lavasoft's Ad-Aware and Spybot Search and Destroy, which are both available for free download online. Both programs scan systems and detect and delete spyware. Also, your operating system should be patched and updated as necessary. If there are known OS vulnerabilities, hackers will try to take advantage of them, so it's important to keep your system updated with the latest vulnerability fixes.

    End-user education on how to avoid spyware is another important aspect of any spyware defense strategy and should be incorporated into every enterprise's employee security awareness training. Users should be reminded of the organization's acceptable use policy when accessing the Internet, and especially for visiting potentially insecure websites and downloading material. Certain websites, such as pornographic and gaming sites, are notorious for harboring malicious code. Even though it may be obvious that these sites are prohibited, it is worthwhile to remind users of the penalties they could face, such as termination, if they brake corporate policies and access these types of sites.

    To defend against browser-based spyware, be sure your browser security settings never go below "medium" and users are educated to not open suspicious emails, click on strange links in an email, travel to suspicious websites or click on random browser prompts. Be sure to rely on network defenses as well, specifically network firewalls; firewalls can often be useful in alerting administrators to spyware activity since they are typically the point where traffic enters the network. Browser hardening should also be a general security practice for the organization. Also consider deploying a Active Directory Group Policy Object as a way of enforcing stricter browser configurations.

    It has been suggested in the past that Internet Explorer is more susceptible to becoming infected with spyware, since some malicious code is specifically written for IE. Consider recommending that users browse with another application, like the Firefox or Opera browsers. It's another way to add an additional layer to an organization's spyware defense.

    If a system has already been infected with spyware, one of the first steps in cleaning the machine is to run an antivirus system scan and delete anything that it finds that is clearly malicious. Be sure to schedule future scans daily at a convenient time.

    Finally also delete any applications or programs that are unfamiliar or strange and clearly don't serve a business purpose. Be sure to backup the system first in order to prevent problems that can result after accidentially deleting something important.

This was last published in February 2009

Dig Deeper on Malware, virus, Trojan and spyware protection and removal