Remedies and prevention
As the spyware threat has worsened, a number of techniques have emerged to
counteract it. These include programs designed to remove or to block spyware, as
well as various user practices which reduce the chance of getting spyware on a
Nonetheless, spyware remains a costly problem. When a large number of pieces
of spyware have infected a Windows computer, the only remedy may involve backing
up user data, and fully reinstalling the operating system.
Many programmers and some commercial firms have released products designed to
remove or block spyware. Steve Gibson's OptOut, mentioned above,
pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and
Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as
effective tools to remove, and in some cases intercept, spyware programs. More
recently Microsoft acquired the GIANT AntiSpyware software, rebadging it
as Windows AntiSpyware beta and releasing it as a free download for
Windows XP, Windows 2000, and Windows 2003 users. In early spring, 2006,
Microsoft renamed the beta software to Windows Defender, currently "beta 2." The
renamed software for now exists as a time-limited beta test product that will
expire (beta 1 in July 2006, and beta 2 in December, 2006). Microsoft has also
announced that the product will ship (for free) with Windows Vista. Other
well-known anti-spyware products include Webroot Spy Sweeper, Trend Micro's
Anti-Spyware, PC Tools' Spyware Doctor, ParetoLogic's XoftSpy, iS3's STOPzilla
and Sunbelt's CounterSpy (which uses a forked codebase from the GIANT
Major anti-virus firms such as Symantec, McAfee and Sophos have come later to
the table, adding anti-spyware features to their existing anti-virus products.
Early on, anti-virus firms expressed reluctance to add anti-spyware functions,
citing lawsuits brought by spyware authors against the authors of web sites and
programs which described their products as "spyware". However, recent versions
of these major firms' home and business anti-virus products do include
anti-spyware functions, albeit treated differently from viruses. Symantec
Anti-Virus, for instance, categorizes spyware programs as "extended threats" and
now offers real-time protection from them (as it does for viruses).
Anti-spyware programs can combat spyware in two ways:
- real-time protection, which prevents the installation of spyware
- detection and removal of spyware.
Writers of anti-spyware programs usually find detection and removal simpler,
and many more programs have become available which do so. Such programs inspect
the contents of the Windows registry, the operating system files, and installed
programs, and remove files and entries which match a list of known spyware
components. Real-time protection from spyware works identically to real-time
anti-virus protection: the software scans incoming network data and disk files
at download time, and blocks the activity of components known to represent
spyware. In some cases, it may also intercept attempts to install start-up items
or to modify browser settings.
Earlier versions of anti-spyware programs focused chiefly on detection and
removal. Javacool Software's SpywareBlaster, one of the first to offer real-time
protection, blocked the installation of ActiveX-based and other spyware
programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now
combine the two approaches, while SpywareBlaster remains focused on prevention.
Like most anti-virus software, many anti-spyware/adware tools require a
frequently-updated database of threats. As new spyware programs are released,
anti-spyware developers discover and evaluate them, making "signatures" or
"definitions" which allow the software to detect and remove the spyware. As a
result, anti-spyware software is of limited usefulness without a regular source
of updates. Some vendors provide a subscription-based update service, while
others provide updates gratis. Updates may be installed automatically on a
schedule or before doing a scan, or may be done manually. Not all programs rely
on updated definitions. Some programs rely partly (for instance Windows
Defender) or entirely (BillP's WinPatrol, and certainly others) on historical
observation. They watch certain configuration parameters (such as the Windows
registry or browser configuration) and report any change to the user, without
judgment or recommendation. Their chief advantage is that they do not rely on
updated definitions. Even with a subscription, a "critical mass" of other users
have to have, and report a problem before the new definition is characterized
and propagated. The disadvantage is that they can offer no guidance. The user is
left to determine "what did I just do, and is this configuration change
If a spyware program is not blocked and manages to get itself installed, it
may resist attempts to terminate or uninstall it. Some programs work in pairs:
when an anti-spyware scanner (or the user) terminates one running process, the
other one respawns the killed program. Likewise, some spyware will detect
attempts to remove registry keys and immediately add them again. Usually,
booting the infected computer in safe mode allows an anti-spyware program a
better chance of removing persistent spyware.
Malicious programmers have released a large number of fake anti-spyware
programs, and widely distributed Web banner ads now spuriously warn users that
their computers have been infected with spyware, directing them to purchase
programs which do not actually remove spyware — or worse, may add more spyware
of their own. 
The recent proliferation of fake or spoofed antivirus products has occasioned
some concern. Such products often bill themselves as antispyware, antivirus, or
registry cleaners, and sometimes feature popups prompting users to install them.
This is called Rogue software.
Known offenders include:
- Malware Wipe
- Pest Trap
- AntiVirus Gold
- Spy Sheriff
- PAL Spyware Remover
- Spyware Stormer
For details, please see "Rogue/Suspect Anti-Spyware Products & Web Sites"
On 2006-01-26, Microsoft and the Washington state attorney general filed suit
against Secure Computer for its Spyware Cleaner product.
Using a virtual machine (such as a pre-built Browser Appliance for VMware
Player) can inhibit infection by spyware, malware, and viruses. Virtual machines
provide separate environments, so if spyware enters the virtual environment, the
host computer remains unaffected. One can also use snapshots to remove one's
private information, transporting the snapshot of the VM.
This environment resembles a sandbox. It has drawbacks in that it uses more
memory (compared to a standalone browser) and it uses a lot of disk space.
To deter spyware, computer users have found a number of techniques useful in
addition to installing anti-spyware software.
Many system operators install a web browser other than Microsoft's Internet
Explorer (IE), such as Opera or Mozilla Firefox. Though such web browsers have
also suffered from some security vulnerabilities, because most users that are
likely to fall for spyware aren't using them, these browsers are not targeted as
much as Internet Explorer. Not a single browser ranks as safe, because in the
case of spyware the security comes with the person who uses the browser.
Some Internet Service Providers — particularly colleges and universities —
have taken a different approach to blocking spyware: they use their network
firewalls and web proxies to block access to Web sites known to install spyware.
On March 31, 2005, Cornell University's Information Technology department
released a report detailing the behavior of one particular piece of proxy-based
spyware, Marketscore, and the steps the university took to intercept it.
 Many other educational
institutions have taken similar steps against Marketscore and other spyware.
Spyware programs which redirect network traffic cause greater technical-support
problems than programs which merely display ads or monitor users' behavior, and
so may attract institutional attention more readily.
Some users install a large hosts file which prevents the users computer from
connecting to known spyware related web addresses. However, by connecting to the
numeric IP address, rather than the domain name, spyware may bypass this sort of
Spyware may get installed via certain shareware programs offered for
download. Downloading programs only from reputable sources can provide some
protection from this source of attack. Recently, CNet revamped its download
directory: it has stated that it will only keep files that pass inspection by
Ad-Aware and Spyware Doctor.
Notable programs distributed with spyware
- Messenger Plus! (only if you agree to install their "sponsor" program)
- Bonzi Buddy 
- DivX (except for the paid version, and the "standard" version without the
encoder). DivX announced removal of GAIN software from version 5.2.
- Dope Wars 
- ErrorGuard 
- FlashGet (free version) 
- Grokster 
- Kazaa 
- Morpheus 
- RadLight 
- WeatherBug 
- EDonkey2000 
Sony's Extended Copy Protection involved the installation of spyware from
audio compact discs through autorun. This practice sparked considerable
controversy when it was discovered.
Notable programs formerly distributed with spyware
- AOL Instant Messenger 
(AOL Instant Messenger still packages Viewpoint Media Player)
- EDonkey2000 
- LimeWire (all free Windows versions up to 3.9.3)
- WildTangent