Introduction to Spyware

Document Sample
Introduction to Spyware Powered By Docstoc
					Introduction to Spyware
In the world of computers, spyware describes malicious software designed to intercept or take partial control of a
computer’s operation without the informed consent of that machine’s owner or legitimate user. The term literally
suggests software that monitors the user, but it has also come to refer more broadly to software that subverts the
computer’s operation for the benefit of a third party.

Spyware is not a virus or a worm. It does not usually self-replicate. Like many recent viruses, however, spyware exploits
infected computers for commercial gain by design. Therefore, typical tactics used by spyware programs include delivery
of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card
numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising

As of 2005, spyware has become one of the pre-eminent security threats to computer-systems running Microsoft
Windows operating systems. Users of Internet Explorer are especially at risk because of that browser’s collaboration
with the Windows operating system, which is why New Age Computers installs Mozilla Firefox and suggests that our
customers use it as their primary browser.

Spyware, “ad-ware”, and tracking
The term ad-ware frequently refers to any software which displays advertisements, whether or not it does so with the
user’s consent. The Eudora mail client displays advertisements as an alternative to shareware registration fees. These
classify as “ad-ware” in the sense of advertising-supported software, but not as spyware. Ad-ware in this form does not
operate covertly or mislead the user, and provides the user with a specific service.

Many of the programs frequently classified as spyware function as ad-ware in a different sense: their chief observed
behavior consists of displaying advertising. Claria Corporation’s Gator Software and Exact Advertising’s
BargainBuddy provide examples of this sort of program. Visited Web sites frequently install Gator on client machines
in a sneaky manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user.
The user experiences a large number of pop-up advertisements.

Other spyware behaviors, such as reporting on web sites the user visits, frequently accompany the displaying of
advertisements. Monitoring web activity aims at building up a marketing profile on users in order to sell “targeted”
advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web
browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer
plug-in published by, as spyware (and some anti-spyware programs report it as such) although many users
choose to install it.

How you can become infected
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not
attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or
through exploitation of software vulnerabilities.

The most direct route by which spyware can infect a computer involves the user installing it. However, users tend not to
install software if they know that it will disrupt their working environment and compromise their privacy. So many
spyware programs deceive the users, either by piggybacking on a piece of desirable software, or by tricking the users to
do something that installs the software without them realizing. Recently, spyware has come to include “rogue anti-
spyware” programs, which masquerade as security software while actually doing damage.

Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some
spyware programs get spread in just this manner. The distributor of spyware presents the program as a useful utility, for
instance, as a “Web accelerator” or as a helpful software agent. Users download and install the software without
immediately suspecting that it could cause harm. For example, Bonzi Buddy, a spyware program targeted at children,
claims that:
“He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-
mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you
love and help you save money! Best of all, he’s FREE!

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user
downloads a program (for instance, a music program or a file-trading utility) and installs it, and the installer additionally
installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases,
spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now
marketed by Claria. In other cases, spyware authors have repackaged desirable free software with installers that add

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent
unwanted installations. The Internet Explorer Web browser, by design, prevents web sites from initiating an unwanted
download. Instead, a user action (such as clicking on a link) must normally trigger a download. However, links can
prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a
message such as “Would you like to optimize your Internet access?” with links which look like buttons reading Yes and
No. No matter which “button” the user presses, a download starts, placing the spyware on the user’s system. Later
versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the
user navigates to a Web page controlled by the spyware author, the page contains code that attacks the browser and
forces the download and install of spyware. The spyware author would also have some extensive knowledge of
commercially available anti-virus and firewall software. This has become known as a “drive-by download”, which
leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet
Explorer and in the Microsoft Java runtime.

The installation of spyware frequently involves Microsoft’s Internet Explorer. As the most popular Web browser, and
with an unfortunate history of security issues, it has become the largest target. Its deep integration with the Windows
environment and its scriptability make it an obvious point of attack into Microsoft Windows operating systems. Internet
Explorer also serves as a point of attachment for spyware in the form of browser helper objects, which modify the
browser’s behavior to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the
W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system’s screen. By
directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal

The Effects and Behavior of Spyware
A piece of spyware rarely “lives” alone: an affected computer can rapidly become infected with large numbers of
spyware components. Users frequently notice unwanted behavior and degradation of system performance. A spyware
infestation can create significant unwanted CPU activity, disk usage, and network traffic, which slows down legitimate
uses of these resources. Stability issues, such as application or system-wide crashes, are also common. Spyware that
interferes with networking software commonly causes difficulty connecting to the Internet.

When Windows users seek technical support, whether from computer manufacturers, Internet service providers, or other
sources, spyware infection emerges as the most common cause. In many cases, the user has no awareness of spyware
and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Windows
installation problems, or to a virus. Some owners of badly infected systems resort to buying an entire new computer
system because the existing system “has become too slow.” Badly infected systems may require a clean reinstall of all
their software in order to restore the system to working order. This can become a time-consuming task, even for
experienced users.

Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one
infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces
installed. The cumulative effect and the interactions between spyware components typically cause the stereotypical
symptoms reported by users: a computer that slows to a crawl, overwhelmed by the many parasitic processes running on
it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security
settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease.
Documented cases have also occurred where a spyware program disabled other spyware programs installed by its

Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove.
(Targetsoft modifies the “Winsock” Windows Sockets files. The deletion of the spyware-infected file “inetadpt.dll” will
interrupt normal networking usage.) Unlike users of many other operating systems, a typical Windows user has
administrator privileges on the system, mostly for convenience. Because of this any program that the user runs,
intentionally or not, has unrestricted access to the system. Spyware, along with other threats, has led some Windows
users to move to other platforms such as Linux or Apple Macintosh, which such mal-ware targets far less frequently.

Many spyware programs reveal themselves visibly by displaying advertisements. Some programs simply display pop-
up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window.
Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to
advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the
purposes for which spyware programs gather information on user behavior. Hence, pop-up advertisements lead to some
of users’ most common complaints about spyware.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware
advertisements use animation or flickering banners that are visually distracting and annoying. Pop-up ads for
pornography often display indiscriminately, including when children use the computer (possibly in violation of anti-
pornography laws).

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites.
Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site’s own advertisements
(which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of
advertising-funded Web sites.

“Stealware” and Affiliate Fraud
A few spyware vendors, notably WhenU and 180 Solutions, have written what the New York Times has dubbed
“stealware”, and what spyware-researcher Ben Edelman terms affiliate fraud, also known as click fraud. These redirect
the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Affiliate marketing networks work by tracking users who follow an advertisement from an “affiliate” and subsequently
purchase something from the advertised Web site. Online merchants such as eBay and Dell are among the larger
companies that use affiliate marketing. In order for affiliate marketing to work, the affiliate places a tag such as a
cookie or a session variable on the user’s request, which the merchant associates with any purchase made. The affiliate
then receives a small commission.

Spyware that attacks affiliate networks do so by placing the spyware operator’s affiliate tag on the user’s activity, which
replaces any other tag if there are any. This harms just about everyone involved in the transaction other than the
spyware operator. Having their choices thwarted harms the user. A legitimate affiliate is harmed by having their earned
income redirected to the spyware operator. Affiliate marketing networks are harmed by the degradation of their
reputation. Vendors are harmed by having to pay out affiliate revenues to an “affiliate” who did not earn them through a
contractual agreement.

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators
such as WhenU and 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.
Identity Theft and Fraud
Spyware has principally become associated with identity theft in that key loggers are routinely packaged with spyware.
It is estimated that identity thieves have stolen over $24 billion US dollars of account information in the United States

Spyware-makers may perpetrate another sort of fraud with dialer program spyware: wire fraud. Dialers cause a
computer with a modem to dial up a long-distance telephone number instead of the usual ISP. Connecting to these
suspicious numbers involves long-distance or overseas charges that invariably result in massive telephone bills that the
user is liable for. Dialers are somewhat less effective today, now that fewer Internet users use dialup modems.

Spyware and cookies
Anti-spyware programs often report Web advertisers’ HTTP cookies as spyware. Web sites (including advertisers) set
cookies, small pieces of data rather than software, to track Web-browsing activity: for instance to maintain a “shopping
cart” for an online store or to maintain consistent user settings on a search engine.

Only the Web site that sets a cookie can access it. In the case of cookies associated with advertisements, the user
generally does not intend to visit the Web site which sets the cookies, but gets redirected to a cookie-setting third-party
site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other
than the one that the user requested.

Advertisers use cookies to track people’s browsing among various sites carrying ads from the same firm and thus to
build up a marketing profile of the person or family using the computer. For this reason many users object to such
cookies, and anti-spyware programs offer to remove them.

Typical examples of spyware
A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.

  * Caveat: As with computer viruses, researchers give names to spyware programs, which frequently do not relate to
any names the spyware-writers use. Researchers may group programs into “families” based not on shared program
code, but on common behaviors, or by “following the money” or apparent financial or business connections. For
instance, a number of the spyware programs distributed by Claria are collectively known as “Gator”. Likewise,
programs, which are frequently installed together, may be described as parts of the same spyware package, even if they
function separately.

  * CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The
programs direct traffic to advertisements on Web sites including To this end, they display pop-up
ads, rewrite search engine results, and alter the infected computer’s hosts file to direct DNS lookups to these sites.

  * Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users
follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-
protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it
impossible for the user to access password-protected sites.

  * 180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters
HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for
the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.

  * HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic
Syndicate. It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other
spyware programs—an example of how spyware can install more spyware. These programs add toolbars to Internet
Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.
Remedies and prevention
As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs
designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware
on a system.

Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows
computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.

Anti-spyware programs
Many programmers and some commercial firms have released products designed to remove or block spyware. Steve
Gibson’s OptOut, mentioned above, and pioneered a growing category. Programs such as Lavasoft’s Ad-Aware SE and
Patrick Kolla’s Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases
intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, renaming it as
Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003
users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender, currently “beta 2.” The
renamed software now exists as a time-limited beta test product that will expire for beta 1 in July 2006 and for beta 2 in
December 2006. Microsoft has also announced that the product will ship for free with Windows Vista. Other well-
known anti-spyware products include Webroot Spy Sweeper, PC Tools’ Spyware Doctor, ParetoLogic’s XoftSpy, and
Sunbelt’s CounterSpy (which uses a forked codebase from the GIANT Anti-Spyware product).

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features
to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions,
citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products
as “spyware”. However, recent versions of these major firms’ home and business anti-virus products do include anti-
spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware
programs as “extended threats” and now offers real-time protection from them (as it does for viruses).

Anti-spyware programs can combat spyware in two ways:

 1. Real-time protection, which prevents the installation of spyware
 2. Detection and removal of spyware.

Writers of anti-spyware programs usually find detection and removal simpler, and many more programs have become
available which do so. Such programs inspect the contents of the Windows registry, the operating system files, and
installed programs, and remove files and entries which match a list of known spyware components. Real-time protection
from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk
files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also
intercept attempts to install start-up items or to modify browser settings.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software’s
SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other
spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two
approaches, while SpywareBlaster remains focused on real-time protection.

Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new
spyware programs are released, anti-spyware developers discover and evaluate them, making “signatures” or
“definitions” which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited
usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others
provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done
manually. Not all programs rely on updated definitions. Some programs rely partly (for instance Windows Defender) or
entirely (BillP’s WinPatrol, and certainly others) on historical observation. They watch certain configuration parameters
(such as the Windows registry or browser configuration) and report any change to the user, without judgment or
recommendation. Their chief advantage is that they do not rely on updated definitions. Even with a subscription, a
“critical mass” of other users have to have, and report a problem before the new definition is characterized and
propagated. The disadvantage is that they can offer no guidance. The user is left to determine “what did I just do, and is
this configuration change appropriate?”
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it.
Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one
respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add
them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of
removing persistent spyware.

Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web
banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase
programs which do not actually remove spyware — or worse, may add more spyware of their own.

The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill
themselves as antispyware, antivirus, or registry cleaners, and sometimes feature pop-ups prompting users to install

Known offenders include:

  * SpyAxe
  * AntiVirus Gold
  * SpywareStrike
  * SpyFalcon
  * WorldAntiSpy
  * WinFixer
  * SpyTrooper
  * Spy Sheriff
  * SpyBan
  * SpyWiper
  * PAL Spyware Remover
  * Spyware Stormer
  * PSGuard
  * AlfaCleaner

Security practices
To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware

Many system operators install a web browser other than Microsoft’s Internet Explorer (IE), such as Opera or Mozilla
Firefox - though such web browsers have also suffered from some security vulnerabilities. Not a single browser ranks
as safe, because in the case of spyware the security comes with the person who uses the browser.

Some Internet Service Providers, particularly colleges and universities, have taken a different approach to blocking
spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On
March 31, 2005, Cornell University’s Information Technology department released a report detailing the behavior of
one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. Many other
educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs, which
redirect network traffic, cause greater technical-support problems than programs that merely display ads or monitor
users’ behavior, and so may attract institutional attention more readily.
Spyware may get installed via certain shareware programs offered for download. Downloading programs only from
reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download
directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

Notable programs distributed with spyware

 * Messenger Plus! (only if you agree to install their “sponsor” program)
 * Bearshare
 * Bonzi Buddy
 * DAEMON Tools (only if you agree to install their “sponsor” program)
 * DivX (except for the paid version, and the “standard” version without the encoder). DivX announced removal of
GAIN software from version 5.2.
 * Dope Wars
 * ErrorGuard
 * FlashGet (free version)
 * Grokster
 * Kazaa
 * Morpheus
 * RadLight
 * WeatherBug

Notable programs formerly distributed with spyware

  * AOL Instant Messenger (AOL Instant Messenger still packages Viewpoint Media Player)
  * EDonkey2000
  * LimeWire (all free Windows versions up to 3.9.3)
  * WildTangent
          Spyware Blaster Instruction Manual
        Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on
the Internet today. By simply browsing to a web page, you could find your computer to be the brand-
new host of one of these unwanted fiends!

       The most important step you can take is to secure your system. Spyware Blaster is one of the
most powerful protection programs available.

         Having Spyware Blaster on computer allows you to:
         • Prevent the installation of ActiveX-based spyware, adware, browser hijackers,
           dialers, and other potentially unwanted software.
         • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
         • Restrict the actions of potentially unwanted sites in Internet Explorer.

       Spyware Blaster can help keep your system spyware-free and secure, without interfering with
the "good side" of the web. Spyware Blaster does not have to remain running in the background.

        The most important key to maintaining a secure computer is keeping your protection up-to-
date. To access Check for Updates, simply click on the “Updates” tab on the left side of the Spyware
Blaster interface.

After selecting the Updates button, you’ll need to click on the check for updates
button that shows up on the screen.

A loading bar will appear to give you progress on the update.
If there were updates available you will be presented with the following window.
Sometimes all of the updates aren’t downloaded, so left click on the back button
and when the Check for Updates button is back on the screen go ahead and left
click it again.

If there were no updates you will see this window. Close SpywareBlaster and don’t
forget to check for updates regularly!
        Spybot Search & Destroy Instruction Manual
Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer.
Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. If
you see new toolbars in your Internet Explorer that you didn't intentionally install, if your browser
crashes, or if you browser start page has changed without your knowing, you most likely have
spyware. Even if you don't see anything, you may be infected, because more and more spyware is
emerging that is silently tracking your surfing behaviour to create a marketing profile of you that will
be sold to advertisement companies. Spybot-S&D is free, so there's no harm in trying to see if some-
thing snooped into your computer.

When you first start Spybot Search & Destroy, you will probably be greeted with the legal disclaimer
information such as the one below. Simply click okay continue loading Spybot.
   Once the Legal information is off the screen, you will probably see the following screen:

The Wizard shows you several of Spybot’s useful features. Most of which we do not actually need to
set in the wizard, so often it is best to skip it if you see the window. Just click next until you are
presented with the final screen that presents you with a link to ‘start using this program.’

After the wizard is closed, you will be presented with the main Spybot - S&D window. This has
selections for several of the main features of the program. The two functions that we need to be
concerned about are Check for Options and Search for Updates.
Before we prepare to do a check for any spyware infections or problems, we want to make sure we
have the latest definitions on our computer. To do this we select Search for Updates which will give
us a list of updates that are available for the software.
Check all the boxes next to all the items listed for updates. After you’ve done this, click the drop
down menu to select an update location to download from. Since we are in the US, TDS (USA) is
probably the best and fasted location.

  A window will appear and start downloading the updates. Once it is done, Spybot might restart. If
it does, you’ll want to check for updates again to make sure you have everything. Once you have all
the updates, we can start scanning for problems.
In order to check for spyware infections, you’ll ever need to click on the Search & Destroy icon in
the upper left corner of the Spybot window, or you can click the Check for Problems button in the
main Spybot window. This will bring you to the following window.

You may have to click on the check for problems button to get it started. Once you see the red x and
the option to stop check and the loader bar at the bottom of the window moving, you’ll know that it
is scanning. Once scanning has finished, you’ll be presented with a list of items that were found.
Simply select Fix selected problems, and answer yes when it prompts you on whether you’re sure and
you should be set to go.
               Ad-Aware SE Personal Instruction Manual

With the ability to scan your RAM, Registry, hard drives, and external storage devices for known
data-mining, advertising, and tracking components, Ad-Aware SE easily can clean your system,
allowing you to maintain a higher degree of privacy while you surf the Web.

Ad-Aware SE Personal Edition boasts a number of improvements. Extended memory scanning now
scans all modules loaded by a process. Scanning uses the all- new CSI (Code Sequence Identifica-
tion) technology to identify new and unknown variants of known targets. Extended Registry scanning
now scans Registry branches of multiple-user accounts and performs additional smart checks to
detect dynamically created references. Scanning speed is noticeably faster, and this version offers an
Extended Scanning mode for known and unknown/possible browser hijackers.

When you first launch Ad-Aware SE, depending on the last time you used the software, it might
prompt you to check for updates. If it does, make sure you do so and download the updates. Once
that is done you will be presented with the above window.

This is the main Ad-Aware window. Here you have statistics about previous scans, how the software
is running, options to start a scan, and also an option to check for updates. Go ahead and check for
updates so we can make sure you have the latest definitions installed on your computer.
The webupdate window is very simple. Make sure you’re connected to the internet before you do
this, however. When you see this window, simply click the connect button. Ad-aware will connect
to its update servers and check to see if there are any updates available. If there aren’t any, the
software will tell and present you with the option to finish. If there are updates available, you’ll see a
window similar to the one below.

Click okay to start the download. You’ll see a progress bar giving you an indication on how long you
have to wait until the download will com-
Once the update is finished, click the finish button and you’ll end up back at the starting screen for
Ad-Aware. If you’re ready to start scanning for spyware, you’ll want to click on the start button.

You have a few options, the main two being a smart system scan and a full system scan. The smart
system scan checks a few known locations that spyware frequently inhabits. The full system scan
will check every file on your computer’s hard drive. Normal use requires a smart system scan, but if
you’re still having problems after that, you may want to try the full system scan. Regardless of your
Ad-Aware begins to scan your system for infected files. As it finds items, you’ll see a running tally
in reddish brown letters to show how many it has found and what kinds. Finally the scan will finish,
display that it is complete, and give you the option to click next so you can decide what to do with
what Ad-Aware found.

You’ll be presented with the scanning results, giving you a list of what type of spyware items it
found. Simply click the check boxes next to each of the items listed under Scan Summary and click
next to continue the cleaning process.

  Once you click next you will be asked if you wish to continue. Click OK and you are done!