Once spyware has exploited a security vulnerability, the payload is installed on the victim's computer and usually hijacks Web browser functions. The most common hijack technique is to use a BHO (Browser Helper Object).
A BHO is a DLL (Dynamic Link Library, a special type of executable file) that Internet Explorer loads into its own process. Because it runs inside the browser, with the browser's privileges, and receives the browser's navigation and document events, it can monitor and change anything the user does in Internet Explorer: the pages visited, the data typed into forms, and the content that gets displayed.
When Internet Explorer starts, it looks through the Registry (under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects) for all installed BHOs and loads each one in turn. Although this may seem good for little other than spyware, it is actually an extremely useful plug-in system: download managers and other utilities, such as FlashGet or GetRight, use BHOs to integrate their functions seamlessly into Internet Explorer.
Although BHOs are commonly associated with toolbars and visible changes to the browser, there is no requirement for this: it is perfectly possible for a BHO to be installed and never announce its presence. Perfect for spyware.
Linking Web Browsing and Windows
Other types of hijacking exploit the tight links between Internet Explorer and Windows. It is common for spyware to use Windows policies to force the computer to act a certain way; for example, to change the Internet Explorer home page and then set a policy that prevents you from changing it back (the home page lock is a policy value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, and it greys out the home page box in Internet Options). This type of hijacking can be very difficult to reverse because it uses the same policy mechanism administrators use to lock down machines. In other words, to remove it you are fighting Microsoft's own security mechanisms, and the policy value has to go before the setting can be changed again.
Spyware can also use the many ways Windows knows to start an application automatically at boot or logon (the Run and RunOnce Registry keys, the Startup folder, services, and the Winlogon Shell and Userinit values, among others), ensuring that the spyware is always running. Once running on a victim computer, many types of spyware actively seek out antispyware tools and attempt to disable them. They also manipulate the Windows networking system, for example by rewriting the HOSTS file so that antispyware vendors' sites resolve to the wrong address, to prevent the unfortunate user from even downloading antispyware tools. Many of these programs are deliberately named to sound like legitimate operating system files, for example svchost32.exe; the legitimate Windows program is named svchost.exe, and deleting the wrong one can cause serious damage.
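The three Registry-based tricks above (the BHO list Internet Explorer walks at start-up, the home page policy lock, and autostart entries with system-lookalike names) can all be triaged from a registry export. The following is an added example, not code from the original article: it parses the text produced by Windows' `reg export` command, so it runs offline on any platform, and the sample export embedded in it is constructed (the CLSIDs, DLL paths and URL are hypothetical). The lookalike check and the "temp directory" heuristic are assumptions of this example, not rules the article states.

```python
"""Triage a Windows registry export (.reg text) for the persistence tricks
described above: BHO registrations, the Internet Explorer home-page policy
lock, and Run-key autostarts named to mimic system binaries. Added example,
not part of the original article; SAMPLE_REG is constructed (hypothetical
CLSIDs, DLL paths and URL), not an export from a real machine."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_POLICY_CP = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
# Genuine Windows binaries whose names spyware likes to imitate.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "explorer.exe", "ctfmon.exe", "rundll32.exe"}

# Constructed sample export: a normal download-manager BHO, a nameless BHO
# loading from a temp directory, a locked home page, and two Run entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Download Helper"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\DownloadTool\\dlhelper.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\WINDOWS\\Temp\\iehelp.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.invalid/"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\svchost32.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

def parse_reg(text):
    """Parse .reg text into {key_path (lowercased): {value_name: value}}.
    '@' is a key's default value. Only quoted strings and dword values are
    decoded, which covers every location this triage looks at."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry paths are case-insensitive
            keys.setdefault(current, {})      # keep keys that carry no values
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = name.strip('"')
        if val.startswith("dword:"):
            val = int(val[len("dword:"):], 16)
        else:
            val = val.strip('"').replace("\\\\", "\\")   # undo .reg escaping
        keys[current][name] = val
    return keys

def get_key(keys, path):
    """Case-insensitive key lookup; a missing key reads as empty."""
    return keys.get(path.lower(), {})

def list_bhos(keys):
    """Walk the BHO list the way Internet Explorer does at start-up and
    resolve each CLSID to its friendly name and in-process DLL."""
    prefix, bhos = BHO_KEY.lower() + "\\", []
    for key in keys:
        if key.startswith(prefix) and key.count("\\") == prefix.count("\\"):
            clsid = key[len(prefix):]
            clsid_key = CLSID_KEY + "\\" + clsid
            bhos.append({"clsid": clsid,
                         "name": get_key(keys, clsid_key).get("@", ""),
                         "dll": get_key(keys, clsid_key + "\\InProcServer32").get("@", "")})
    return bhos

def suspicious_bhos(bhos):
    """Heuristic (an assumption of this example): a plug-in with no friendly
    name, or one loading from a scratch directory, deserves a closer look."""
    return [b for b in bhos if not b["name"] or "\\temp\\" in b["dll"].lower()]

def homepage_lock(keys):
    """Return (start_page, locked). 'locked' means the HomePage policy is set,
    which greys out the home-page box in Internet Options; the policy has to
    be removed before Start Page can be reset through the UI."""
    start = get_key(keys, IE_MAIN).get("Start Page", "")
    locked = get_key(keys, IE_POLICY_CP).get("HomePage", 0) == 1
    return start, locked

def lookalike_autostarts(keys):
    """Flag Run-key commands whose executable is a near-miss of a genuine
    Windows binary (svchost32.exe for svchost.exe). Exact names are left
    alone: the check targets names built to confuse, not the real files."""
    hits = []
    for run in RUN_KEYS:
        for value, cmd in get_key(keys, run).items():
            m = re.search(r'([^\\/"]+?\.exe)\b', cmd, re.IGNORECASE) if isinstance(cmd, str) else None
            if not m:
                continue
            exe = m.group(1).lower()
            base = re.sub(r"\d+$", "", exe[:-len(".exe")]) + ".exe"   # svchost32 -> svchost
            if exe not in SYSTEM_BINARIES and base in SYSTEM_BINARIES:
                hits.append({"value": value, "command": cmd, "mimics": base})
    return hits

def triage(text):
    """Run all three checks over one export and return a report dict."""
    keys = parse_reg(text)
    start, locked = homepage_lock(keys)
    bhos = list_bhos(keys)
    return {"bhos": bhos, "suspicious_bhos": suspicious_bhos(bhos),
            "start_page": start, "homepage_locked": locked,
            "lookalike_autostarts": lookalike_autostarts(keys)}

if __name__ == "__main__":
    for item, result in triage(SAMPLE_REG).items():
        print(f"{item}: {result}")
```

On a real machine the input would come from `reg export` of the keys named in the constants; the parser deliberately ignores hex and expandable-string values, so extend it before pointing it at the Winlogon or services keys mentioned above.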
Trojan Web Pages
One problem that is becoming more widespread is the use of Trojan Web page techniques to keep a computer infected. Newer versions of Windows, such as Microsoft Windows XP and Microsoft Windows Server 2003, use HTML-based Web page interfaces, stored on the local disk, to provide access to operating system functions. If spyware infects these pages, then no matter how many times you delete the spyware-related executable files and Registry entries that appear, every time you open the infected management page the spyware re-infects your computer. This is a technique used by the CWS (CoolWebSearch) malware.
Although this may seem like a desperate situation, things are not as bad as they sound. Spyware is annoying, a security risk, and in some cases very difficult to get rid of, but all is not lost.
It's your computer and you have overall control over it. You can remove most of the spyware and malware either manually or with an automated tool. Best of all, most spyware is very well known and removal techniques have been studied in depth by antispyware researchers.