David had called Leila because his laptop was running slowly and he kept seeing advertisements for things he had searched for privately β on his own machine, not in a public browser, not on his phone. Products he had researched in incognito mode. Hotels he had looked at on a travel comparison site. "It's like someone is watching," he'd said on the phone. He was right.
Leila ran her standard diagnostic within the first ten minutes. The results confirmed what she suspected: spyware, installed approximately six weeks ago. She traced the installation back to a free video editing application David had downloaded from a third-party site, not the developer's official page. The installer had included the video editor β and, buried in a long license agreement behind a pre-ticked checkbox, a second program that described itself as an "enhanced browsing experience tool."
"Did you read the full installation agreement when you installed the video editor?" Leila asked.
David looked pained. "Does anyone?"
"That's what they're counting on." She showed him the spyware process running in the task manager. "This thing has been monitoring your browser for six weeks. Every site you visit, every search query β it captures that data and sends it to a remote server. That server sells your browsing profile to advertising networks. That's why you're seeing ads for things you researched privately. They know what you looked at because this software told them."
"Is my password safe?"
Leila paused before answering. That question required a more careful look.
Spyware is malware that secretly monitors user activity and collects information without the user's knowledge or consent, then transmits that data to an attacker or third party. Unlike ransomware or destructive malware, spyware's goal is surveillance β it wants to remain hidden as long as possible while extracting maximum value from the victim's data.
Three primary objectives of spyware:
- Advertising and behavioral tracking β monitoring browsing habits, search queries, and visited websites. The collected profile is sold to advertising networks or used to deliver targeted ads. The victim sees ads for things they researched privately.
- Identity theft β capturing usernames, passwords, credit card numbers, Social Security numbers, banking credentials. This data is used directly to steal money or impersonate the victim, or sold on criminal markets.
- Affiliate fraud β manipulating online referral and affiliate programs. When a user makes a purchase online, spyware can inject a referral code so that the attacker receives an affiliate commission for the sale. The victim pays the same price; the attacker earns money from the transaction without providing anything of value.
Leila ran a deeper scan using Malwarebytes, a dedicated anti-malware tool. The results came back with a second finding alongside the browser monitor: a keylogger component. The same installation that had brought in the browser spyware had also dropped a keylogger that had been running silently alongside it.
"The browser monitor watched where you went," Leila said. "The keylogger recorded what you typed. Every username. Every password. Every search query. Every email you composed. Every form you filled out."
David went pale. "My bankβ"
"Yes. If you've logged into your bank account on this machine in the last six weeks, there is a high probability your banking credentials were captured." Leila was already writing down the steps. "You need to change your passwords from a clean device β not this one β starting with your bank and email, then work through every account you've accessed from this laptop. Enable two-factor authentication on everything."
"How do I know it's not still watching?"
"Because we're going to remove it. But I want to be upfront: spyware is specifically designed to be difficult to remove. Some versions embed themselves deep into operating system processes. A standard uninstall may leave components behind. That's why I'm running Malwarebytes β it's specifically designed to find and remove exactly this kind of software. In severe cases, the cleanest answer is a full restore from a backup image taken before the infection."
"I don't have a backup."
Leila made a note. "Then our goal after removing this is making sure you have one going forward."
Three common installation vectors:
- Peer-to-peer (P2P) software and file sharing β applications downloaded from P2P networks or unofficial mirrors frequently include bundled spyware. The legitimate file (a game, a movie, an application) arrives with spyware embedded in the installer or packaged alongside.
- Fake security software (scareware) β a pop-up or web page warns the user that their computer is infected and urges them to install a "free scanner" or "security tool." The tool is itself spyware. The irony: the user installs malware while trying to remove malware.
- Bundled software in legitimate installers β a real application is distributed with additional software included. A pre-checked checkbox during installation quietly installs spyware alongside the desired program. Unchecking all optional extras and reading license agreements prevents this.
Defenses against spyware:
- Anti-malware with current signatures (e.g., Malwarebytes) β dedicated spyware/adware detection tools go beyond standard antivirus
- Know what you are installing β download only from official sources; uncheck all optional bundled software during installation
- Maintain a known-good backup β some spyware is too embedded to cleanly remove; restoring from a pre-infection backup is the reliable recovery path
- Research software before installing β check reviews and reputation before installing unfamiliar applications
The Malwarebytes scan identified four separate components of the spyware installation: the main browser monitor, the keylogger, a startup persistence module that re-installed the other components if they were removed, and a registry modification that disabled certain Windows security features. Leila quarantined all four.
"This is the reason spyware is different from most malware in one specific way," she told David as she worked. "Ransomware wants to be seen β it wants you to know you've been hit so you'll pay. Spyware wants to stay invisible for as long as possible. Every day it goes undetected is another day of data collection. So its survival mechanisms are more sophisticated. It fights removal. It reinstalls itself. It hides from standard antivirus by mimicking legitimate processes."
She closed the Malwarebytes report. The scan had caught everything β this time. "The reason dedicated tools like this exist is because the behavioral patterns of spyware are different from typical viruses. A standard antivirus looks for known malicious executables. Anti-malware tools look specifically for surveillance behavior: processes that monitor keystrokes, that send data to external servers, that hook into browser sessions. Different detection approach, different results."
David's laptop, after two hours of work and a full password reset from his phone, was clean. Leila's next appointment was waiting.
The second call had come from the Okafor family. They had purchased a new laptop as a birthday gift for their daughter, opened it that evening, turned it on, and immediately found it sluggish, full of unfamiliar applications, and throwing up notifications from programs they had never installed. "We didn't download anything," the mother explained when Leila arrived. "We just turned it on."
Leila recognized the scene before she sat down. She counted the pre-installed applications in the Start menu: twenty-six. The laptop had shipped from the retailer with the operating system, yes β and also a trial version of an antivirus suite (expiring in 30 days), a cloud storage client set to run at startup, a music streaming app, four games, two shopping apps, the laptop manufacturer's own "system optimization" tool, a weather widget, a photo editor, two social media apps, and assorted others.
"This is bloatware," she explained to the mother. "The manufacturer gets paid by third parties to pre-install their software on the devices they ship. You don't get a say in what's included. You just receive a machine that has already been loaded with applications you didn't choose."
"Is it dangerous?"
"It ranges from merely annoying to a genuine security concern. Let me show you why."
Bloatware is unnecessary software pre-installed on new devices by manufacturers or retailers. The manufacturer is typically paid by software vendors to include their applications on shipped devices. From a security perspective, bloatware is more than a performance nuisance:
- Expands the attack surface β every pre-installed application is software with potential vulnerabilities. A device with 20 bloatware apps has 20 additional applications that could be exploited, from day one, before the user installs a single program of their own.
- May not receive regular updates β bloatware applications are often poorly maintained. Unlike OS components that receive Patch Tuesday updates, bloatware may go months or years without security patches, leaving known vulnerabilities unaddressed.
- Runs at startup automatically β many bloatware applications configure themselves to start with the OS, consuming CPU, RAM, and disk I/O from the first boot. System performance is degraded before the user does anything.
- Consumes storage space β bloatware occupies disk space that could be used for the user's data or chosen applications.
- May introduce its own vulnerabilities β in the most serious cases (such as the 2015 Superfish/Lenovo incident), pre-installed software has actively compromised system security by intercepting encrypted traffic.
Leila started with the built-in Windows uninstaller β the Add/Remove Programs list in Settings. "This is always your first stop," she said. "Most of these apps appear here and can be removed normally. Click, uninstall, done." She worked through the list: eight of the twenty-six came off cleanly.
"What about the rest?" the daughter asked, watching over her shoulder.
"A few have their own uninstallers. You find those either in the program's folder in File Explorer, or in the Start menu for that app." She removed four more that way.
"And the rest?"
Leila hesitated. Four of the remaining apps β including the manufacturer's "optimization" tool and one of the shopping apps β had no obvious uninstall path. They appeared in the app list but clicking uninstall did nothing, or required an account login to a service the family had not signed up for. "This is where it gets frustrating. Some bloatware is intentionally difficult to remove. The manufacturer wants it to stay because their payment arrangement with the vendor depends on it remaining installed."
For the stubborn ones, Leila used a third-party uninstaller β a specialized tool that can force-remove applications the standard Windows process cannot touch. "This isn't my first option," she said. "It's powerful and can occasionally cause problems if it removes something a core OS component depends on. But for genuine bloatware with no legitimate removal path, it's often the only answer."
An hour later, the laptop had twelve fewer applications and was noticeably faster. "Now," Leila said, "let's talk about backups."
Bloatware removal should follow this sequence, from safest to most aggressive:
- Built-in OS uninstaller β Settings β Apps (Windows) or Applications (macOS). The standard, safe method. Works for most bloatware. Always start here.
- Application's own uninstaller β some apps ship with a dedicated uninstall executable in their program folder or Start menu entry. Run this if the OS uninstaller doesn't work or if the app is not listed there.
- Third-party uninstaller tools β specialized software (e.g., Revo Uninstaller, IOBit Uninstaller) can force-remove stubborn applications and clean up leftover registry entries and files. Use with caution β these tools are powerful and can remove components other software depends on. Not the first choice; use when standard methods fail.
Always have a backup before aggressive removal. If a third-party uninstaller removes something essential, you need a recovery path. Create a system backup or restore point before starting removal of deeply integrated bloatware.