(FORTUNE Small Business) – Like many small companies, J.B. Racing of Taveres, Fla., depends heavily on its local-area computer network to manage its operations. Earlier this year Dennis King, head of sales and marketing and de facto IT chief for the seven-employee maker of custom auto-racing components, noticed a disturbing problem: Speeds on the company network were dropping.

As King soon discovered, J.B. Racing's network had been infested with "spyware," foreign pieces of pernicious, persistent code that had migrated onto employees' computers from the Internet and sunk grappling hooks into hidden spots in their system files. Generating endless pop-up ads, as well as hijacking employees' browsers and replacing their Internet homepages, the software had become so pervasive that it was slowing the network by 10% to 40% and sapping the entire company's performance.

For help King turned to Webroot, a small company based in Boulder that makes software designed to root out spyware and banish it from users' machines. About two weeks after he installed SpySweeper, Webroot's flagship product, on the company's PCs, King found that J.B. Racing's network performance was back to normal. "We saw this stuff proliferate to where it was really affecting our bottom line," King says. "Besides the time involved in dealing with it, your computing resources are basically being stolen."

Almost unheard-of only a year or so ago, spyware is now a virulent Internet plague to rival spam and viruses. In many ways it's worse than either; spam is annoying but mostly harmless, and even the worst viruses are fleeting. Spyware, however, lives on, lurking inside machines, tracking users' movements on the web, and sometimes sending them to places they never dreamed existed, much less wanted to visit. Some spyware can track every keystroke, capturing personal information such as credit card numbers and passwords. Other forms divert web searches to paid advertisers' sites or hijack users' homepages, generally making online life miserable.

Most spyware infests a machine without the user's awareness, typically when he visits certain websites or downloads free software. More common, if less damaging, is adware, which generates targeted pop-up ads based on a web surfer's interests. If you visit the site of a national flower shipper, for instance, you might get a pop-up ad from a florist in your area offering a special on Mother's Day roses.

Until recently adware mainly touted fringe products such as remedies for erectile dysfunction and thinning hair. But these days large direct-marketing companies are using adware, devised by dozens of small vendors such as Claria Corp. of Redwood City, Calif., and WhenU of New York City. Most adware is perfectly legal; it's like online telemarketing, except that there's no do-not-call registry. But what was an annoyance for individual users is now becoming a curse for small businesses, many of which lack the resources to disinfect their PCs. And the threat is growing. Why? Spyware "has been adopted by advertisers because it works," says Scott Eagle, a senior vice president of Claria. In the $6.9-billion-a-year online ad market, adware is among the fastest-growing segments, according to eMarketer, a research firm.

The adware explosion has fueled the growth of a handful of anti-spyware startups, including Webroot, which fielded one of the first PC-sweeper programs in 1997. (Competing products include Ad-aware, Spychecker, and Spyware.) With some 150,000 subscribers, the privately held Webroot is growing its customer base by 400% annually, according to CEO David Moll, who predicts that revenues will top $7 million this year. Small companies constitute a growing part of Webroot's clientele, Moll says, because they often lack the expertise to track down and expunge phantom code themselves. "There's a 90% likelihood that there is some form of spyware on your machine," Moll says. "People don't have a full understanding of the dangers that are out there."

Webroot's founder, Steve Thomas, is a reformed computer hacker who developed the company's first product, Windows Washer, on his own while working for a company that tested the computer security at the Department of Energy's national labs. Windows Washer wipes clean all traces of a computer user's Internet activity so that snoops can't track any virtual footprints. SpySweeper, released last year, goes further by hunting down and eradicating any devious code.

But as fast as Webroot can produce updated versions of its computer-cleansing tools, spyware and adware makers churn out new and more cunning versions. "Last year we'd see one or two new variants a week," notes Thomas, 32. "Now they change daily."

To keep up, Webroot's six-person development team produces a weekly SpySweeper update that eliminates all the new variants of adware and other spyware that Webroot has located over the preceding seven days. The Webroot spy hunters depend on customers to send in new examples of unwanted code that turns up on their machines. They track down the new spyware files in circulation, grab the files' "fingerprints" (key pieces of identifying code), and create software to find the files and erase them from users' machines. They then transmit the update to paying ($39.95 a year) subscribers.

How does spyware find its way onto your machine? It's often secretly bundled with popular file-sharing applications, such as Grokster and Kazaa, or other free software, including computer games and calendar programs. Gaming and porn sites are rich sources of spyware; some programs leap from the web to the PC without the user's knowledge in what are known as drive-by downloads. Webroot quality-assurance manager Chris Stimmel cites one example: A web surfer visits the site of a popular reality TV show and downloads a clip from a recent episode. A piece of spyware sneaks in with the video, changing the browser's homepage while tracking all web activity. (For more on how spyware attacks, see the box on page 60.)

Adware, by contrast, is nominally permission-based. Many users unwittingly agree to download it by clicking on "end-user licensing agreements" for free software programs; vendors correctly assume that hardly anyone actually reads the pages of legal jargon in the agreements. Stimmel advises Webroot clients to avoid downloading any software not made by a major vendor--and to be wary even then. (How can you avoid spyware? For help, see the box above.)

Makers of spyware are using increasingly sophisticated techniques to get their code onto machines and to camouflage it once it's there. Some programs now propagate via e-mail, like viruses, but deposit spyware that tracks web use and reports back to a central server. What's more, the spyware is not just hiding anymore, notes Stimmel; it's actually starting to fight back.

One bit of malicious code, known as a "watcher file," fights removal by continually reinstalling a dialogue box that badgers users into agreeing to download it. Another transmits two spies that watch each other's back, reinstalling if one gets "shot," or eliminated by SpySweeper. According to Stimmel, one especially devious adware program is advertised as an anti-spyware product like SpySweeper; what it really does is wipe out other adware, install itself, and begin webjacking the user to paid online advertisements.

Thanks to anti-spyware activists, the Federal Trade Commission may soon issue new regulations on hidden downloads. Meanwhile, spyware continues to take new forms. A novel variant called Blazefinder, which reloads itself each time a user reboots, recently cropped up on the Webroot spy-hunter team's screens. Trolling the web, monitoring anti-spyware forums, and fielding customer reports, the spy hunters tracked Blazefinder for three weeks before finding an original version of the program so that they could identify and erase it from clients' PCs. But another variant is surely on its way. "Some weeks we'll find only one or two spyware files," says Stimmel, "then the next day we'll find seven or eight. The search just goes on"--which is, of course, very good for Webroot's business.