Spyware used to worm its way into PCs when users tried to download a free utility, such as a screen saver, and wound up with an unexpected bonus after agreeing to the distributor's license agreement.

Today most spyware infiltrations follow a different course: Users browsing the Web unknowingly launch "drive-by" downloads as they peruse sites affiliated with spyware makers. What those spyware-dumping sites often have in common is pornographic content.

"We've gotten to a point where, statistically, virtually all of the spyware that you get is being planted onto a system by browsing the Web," says David Perry, global education director for security vendor Trend Micro. "The most available Web sites to undertake this kind of thing are those Web sites that are willing to do anything to make a buck off of you. And those have a tendency to be pornography and gambling sites."

When users browse such sites, they wind up silently installing adware, keystroke loggers, Trojans and other nefarious programs. A person browsing pornographic Web sites from an unprotected machine could pick up 50 or 60 pieces of spyware in just 30 minutes, Perry says.

Habitual porn surfers can find their PCs quickly disabled from all the programs running in the background. The problem is so widespread among consumers that one computer repair consultant says the first thing he looks for when a customer complains of poor PC performance is pornography.

"Almost universally, it's what the problem is," says the consultant, who asked not to be identified. "A computer I just did had 36 instances of viruses and 700 pieces of malware installed. And gee, they wondered why their computer wouldn't work. Absolutely it's porn-related."

It's a problem that's not limited to private PCs. In corporate settings, a growing percentage of help desk calls are associated with spyware, says Richard Stiennon, vice president of threat research for anti-spyware vendor Webroot Software and a former Gartner analyst.

When Webroot uses its auditing tools to discover a corporation's threat exposure, "we'll find 55% of machines have adware or spyware, about 4% will have keystroke loggers, and 7% to 12% will have Trojans on them," Stiennon says. "These are companies that have anti-virus at the gateway, on the desktop and at the mail server, and they still get infected."

One reason companies are behind in the battle against spyware is that they failed to recognize it was a problem until about 12 months ago and now they're playing catch-up, Stiennon says. There's a lot to keep up with: Webroot discovers and writes signatures for 300 new spyware variations every week, he says.

Meanwhile, corporate users continue to invite spyware and other threats by surfing inappropriate sites. Reconnex, a start-up that offers corporations risk-management software and services, reports in its latest threat index that 89% of companies that took Reconnex's 48-hour risk assessment found inappropriate content on user PCs.

Delta Consulting this spring surveyed 50 of the 500 largest U.S. firms and found half formally dealt with the discovery of illicit images in the workplace during the past 12 months. Of those firms that pursued an investigation, 44% removed an employee from the company and 41% took other disciplinary action.