When you ask for a web page on the browser, what the spyware actually does is tack that url as data onto the end of their website. So everything is effectively routed through another server acting as an intermediary. Because you are actually talking to a single server for all requests, that server can present the pages in any way it wants (advertizing, porn, illegal lrpd's, etc)....

So the trick is to find who's coopted the browser.