Counterspy User Guide


  • 8/8/2019 Counterspy User Guide


    User's Guide

    CounterSpy


    Use of this software is subject to the End User License Agreement found in this User Guide (the "License Agreement"). By installing the software, you agree to accept the terms of the License Agreement. Copyright (c) 2004-2005 Sunbelt Software, Inc. All rights reserved. All products mentioned are trademarks or registered trademarks of their respective companies. Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any language without the prior written permission of Sunbelt Software, Inc.

    REV. 01182005


    Table of Contents

    CHAPTER 1: WELCOME ... 3
      CounterSpy Features ... 3
      System Requirements ... 4
      Customer Support ... 5
      Installing CounterSpy ... 6
        Before You Install ... 6
        Installing ... 6
        After Installing ... 7
        Uninstalling ... 7
      The CounterSpy Home Page ... 8
        Access Icons ... 8
        Important Information ... 9
        Current System Status ... 9
      The CounterSpy Toolbar ... 11
      CounterSpy Menus ... 11
      Getting Started ... 12

    CHAPTER 2: WORKING WITH COUNTERSPY ... 18
      Spyware Scans ... 18
        Running a Scan ... 18
        Reviewing the Last Scan ... 21
        Scheduling Scans ... 21
        Managing Quarantined Spyware ... 23
      Active Protection ... 24
        Enabling Active Protection ... 24
        Active Protection in Action ... 25
        Managing Blocked Items ... 26
        Internet Monitors ... 27
        System Monitors ... 29
        Application Monitors ... 35
      System Tools ... 42
        My PC Checkup ... 42
        The History Cleaner ... 43
        The Secure File Eraser ... 44
        My PC Explorers ... 46
      CounterSpy Settings ... 54


        Automatic Update Settings ... 54
        Active Protection Settings ... 55
        Alert Settings ... 56
        ThreatNet Settings ... 56
        Spyware Scan Settings ... 57
        General Settings ... 57
      Updating ... 58
        How to Update ... 58
        About your Subscription ... 60

    APPENDIX A - WHAT IS SPYWARE? ... 61
      How Spyware Is Installed ... 62
        Is All Spyware Hazardous? ... 64
        Signs of Spyware Infection ... 64
      How to Maintain Protection ... 65
        Avoid Spyware ... 65
        Security Settings and System Updates ... 66
        System and Tool Updates ... 66
        Use Security Patches ... 67
        Installing Patches Automatically Using Windows Update ... 67
        Using the Windows Update Website ... 68
        Keep CounterSpy Current ... 68
        Prepare for Emergencies ... 69

    APPENDIX B: FIGHT BACK! THREATNET ... 70
      Join ThreatNet ... 70
        ThreatNet Privacy Policy ... 70
        Using ThreatNet with a Firewall ... 70

    APPENDIX C: COMMON TERMS ... 72


    Chapter 1: Welcome

    CounterSpy is an anti-spyware product, designed to protect your computer from unwanted and hazardous spyware. CounterSpy detects, and then safely removes from your computer, spyware, adware, trojans, and keyloggers. CounterSpy is considerably more powerful than most anti-spyware products, and it takes a new approach to fighting and preventing spyware. By identifying and removing spyware, CounterSpy protects you from the negative effects, including slow Internet connections, pop-up advertisements, reduced computer performance, the loss of private information, or even identity theft.

    Spyware is software that is installed onto your computer without your knowledge or permission. It collects personal information, like the Web sites that you have visited or even your user names and passwords. Spyware can generate a stream of unsolicited advertisements, tax your computer or affect your browser's home page or search page settings. For more information about Spyware, see page 61.

    CounterSpy uses a number of methods to keep your computer protected from spyware. It monitors your computer for known and unknown spyware. Known spyware programs are detected and identified by name. Unknown spyware is spyware for which CounterSpy does not yet have a definition.

    CounterSpy Features

    Spyware scans - CounterSpy's scanning engine scans your entire system, including in-depth scans of your computer's hard drives, memory, processes, registry and cookies. It uses a continually updated database of thousands of known spyware signatures to provide you with ongoing, accurate protection. Spyware scanning can be done manually (on-demand scanning) or on a scheduled basis.

    Active Protection - Active Protection protects your computer, privacy, and personal information from hidden spyware threats before they can attack. Internet, System, and Application Monitors look at over 50 security checkpoints, comparing any unknown activity with the most up-to-date database of spyware threats at Sunbelt's Research Center, stopping new spyware in its tracks.

    System Tools - My PC Explorers let you explore and manage key elements of your system that are normally hidden and difficult to change. My PC Checkup helps keep your computer secure by updating your computer settings to recommended security levels. The History Cleaner is a privacy tool that removes all Internet History usage logs and 75 different activities. The Secure File Eraser is a powerful deletion tool that ensures the complete destruction of any files you wish to remove from your machine.

    CounterSpy ThreatNet - ThreatNet provides ongoing Spyware threat information, which is used to update the CounterSpy spyware database. ThreatNet is a revolutionary network community that connects diverse CounterSpy users to share and identify new applications and signatures. This information helps block new spyware.


    System Requirements

    Operating Systems - To use CounterSpy, your computer must have one of the following Windows operating systems:

      Windows 98SE/Me
      Windows 2000 Professional
      Windows XP Professional/Home Edition
      Windows 2003 Server

    Note: It is recommended that Service Pack 2 for Windows XP be installed BEFORE installing CounterSpy.

    Note: If you are planning to upgrade your Windows operating system from Windows 98/Me to Windows 2000/XP, you must uninstall CounterSpy first and then reinstall after the upgrade is complete.

    Note: Installation of CounterSpy is not supported on Windows 95/NT, Macintosh, or Linux computers.

    System Requirements - Your computer must meet the following minimum requirements. If you are installing on Windows 2000/XP/2003, you must install with administrator privileges.

    Windows 98SE/Me

      Intel Pentium processor (or compatible) at 133 MHz for Windows 98; 150 MHz for Windows Me
      64 MB of RAM (128 recommended if running Active Protection)
      20 MB of available hard disk space
      Internet Explorer 5.0 or later

    Windows 2000 Professional Edition

      Intel Pentium processor (or compatible) at 133 MHz or higher
      64 MB of RAM (128 recommended if running Active Protection)
      20 MB of available hard disk space
      Internet Explorer 5.0 or higher

    Windows XP Professional/Home Edition

      Intel Pentium processor (or compatible) at 300 MHz or higher
      128 MB of RAM
      20 MB of available hard disk space
      Internet Explorer 5.0 or later



    Customer Support

    Sunbelt Software offers a number of avenues for obtaining technical support for CounterSpy.

    CounterSpy Knowledge Base contains answers to many frequently asked questions about CounterSpy.

    Online Technical Support

    Go to www.sunbelt-software.com/support. Click Ask a Question and fill out the form to send your electronic inquiry to Sunbelt's technical support staff.

    Email

    Technical Support: [email protected]

    Sales: [email protected]

    Customer Service: [email protected]

    Sunbelt Software

    101 N. Garden Ave.

    Clearwater, FL 33755

    Phone: (727) 562-0101

    Toll-free technical support: 877-673-1153


    Installing CounterSpy

    Before You Install

    If you have an older version of CounterSpy, installing a new version automatically removes the previous version. You can transfer existing option settings to the new version during installation.

    Before you install CounterSpy, here are suggestions on how to prepare your computer:

    If you have any other anti-spyware programs on your computer, you should uninstall them and restart your computer before installing CounterSpy.

    Although removing other anti-spyware programs is not required, it is recommended. CounterSpy might detect spyware that is already quarantined by another anti-spyware program, especially if the other anti-spyware program does not secure its quarantined files.

    To uninstall other anti-spyware programs, see the user documentation that came with the program.

    Close all other Windows programs before installing CounterSpy, including those programs displayed in the Windows tray.

    Installing

    To install CounterSpy:

    1. If you are installing CounterSpy from a CD, insert the CounterSpy CD into the CD-ROM drive.

    2. In the CounterSpy window, click CounterSpy. (Skip to step number 4.)

    Note: If your computer is not set to automatically open a CD, navigate to the CD drive and then double-click the setup.exe icon.

    3. If you downloaded your copy of CounterSpy, locate and double-click on the downloaded file: CounterSpy.exe.

    4. The opening installation window reminds you to close all other Windows programs. Close those now.

    5. Click Next to continue.

    6. Read the License Agreement and then click I accept the license agreement. If you decline to accept the License Agreement, you cannot continue with the installation.

    7. Click Next to continue.

    8. If you are upgrading from an older version of CounterSpy, you can opt to keep your option settings. Click Yes to keep previous settings.

    9. Select the folder where you want CounterSpy to be installed, and then click Next.

    10. Confirm the installation location, and then click Next.

    11. After the installation is complete, click to check the Launch CounterSpy checkbox.

    12. Click Finish to exit the installation.

    Sometimes installing CounterSpy requires you to restart your computer. If that is necessary, you will see a message that tells you to restart your computer.

    If you are installing CounterSpy for the first time, follow the on-screen instructions and let the CounterSpy Setup Assistant guide you.

    After Installing

    The Setup Assistant guides you through steps to configure CounterSpy. The process does not take a long time. With a few short steps, you will be ready to run a comprehensive spyware scan, disinfect your system and equip it to detect and eliminate spyware threats.

    You will set up the automatic update features, enable Active Protection, decide whether to participate in ThreatNet, and run your first CounterSpy scan.

    Uninstalling

    If you need to remove CounterSpy from your computer, you can use the Add/Remove Programs option from the Windows Control Panel or the Uninstall CounterSpy option from the Programs menu. During uninstall, Windows may indicate that it is installing software. Disregard this standard Microsoft installation message.

    To uninstall CounterSpy using the Windows Control Panel:

    1. On the Windows taskbar, click Start > Settings > Control Panel.

    or

    1. On the Windows XP taskbar, click Start > Control Panel.

    2. In the Control Panel, double-click Add/Remove Programs.

    3. In the list of currently installed programs, click CounterSpy.

    4. In Windows 2000/Me, click Change/Remove.

    In Windows 98, click Add/Remove.

    In Windows XP, click Change.

    5. Click Yes to confirm that you want to uninstall the product. If you have files in Quarantine, you are asked if you want to delete them. Your options are:

    Yes - Delete the quarantined files from your computer.

    No - Leave the quarantined files on your computer, but make them inaccessible.

    6. Click Finish, and then click Yes to restart your computer.


    The CounterSpy Home Page

    The CounterSpy Home Page is a great place to start, as it serves as the main console for the entire application. From here, you can access most of CounterSpy's features and view information about such things as previous scans and CounterSpy settings.

    Figure 1: The CounterSpy Home Page.

    Access Icons

    Three icons on the CounterSpy Home Page take you directly to CounterSpy features. Click an icon to perform that action or manage those options.

    Spyware Scan - Click the Spyware Scan icon to scan your computer, set scan options, schedule when scans run, view previous scan results, and view quick stats about CounterSpy. Click Run a spyware scan to start a spyware scan.

    Active Protection - Click the Active Protection icon to work with Active Protection Monitors or to manage blocked items. Active Protection gives you real-time protection against spyware threats.

    System Tools - Click the System Tools icon to use one of CounterSpy's powerful system configuration and privacy protection tools. Here, you will find the PC Explorers, My PC Checkup, the History Cleaner, and the Secure File Eraser.


    Important Information

    The Important Information area of the CounterSpy Home Page displays messages and announcements, based on the status of your CounterSpy installation. Watch the messages for notices and information that can improve CounterSpy's performance and your computer's security.

    Current System Status

    The Current System Status section of the CounterSpy Home Page lets you view at a glance the results of spyware scans, your current protection level, and whether or not it's time to update spyware definitions. A Warning or Requires Attention notification appears when you need to complete a task. Click on an item to go to that CounterSpy feature.

    To manage an item in the list, mouse-over that item. CounterSpy displays a popup window with more information, to help you complete the task.

    Figure 2: View a summary. Click to go to that feature.

    Last Spyware Scan - Shows the time of the last full spyware scan. In order to keep your computer free of spyware, run a spyware scan at least once a day. You can do this manually, or use the spyware scan scheduler.

    Last Spyware Scan Results - Summarizes the result of the last spyware scan and notifies you if your attention is required. For example, if a scan detected spyware threats, but action has not yet been taken.

    Next Scheduled Scan - Displays the time of the next scheduled spyware scan, based on your schedule settings. Use the scheduled spyware scan to check for and remove spyware on a regular basis. When the scheduled time arrives, CounterSpy launches a full spyware scan that runs in the background.


    Figure 3: Mouse-over an item in the status list to see more information.

    Active Protection - Shows the status of the Active Protection. Active Protection provides real-time protection against spyware and other malicious threats that may attack your computer.

    Spyware Definitions - Shows the last time you updated spyware definitions and indicates if definitions are up to date.

    Automatic Updates - Shows whether you have CounterSpy's Automatic Updates feature activated. When you connect to the Internet, the update service automatically checks to see if new spyware definitions or software updates are available. If they are available, CounterSpy downloads them.

    Help

    Click the Help button on CounterSpy pages to see information about that screen.

    Some CounterSpy pages have explanations about specific tasks or settings. When you see an exclamation point, click the link beside it to learn more about that specific item.


    The CounterSpy Toolbar

    When you leave the CounterSpy Home Page, the CounterSpy Toolbar makes it easy to get around.

    Figure 4: Use the toolbar to get around in CounterSpy.

    CounterSpy Menus

    CounterSpy's Command Menus are another way to navigate to the information you need to view or to a task you want to complete.

    Figure 5: The CounterSpy Command Menus.

    File Menu - Register CounterSpy, Check for updates, or Close CounterSpy.

    View Menu - View a Summary, run a Scan, Manage Spyware Quarantined, Manage Spyware Scan Schedule, view Spyware Scan History, view Active Protection monitors, view Blocked events, Security Agents, view My PC Explorers, run My PC Checkup, use History Cleaner, or use Secure File Eraser.

    Help Menu - Open the CounterSpy Help System, run the Setup Wizard, communicate with Technical Support or ThreatNet, purchase or extend your subscription, contact Sunbelt Software online, view and generate helpful information about your CounterSpy software.


    At the end of the scan, CounterSpy displays a brief summary of the scan results.

    Figure 8: Scan Result Summary.

    5. Click View Results to close the little summary window and view a list of any discovered spyware.

    The list shows you information about each piece of discovered spyware. CounterSpy assigns every item a threat level and suggests a Recommended Action. All of this can help you decide what action to take. The Recommended Action drop-down list is safely set to the action suggested by CounterSpy, so you can continue.

    Figure 9: Scan Results.

    6. Click Take Action to have CounterSpy take the suggested actions to rid your computer of spyware.

    Congratulations! You have just cleaned spyware from your computer. Now learn to protect it.


    To keep your machine protected from new threats, CounterSpy's Active Protection Monitors can block spyware before it is installed. Check that CounterSpy's Active Protection Monitors are enabled.

    7. From the CounterSpy Home Page, click the Active Protection icon.

    Figure 10: Active Protection Categories.

    You might have enabled Active Protection when you set up CounterSpy.

    A green check indicates that the Active Protection Monitors in that category are enabled.

    A red X means that the Monitors in that category are not enabled and your attention is required.

    8. If all three categories have green checks, skip to the next page.

    9. If any categories have a red X, click those categories to manage those Active Protection monitors.

    When you click a category, CounterSpy displays the monitors in that category.

    10. Click Enable in the Monitors Status area.


    Figure 11: Active Protection is enabled.

    Once Active Protection is enabled, spyware is stopped before it is installed. When a change is made to your computer, CounterSpy alerts you by displaying a small notification window in the bottom right corner of the computer screen. CounterSpy makes a decision to allow the change, block the change, or ask you to make a decision.

    Figure 12: Active Protection detects changes.

    You have scanned your computer for software and turned on Active Protection. Now have CounterSpy update your computer's security. Run My PC Checkup to make sure your computer settings are set at recommended security levels.


    11. From the CounterSpy Home Page, click the System Tools icon, and then click .

    Figure 13: My PC Checkup tightens security.

    12. Click Start.

    When the checkup is complete, CounterSpy displays the Results of Analysis. This contains a list of security items that can be protected. CounterSpy flags hazardous security items. The first time you run My PC Checkup, there may be many suggested items. Subsequent My PC Checkups will find fewer changes to suggest. CounterSpy is self-tuning, and when you also use Active Protection, it helps keep your computer secure.

    Figure 14: My PC Checkup results.

    13. Click Continue to have CounterSpy implement the selected security enhancements. CounterSpy tells you how many settings were updated.

    You have run a Spyware Scan, turned on Active Protection, and had My PC Checkup tighten security settings. Next, use the History Cleaner to rid your computer of personal information that you do not want to fall into the wrong hands.

    14. From the CounterSpy Home Page, click the System Tools icon.

    15. Click .

    16. Click Check all to check all items in the list.

    Figure 15: History Cleaner erases personal history.

    17. Click Clean History.

    Regularly updating CounterSpy is an important part of staying ahead of spyware. New spyware is discovered every day. You can also schedule when you want CounterSpy to check for updates.

    Learn how to check for updates and check for them often.

    18. Choose File menu | Check for updates.

    You have scanned for spyware, enabled Active Protection, run My PC Checkup to tighten security, used the History Cleaner to remove software usage information, and checked for spyware definition updates.

    The remaining documentation covers these and other CounterSpy features.

    For further information, don't hesitate to contact one of our friendly technical support people at www.sunbelt-software.com/support (choose Ask a Question) for any assistance you may need.


    Chapter 2: Working with CounterSpy

    Spyware Scans

    Running a Scan

    A CounterSpy scan of your computer looks at files and critical areas of your computer, checking for any type of spyware. These are in-depth scans of your computer's hard drives and processes currently running, the Windows registry, and Internet cookies. CounterSpy seeks out and provides you options to remove both known and potentially hazardous, unidentified spyware threats.

    You can scan for spyware manually or you can use the Schedule Spyware Scan to schedule when to have CounterSpy perform a full system scan for spyware threats. For more information about scheduling scans, see page 21.

    To run a manual spyware scan:

    1. From the CounterSpy Home Page, or from any screen with the toolbar, click the Spyware Scan icon.

    Tip: You can also run a spyware scan from anywhere in CounterSpy, by choosing View menu | Spyware Scan | Run a Scan Now.

    2. Click Scan Options to display and select any scan options that apply.

    Intelligent quick scan - An Intelligent quick scan runs a complete scan of your computer where most spyware may be found. This takes only a few minutes, and can detect more than 99% of known spyware threats. This is the default setting.

    Full system scan - A full system scan lets you select from additional scanning options, in order to perform a more in-depth or customized scan.

    Scan memory - A memory scan does an in-depth scan of the processes that are currently running in memory. It also checks each process that is loaded to see if it is spyware.

    Scan selected drives / folders - A custom file/folder scan lets you select specific hard drives, folders, or files to include in the scan. Click after the arrows to open a dialog where you can choose exactly what you want scanned and not scanned. Note: CounterSpy scans known locations on the C: drive or operating system installed drive, before scanning other drives.

    Deep scan selected folders - A deep scan is a very in-depth scan of your system. Although this scan is very accurate, it takes much longer to finish.

    Scan cookies - This allows you to scan for known spyware Internet cookies. These can track your Web surfing habits or provide targeted advertising.

    Save these options - Save your spyware scan settings. CounterSpy uses your saved options the next time a scan is run.


    Figure 16: Select scan options.

    3. Click Scan Now. At the end of the scan, CounterSpy displays a summary of the results.

    Figure 17: Scan Result Summary.

    4. (Optional) Click Do not display this window after a spyware scan to have CounterSpy skip the summary after a scan in order to go immediately to the list of discovered spyware.

    5. Click View Results to close the summary.

    CounterSpy generates a list of spyware that is found during a scan. It provides information about each piece of spyware, assigns a threat level, and suggests a Recommended Action. All of this can help you decide what action to take.

    6. (Optional) Click a threat to highlight it and display Spyware Details about that piece of spyware.


    To find out more about the highlighted threat, click the link Learn more about this spyware..., located at the bottom of the Spyware Details section. This displays such information as a detailed description, threat alias names, security and stability information, and information about the author.

    7. (Optional) Click the plus sign (+) to view all detected locations. Threat locations are the files, folders and registry keys where a threat has installed on your computer. When deleting or quarantining a threat, all areas where the threat is present are cleaned. Click a location in the list to learn more about that location.

    Figure 18: Select a spyware threat to view Spyware Details.

    8. Review the Threat Level for the selected spyware. Move the cursor over the threat level indicator. When you see a "?", click and hold to read a definition.

    9. Review the Recommended Action drop-down list. It is preset to the action that CounterSpy suggests.

    10. (Optional) Use the Recommended Action drop-down list to select an action other than the one CounterSpy suggests.

    Ignore - Select this action to ignore a threat until the next time you run a spyware scan.

    Quarantine - Select this action to safely remove this threat from your computer and store it in spyware quarantine. Any threats in your spyware quarantine will not run on your computer. The advantage of quarantine is you can restore items back to their original state.

    Remove - Select this action to remove the threat permanently from your computer. Some spyware cannot be quarantined, only removed.

    Always Ignore - Select this action to ignore a threat permanently. Much like Ignore, Always Ignore does not quarantine or remove a threat. In addition, Always Ignore adds the threat to your Ignored Threats list. Once on the Ignored Threats list, a threat is not marked as spyware when you run scans. Should you change your mind, you can edit your Ignored Threats list in Spyware Settings.

    11. (Optional) Click Set a single action for all spyware threats to apply one action setting to all detected spyware.

    12. (Optional) You can select Create restore point when using Windows XP or ME to save your current computer system settings before you click Take Action.

    13. Click Take Action to have CounterSpy take the suggested actions.

    Reviewing the Last Scan

    If you need time to study a scan before making decisions, you can see the details of the last completed scan. Scan details can be printed for later review.

    To review the last completed scan:

    1. From the CounterSpy Home Page, or from any screen with the toolbar, click the Spyware Scan icon.

    2. Click View Details in the Last Completed Scan area.

    3. (Optional) Click the printer icon to print a copy of the scan details.

    Scheduling Scans

    You can schedule customized spyware scans to run unattended on specific dates and times or at periodic intervals. If you are using the computer when the scheduled scan begins, it runs in the background. You do not have to stop working.

    You have complete flexibility in scheduling custom spyware scans. When you select how frequently you want a scan to run (such as daily, weekly, or monthly), CounterSpy presents you with additional options with which you can refine your request.

    To schedule a custom spyware scan:

    1. From the CounterSpy Home Page, or from any screen with the toolbar, click the Spyware Scan icon.

    2. Click Manage Schedule under the Schedule Scan Details section.

    Tip: You can also run a spyware scan from anywhere in CounterSpy, by choosing View menu | Spyware Scan | Manage Spyware Scan Schedule.

    Figure 19: Define and schedule scans.

    3. Choose, under "Select Your Spyware Schedule Scan Times", how frequently you want a scan to be performed, and then refine your schedule:

    Daily - Choose Every Day, or select the days when you want to perform a scan.

    Weekly - Choose between Every week, Every other week, or Every three weeks, and then select the days of the week when you want to perform the scan.

    Monthly - Choose between an actual day of the month when the scan will run, or a relative schedule, like "The first Monday of the month".

    4. Under "Start time", set the time when you want to perform the scheduled scan(s).

    5. Select Scheduled Scan Options to suit your needs:

    Always run a deep scan - CounterSpy will run a deep scan. A deep scan is an in-depth scan of all of your hard drives.

    Automatically quarantine spyware - CounterSpy will automatically quarantine any spyware threats that could cause harm to your computer. This includes all spyware, keyloggers, back-door trojans, and especially hazardous adware applications.

    Do not scan for spyware cookies - CounterSpy will not scan for spyware-related cookies.

    Automatically remove spyware cookies - CounterSpy will automatically remove any spyware cookies.

    Do not display spyware scan results - If spyware is detected on your computer, CounterSpy will not display the results in a window.

    Do not display the scan progress - CounterSpy displays a small progress window in the lower right hand corner of your computer when a scan is in progress. This window displays scan progress, as well as all spyware threats found during the time the scan has been running. Select this option to disable the display of this progress window.

    6. (Optional) Check Disable Schedule to stop CounterSpy from running a scheduled spyware scan. The Disable Schedule check box is a handy way to suspend scheduled scans.

    If you disable scheduled scans, try to run a manual spyware scan at least two or three times a week.

    7. Click Update Schedule when your selections are complete.

    Managing Quarantined Spyware

    You can also choose to remove quarantined software permanently. After enough time has elapsed to make you sure that the quarantined software is no longer needed, remove it from your computer.

    If you accidentally quarantine software you want to keep using, you can remove it from quarantine and restore it to its original state.

    To restore quarantined spyware:

    1. Choose View Menu | Spyware Scan | Manage Spyware Quarantine .

    2. Select a quarantined item by placing a check mark beside it to view Spyware Details about that item.

    3. Click Learn more about this spyware to view additional information about that item.

    4. Click Un-quarantine spyware at the bottom of the Spyware Details area to restore the selected item to its original state.

    Note: It is a good idea to restart your computer after you restore an item.

    5. To restore multiple items, check each item that you want restored, and then click Un-quarantine All Checked Spyware.

    To remove quarantined spyware permanently:

    1. Choose View Menu | Spyware Scan | Manage Spyware Quarantine.

    2. Select a quarantined item to view Spyware Details about that item.

    3. Click Learn more about this spyware to view additional information about that item.

    4. Click Permanently remove spyware to delete the selected item from your computer.

    To remove multiple items, check each item that you want permanently removed from your computer, and then click Permanently remove all checked spyware.

    Active Protection

    Enabling Active Protection

    To keep your machine protected from new threats, CounterSpy comes installed with over 100 Active Protection Monitors. These Monitors stop spyware before it is installed. Active Protection helps protect your privacy and identity, as well as prevent unauthorized programs from taking control of your computer.

    When software is installed, or when a change is made to your computer, an internet setting, or an application setting, Active Protection quickly reacts to analyze the change. CounterSpy makes a decision to allow the change if it is not threatening, block the change if it is known spyware, or ask you to decide.

    To enable Active Protection:

    1. From the CounterSpy Home Page, or from any screen with the toolbar, click the Active Protection icon.

    Tip: You can also manage Active Protection from anywhere in CounterSpy, by choosing View menu | Active Protection.

    Figure 20: Click to manage Active Protection settings.

    2. Click a category (Internet Monitors, System Monitors, or Application Monitors) to manage those Active Protection monitors. For information about Application Monitors, see page 35. For information about System Monitors, see page 29. For information about Internet Monitors, see page 27.

    Figure 21: Enable all in an Active Protection category.

    3. Click Disable under Monitor Status to turn all monitors in that category off. All Monitors in an Active Protection category are on by default.

    4. Click Enable under Monitor Status to turn all monitors in that category on.

    5. Click to select and highlight a monitor to see Monitor Details.

    6. Click Learn about Selected Monitor to view additional information.

    7. Click Disable Selected Monitor to turn off the selected monitor.

    8. Click Enable Selected Monitor to turn on a disabled monitor.

    9. Click Manage allowed/blocked to view, unblock, or delete any software that was blocked by an Active Protection Monitor.

    Active Protection in Action

    When Active Protection detects a spyware threat, it prompts you for action. CounterSpy displays a small alert window in the bottom right corner of your computer screen. It contains information about the change. This allows you to make an informed decision about whether or not to allow the action that CounterSpy suggests.

    If you choose to block or allow the threat, you can also choose to always allow or always block that specific threat. Click the checkbox to remember this action. This causes CounterSpy to respond to this threat the same way every time an Active Protection Monitor or scan detects it.

    Figure 22: Active Protection warns you about possible threats.

    To block or allow a threat:

    1. Click Block or Allow in the alert window.

    When you choose Block, CounterSpy performs a quick block of the threat, which blocks the installation or execution of the blocked spyware.

    After a threat is blocked, CounterSpy asks if you want to run a full spyware scan. This is highly recommended, as the initial block only removes that specific instance of the spyware threat.

    2. Click Yes to initiate a scan. The CounterSpy scan setup screen is displayed.

    Managing Blocked Items

    The Blocked section of CounterSpy contains a list of all items (applications, programs or settings) that are blocked by an Active Protection Monitor. You can review all the items that are blocked, and then decide if you want to permanently remove each item or unblock it.

    To manage blocked items:

    1. From the CounterSpy Home Page, or from any screen with the toolbar, click the Active Protection icon.

    Tip: You can also manage Blocked items from anywhere in CounterSpy, by choosing View menu | Active Protection | View All Blocked Events.

    Figure 23: Manage items blocked by Active Protection.

    2. Select an item in the Blocked list to view information about that item in the Blocked Details area.

    3. Check an item to select it for action.

    4. Click Un-Block item to restore the selected item to its original state.

    To unblock multiple items, check the items that you want restored, and then click Un-block all checked items.

    After you unblock an item or items, it is a good idea to restart your computer.

    5. Click Permanently remove item to delete the selected item from your computer.

    To remove multiple items, check the items that you want removed, and then click Permanently remove all checked items at the bottom of the screen.

    Internet Monitors

    Internet Monitors provide real-time protection from applications that make unauthorized connections to the Internet or change your computer's Internet connections settings, such as dial-up or wireless connectivity.

    Dialup Connection - Monitors for unauthorized dial up activity from your computer's modem(s). This is used to prevent dialer-type spyware from dialing out without your knowledge. A dialer is software that dials a phone number using your computer's modem. Most dialer programs connect to toll numbers without your permission. They can rack up large phone charges on your phone bill.

    Internet Safe Sites - Prevents unauthorized Web sites from being added to your list of Internet Safe Sites. Safe Sites are Web sites that you trust will not damage your computer. When you visit a safe site, Internet Explorer will lower the recommended security and allow the site to run scripts. If spyware adds an unsafe site to that list, the scripts that run could be dangerous.

    Internet Proxy Server - It prevents unauthorized changes or additions to your Internet Explorer Proxy Server. The Internet Explorer Proxy Server is a server between the Internet Explorer Web browser and a real server. Proxy servers have two main purposes: improve performance and filter requests. A Proxy Server intercepts any request to the real server, to see if it can fulfill the request itself. If it cannot fulfill the request, it forwards the request to the real server.

    Winsock Layered Service Providers - Monitors additions and modifications to your Windows Winsock Layered Service Providers (LSPs). LSPs (Layered Service Providers) are sometimes manipulated by spyware applications known as Winsock Hijackers. LSPs are a way to chain a piece of software to your Winsock 2 implementation on your computer. Since the LSPs are chained together, when Winsock is used, the data is also transported through each of the LSPs in the chain. Spyware can use LSPs to see all traffic being transported over your Internet connection. You should use extreme caution when deleting these objects, because if they are removed without properly fixing the gap in the chain, you can lose Internet access.

    Windows Messenger Service - The Protection Monitor Messenger Service protection disables the Windows Messenger Service. Windows XP and 2000 machines have a "service" running behind the scenes called the "Messenger" service. This is a normal part of the operating system, and is used by network administrators to send messages to other users on a company network. The "Messenger" service allows the "net send" function to communicate across networks. Another function can use the "Messenger" service to communicate across networks and these messages are called "Alerters". If you have ever received a message from your UPS (Uninterruptible Power Supply) that it has passed a self test, or went onto battery for a moment due to a spike in the power supply - then you have received an "Alerter" message.

    Name Server Protection - Prevents spyware from changing your Domain Name Servers (DNS). By default, your Internet Service Provider assigns your Domain Name Server, but spyware can try to change it. If your Name Server is changed, TCP/IP queries could be redirected through a potentially dangerous server.

    Spam Zombie Protection - Prevents spyware from sending spam from your computer. Spambot Prevention prevents your computer from becoming a source for sending spam. Many spammers take advantage of security gaps and spyware, in order to install 'spambots', also known as "spam zombies". These are installed on personal computers with the intention of sending out spam email from that computer, without the user's knowledge. Spammers can use your computer to send unsolicited and possibly offensive email offers for products and services. Spammers are using home computers to send bulk emails by the millions. If a spammer takes over your computer, you could face serious problems. Your Internet Service Provider (ISP) may prevent you from sending any email at all until the virus is treated. Treatment could be a complicated, time-consuming process.

    TCP/IP Parameters - It prevents spyware threats from modifying various TCP/IP parameters used by Windows to send and receive network data. TCP/IP configuration parameters are registry parameters that are used to configure the protocol driver, Tcpip.sys. Tcpip.sys implements the standard TCP/IP network protocols. Some spyware threats such as CoolWebSearch can modify these parameters to take advantage of your computer. There may be some unusual circumstances in customer installations where changes to certain default values are appropriate. To handle these cases, optional registry parameters can be created to modify the default behavior of some parts of the protocol drivers. The Windows TCP/IP implementation is largely self-tuning. Adjusting registry parameters without careful study may reduce your computer's performance.

    WiFi Protection - Monitors for access from other users on your wireless network. When a new user enters your WiFi network, the Monitor notifies you.

    System Monitors

    System Monitors provide real-time protection against potential spyware that makes unauthorized or hazardous changes to your system, such as altering your security permissions or system settings.

    AppInit DLLs - Prevents unauthorized changes or additions to the Windows AppInit DLLs. Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLLs value. The AppInit_DLLs registry value contains a list of DLLs that are loaded when user32.dll is loaded. Most Windows executables use the user32.dll. That means that any DLL listed in the AppInit_DLLs registry key will also be loaded. This makes it very difficult to remove the DLL, because it can be loaded during multiple processes, some of which cannot be stopped without causing system instability. Processes that are automatically started by the system when you log on also use the user32.dll file. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before you have access to the system. Technical Information: The AppInit DLLs are loaded via LoadLibrary() during the DLL_PROCESS_ATTACH of User32.dll. As a result, executables that do not link with User32.dll will not load the AppInit DLLs. Very few executables do not link with User32.dll. Because they load early, only API functions exported from Kernel32.dll are safe to use within the initialization of the AppInit DLLs. The AppInit_DLLs value has type REG_SZ. This value should specify a NULL-terminated string of DLLs, which is delimited by spaces or commas. Because spaces are used as delimiters, no long file names should be used. The system does not recognize semicolons as delimiters for these DLLs. Only the first 32 characters of the AppInit_DLLs value are picked up by the system. Because of this 32-character limit, all of the AppInit DLLs should be located within the SYSTEM32 directory. This eliminates the need to include a path, thus allowing multiple DLLs to be specified.

    Trojan Explorer Protection - Monitors for known Explorer trojans (spyware). Windows loads explorer.exe (typically located in the Windows directory) during the startup process. If a file named "explorer.exe" is placed in the C: directory (C:\explorer.exe), that file is loaded instead of the Windows explorer.exe. Worse, if c:\explorer.exe is a corrupt file, you are effectively locked out of your system after you restart. Worse yet, if c:\explorer.exe is a trojan (spyware), it is loaded. Unlike all other autostart methods, there is no need for any file or registry changes. The inserted file simply needs to be named c:\explorer.exe.

    Context Menu Handler - Prevents unauthorized changes to Windows Context menus. A context menu is the little menu that you get when you right-click something. Context menus change, based on what object is in focus when you right-click. A context menu handler is a shell extension handler that adds commands to an existing context menu. Context menu handlers are associated with a particular file class and are called when a context menu is displayed for a member of the class. While you can add items to a file class context menu with the registry, the items will be the same for all members of the class. By implementing and registering such a handler, you can dynamically add items to an object's context menu, customized for a particular object.

    Control.ini Policy - Prevents Internet Explorer control from showing in the Control Panel. It is possible to hide a control in the Control Panel by adding an entry into the file called control.ini, which is stored in C:\windows\control.ini. From within that file you can specify which specific control panels should not be visible. If inetcpl.cpl is set to no (inetcpl.cpl=no), that may be a sign that a piece of software is trying to make it difficult for you to change your settings, unless it is set to that value for a specific known reason by an administrator.

    Windows Password Protection - Prevents unauthorized changes to your Windows autologon preferences. Using Windows XP Professional, you can automate the logon process by storing your password and other pertinent information in the registry. Using this feature, other users can start your computer and use the account you enabled to log on automatically. Although enabling autologon can make it more convenient to use Windows XP Professional, using this feature is a security risk. Setting a computer for autologon means that anyone who can physically obtain access to the computer can gain access to all of the computer's contents, potentially including any network or networks to which it is connected. A second risk is that enabling autologon causes the password to be stored in the registry in plain text. The specific registry key that stores this value is remotely readable by the Authenticated Users group. As a result, this setting is appropriate only when the computer is physically secured, and unauthorized users are prevented from remotely accessing the registry.

    Windows Update Service - Prevents modifications to your Windows Update Access settings. The Microsoft Windows operating systems include an Automatic Updates feature. If your computer is on and connected to the Internet, this feature can automatically download the latest Microsoft security updates. Windows Update Access Restriction prevents computers from connecting to the Windows Update Web site. This restriction prevents the computer from staying up to date with the latest Windows updates and service patches from Microsoft.

    Host File Protection - Monitors changes to your System Host file. If a new entry is made to the file, if an older entry is modified, or if an older entry is deleted, an action alert prompts you to either accept or reject the change. Spyware changes your host file listings for one reason, to redirect your browser to a chosen Web site. Your browser references your Host file. It performs, for specific Web site addresses, a translation (Host File Redirection) from Domain Name (the URL address for a Web site) to IP Address (a series of numbers that references the physical connection of a computer or server on the Internet). For example, when you enter www.somesite.com into your browser, you go to the somesite.com Web site. That Web site has an IP Address, but you do not need to know what it is, because your browser uses the Domain Name to find the site. If, however, this entry is in the Host file: 192.168.0.12 www.somesite.com, each time you enter www.somesite.com into your browser, the browser checks the Host file, matches what you type to a listing for "somesite.com", and automatically converts what you type into the IP address in that listing. Your browser goes to the Web site at 192.168.0.12, which could be anything that the spyware attacker wants to display. The Host file should not require modification. Some Hijackers use this technique to redirect popular sites to their Web site. For example, it is possible to redirect all popular search engines to a Web site of your choice. That kind of attack can be very hard for the average user to fix, and will most likely require specialist software or detailed removal instructions. Other practices involve changing auto.search.msn.com to redirect to a Web site, so whenever a user types in an incorrect URL, the browser is redirected to auto.search.msn.com. That is then resolved to a different IP address of the hijacker's choice. Reset Web Settings does not fix a Host file Hijack. It only resets the search page to auto.search.msn.com. The Host file remains altered, and any redirection listing remains active.
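    The change detection described for Host File Protection, sketched as an added example (not CounterSpy's code): it compares two snapshots of a hosts file and reports added, modified and deleted entries. The snapshot contents are constructed; only 192.168.0.12, www.somesite.com and auto.search.msn.com come from the text above, and the function names are hypothetical.

```python
import ipaddress


def parse_hosts(text):
    """Return {hostname: ip} for each usable mapping line in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and padding
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank, comment-only or incomplete line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # first field is not an IP address
        for name in fields[1:]:                   # one line may list several names
            mapping.setdefault(name.lower(), ip)  # keep the first mapping seen for a name
    return mapping


def diff_hosts(baseline_text, current_text):
    """List (kind, hostname, old_ip, new_ip) for added, modified and deleted entries."""
    before, after = parse_hosts(baseline_text), parse_hosts(current_text)
    changes = [("added", n, None, after[n])
               for n in sorted(after.keys() - before.keys())]
    changes += [("modified", n, before[n], after[n])
                for n in sorted(before.keys() & after.keys())
                if before[n] != after[n]]
    changes += [("deleted", n, before[n], None)
                for n in sorted(before.keys() - after.keys())]
    return changes


def redirected_names(changes):
    """Names that an added or modified entry now sends to a non-loopback address."""
    return [name for kind, name, _old, new in changes
            if kind in ("added", "modified")
            and not ipaddress.ip_address(new).is_loopback]


# Constructed snapshots: a known-good baseline and the file after tampering.
BASELINE = """\
# constructed baseline
127.0.0.1   localhost
10.0.0.5    intranet.example    # internal site
10.0.0.9    printer.example
"""

CURRENT = """\
127.0.0.1     localhost
192.168.0.12  www.somesite.com
192.168.0.12  auto.search.msn.com
10.0.0.66     intranet.example
"""

if __name__ == "__main__":
    found = diff_hosts(BASELINE, CURRENT)
    for change in found:
        print(change)
    print("review these names:", redirected_names(found))
```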

    Ini File Mapping - Prevents hazardous applications from being installed in an .ini file mapping location. Newer versions of Windows (2000, XP, etc.) do not generally use the system.ini and win.ini files. Instead, for backwards compatibility, they use a function called IniFileMapping. Ini file mapping puts all the contents of an .ini file into the registry, with keys for each line found in the .ini key stored there. When you run a program that normally reads its settings from an .ini file, Windows first checks the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping, to see if there is an .ini setting that has been mapped to that file. If a mapping is found, Windows takes settings from there.

    Windows Protocols - Prevents hijacker threats from overriding standard protocol drivers. A technique of some sophisticated spyware is to take control of certain ways your computer sends and receives information. This is accomplished through the Windows protocols filters and handlers. Common offenders to this are CoolWebSearch, Related Links, and Lop.com. Technical Information: Internet Explorer uses two mechanisms for registering new URL protocol handlers. The first method is to register a URL protocol and its associated application so that all attempts to navigate to a URL using that protocol launch the application (for example, registering applications to handle mailto: or news: URLs). The second method uses the Asynchronous Pluggable Protocols API, which allows you to define new protocols by mapping the protocol scheme to a class.

    Windows Restrict Anonymous - Prevents modifications to your Windows Restrict Anonymous settings. Windows has a feature that allows anonymous users to list domain user names and enumerate share names. Users who want enhanced security may restrict this functionality. Windows provides a mechanism for administrators to restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. For example, the Windows NT ACL editor requires listing account names from Domain Controllers, in order to obtain a list of users and groups in order for a user to be able to select users and grant them access rights. Windows NT Explorer also uses listing account names in order to grant access to shared files. Windows NT networks based on a single Windows NT domain will always be able to authenticate connections to list domain account information. Windows NT networks that use multiple domains may require anonymous user logon to list account information. A brief example shows how anonymous connections are used. Consider two Windows NT domains, an account domain and a resource domain. The resource domain has a one-way trust relationship with the account domain. That is, the resource domain "trusts" the account domain, but the account domain does not trust the resource domain. Users from the account domain can authenticate and access resources in the resource domain based on the one-way trust. Suppose an administrator in the resource domain wants to grant access to a file to a user from the account domain. They would want to obtain a list of users and groups from the account domain, so that they can select a user or group and grant access rights. Since the account domain does not trust the resource domain, the administrator request to obtain the list of users and groups from the resource domain cannot be authenticated. The connection is made using a NULL session to obtain the list of account domain users.

    Shared TaskScheduler - It prevents unauthorized programs from being added as auto start values when Windows loads. The files listed in Shared TaskScheduler run automatically when you start Windows. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, and is included in Windows 95 if the Microsoft Plus Pack is installed.

    Windows Shell Execute Hooks - Prevents changes to your system's Shell Execute Hooks. Shell execute hooks are programs that load into the Windows shell, Explorer.exe. A shell execute hook program receives all the execute commands that are run on a computer. This type of integrated program can either accept or reject a command to launch a particular program.

    Approved Shell Extensions - Prevents unauthorized changes to Windows Shell Extensions. Shell Extensions allow developers to add functionality to the existing Windows shell. Some examples of shell extensions are Context Menus (menus that change, based on what object is in focus when you right-click), Property Sheet Handlers (tabbed pages that appear when the Properties menu item is selected from an object's context menu), Icon Overlays (appear as the arrow on top of an icon that points to a shortcut or the hand that appears on shared folders), and Folder Customizations. These and other extensions can be added to the Windows Shell.

    Windows Shell Open Commands - Prevents changes to your system's Shell Open Commands in the Windows Registry File. What is a Shell Open Command? Windows executes instructions in the Windows Registry File. The HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry is subject to spyware attack. A spyware command embedded there can cause a program to run when any other program is started. If keys don't have the "\"%1\" %*" value as shown, and have been changed to something like "\"somefilename.exe %1\" %*", then the Shell Open Command automatically runs that specified file. Many spyware worms and trojans make changes to the Windows Registry file. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or trojan can run every time you run certain programs. For example, if the \exefile\shell\open\command key is changed, the threat will run every time that you run any .exe file. These spyware threats can also stop you from running the Registry Editor to try to fix this.
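    A check for the Shell Open Command tampering described above, as an added example (not CounterSpy's code): it reads the text of a Registry Editor export, which writes the value with the same \" escaping shown in the guide, and flags any shell\open\command default that differs from "%1" %*. The export below is constructed, the comfile entry and all function names are assumptions, and the comparison applies only to file classes whose normal value is "%1" %*.

```python
import re

EXPECTED = '"%1" %*'   # the unmodified value given in the guide

SECTION = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$', re.I)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')   # "@" is the key's default value


def unescape(value):
    """Undo the .reg escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r'\1', value)


def open_commands(reg_text):
    """Return {file_class: command} for each shell\\open\\command key in an export."""
    commands, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1).lower()
            continue
        if line.startswith("["):
            current = None                  # some other key: ignore its values
            continue
        value = DEFAULT_VALUE.match(line)
        if value and current:
            commands[current] = unescape(value.group(1))
    return commands


def inserted_program(command):
    """Return whatever was placed in front of %1, or None if nothing was."""
    match = re.match(r'^"?(.*?)\s*"?%1', command)
    if match is None:
        return command                      # no %1 at all: the whole value is suspect
    return match.group(1).strip('" ') or None


def audit(reg_text):
    """List (file_class, command, inserted_program) for every modified key."""
    return [(cls, cmd, inserted_program(cmd))
            for cls, cmd in open_commands(reg_text).items()
            if cmd != EXPECTED]


# Constructed export: exefile carries the tampered value quoted in the guide.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```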

    Shell Service Object DelayLoad - Prevents unauthorized programs from being added as auto start values when Windows loads. The files listed in ShellServiceObjectDelayLoad are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs. Technical Information: The ShellServiceObjectDelayLoad registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad) contains values that function in a way similar to the Run key. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

    Windows System.ini File - Monitors for additions and modifications to the Microsoft Windows System.ini file. The Microsoft Windows system.ini file is located in the Windows directory (C:\windows\system.ini). An initialization file is used by Microsoft Windows to initialize system settings for the computer. These include font, keyboard, language and other settings. The shell = statement in the system.ini file is used to designate what program acts as the Shell for the operating system. The Shell is the program that loads your desktop, handles windows management, and allows you to interact with the system. In Windows, that program is explorer.exe. Any program listed after the shell statement is loaded when Windows starts, and acts as the default shell. (There used to be some programs that acted as valid shell replacements, but they are generally no longer used.) It is possible to list other programs to launch when Windows loads, by adding to the same Shell = command line, such as Shell=explorer.exe spyware.exe. This line entry in the system.ini file would cause both programs, Windows Explorer and a spyware program, to start when Windows loads.

    User Shell Folders Protection - Prevents unauthorized changes to the system's User Shell Folder settings. Shell folders are special folders that Windows uses to indicate the default location for many types of files and data. These special folders are usually the more commonly used system folders such as My Documents, My Pictures, your Program Files folders and a number of other standard Windows folders. The default user shell folders location is in %USERPROFILE% which is "C:\Documents and Settings\user". Some common Shell folders include: CD Burning, Desktop, Document Templates, Favorites, Installation Path Windows Installer default install folder location, My Documents, My Music, My Pictures, Programs, SendTo, Shared Documents, Shared Music, Shared Pictures, Start Menu, Startup, Common Admin Tools, Common AppData, Common Desktop, Common Favorites, Common Programs, Common Start Menu, Common Startup, and Common Templates.

    Windows Directory Trojans - Warns you when an application tries to replace a known Microsoft System file with a file that has been altered. A Windows System File belongs to a set of files that are required for the Windows operating system to function normally.

    Windows Extensions - Prevents unauthorized changes to the system's list of Windows Extensions. Windows Extensions are used to associate data files with the application that works with that type of file. For example, the extension ".doc" is associated with the MS Word application.

    Windows Win.ini File - Monitors for additions and modifications to the Microsoft Windows Win.ini file. The Microsoft Windows initialization file is located in the Windows directory (C:\windows\win.ini). The win.ini file is used to load settings every time Microsoft Windows starts. For example, it loads communications drivers, the selected Windows wallpaper, the selected screen saver, language settings, and font settings. These and other settings are loaded according to the instructions in the win.ini file. If this file becomes corrupted, Microsoft Windows will either not load, or will encounter errors as it loads. Any programs listed after the run= or load= command in the win.ini file will load when Windows starts. This run= statement was mostly used with older versions of Windows but for backwards compatibility, the feature still exists. Most programs today do not use a win.ini setting, and if you do not use older programs, entries for those programs should not exist. The load= statement was designed to load drivers for your hardware, but is not generally used today.
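The shell= line in system.ini and the run=/load= lines in win.ini can be checked with a short script. This is an added example, not code from CounterSpy or Sunbelt; the sample file contents are constructed, and the section names ([boot] for shell=, [windows] for run= and load=) are standard Windows locations that this guide does not spell out.

```python
import re

# Constructed sample files (not taken from a real machine).
SAMPLE_SYSTEM_INI = """\
; for 16-bit app support
[drivers]
wave=mmdrv.dll
[boot]
Shell = explorer.exe spyware.exe
"""

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\oldapp\\tray.exe, helper.exe
[fonts]
"""


def read_ini_values(text, section, keys):
    """Return {key: value} for the given keys inside [section].

    Section and key names are matched case-insensitively, as Windows does.
    """
    wanted = {k.lower() for k in keys}
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current == section.lower() and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in wanted:
                found[key.strip().lower()] = value.strip()
    return found


def split_programs(value):
    """Split an autostart value on spaces or commas; quoted paths stay whole.

    Limitation: an unquoted path that contains spaces is split into pieces,
    so each piece is reported separately for manual review.
    """
    return [p.strip('"') for p in re.findall(r'"[^"]+"|[^\s,]+', value)]


def audit_system_ini(text, expected_shell="explorer.exe"):
    """Flag every program on the shell= line other than the bare expected shell."""
    shell = read_ini_values(text, "boot", ["shell"]).get("shell", "")
    return [("system.ini", "shell", prog)
            for prog in split_programs(shell)
            if prog.lower() != expected_shell]


def audit_win_ini(text):
    """Report every program named on load= or run=; on a current system
    both lines are normally empty, so any entry deserves a look."""
    values = read_ini_values(text, "windows", ["run", "load"])
    return [("win.ini", key, prog)
            for key in ("load", "run")
            for prog in split_programs(values.get(key, ""))]


if __name__ == "__main__":
    for finding in audit_system_ini(SAMPLE_SYSTEM_INI) + audit_win_ini(SAMPLE_WIN_INI):
        print("review: %s %s= -> %s" % finding)
```

A full path on the shell= line is flagged even when its file name is explorer.exe, because a copy placed outside the Windows directory is exactly what this check should surface.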

    Winlogon Shell - Prevents unauthorized changes to your Winlogon Shell setting. The Winlogon Shell is automatically loaded when a user logs into Windows. The Shell is the main User Interface (GUI) that the user uses to manage Windows. In most cases, this is Windows Explorer (Explorer.exe). However, the Windows Shell can be easily changed to point to another program. If this is the case, this program will be launched every time a user logs in.

    Windows Logon Policies - Prevents unauthorized additions and modifications to the Windows logon policies. The Windows NT logon utility manages user logons and logoffs. The utility prompts you for a password when you log on and allows you to log off or shut down. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a graphical identification and authentication dynamic-link library (DLL) (referred to as the GINA), and any number of network providers.

    Winlogon Userinit - Prevents unauthorized changes to your Winlogon Userinit setting. Specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface. You can change the value of this entry to add or remove programs. For example, to have a program run before the Windows Explorer user interface starts, substitute the name of that program for Userinit.exe in the value of this entry, then include instructions in that program to start Userinit.exe. You might also want to substitute Explorer.exe for Userinit.exe if you are working off-line and are not using logon scripts. (Note: The entry remains in the registry to support programs designed for Windows NT 4.0 or earlier.)

    WOW Boot Shell - Prevents spyware from loading a particular file when Windows starts. WOW\Boot\Shell is a Windows registry entry that allows a program to be loaded when Windows loads.

    Application Monitors

    Application Monitors provide real-time protection against threats that make changes to your installed applications. This can include software that modifies your Internet Explorer or downloads ActiveX applications from the Internet.

    ActiveX Installations - It monitors for ActiveX applications that are being downloaded with Internet Explorer. If the ActiveX program being downloaded and installed is known to be safe, the Monitor automatically allows it. If it is known to be spyware or poses a potential threat, the Monitor automatically blocks it, warns you, and prompts you for action. ActiveX applications are programs that are downloaded from Web sites and stored on your computer. These programs are stored in C:\windows\Downloaded Program Files. They are also referenced in the registry by their CLSID, which is the long string of numbers between curly braces. Internet Explorer regularly uses many legitimate ActiveX applications. You can delete most ActiveX applications from your computer without problem, because you can download them again. Many of the current security vulnerabilities that exist in Microsoft's Internet Explorer Web browser exist in the service called "active scripting". Active scripts are programs written in JavaScript, or sometimes Microsoft's VBScript and ActiveX. Active scripting can install spyware on your computer. It is a method known as "drive-by downloading". While it is possible to disable active scripting completely, there are legitimate sites for which you want active scripting enabled. For example, http://windowsupdate.microsoft.com (Windows Update Service) uses active scripting, as do many other legitimate Web sites. There may be Webmail sites that use active scripting. Some sites with high amounts of contents such as CNN's news site can also make heavy use of scripts. Online commerce sites such as CDW and PC Connection also use scripts in their sites. Fortunately, Internet Explorer has, in its design, a way to identify "trusted sites". That is, it is possible to disable active scripting on a general basis, but enable it for sites that you routinely visit, such as your Webmail or online commerce sites.

    Browser Helper Objects - Monitors additions of Internet Explorer BHOs (Browser Helper Objects). If the BHO being installed is known to be safe, the Monitor automatically allows it. If it is known to be spyware, the Monitor automatically blocks it, and then warns you. A 'Browser Helper Object' (BHO) is an application that extends Internet Explorer and acts as a plug-in. Spyware, as well as browser hijackers, often use BHOs to display ads or follow your moves across the Internet. A number of legitimate applications such as the Google or Yahoo toolbars also use BHOs. Applications that install BHOs are becoming more and more popular because BHOs allow application developers to control Internet Explorer. BHO technology has allowed the development of some very powerful applications that provide useful functionality to its users. For example, Alexa uses a BHO to monitor page navigation and show related page links. GetRight and Go!Zilla use BHOs to monitor and control file downloading. Flyswat, Quiver, Blink, and iHarvest use BHOs to extend and control Internet Explorer. It is possible that there are BHOs installed on your computer that you do not know about. What this means is that while there are some good uses for BHOs, they may not necessarily need your permission to install. Some are used for malicious purposes, like gathering information about your Internet usage habits. A lot of spyware and BHOs are poorly written. This can cause anything from incompatibility issues to the corruption of important system functions. This can make unsolicited BHOs not only a threat to your security, but to your system's stability.

    Disable Regedit Policy - Prevents spyware from disabling the Regedit functionality. The Disable Regedit Policy prevents Regedit from being run, because an entry in the registry has changed. Regedit is a system application that is used to change settings in the system registry. The registry contains information about how your computer runs and what software is installed on the computer. Changing the registry improperly can result in your system no longer working. Note: Many administrators for corporate networks lock this on purpose.

    Internet Explorer Security Settings - Monitors for changes in Internet Explorer settings that could compromise some of the more secure settings. This could allow a remote Web site to exploit your computer, possibly allowing ActiveX controls to be installed with a "drive-by download". Your browser security preference settings are your first line of defense in stopping the theft or unwanted viewing of confidential, personal information. The most popular browsers offer you the ability to receive an alert or notification when any of the following occurs: (1) changes between secure and insecure transmission modes, (2) invalid site certificates (this setting notifies you when a site's SSL certificate is invalid or has expired, and an invalid certificate will deactivate SSL), (3) a transmission is sent over an "open" or unsecured connection, (4) a forms submittal is redirected (this setting warns you if information being submitted on a Web-based form is being sent to a Web site other than the one that you are currently viewing).

    Tip: Here are more ways to improve your Internet Explorer security: (1) My PC Checkup can recommend and automatically modify security settings. (2) Microsoft Internet Explorer offers advanced security options. To access these options in Internet Explorer: Select Tools | Internet Options, and then select the Advanced tab. Among other choices, the Advanced tab contains a Security section that includes several configuration options pertaining to encrypted communications. Although most of the default settings are acceptable, certain security levels disable the first four items by default. You should enable these four items for maximum browser security: (1) Check for publisher's certificate revocation, (2) Check for server certificate revocation (requires restart), (3) Do not save encrypted pages to disk, and (4) Empty Temporary Internet Files folder when browser is closed.

    Internet Explorer Third Party Cookies - Prevents unauthorized cookies from being added as acceptable 3rd party cookies. Cookies are little files that Web sites drop onto your computer, so that they can recognize you on your return visits. Many cookies are quite useful. For example, those that let sites identify you and log you in automatically to private member areas. Others are not so benign. Some gather information without your knowledge and track your Web usage. Third-party cookies are those planted by Web sites that are external to the one you are visiting. For example, sites such as www.ninemsn.com use third-party cookies for advertising purposes. First-party cookies are those used by the site you are actually viewing.

    Internet Explorer Explorer Bars - Monitors modifications made to your list of Internet Explorer Bar applications. An Explorer bar (or band) is a panel, similar to the Favorites, History or Search panels in Internet Explorer or Windows Explorer.

    Internet Explorer Extensions - Monitors modifications made to your list of Internet Explorer Extensions applications. Internet Explorer Extensions control buttons on the main Internet Explorer toolbar. They also control what items, in addition to those that are listed there by default, are displayed in the Internet Explorer 'Tools' menu.

    Internet Explorer Menu Extensions - It prevents spyware from changing your Internet Explorer Menu Extensions. Internet Explorer Menu Extensions are menu options found in the Context Menu of Internet Explorer. To see these options, right click the Web page you are viewing in the browser.

    Internet Explorer Plugins - Prevents hazardous spyware from installing Internet Explorer Plugins. Internet Explorer Plugins are pieces of software that get loaded when Internet Explorer starts. These pieces add functionality to the browser.

    Internet Explorer Reset Web Settings - Prevents spyware from changing your Internet Explorer 'Reset Web Settings' protection. Internet Explorer uses a file on your computer if you need to reset options to Windows defaults. That file is stored in C:\windows\inf\iereset.inf and contains all the default settings that will be used. When you reset an Internet Explorer setting to its default, Internet Explorer reads that file and changes the setting to the value listed in the file. If spyware changes the information in that file, you can be re-infected when you reset a feature, because Internet Explorer reads incorrect information in the iereset.inf file. Note: Be aware that it is possible for iereset.inf settings to be legitimately changed by a Computer Manufacturer or the Administrator of a computer.

    Internet Explorer Restrictions - Prevents Internet Explorer Restrictions. Internet Explorer Restrictions are administrative locks that prevent the changing of options or home page settings in your Internet Explorer. This is accomplished by changing some settings in the registry. Locked options should only be set by an administrator.

    Internet Explorer Security Zones - Prevents unauthorized changes to your Internet Explorer Security Zones. Internet Explorer 6 takes precautionary measures to help you have a secure browsing experience. Preserving the security of your computer when you browse the Web is a balancing act. The more open you are to downloads of software and other content, the greater your exposure is to risk. However, the more restrictive your settings, the less useful the Internet becomes. The security features of Internet Explorer 6 aim to strike an effective balance. When you first install Internet Explorer, it corrals all Web sites into a single zone, the Internet


    SearchUrl PostNotCached, and Internet Explorer SearchUrl mozilla.

    It is possible for a browser hijacker to change the default prefix that is appended to a URL when one is not included. For example, if you type in "google.com", the browser would normally add the http:// to the front of what you type. This part is called the "URL prefix", and it is not fixed to http://. The prefix values are stored in the registry at:

    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
    HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefix

    For example:

    If you change the default prefix from http:// to http://www.google.com/search?q= the browser will automatically go to google.com if you don't type the http:// part of a URL. With the default prefix value set to the above google.com URL, if you typed security.com into your browser address bar, you would not go to http://www.security.com. Instead, what you would get would be a search for "security.com" on google.com. Browser hijackers can make good use of this technique. Instead of querying a public search engine, like Google, the spyware could always cause your entry to query a private search engine instead. Internet Explorer URL prefixes that are monitored and protected include DefaultPrefix, ftp, gopher, home, mosaic, and www.
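The prefix substitution described above, together with a simple check for the six monitored prefix values, as an added example (not CounterSpy code). The snapshot values and the host search.example.invalid are constructed, and the rule that a healthy prefix is only a scheme followed by :// is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit

# Prefix value names the guide lists as monitored.
MONITORED = ("DefaultPrefix", "ftp", "gopher", "home", "mosaic", "www")

# Assumption of this sketch: a healthy prefix is a bare scheme such as "http://".
SCHEME_ONLY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://$")
HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def resolve_with_default(typed, default_prefix):
    """Model the behaviour described above: when the typed address has no
    protocol, the browser prepends the DefaultPrefix value unchanged."""
    if HAS_SCHEME.match(typed):
        return typed
    return default_prefix + typed


def audit_prefixes(values):
    """Return one finding per monitored prefix whose value carries a host,
    path or query, i.e. anything beyond the scheme itself."""
    lowered = {name.lower(): value for name, value in values.items()}
    findings = []
    for name in MONITORED:
        value = lowered.get(name.lower())
        if value is None or SCHEME_ONLY.match(value):
            continue
        findings.append({
            "name": name,
            "value": value,
            # Where typed addresses would actually be sent.
            "redirects_to": urlsplit(value).hostname or "(no host)",
        })
    return findings


# Constructed snapshot of the prefix values, as if exported from the registry.
SNAPSHOT = {
    "DefaultPrefix": "http://search.example.invalid/find?q=",
    "ftp": "ftp://",
    "gopher": "gopher://",
    "home": "http://",
    "mosaic": "http://",
    "www": "http://",
}

if __name__ == "__main__":
    for f in audit_prefixes(SNAPSHOT):
        print("%(name)s = %(value)s (sends typed addresses to %(redirects_to)s)" % f)
    print(resolve_with_default("security.com", SNAPSHOT["DefaultPrefix"]))
```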

    Internet Explorer WebBrowser - Prevents changes or additions to your Internet Explorer's WebBrowser. The Internet Explorer WebBrowser contains information and settings about an instance of Internet Explorer. If these settings are modified or a new WebBrowser is added, the new WebBrowser can take over full control of Internet Explorer. It can add toolbars, menus, buttons, or much more.

    Installed Components - Monitors for additions to your installed component list. An installed component is a program or application that is installed with the Windows Operating System. For more information, visit: http://support.microsoft.com/default.aspx?scid=kb;EN-US;123876

    Process Execution - Alerts you if an unknown process is attempting to run on your computer. If a known spyware process is trying to run, this Monitor prevents it from starting, and warns you that it has tried. It gives you the option to remove the spyware before it can run. This is a powerful feature, because it can prevent any known spyware installer from being able to install spyware onto your computer. An executed process is a program or application that is currently running on your computer. You can see a list of most running processes in your Task Manager.

    Application Restrictions - Prevents unauthorized additions and modifications to the applications restriction policies, as defined by the restrict run setting. An administrator can restrict what programs a user can run, by modifying the RestrictRun setting. Warning: If you are the person who applies Group Policy, do not apply a run restriction to your own computer. If applied too broadly, this policy can prevent administrators from running Group Policy or the registry editors. As a result, once applied, you cannot change this policy except by reinstalling Windows! Technical Information: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. The RestrictRun subkey contains a list of programs that restricted users can run. This list is used only when the value of the RestrictRun entry is 1. This subkey stores the contents of the Show Contents box in the Run only allowed Windows applications Group Policy. Group Policy adds this subkey and its entries to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this subkey and its entries from the registry. The entries in this subkey list all of the Windows programs that the affected users can run. If a program is not represented by an entry in this subkey, users cannot run the program. If no entries appear in this subkey, users cannot run any programs that Windows Explorer starts. Each entry in this subkey represents a Windows program, like Notepad. It contains the name of the executable file for the program, like Notepad.exe. (The number that names this entry represents only the order in which the programs are entered. It does not affect the feature.)

    Running Process - Alerts you if an unknown process is attempting to run on your computer. If a known spyware process tries to run, this Monitor prevents it from starting, and then warns you. CounterSpy gives you the option to remove the spyware, before it gets a chance to run. A running process is a program or application that is currently running on your computer. You can see a list of most running processes in the Windows Task Manager.

    Script Blocking - Prevents spyware or malicious scripts from running on your computer. A script is a program written with a scripting language, such as Visual Basic Script or JavaScript. It can be executed without user interaction. Scripts can be opened with text editors or word processing programs, so they are very easy to write or change. A script can be written to perform malicious activities when it is started. You can unknowingly receive a malicious script by opening an infected document or email attachment, viewing an infected HTML email message, or visiting an infected Internet Web site. Script Blocking detects Visual Basic, JavaScript and other script-based software, without the need for specific virus definitions. It monitors scripts for virus-like activity and alerts you if it is found.

    StartUp Files - Monitors additions and modifications to your list of startup programs. When a new program is added to your user startup folder or if one is added to the "all users" startup program folder, this Monitor alerts you. If the program being added is known to be safe, this Monitor automatically allows it to be added. If the program being added is known to be spyware, this Monitor automatically blocks it, and then warns you. If a program being added is unknown, you can select the Send Feedback checkbox to report it to Sunbelt's Research Center. Startup files are files (or shortcuts to files) that are located in your startup folder. Files that are in the startup folder are automatically loaded when Windows starts. If it is a program, the program starts. If it is a shortcut to a program, the program that the shortcut points to starts. If it is a file that is associated with a program, the associated program starts. For example: If you put a Microsoft Word document (or a shortcut to one) in your StartUp folder, Microsoft Word will automatically start, and it will open that document when your computer starts. If you put a music file (or a shortcut to one) in the startup folder, your audio software will start and it will play the music file. If you put an HTML file (or a shortcut to one) that contains a list of your Internet favorites in the startup folder, Internet Explorer (or your preferred browser) will start and it will open that Web page for you when the computer starts.


    The User Profile Startup Folder is your personal Startup folder. Each person who has a profile setting on the computer has a User Profile Startup folder. Any files or shortcuts placed in this folder are run when the user with that profile logs in. (In the path shown below, LoginName = the name you use to log onto the computer.) This folder is usually found in:

    C:\windows\start menu\programs\startup
    C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

    The All Users Startup Folder contains any files or shortcut files that are to run when any user logs onto the computer. This folder applies to all Windows NT, 2000, XP and 2003 versions. Possible folder paths are:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    Startup Registry Files - Monitors additions and modifications to the list of startup programs that are listed in your system registry keys. Startup registry keys are a number of registry entries in the Windows registry. They store paths to applications on your computer. Applications that are listed in any of these registry keys are automatically loaded when Windows starts. These keys generally apply to Windows 98, ME, NT, 2000, XP, and 2003.

    URL Search Hooks - Prevents unauthorized changes to your Internet Explorer's URL Search Hooks. A URL Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook in an attempt to try to find the location you are seeking. URL SearchHook is a COM object, which is used by the browser to translate the address of an unknown URL protocol. When attempting to browse to a URL address that does not contain a protocol, the browser will first attempt to determine the correct protocol from the address. If this is not successful, the browser will create URL Search Hook objects and call each object's Translate method until the address is translated or all of the hooks have been queried.


    System Tools

    My PC Checkup

    My PC Checkup helps tighten computer security. It updates your computer settings to recommended best practices security levels. My PC Checkup thoroughly scans your computer for over 1000 different settings, suggests recommended changes, and then allows you to execute the recommende