
Counterspy User Guide

Use of this software is subject to the End User License Agreement found in this User Guide (the "License Agreement"). By installing the software, you agree to accept the terms of the License Agreement. No part of this publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any language without the prior written permission of Sunbelt Software, Inc.

Uploaded by

Viktor Komaromi
Copyright
© Attribution Non-Commercial (BY-NC)

User's Guide


CounterSpy
Use of this software is subject to the End User License Agreement found in this User
Guide (the "License Agreement"). By installing the software, you agree to accept the
terms of the License Agreement. Copyright (c) 2004-2005 Sunbelt Software, Inc. All
rights reserved. All products mentioned are trademarks or registered trademarks of their
respective companies. Information in this document is subject to change without notice.
No part of this publication may be reproduced, photocopied, stored in a retrieval system,
transmitted, or translated into any language without the prior written permission of
Sunbelt Software, Inc.
REV. 01182005
Table of Contents

CHAPTER 1: WELCOME ... 3
CounterSpy Features ... 3
System Requirements ... 4
Customer Support ... 5
Installing CounterSpy ... 6
Before You Install ... 6
Installing ... 6
After Installing ... 7
Uninstalling ... 7
The CounterSpy Home Page ... 8
Access Icons ... 8
Important Information ... 9
Current System Status ... 9
The CounterSpy Toolbar ... 11
CounterSpy Menus ... 11
Getting Started ... 12

CHAPTER 2: WORKING WITH COUNTERSPY ... 18
Spyware Scans ... 18
Running a Scan ... 18
Reviewing the Last Scan ... 21
Scheduling Scans ... 21
Managing Quarantined Spyware ... 23
Active Protection ... 24
Enabling Active Protection ... 24
Active Protection in Action ... 25
Managing Blocked Items ... 26
Internet Monitors ... 27
System Monitors ... 29
Application Monitors ... 35
System Tools ... 42
My PC Checkup ... 42
The History Cleaner ... 43
The Secure File Eraser ... 44
My PC Explorers ... 46
CounterSpy Settings ... 54
Automatic Update Settings ... 54
Active Protection Settings ... 55
Alert Settings ... 56
ThreatNet Settings ... 56
Spyware Scan Settings ... 57
General Settings ... 57
Updating ... 58
How to Update ... 58
About your Subscription ... 60

APPENDIX A - WHAT IS SPYWARE? ... 61
How Spyware Is Installed ... 62
Is All Spyware Hazardous? ... 64
Signs of Spyware Infection ... 64
How to Maintain Protection ... 65
Avoid Spyware ... 65
Security Settings and System Updates ... 66
System and Tool Updates ... 66
Use Security Patches ... 67
Installing Patches Automatically Using Windows Update ... 67
Using the Windows Update Website ... 68
Keep CounterSpy Current ... 68
Prepare for Emergencies ... 69

APPENDIX B: FIGHT BACK! THREATNET ... 70
Join ThreatNet ... 70
ThreatNet Privacy Policy ... 70
Using ThreatNet with a Firewall ... 70

APPENDIX C: COMMON TERMS ... 72

Chapter 1: Welcome
CounterSpy is an anti-spyware product designed to protect your computer from
unwanted and hazardous spyware. CounterSpy detects spyware, adware, trojans, and
keyloggers, and then safely removes them from your computer. CounterSpy is considerably
more powerful than most anti-spyware products, and it takes a new approach to fighting
and preventing spyware. By identifying and removing spyware, CounterSpy protects you
from its negative effects, including slow Internet connections, pop-up advertisements,
reduced computer performance, the loss of private information, or even identity theft.

Spyware is software that is installed onto your computer without your knowledge or
permission. It collects personal information, like the Web sites that you have visited or
even your user names and passwords. Spyware can generate a stream of unsolicited
advertisements, tax your computer, or affect your browser's home page or search page
settings. For more information about Spyware, see page 61.

CounterSpy uses a number of methods to keep your computer protected from spyware.
It monitors your computer for known and unknown spyware. Known spyware programs
are detected and identified by name. Unknown spyware is spyware for which
CounterSpy does not yet have a definition.

CounterSpy Features
Spyware scans – CounterSpy's scanning engine scans your entire system,
including in-depth scans of your computer's hard drives, memory, processes, registry,
and cookies. It uses a continually updated database of thousands of known spyware
signatures to provide you with ongoing, accurate protection. Spyware scanning can
be done manually (on-demand scanning) or on a scheduled basis.

Active Protection – Active Protection protects your computer, privacy, and personal
information from hidden spyware threats before they can attack. Internet, System,
and Application Monitors look at over 50 security checkpoints, comparing any
unknown activity with the most up-to-date database of spyware threats at Sunbelt's
Research Center – stopping new spyware in its tracks.

System Tools – My PC Explorers let you explore and manage key elements of
your system that are normally hidden and difficult to change. My PC Checkup helps
keep your computer secure by updating your computer settings to recommended
security levels. The History Cleaner is a privacy tool that removes all Internet
History usage logs and 75 different activities. The Secure File Eraser is a powerful
deletion tool that ensures the complete destruction of any files you wish to remove
from your machine.

CounterSpy ThreatNet – ThreatNet provides ongoing Spyware threat information,
which is used to update the CounterSpy spyware database. ThreatNet is a
revolutionary network community that connects diverse CounterSpy users to share
and identify new applications and signatures. This information helps block new
spyware.

System Requirements
Operating Systems - To use CounterSpy, your computer must have one of the
following Windows operating systems:
• Windows 98SE/Me
• Windows 2000 Professional
• Windows XP Professional/Home Edition
• Windows 2003 Server
Note: It is recommended that Service Pack 2 for Windows XP be installed BEFORE
installing CounterSpy.
Note: If you are planning to upgrade your Windows operating system from Windows
98/Me to Windows 2000/XP, you must uninstall CounterSpy first and then reinstall
after the upgrade is complete.
Note: Installation of CounterSpy is not supported on Windows 95/NT, Macintosh, or
Linux computers.
System Requirements - Your computer must meet the following minimum
requirements. If you are installing on Windows 2000/XP/2003, you must install with
administrator privileges.

Windows 98SE/Me
• Intel Pentium processor (or compatible) at 133 MHz for Windows 98; 150 MHz
for Windows Me
• 64 MB of RAM (128 recommended if running Active Protection)
• 20 MB of available hard disk space
• Internet Explorer 5.0 or later

Windows 2000 Professional Edition


• Intel Pentium processor (or compatible) at 133 MHz or higher
• 64 MB of RAM (128 recommended if running Active Protection)
• 20 MB of available hard disk space
• Internet Explorer 5.0 or higher

Windows XP Professional/Home Edition


• Intel Pentium processor (or compatible) at 300 MHz or higher
• 128 MB of RAM
• 20 MB of available hard disk space
• Internet Explorer 5.0 or later

Customer Support
Sunbelt Software offers a number of avenues for obtaining technical support for
CounterSpy.
CounterSpy Knowledge Base contains answers to many frequently asked questions
about CounterSpy.

Online Technical Support


Go to www.sunbelt-software.com/support. Click Ask a Question and fill out the form to
send your electronic inquiry to Sunbelt's technical support staff.

Email
Technical Support: support@sunbelt-software.com
Sales: sales@sunbelt-software.com
Customer Service: customerservice@sunbelt-software.com

Sunbelt Software
101 N. Garden Ave.
Clearwater, FL 33755
Phone: (727) 562-0101
Toll-free technical support: 877-673-1153

Installing CounterSpy
Before You Install
If you have an older version of CounterSpy, installing a new version automatically
removes the previous version. You can transfer existing option settings to the new
version during installation.
Before you install CounterSpy, here are suggestions on how to prepare your computer:
• If you have any other anti-spyware programs on your computer, you should
uninstall them and restart your computer before installing CounterSpy.
Although removing other anti-spyware programs is not required, it is
recommended. CounterSpy might detect spyware that is already quarantined by
another anti-spyware program, especially if the other anti-spyware program does
not secure its quarantined files.
To uninstall other anti-spyware programs, see the user documentation that came
with the program.
• Close all other Windows programs before installing CounterSpy, including those
programs displayed in the Windows tray.

Installing
To install CounterSpy:
1. If you are installing CounterSpy from a CD, insert the CounterSpy CD into the
CD-ROM drive.
2. In the CounterSpy window, click CounterSpy. (Skip to step number 4.)
Note: If your computer is not set to automatically open a CD, navigate to the CD
drive and then double-click the setup.exe icon.
3. If you downloaded your copy of CounterSpy, locate and double-click on the
downloaded file: CounterSpy.exe.
4. The opening installation window reminds you to close all other Windows
programs. Close those now.
5. Click Next to continue.
6. Read the License Agreement and then click I accept the license agreement. If
you decline to accept the License Agreement, you cannot continue with the
installation.
7. Click Next to continue.
8. If you are upgrading from an older version of CounterSpy, you can opt to keep
your option settings. Click Yes to keep previous settings.
9. Select the folder where you want CounterSpy to be installed, and then click Next.
10. Confirm the installation location, and then click Next.
11. After the installation is complete, click to check the Launch CounterSpy
checkbox.
12. Click Finish to exit the installation.
Sometimes installing CounterSpy requires you to restart your computer. If that is
necessary, you will see a message that tells you to restart your computer.
If you are installing CounterSpy for the first time, follow the on-screen instructions
and let the CounterSpy Setup Assistant guide you.

After Installing
The Setup Assistant guides you through steps to configure CounterSpy. The process
does not take a long time. With a few short steps, you will be ready to run a
comprehensive spyware scan, disinfect your system and equip it to detect and eliminate
spyware threats.
You will set up the automatic update features, enable Active Protection, decide whether
to participate in ThreatNet, and run your first CounterSpy scan.

Uninstalling
If you need to remove CounterSpy from your computer, you can use the Add/Remove
Programs option from the Windows Control Panel or the Uninstall CounterSpy option
from the Programs menu. During uninstall, Windows may indicate that it is installing
software. Disregard this standard Microsoft installation message.

To uninstall CounterSpy using the Windows Control Panel:


1. On the Windows taskbar, click Start > Settings > Control Panel.
or
1. On the Windows XP taskbar, click Start > Control Panel.
2. In the Control Panel, double-click Add/Remove Programs.
3. In the list of currently installed programs, click CounterSpy.
4. In Windows 2000/Me, click Change/Remove.
In Windows 98, click Add/Remove.
In Windows XP, click Change.
5. Click Yes to confirm that you want to uninstall the product. If you have files in
Quarantine, you are asked if you want to delete them. Your options are:
Yes - Delete the quarantined files from your computer.
No - Leave the quarantined files on your computer, but make them inaccessible.
6. Click Finish, and then click Yes to restart your computer.

The CounterSpy Home Page
The CounterSpy Home Page is a great place to start, as it serves as the main console
for the entire application. From here, you can access most of CounterSpy's features and
view information about such things as previous scans and CounterSpy settings.

Figure 1: The CounterSpy Home Page.

Access Icons
Three icons on the CounterSpy Home Page take you directly to CounterSpy features.
Click an icon to perform that action or manage those options.

Spyware Scan – Click the Spyware Scan icon to scan your computer, set
scan options, schedule when scans run, view previous scan results, and view quick
stats about CounterSpy. Click Run a spyware scan to start a spyware scan.

Active Protection – Click the Active Protection icon to work with Active
Protection Monitors or to manage blocked items. Active Protection gives you real-
time protection against spyware threats.

System Tools – Click the System Tools icon to use one of CounterSpy’s
powerful system configuration and privacy protection tools. Here, you will find The
PC Explorers, My PC Checkup, the History Cleaner, and the Secure File Eraser.

Important Information
The Important Information area of the CounterSpy Home Page displays messages and
announcements, based on the status of your CounterSpy installation. Watch the
messages for notices and information that can improve CounterSpy’s performance and
your computer’s security.

Current System Status


The Current System Status section of the CounterSpy Home Page lets you view at a
glance the results of spyware scans, your current protection level, and whether or not it’s
time to update spyware definitions. A Warning or Requires Attention notification appears
when you need to complete a task. Click on an item to go to that CounterSpy feature.
To manage an item in the list, mouse-over that item. CounterSpy displays a popup
window with more information, to help you complete the task.

Figure 2: View a summary. Click to go to that feature.

Last Spyware Scan - Shows the time of the last full spyware scan. In order to keep
your computer free of spyware, run a spyware scan at least once a day. You can do
this manually, or use the spyware scan scheduler.

Last Spyware Scan Results – Summarizes the result of the last spyware scan and
notifies you if your attention is required. For example, if a scan detected spyware
threats, but action has not yet been taken.

Next Scheduled Scan - Displays the time of the next scheduled spyware scan,
based on your schedule settings. Use the scheduled spyware scan to check for and
remove spyware on a regular basis. When the scheduled time arrives, CounterSpy
launches a full spyware scan that runs in the background.

Figure 3: Mouse-over an item in the status list to see more information.

Active Protection - Shows the status of the Active Protection. Active Protection
provides real-time protection against spyware and other malicious threats that may
attack your computer.

Spyware Definitions - Shows the last time you updated spyware definitions and
indicates if definitions are up to date.

Automatic Updates - Shows whether you have CounterSpy's Automatic Updates
feature activated. When you connect to the Internet, the update service automatically
checks to see if new spyware definitions or software updates are available. If they
are available, CounterSpy downloads them.

Help
Click the Help button on CounterSpy pages to see information about
that screen.
Some CounterSpy pages have explanations about specific tasks or settings. When you
see an exclamation point, click the link beside it to learn more about that specific
item.

The CounterSpy Toolbar
When you leave the CounterSpy Home Page, the CounterSpy Toolbar makes it easy to
get around.

Figure 4: Use the toolbar to get around in CounterSpy.

CounterSpy Menus
CounterSpy’s Command Menus are another way to navigate to the information you need
to view or to a task you want to complete.

Figure 5: The CounterSpy Command Menus.


File Menu – Register CounterSpy, Check for updates, or Close CounterSpy.
View Menu – View a Summary, run a Scan, Manage Spyware Quarantined, Manage
Spyware Scan Schedule, view Spyware Scan History, view Active Protection
monitors, view Blocked events, Security Agents, view My PC Explorers, run My PC
Checkup, use History Cleaner, or use Secure File Eraser.
Help Menu – Open the CounterSpy Help System, run the Setup Wizard,
communicate with Technical Support or ThreatNet, purchase or extend your
subscription, contact Sunbelt Software online, view and generate helpful information
about your CounterSpy software.

Getting Started
These steps will get you started with CounterSpy. You will run a Scan to remove
spyware, turn on Active Protection to protect against spyware attacks, run My PC
Checkup to set computer security, erase personal information, and check for
CounterSpy updates.
To run a spyware scan:

1. From the CounterSpy Home Page, click the Spyware Scan icon.
2. Click Scan Options.
3. Click to select Intelligent quick scan.

Figure 6: Select scan options.


4. Click Scan Now.

Figure 7: A scan in progress.

At the end of the scan, CounterSpy displays a brief summary of the scan results.

Figure 8: Scan Result Summary.


5. Click View Results to close the little summary window and view a list of any
discovered spyware.
The list shows you information about each piece of discovered spyware.
CounterSpy assigns every item a threat level and suggests a Recommended
Action. All of this can help you decide what action to take. The Recommended
Action drop-down list is safely set to the action suggested by CounterSpy, so you
can continue.

Figure 9: Scan Results.


6. Click Take Action to have CounterSpy take the suggested actions to rid your
computer of spyware.
Congratulations! You have just cleaned spyware from your computer. Now learn to
protect it.

To keep your machine protected from new threats, CounterSpy’s Active Protection
Monitors can block spyware before it is installed. Check that CounterSpy’s Active
Protection Monitors are enabled.

7. From the CounterSpy Home Page, click the Active Protection icon.

Figure 10: Active Protection Categories.


You might have enabled Active Protection when you set up CounterSpy.
A green check indicates that the Active Protection Monitors in that category are
enabled.
A red X means that the Monitors in that category are not enabled and your
attention is required.
8. If all three categories have green checks, skip to the next page.
9. If any categories have a red X, click those categories to manage those Active
Protection monitors.
When you click a category, CounterSpy displays the monitors in that category.
10. Click Enable in the Monitors Status area.

Figure 11: Active Protection is enabled.
Once Active Protection is enabled, spyware is stopped before it is installed.
When a change is made to your computer, CounterSpy alerts you by displaying a
small notification window in the bottom right corner of the computer screen.
CounterSpy makes a decision to allow the change, block the change, or ask you to make
a decision.

Figure 12: Active Protection detects changes.

You have scanned your computer for spyware and turned on Active Protection. Now
have CounterSpy update your computer’s security. Run My PC Checkup to make sure
your computer settings are set at recommended security levels.

11. From the CounterSpy Home Page, click the System Tools icon, and then
click My PC Checkup.

Figure 13: My PC Checkup tightens security.


12. Click Start.
When the checkup is complete, CounterSpy displays the Results of Analysis.
This contains a list of security items that can be protected. CounterSpy flags
hazardous security items. The first time you run My PC Checkup, there may be
many suggested items. Subsequent My PC Checkups will find fewer changes to
suggest. CounterSpy is self-tuning, and when you also use Active Protection, it
helps keep your computer secure.

Figure 14: My PC Checkup results.


13. Click Continue to have CounterSpy implement the selected security
enhancements. CounterSpy tells you how many settings were updated.
You have run a Spyware Scan, turned on Active Protection, and had My PC Checkup
tighten security settings. Next, use the History Cleaner to rid your computer of personal
information that you do not want to fall into the wrong hands.

14. From the CounterSpy Home Page, click the System Tools icon.
15. Click History Cleaner.
16. Click Check all to check all items in the list.

Figure 15: History Cleaner erases personal history.


17. Click Clean History.
Regularly updating CounterSpy is an important part of staying ahead of spyware. New
spyware is discovered every day. You can also schedule when you want CounterSpy to
check for updates.
Learn how to check for updates and check for them often.
18. Choose File menu | Check for updates.
You have scanned for spyware, enabled Active Protection, run My PC Checkup to
tighten security, used the History Cleaner to remove software usage information, and
checked for spyware definition updates.
The remaining documentation covers these and other CounterSpy features.
For further information, don’t hesitate to contact one of our friendly technical support
people at www.sunbelt-software.com/support (choose “Ask a Question”) for any
assistance you may need.

Chapter 2: Working with CounterSpy
Spyware Scans
Running a Scan
A CounterSpy scan of your computer looks at files and critical areas of your computer,
checking for any type of spyware. These are in-depth scans of your computer’s hard
drives and processes currently running, the Windows registry, and Internet cookies.
CounterSpy seeks out and provides you options to remove both known and potentially
hazardous, unidentified spyware threats.
You can scan for spyware manually or you can use the Schedule Spyware Scan to
schedule when to have CounterSpy perform a full system scan for spyware threats.
For more information about scheduling scans, see page 21.
To run a manual spyware scan:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
Spyware Scan icon.
Tip: You can also run a spyware scan from anywhere in CounterSpy, by
choosing View menu | Spyware Scan | Run a Scan Now.
2. Click Scan Options to display and select any scan options that apply.
Intelligent quick scan - An Intelligent quick scan runs a complete scan of your
computer where most spyware may be found. This takes only a few minutes, and
can detect more than 99% of known spyware threats. This is the default setting.
Full system scan - A full system scan lets you select from additional scanning
options, in order to perform a more in-depth or customized scan.
Scan memory - A memory scan does an in-depth scan of the processes that
are currently running in memory. It also checks each process that is loaded to
see if it is spyware.
Scan selected drives / folders - A custom file/folder scan lets you select
specific hard drives, folders, or files to include in the scan. Click after the
arrows to open a dialog where you can choose exactly what you want
scanned and not scanned. Note: CounterSpy scans known locations on the
C: drive or operating system installed drive, before scanning other drives.
Deep scan selected folders - A deep scan is a very in-depth scan of your
system. Although this scan is very accurate, it takes much longer to finish.
Scan cookies - This allows you to scan for known spyware Internet cookies.
These can track your Web surfing habits or provide targeted advertising.
Save these options - Save your spyware scan settings. CounterSpy uses your
saved options the next time a scan is run.

Figure 16: Select scan options.

3. Click Scan Now. At the end of the scan, CounterSpy displays a summary of the
results.

Figure 17: Scan Result Summary.

4. (Optional) Click Do not display this window after a spyware scan to have
CounterSpy skip the summary after a scan in order to go immediately to the list
of discovered spyware.
5. Click View Results to close the summary.
CounterSpy generates a list of spyware that is found during a scan. It provides
information about each piece of spyware, assigns a threat level, and suggests a
Recommended Action. All of this can help you decide what action to take.
6. (Optional) Click a threat to highlight it and display Spyware Details about that
piece of spyware.
To find out more about the highlighted threat, click the link Learn more about
this spyware..., located at the bottom of the Spyware Details section. This
displays such information as a detailed description, threat alias names, security
and stability information, and information about the author.
7. (Optional) Click the plus sign (+) to view all detected locations. Threat locations
are the files, folders and registry keys where a threat has installed on your
computer. When deleting or quarantining a threat, all areas where the threat is
present are cleaned. Click a location in the list to learn more about that
location.

Figure 18: Select a spyware threat to view Spyware Details.

8. Review the Threat Level for the selected spyware. Move the cursor over the
threat level indicator. When you see a "?", click and hold to read a definition.
9. Review the Recommended Action drop-down list. It is preset to the action that
CounterSpy suggests.
10. (Optional) Use the Recommended Action drop-down list to select an action other
than the one CounterSpy suggests.
Ignore - Select this action to ignore a threat until the next time you run a spyware
scan.
Quarantine - Select this action to safely remove this threat from your computer
and store it in spyware quarantine. Any threats in your spyware quarantine will
not run on your computer. The advantage of quarantine is you can restore items
back to their original state.
Remove - Select this action to remove the threat permanently from your
computer. Some spyware cannot be quarantined, only removed.
Always Ignore - Select this action to ignore a threat permanently. Much like
Ignore, Always Ignore does not quarantine or remove a threat. In addition,
Always Ignore adds the threat to your Ignored Threats list. Once on the Ignored
Threats list, a threat is not marked as spyware when you run scans. Should you
change your mind, you can edit your Ignored Threats list in Spyware Settings.
11. (Optional) Click Set a single action for all spyware threats to apply one action
setting to all detected spyware.
12. (Optional) You can select Create restore point when using Windows XP or ME
to save your current computer system settings before you click Take Action.
13. Click Take Action to have CounterSpy take the suggested actions.

Reviewing the Last Scan


If you need time to study a scan before making decisions, you can see the details of the
last completed scan. Scan details can be printed for later review.
To review the last completed scan:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
Spyware Scan icon.
2. Click View Details in the Last Completed Scan area.
3. (Optional) Click the printer icon to print a copy of the scan details.

Scheduling Scans
You can schedule customized spyware scans to run unattended on specific dates and
times or at periodic intervals. If you are using the computer when the scheduled scan
begins, it runs in the background. You do not have to stop working.
You have complete flexibility in scheduling custom spyware scans. When you select how
frequently you want a scan to run (such as daily, weekly, or monthly), CounterSpy
presents you with additional options with which you can refine your request.
To schedule a custom spyware scan:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
Spyware Scan icon.
2. Click Manage Schedule under the Schedule Scan Details section.
Tip: You can also run a spyware scan from anywhere in CounterSpy, by
choosing View menu | Spyware Scan | Manage Spyware Scan Schedule.

Figure 19: Define and schedule scans.
3. Choose, under "Select Your Spyware Schedule Scan Times", how frequently you
want a scan to be performed, and then refine your schedule:
Daily - Choose Every Day, or select the days when you want to perform a scan.
Weekly - Choose between Every week, Every other week, or Every three weeks,
and then select the days of the week when you want to perform the scan.
Monthly - Choose between an actual day of the month when the scan will run, or
a relative schedule, like "The first Monday of the month".
4. Under "Start time", set the time when you want to perform the scheduled scan(s).
5. Select Scheduled Scan Options to suit your needs:
Always run a deep scan - CounterSpy will run a deep scan. A deep scan is an
in-depth scan of all of your hard drives.
Automatically quarantine spyware - CounterSpy will automatically quarantine
any spyware threats that could cause harm to your computer. This includes all
spyware, keyloggers, back-door trojans, and especially hazardous adware
applications.
Do not scan for spyware cookies - CounterSpy will not scan for spyware-related
cookies.
Automatically remove spyware cookies - CounterSpy will automatically
remove any spyware cookies.
Do not display spyware scan results - If spyware is detected on your
computer, CounterSpy will not display the results in a window.
Do not display the scan progress - CounterSpy displays a small progress
window in the lower right-hand corner of your computer screen when a scan is in
progress. This window displays scan progress, as well as all spyware threats
found during the time the scan has been running. Select this option to disable the
display of this progress window.
6. (Optional) Check Disable Schedule to stop CounterSpy from running a
scheduled spyware scan. The Disable Schedule check box is a handy way to
suspend scheduled scans.
If you disable scheduled scans, try to run a manual spyware scan at least two or
three times a week.
7. Click Update Schedule when your selections are complete.

Managing Quarantined Spyware


You can also choose to remove quarantined software permanently. After enough time
has elapsed to make you sure that the quarantined software is no longer needed,
remove it from your computer.
If you accidentally quarantine software you want to keep using, you can remove it from
quarantine and restore it to its original state.
To restore quarantined spyware:
1. Choose View Menu | Spyware Scan | Manage Spyware Quarantine.
2. Select a quarantined item by placing a check mark beside it to view Spyware
Details about that item.
3. Click Learn more about this spyware to view additional information about that
item.
4. Click Un-quarantine spyware at the bottom of the Spyware Details area to
restore the selected item to its original state.
Note: It is a good idea to restart your computer after you restore an item.
5. To restore multiple items, check each item that you want restored, and then click
Un-quarantine All Checked Spyware.
To remove quarantined spyware permanently:
1. Choose View Menu | Spyware Scan | Manage Spyware Quarantine.
2. Select a quarantined item to view Spyware Details about that item.
3. Click Learn more about this spyware to view additional information about that
item.
4. Click Permanently remove spyware to delete the selected item from your
computer.
To remove multiple items, check each item that you want permanently removed
from your computer, and then click Permanently remove all checked spyware.

Active Protection
Enabling Active Protection
To keep your machine protected from new threats, CounterSpy comes installed with
over 100 Active Protection Monitors. These Monitors stop spyware before it is installed.
Active Protection helps protect your privacy and identity, as well as prevent unauthorized
programs from taking control of your computer.
When software is installed, or when a change is made to your computer, an Internet
setting, or an application setting, Active Protection quickly reacts to analyze the change.
CounterSpy decides whether to allow the change if it is not threatening, block the
change if it is known spyware, or ask you to decide.
To enable Active Protection:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
Active Protection icon.
Tip: You can also manage Active Protection from anywhere in CounterSpy, by
choosing View menu | Active Protection.

Figure 20: Click to manage Active Protection settings.


2. Click a category (Internet Monitors, System Monitors, or Application
Monitors) to manage those Active Protection monitors. For information about
Application Monitors, see page 35. For information about System Monitors, see
page 29. For information about Internet Monitors, see page 27.

Figure 21: Enable all in an Active Protection category.
3. Click Disable under Monitor Status to turn all monitors in that category off. All
Monitors in an Active Protection category are on by default.
4. Click Enable under Monitor Status to turn all monitors in that category on.
5. Click to select and highlight a monitor to see Monitor Details.
6. Click Learn about Selected Monitor to view additional information.
7. Click Disable Selected Monitor to turn off the selected monitor.
8. Click Enable Selected Monitor to turn on a disabled monitor.
9. Click Manage allowed/blocked to view, unblock, or delete any software that was
blocked by an Active Protection Monitor.

Active Protection in Action


When Active Protection detects a spyware threat, it prompts you for action. CounterSpy
displays a small alert window in the bottom right corner of your computer screen. It
contains information about the change. This allows you to make an informed decision
about whether or not to allow the action that CounterSpy suggests.
If you choose to block or allow the threat, you can also choose to always allow or always
block that specific threat. Click the checkbox to remember this action. This causes
CounterSpy to respond to this threat the same way every time an Active Protection
Monitor or scan detects it.

Figure 22: Active Protection warns you about possible threats.
To block or allow a threat:
1. Click Block or Allow in the alert window.
When you choose Block, CounterSpy performs a quick block of the threat, which
blocks the installation or execution of the blocked spyware.
After a threat is blocked, CounterSpy asks if you want to run a full spyware scan.
This is highly recommended, as the initial block only removes that specific
instance of the spyware threat.
2. Click Yes to initiate a scan. The CounterSpy scan setup screen is displayed.

Managing Blocked Items


The Blocked section of CounterSpy contains a list of all items (applications, programs or
settings) that are blocked by an Active Protection Monitor. You can review all the items
that are blocked, and then decide if you want to permanently remove each item or
unblock it.
To manage blocked items:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
Active Protection icon.
Tip: You can also manage Blocked items from anywhere in CounterSpy, by
choosing View menu | Active Protection | View All Blocked Events.

Figure 23: Manage items blocked by Active Protection.
2. Select an item in the Blocked list to view information about that item in the
Blocked Details area.
3. Check an item to select it for action.
4. Click Un-Block item to restore the selected item to its original state.
To unblock multiple items, check the items that you want restored, and then click
Un-block all checked items.
After you unblock an item or items, it is a good idea to restart your computer.
5. Click Permanently remove item to delete the selected item from your computer.
To remove multiple items, check the items that you want removed, and then click
Permanently remove all checked items at the bottom of the screen.

Internet Monitors
Internet Monitors provide real-time protection from applications that make unauthorized
connections to the Internet or change your computer's Internet connection settings,
such as dial-up or wireless connectivity.

Dialup Connection - Monitors for unauthorized dial-up activity from your computer's
modem(s). This is used to prevent dialer-type spyware from dialing out without your
knowledge. A dialer is software that dials a phone number using your computer's
modem. Most dialer programs connect to toll numbers without your permission. They
can rack up large charges on your phone bill.

Internet Safe Sites - Prevents unauthorized Web sites from being added to your list
of Internet Safe Sites. Safe Sites are Web sites that you trust will not damage your
computer. When you visit a safe site, Internet Explorer will lower the recommended
security and allow the site to run scripts. If spyware adds an unsafe site to that list,
the scripts that run could be dangerous.

Internet Proxy Server - Prevents unauthorized changes or additions to your
Internet Explorer Proxy Server. The Internet Explorer Proxy Server is a server
between the Internet Explorer Web browser and a real server. Proxy servers have
two main purposes: improve performance and filter requests. A Proxy Server
intercepts any request to the real server, to see if it can fulfill the request itself. If it
cannot fulfill the request, it forwards the request to the real server.

Winsock Layered Service Providers - Monitors additions and modifications to your
Windows Winsock Layered Service Providers (LSPs). LSPs are sometimes
manipulated by spyware applications known as Winsock Hijackers. LSPs are a way
to chain a piece of software to the Winsock 2 implementation on your computer.
Since the LSPs are chained together, when Winsock is used, the data is also
transported through each of the LSPs in the chain. Spyware can use LSPs to see all
traffic being transported over your Internet connection. You should use extreme
caution when deleting these objects, because if they are removed without properly
fixing the gap in the chain, you can lose Internet access.

Windows Messenger Service - The Messenger Service Protection Monitor
disables the Windows Messenger Service. Windows XP and 2000
machines have a "service" running behind the scenes called the "Messenger"
service. This is a normal part of the operating system, and is used by network
administrators to send messages to other users on a company network. The
"Messenger" service allows the "net send" function to communicate across networks.
Another function can use the "Messenger" service to communicate across networks;
these messages are called "Alerters". If you have ever received a message from
your UPS (Uninterruptible Power Supply) that it has passed a self test, or gone onto
battery for a moment due to a spike in the power supply, then you have received an
"Alerter" message.

Name Server Protection - Prevents spyware from changing your Domain Name
Servers (DNS). By default, your Internet Service Provider assigns your Domain Name
Server, but spyware can try to change it. If your Name Server is changed, TCP/IP
queries could be redirected through a potentially dangerous server.

Spam Zombie Protection - Prevents spyware from sending spam from your
computer. Spambot Prevention prevents your computer from becoming a source for
sending spam. Many spammers take advantage of security gaps and spyware, in
order to install 'spambots', also known as "spam zombies". These are installed on
personal computers with the intention of sending out spam email from that computer,
without the user's knowledge. Spammers can use your computer to send unsolicited
and possibly offensive email offers for products and services. Spammers are using
home computers to send bulk emails by the millions. If a spammer takes over your
computer, you could face serious problems. Your Internet Service Provider (ISP)
may prevent you from sending any email at all until the virus is treated. Treatment
could be a complicated, time-consuming process.

TCP/IP Parameters - Prevents spyware threats from modifying various TCP/IP
parameters used by Windows to send and receive network data. TCP/IP
configuration parameters are registry parameters that are used to configure the
protocol driver, Tcpip.sys. Tcpip.sys implements the standard TCP/IP network
protocols. Some spyware threats such as CoolWebSearch can modify these
parameters to take advantage of your computer. There may be some unusual
circumstances in customer installations where changes to certain default values are
appropriate. To handle these cases, optional registry parameters can be created to
modify the default behavior of some parts of the protocol drivers. The Windows
TCP/IP implementation is largely self-tuning. Adjusting registry parameters without
careful study may reduce your computer's performance.

WiFi Protection - Monitors for access from other users on your wireless network.
When a new user enters your WiFi network, the Monitor notifies you.

System Monitors
System Monitors provide real-time protection against potential spyware that makes
unauthorized or hazardous changes to your system, such as altering your security
permissions or system settings.

AppInit DLLs - Prevents unauthorized changes or additions to the Windows AppInit
DLLs. Normally, only the Administrators group and the LocalSystem account have
write access to the key containing the AppInit_DLLs value. The AppInit_DLLs
registry value contains a list of DLLs that are loaded when user32.dll is loaded. Most
Windows executables use user32.dll. That means that any DLL listed in the
AppInit_DLLs registry value will also be loaded. This makes it very difficult to remove
the DLL, because it can be loaded into multiple processes, some of which cannot
be stopped without causing system instability. Processes that are automatically
started by the system when you log on also use the user32.dll file. This means that
the files loaded in the AppInit_DLLs value will be loaded very early in the Windows
startup routine, allowing the DLL to hide itself or protect itself before you have access
to the system. Technical Information: The AppInit DLLs are loaded via LoadLibrary()
during the DLL_PROCESS_ATTACH of User32.dll. As a result, executables that do
not link with User32.dll will not load the AppInit DLLs. Very few executables do not
link with User32.dll. Because they load early, only API functions exported from
Kernel32.dll are safe to use within the initialization of the AppInit DLLs. The
AppInit_DLLs value has type REG_SZ. This value should specify a NULL-terminated
string of DLLs, which is delimited by spaces or commas. Because spaces
are used as delimiters, no long file names should be used. The system does not
recognize semicolons as delimiters for these DLLs. Only the first 32 characters of the
AppInit_DLLs value are picked up by the system. Because of this 32-character limit,
all of the AppInit DLLs should be located within the SYSTEM32 directory. This
eliminates the need to include a path, thus allowing multiple DLLs to be specified.

Trojan Explorer Protection - Monitors for known Explorer trojans (spyware).
Windows loads explorer.exe (typically located in the Windows directory) during the
startup process. If a file named "explorer.exe" is placed in the C: directory
(C:\explorer.exe), that file is loaded instead of the Windows explorer.exe. Worse, if
c:\explorer.exe is a corrupt file, you are effectively locked out of your system after
you restart. Worse yet, if c:\explorer.exe is a trojan (spyware), it is loaded. Unlike all
other autostart methods, there is no need for any file or registry changes. The
inserted file simply needs to be named c:\explorer.exe.

Context Menu Handler - Prevents unauthorized changes to Windows Context
menus. A context menu is the little menu that you get when you right-click
something. Context menus change, based on what object is in focus when you
right-click. A context menu handler is a shell extension handler that adds commands to an
existing context menu. Context menu handlers are associated with a particular file
class and are called when a context menu is displayed for a member of the class.
While you can add items to a file class context menu with the registry, the items will
be the same for all members of the class. By implementing and registering such a
handler, you can dynamically add items to an object's context menu, customized for
a particular object.

Control.ini Policy - Prevents the Internet Explorer control from being hidden in the
Control Panel. It is possible to hide a control in the Control Panel by adding
an entry into the file called control.ini, which is stored in C:\windows\control.ini. From
within that file you can specify which specific control panels should not be visible. If
inetcpl.cpl is set to no (inetcpl.cpl=no), that may be a sign that a piece of software is
trying to make it difficult for you to change your settings, unless it is set to that value
for a specific known reason by an administrator.

Windows Password Protection - Prevents unauthorized changes to your Windows
autologon preferences. Using Windows XP Professional, you can automate the
logon process by storing your password and other pertinent information in the
registry. Using this feature, other users can start your computer and use the account
you enabled to log on automatically. Although enabling autologon can make it more
convenient to use Windows XP Professional, using this feature is a security risk.
Setting a computer for autologon means that anyone who can physically obtain
access to the computer can gain access to all of the computer's contents, potentially
including any network or networks to which it is connected. A second risk is that
enabling autologon causes the password to be stored in the registry in plain text. The
specific registry key that stores this value is remotely readable by the Authenticated
Users group. As a result, this setting is appropriate only when the computer is
physically secured, and unauthorized users are prevented from remotely accessing
the registry.

Windows Update Service - Prevents modifications to your Windows Update Access
settings. The Microsoft Windows operating system includes an Automatic Updates
feature. If your computer is on and connected to the Internet, this feature can
automatically download the latest Microsoft security updates. Windows Update
Access Restriction prevents computers from connecting to the Windows Update Web
site. This restriction prevents the computer from staying up to date with the latest
Windows updates and service patches from Microsoft.

Host File Protection - Monitors changes to your System Host file. If a new entry is
made to the file, if an older entry is modified, or if an older entry is deleted, an action
alert prompts you to either accept or reject the change. Spyware changes your Host
file listings for one reason: to redirect your browser to a chosen Web site. Your
browser references your Host file. It performs, for specific Web site addresses, a
translation (Host File Redirection) from Domain Name (the URL address for a Web
site) to IP Address (a series of numbers that references the physical connection of a
computer or server on the Internet). For example, when you enter
www.somesite.com into your browser, you go to the somesite.com Web site. That
Web site has an IP Address, but you do not need to know what it is, because your
browser uses the Domain Name to find the site. If, however, this entry is in the Host
file: 192.168.0.12 www.somesite.com, each time you enter www.somesite.com into
your browser, the browser checks the Host file, matches what you type to a listing for
"somesite.com", and automatically converts what you type into the IP address in that
listing. Your browser goes to the Web site at 192.168.0.12, which could be anything
that the spyware attacker wants to display. The Host file should not require
modification. Some Hijackers use this technique to redirect popular sites to their Web
site. For example, it is possible to redirect all popular search engines to a Web site of
your choice. That kind of attack can be very hard for the average user to fix, and will
most likely require specialist software or detailed removal instructions. Other
practices involve changing auto.search.msn.com to redirect to a Web site, so
whenever a user types in an incorrect URL, the browser is redirected to
auto.search.msn.com. That is then resolved to a different IP address of the hijacker's
choice. Reset Web Settings does not fix a Host file Hijack. It only resets the search
page to auto.search.msn.com. The Host file remains altered, and any redirection
listing remains active.
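
The accept-or-reject decision described above depends on knowing exactly which entries
were added, modified, or deleted. The following Python sketch is an added example, not
CounterSpy's own code: it compares two snapshots of a Host file. The snapshot contents
and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the Host file as it looked at the last known-good check.
BASELINE = """\
# constructed sample
127.0.0.1    localhost
10.0.0.5     intranet.example    # internal site
10.0.0.9     printer.example
"""

# Constructed sample: the same file after an unwanted change, using the
# redirection entry quoted in the text above.
AFTER = """\
127.0.0.1    localhost
10.0.0.6     intranet.example
192.168.0.12 www.somesite.com
192.168.0.12 auto.search.msn.com
"""


def parse_hosts(text):
    """Return {hostname: ip} for each mapping line in Host-file text."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop the comment, split on whitespace
        if len(fields) < 2:
            continue                            # blank or incomplete line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:
            # Assumption: when a name is listed twice, the earlier line is kept.
            entries.setdefault(name.lower().rstrip("."), ip)
    return entries


def diff_hosts(before, after):
    """List (kind, hostname, old_ip, new_ip) for every difference between snapshots."""
    old, new = parse_hosts(before), parse_hosts(after)
    changes = []
    for name in sorted(new.keys() - old.keys()):
        changes.append(("added", name, None, new[name]))
    for name in sorted(old.keys() - new.keys()):
        changes.append(("deleted", name, old[name], None))
    for name in sorted(old.keys() & new.keys()):
        if old[name] != new[name]:
            changes.append(("modified", name, old[name], new[name]))
    return changes


def redirects(changes):
    """Keep the changes that now send a hostname to a non-loopback address."""
    found = []
    for kind, name, old_ip, new_ip in changes:
        if new_ip is None:
            continue                            # deletions redirect nothing
        addr = ipaddress.ip_address(new_ip)
        if not (addr.is_loopback or addr.is_unspecified):
            found.append((kind, name, old_ip, new_ip))
    return found


if __name__ == "__main__":
    for kind, name, old_ip, new_ip in diff_hosts(BASELINE, AFTER):
        print(f"{kind:9} {name:22} {old_ip} -> {new_ip}")
```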

Ini File Mapping - Prevents hazardous applications from being installed in an .ini file
mapping location. Newer versions of Windows (2000, XP, etc.) do not generally use
the system.ini and win.ini files. Instead, for backwards compatibility, they use a
function called IniFileMapping. Ini file mapping puts all the contents of an .ini file into
the registry, with keys for each line found in the .ini key stored there. When you run a
program that normally reads its settings from an .ini file, Windows first checks the
registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\IniFileMapping, to see if there is an .ini setting that has been
mapped to that file. If a mapping is found, Windows takes settings from there.

Windows Protocols - Prevents hijacker threats from overriding standard protocol
drivers. A technique of some sophisticated spyware is to take control of certain ways
your computer sends and receives information. This is accomplished through the
Windows protocol filters and handlers. Common offenders are
CoolWebSearch, Related Links, and Lop.com. Technical Information: Internet
Explorer uses two mechanisms for registering new URL protocol handlers. The first
method is to register a URL protocol and its associated application so that all
attempts to navigate to a URL using that protocol launch the application (for
example, registering applications to handle mailto: or news: URLs). The second
method uses the Asynchronous Pluggable Protocols API, which allows you to define
new protocols by mapping the protocol scheme to a class.

Windows Restrict Anonymous - Prevents modifications to your Windows Restrict
Anonymous settings. Windows has a feature that allows anonymous users to list
domain user names and enumerate share names. Users who want enhanced
security may restrict this functionality. Windows provides a mechanism for
administrators to restrict the ability for anonymous logon users (also known as NULL
session connections) to list account names and enumerate share names. For
example, the Windows NT ACL editor requires listing account names from Domain
Controllers, in order to obtain a list of users and groups in order for a user to be able
to select users and grant them access rights. Windows NT Explorer also uses listing
account names in order to grant access to shared files. Windows NT networks based
on a single Windows NT domain will always be able to authenticate connections to
list domain account information. Windows NT networks that use multiple domains
may require anonymous user logon to list account information. A brief example
shows how anonymous connections are used. Consider two Windows NT domains,
an account domain and a resource domain. The resource domain has a one-way
trust relationship with the account domain. That is, the resource domain "trusts" the
account domain, but the account domain does not trust the resource domain. Users
from the account domain can authenticate and access resources in the resource
domain based on the one-way trust. Suppose an administrator in the resource
domain wants to grant access to a file to a user from the account domain. They
would want to obtain a list of users and groups from the account domain, so that they
can select a user or group and grant access rights. Since the account domain does
not trust the resource domain, the administrator request to obtain the list of users
and groups from the resource domain cannot be authenticated. The connection is
made using a NULL session to obtain the list of account domain users.

Shared TaskScheduler - Prevents unauthorized programs from being added as
auto start values when Windows loads. The files listed in Shared TaskScheduler run
automatically when you start Windows. Windows executes autorun instructions in the
Windows Task Scheduler (or any other scheduler that supplements or replaces the
Task Scheduler). The Task Scheduler is an official part of all Windows versions
except the first version of Windows 95, and is included in Windows 95 if the Microsoft
Plus Pack is installed.

Windows Shell Execute Hooks - Prevents changes to your system's Shell Execute
Hooks. Shell execute hooks are programs that load into the Windows shell,
Explorer.exe. A shell execute hook program receives all the execute commands that
are run on a computer. This type of integrated program can either accept or reject a
command to launch a particular program.

Approved Shell Extensions - Prevents unauthorized changes to Windows Shell
Extensions. Shell Extensions allow developers to add functionality to the existing
Windows shell. Some examples of shell extensions are Context Menus (menus that
change, based on what object is in focus when you right-click), Property Sheet
Handlers (tabbed pages that appear when the Properties menu item is selected from
an object’s context menu), Icon Overlays (appear as the arrow on top of an icon that
points to a shortcut or the hand that appears on shared folders), and Folder
Customizations. These and other extensions can be added to the Windows Shell.

Windows Shell Open Commands - Prevents changes to your system's Shell Open
Commands in the Windows Registry File. What is a Shell Open Command?
Windows executes instructions in the Windows Registry File. The
HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the
Registry is subject to spyware attack. A spyware command embedded there can
cause a program to run when any other program is started. If keys don't have the
"\"%1\" %*" value as shown, and have been changed to something like
"\"somefilename.exe %1\" %*", then the Shell Open Command automatically runs
that specified file. Many spyware worms and trojans make changes to the Windows
Registry file. Some of them change one or more of the shell\open\command keys. If
these keys are changed, the worm or trojan can run every time you run certain
programs. For example, if the \exefile\shell\open\command key is changed, the
threat will run every time that you run any .exe file. These spyware threats can also
stop you from running the Registry Editor to try to fix this.
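
The quoted values above are written in the escaped form used by registry export (.reg)
files. As an added example (not part of CounterSpy), this Python sketch reads such an
export and reports shell\open\command defaults that differ from "%1" %*. The export text
is constructed, and checking batfile alongside exefile is an assumption of the example.

```python
import re

EXPECTED = '"%1" %*'    # the unmodified open command given in the text above

# Constructed sample of a registry export; exefile carries the altered value
# quoted in the text, batfile is unmodified, txtfile is outside the check.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

SECTION = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$', re.IGNORECASE)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')


def unescape(reg_string):
    # A .reg export writes a quote as \" and a backslash as \\ inside a string.
    return re.sub(r'\\(["\\])', r'\1', reg_string)


def open_commands(reg_text):
    """Return {file_class: open command} for each open-command key in the export."""
    commands, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1).lower()
            continue
        if line.startswith("["):
            current = None                      # some other key: ignore its values
            continue
        value = DEFAULT_VALUE.match(line)
        if current and value:
            commands[current] = unescape(value.group(1))
    return commands


def program_before_placeholder(command):
    """Return the text placed ahead of %1, or None when nothing precedes it."""
    head = command.split("%1", 1)[0].strip().strip('"').strip()
    return head or None


def changed_open_commands(reg_text, classes=("exefile",)):
    """List (file_class, command, inserted_program) for classes that differ from EXPECTED."""
    findings = []
    for file_class, command in sorted(open_commands(reg_text).items()):
        if file_class in classes and command != EXPECTED:
            findings.append(
                (file_class, command, program_before_placeholder(command)))
    return findings


if __name__ == "__main__":
    for finding in changed_open_commands(SAMPLE_EXPORT, ("exefile", "batfile")):
        print(finding)
```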

Shell Service Object DelayLoad - Prevents unauthorized programs from being
added as auto start values when Windows loads. The files listed in
ShellServiceObjectDelayLoad are loaded automatically by Explorer.exe when your
computer starts. Because Explorer.exe is the shell for your computer, it will always
start, thus always loading the files under this key. These files are therefore loaded
early in the startup process before any human intervention occurs. Technical
Information: The ShellServiceObjectDelayLoad registry key
(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)
contains values that function in a way similar to the Run key. The
difference is that instead of pointing to the file itself, it points to the CLSID's
InProcServer, which contains the information about the particular DLL file that is
being used.

Windows System.ini File - Monitors for additions and modifications to the Microsoft
Windows System.ini file. The Microsoft Windows system.ini file is located in the
Windows directory (C:\windows\system.ini). An initialization file is used by Microsoft
Windows to initialize system settings for the computer. These include font, keyboard,
language and other settings. The shell = statement in the system.ini file is used to
designate what program acts as the Shell for the operating system. The Shell is the
program that loads your desktop, handles windows management, and allows you to
interact with the system. In Windows, that program is explorer.exe. Any program
listed after the shell statement is loaded when Windows starts, and acts as the
default shell. (There used to be some programs that acted as valid shell
replacements, but they are generally no longer used.) It is possible to list other
programs to launch when Windows loads, by adding to the same Shell = command
line, such as Shell=explorer.exe spyware.exe. This line entry in the system.ini file
would cause both programs, Windows Explorer and a spyware program, to start when
Windows loads.
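
A check for the Shell= line described above, as an added Python example that is not
CounterSpy's own code. The system.ini text is constructed, the function names are
hypothetical, and the example assumes the line sits in the [boot] section. It reads the
file line by line because system.ini can repeat a key within a section.

```python
# Constructed sample of a system.ini file, ending with the line quoted above.
SAMPLE_SYSTEM_INI = """\
; constructed sample
[386Enh]
device=first.386
device=second.386

[boot]
Shell=explorer.exe spyware.exe
"""


def shell_programs(ini_text):
    """Return every program named on a shell= line of the [boot] section."""
    programs, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                            # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            # Programs are separated by spaces, as in the example line above,
            # so a path containing spaces would be split into several items.
            programs.extend(value.split())
    return programs


def unexpected_shell_programs(ini_text, expected="explorer.exe"):
    """Return the shell= entries that are not the bare name explorer.exe."""
    # The comparison is on the whole entry, not the file name alone, so a
    # pathed copy such as C:\\explorer.exe is reported for review as well.
    return [p for p in shell_programs(ini_text) if p.lower() != expected]


if __name__ == "__main__":
    print(unexpected_shell_programs(SAMPLE_SYSTEM_INI))
```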

User Shell Folders Protection - Prevents unauthorized changes to the system's


User Shell Folder settings. Shell folders are special folders that Windows uses to
indicate the default location for many types of files and data. These special folders
are usually the more commonly used system folders such as My Documents, My
Pictures, your Program Files folders and a number of other standard Windows
folders. The default user shell folders location is in %USERPROFILE% which is
"C:\Documents and Settings\user". Some common Shell folders include: CD Burning,
Desktop, Document Templates, Favorites, Installation Path Windows Installer default
install folder location, My Documents, My Music, My Pictures, Programs, SendTo,
Shared Documents, Shared Music, Shared Pictures, Start Menu, Startup, Common
Admin Tools, Common AppData, Common Desktop, Common Favorites, Common
Programs, Common Start Menu, Common Startup, and Common Templates.

Windows Directory Trojans - Warns you when an application tries to replace a
known Microsoft System file with a file that has been altered. A Windows System File
belongs to a set of files that are required for the Windows operating system to
function normally.

Windows Extensions - Prevents unauthorized changes to the system's list of
Windows Extensions. Windows Extensions are used to associate data files with the
application that works with that type of file. For example, the extension ".doc" is
associated with the MS Word application.

Windows Win.ini File - Monitors for additions and modifications to the Microsoft
Windows Win.ini file. The Microsoft Windows initialization file is located in the
Windows directory (C:\windows\win.ini). The win.ini file is used to load settings every
time Microsoft Windows starts. For example, it loads communications drivers, the
selected Windows wallpaper, the selected screen saver, language settings, and font
settings. These and other settings are loaded according to the instructions in the
win.ini file. If this file becomes corrupted Microsoft Windows will either not load, or
will encounter errors as it loads. Any programs listed after the run= or load=
command in the win.ini file will load when Windows starts. This run= statement was
mostly used with older versions of Windows but for backwards compatibility, the
feature still exists. Most programs today do not use a win.ini setting, and if you do not
use older programs, entries for those programs should not exist. The load=
statement was designed to load drivers for your hardware, but is not generally used
today.

Winlogon Shell - Prevents unauthorized changes to your Winlogon Shell setting.
The Winlogon Shell is automatically loaded when a user logs into Windows. The
Shell is the main User Interface (GUI) that the user uses to manage Windows. In
most cases, this is Windows Explorer (Explorer.exe). However, the Windows Shell
can be easily changed to point to another program. If this is the case, this program
will be launched every time a user logs in.

Windows Logon Policies - Prevents unauthorized additions and modifications to
the Windows logon policies. The Windows NT logon utility manages user logons and
logoffs. The utility prompts you for a password when you log on and allows you to log
off or shut down. Winlogon is designed around an interactive logon model that
consists of three components: the Winlogon executable, a graphical identification
and authentication dynamic-link library (DLL) (referred to as the GINA), and
any number of network providers.

Winlogon Userinit - Prevents unauthorized changes to your Winlogon Userinit
setting. Specifies the programs that Winlogon runs when a user logs on. By default,
Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network
connections, and then starts Explorer.exe, the Windows user interface. You can
change the value of this entry to add or remove programs. For example, to have a
program run before the Windows Explorer user interface starts, substitute the name
of that program for Userinit.exe in the value of this entry, then include instructions in
that program to start Userinit.exe. You might also want to substitute Explorer.exe for
Userinit.exe if you are working off-line and are not using logon scripts. (Note: The
entry remains in the registry to support programs designed for Windows NT 4.0 or
earlier.)

WOW Boot Shell - Prevents spyware from loading a particular file when Windows
starts. WOW\Boot\Shell is a Windows registry entry that allows a program to be
loaded when Windows loads.
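The following added example (not part of the original guide or of CounterSpy) audits the autostart values described above: the shell= line in system.ini, the run= and load= lines in win.ini, and the Winlogon Shell and Userinit values. The section names [boot] and [windows], the sample file contents, and the dictionary standing in for exported registry values are assumptions constructed for illustration.

```python
import configparser
import ntpath

# Baselines stated in the guide: explorer.exe is the Windows shell and
# Winlogon runs Userinit.exe by default.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "userinit.exe"


def _read_ini(text):
    """Parse INI text leniently; legacy system.ini/win.ini files contain
    duplicate keys and '%' characters that a strict parser rejects."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True,
        delimiters=("=",), comment_prefixes=(";",))
    parser.read_string(text)
    return parser


def _get(parser, section, key):
    """Case-insensitive section lookup: [Boot] and [boot] are the same."""
    for name in parser.sections():
        if name.lower() == section:
            return (parser[name].get(key) or "").strip()
    return ""


def _programs(value, separators):
    """Split an autostart value into program entries.
    Limitation: a path containing spaces is split when ' ' is a separator,
    so treat findings as leads to review, not verdicts."""
    for sep in separators:
        value = value.replace(sep, "\n")
    return [p.strip().strip('"') for p in value.split("\n") if p.strip()]


def _basename(path):
    # Only the file name is compared; a file named explorer.exe stored
    # outside the Windows directory would need a separate path check.
    return ntpath.basename(path).lower()


def audit_ini(system_ini, win_ini):
    """Return (file, key, program) for every unexpected autostart entry."""
    findings = []
    shell = _get(_read_ini(system_ini), "boot", "shell")
    for prog in _programs(shell, " ,\t"):
        if _basename(prog) != EXPECTED_SHELL:
            findings.append(("system.ini", "shell", prog))
    win = _read_ini(win_ini)
    for key in ("run", "load"):
        # The guide notes these lines are normally unused today,
        # so every entry found is reported.
        for prog in _programs(_get(win, "windows", key), " ,\t"):
            findings.append(("win.ini", key, prog))
    return findings


def audit_winlogon(values):
    """values: dict of Winlogon value names to data (exported beforehand)."""
    findings = []
    for prog in _programs(values.get("Shell", ""), " ,\t"):
        if _basename(prog) != EXPECTED_SHELL:
            findings.append(("Winlogon", "Shell", prog))
    for prog in _programs(values.get("Userinit", ""), ","):
        if _basename(prog) != EXPECTED_USERINIT:
            findings.append(("Winlogon", "Userinit", prog))
    return findings


# Constructed sample inputs (not taken from a real machine).
SAMPLE_SYSTEM_INI = r"""
; constructed sample
[boot]
Shell=explorer.exe spyware.exe

[386Enh]
woafont=dosapp.fon
"""

SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\oldapp\tray.exe
"""

SAMPLE_WINLOGON = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\helper.exe,",
}

if __name__ == "__main__":
    for finding in audit_ini(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print(finding)
    for finding in audit_winlogon(SAMPLE_WINLOGON):
        print(finding)
```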

Application Monitors
Application Monitors provide real-time protection against threats that make changes to
your installed applications. This can include software that modifies your Internet Explorer
or downloads ActiveX applications from the Internet.

ActiveX Installations - Monitors for ActiveX applications that are being
downloaded with Internet Explorer. If the ActiveX program being downloaded and
installed is known to be safe, the Monitor automatically allows it. If it is known to be
spyware or poses a potential threat, the Monitor automatically blocks it, warns you,
and prompts you for action. ActiveX applications are programs that are downloaded
from Web sites and stored on your computer. These programs are stored in
C:\windows\Downloaded Program Files. They are also referenced in the registry by
their CLSID, which is the long string of numbers between curly braces. Internet
Explorer regularly uses many legitimate ActiveX applications. You can delete most
ActiveX applications from your computer without problem, because you can
download them again. Many of the current security vulnerabilities that exist in
Microsoft's Internet Explorer Web browser exist in the service called "active
scripting". Active scripts are programs written in JavaScript, or sometimes Microsoft's
VBScript and ActiveX. Active scripting can install spyware on your computer. It is a
method known as "drive-by downloading". While it is possible to disable active
scripting completely, there are legitimate sites for which you want active scripting
enabled. For example, http://windowsupdate.microsoft.com (Windows Update
Service) uses active scripting, as do many other legitimate Web sites. There may be
Webmail sites that use active scripting. Some sites with large amounts of content,
such as CNN's news site, can also make heavy use of scripts. Online commerce sites
such as CDW and PC Connection also use scripts in their sites. Fortunately, Internet
Explorer includes, by design, a way to identify "trusted sites". That is, it is possible to
disable active scripting on a general basis, but enable it for sites that you routinely
visit, such as your Webmail or online commerce sites.

Browser Helper Objects - Monitors additions of Internet Explorer BHOs (Browser
Helper Objects). If the BHO being installed is known to be safe, the Monitor
automatically allows it. If it is known to be spyware, the Monitor automatically blocks
it, and then warns you. A 'Browser Helper Object' (BHO) is an application that
extends Internet Explorer and acts as a plug-in. Spyware, as well as browser
hijackers, often use BHOs to display ads or follow your moves across the Internet. A
number of legitimate applications such as the Google or Yahoo toolbars also use
BHOs. Applications that install BHOs are becoming more and more popular because
BHOs allow application developers to control Internet Explorer. BHO technology has
allowed the development of some very powerful applications that provide useful
functionality to their users. For example, Alexa uses a BHO to monitor page navigation
and show related page links. GetRight and Go!Zilla use BHOs to monitor and control
file downloading. Flyswat, Quiver, Blink, and iHarvest use BHOs to extend and
control Internet Explorer. It is possible that there are BHOs installed on your
computer that you do not know about. What this means is that while there are some
good uses for BHOs, they may not necessarily need your permission to install. Some
are used for malicious purposes, like gathering information about your Internet usage
habits. A lot of spyware and BHOs are poorly written. This can cause anything from
incompatibility issues to the corruption of important system functions. This can make
unsolicited BHOs not only a threat to your security, but to your system's stability.

Disable Regedit Policy - Prevents spyware from disabling the Regedit functionality.
The Disable Regedit Policy prevents Regedit from being run, because an entry in the
registry has changed. Regedit is a system application that is used to change settings
in the system registry. The registry contains information about how your computer
runs and what software is installed on the computer. Changing the registry
improperly can result in your system no longer working. Note: Many administrators
for corporate networks lock this on purpose.

Internet Explorer Security Settings - Monitors for changes in Internet Explorer
settings that could compromise some of the more secure settings. This could allow a
remote Web site to exploit your computer, possibly allowing ActiveX controls to be
installed with a "drive-by download". Your browser security preference settings are
your first line of defense in stopping the theft or unwanted viewing of confidential,
personal information. The most popular browsers offer you the ability to receive an
alert or notification when any of the following occurs: (1) Changes between secure
and insecure transmission modes, (2) invalid site certificates (this setting notifies you
when a site's SSL certificate is invalid or has expired, and an invalid certificate will
deactivate SSL), (3) a transmission is sent over an "open" or unsecured connection,
(4) a form submission is redirected (this setting warns you if information being
submitted on a Web-based form is being sent to a Web site other than the one that
you are currently viewing).

Tip: Here are more ways to improve your Internet Explorer security: (1) My PC
Checkup can recommend and automatically modify security settings. (2)
Microsoft Internet Explorer offers advanced security options. To access these
options in Internet Explorer: Select Tools | Internet Options, and then select the
Advanced tab. Among other choices, the Advanced tab contains a Security
section that includes several configuration options pertaining to encrypted
communications. Although most of the default settings are acceptable, certain
security levels disable the first four items by default. You should enable these
four items for maximum browser security: (1) Check for publisher's certificate revocation,
(2) Check for server certificate revocation (requires restart), (3) Do not save
encrypted pages to disk, and (4) Empty Temporary Internet Files folder when
browser is closed.

Internet Explorer Third Party Cookies - Prevents unauthorized cookies from being
added as acceptable 3rd party cookies. Cookies are little files that Web sites drop
onto your computer, so that they can recognize you on your return visits. Many
cookies are quite useful. For example, those that let sites identify you and log you in
automatically to private member areas. Others are not so benign. Some gather
information without your knowledge and track your Web usage. Third-party cookies
are those planted by Web sites that are external to the one you are visiting. For
example, sites such as www.ninemsn.com use third-party cookies for advertising
purposes. First-party cookies are those used by the site you are actually viewing.

Internet Explorer Explorer Bars - Monitors modifications made to your list of
Internet Explorer Bar applications. An Explorer bar (or band) is a panel, similar to the
Favorites, History or Search panels in Internet Explorer or Windows Explorer.

Internet Explorer Extensions - Monitors modifications made to your list of Internet
Explorer Extensions applications. Internet Explorer Extensions control buttons on the
main Internet Explorer toolbar. They also control what items, in addition to those that
are listed there by default, are displayed in the Internet Explorer 'Tools' menu.

Internet Explorer Menu Extensions - Prevents spyware from changing your
Internet Explorer Menu Extensions. Internet Explorer Menu Extensions are menu
options found in the Context Menu of Internet Explorer. To see these options, right
click the Web page you are viewing in the browser.

Internet Explorer Plugins - Prevents hazardous spyware from installing Internet
Explorer Plugins. Internet Explorer Plugins are pieces of software that get loaded
when Internet Explorer starts. These pieces add functionality to the browser.

Internet Explorer Reset Web Settings - Prevents spyware from changing your
Internet Explorer 'Reset Web Settings' protection. Internet Explorer uses a file on
your computer if you need to reset options to Windows defaults. That file is stored in
C:\windows\inf\iereset.inf and contains all the default settings that will be used. When
you reset an Internet Explorer setting to its default, Internet Explorer reads that file
and changes the setting to the value listed in the file. If spyware changes the
information in that file, you can be re-infected when you reset a feature, because
Internet Explorer reads incorrect information in the iereset.inf file. Note: Be aware
that it is possible for iereset.inf settings to be legitimately changed by a Computer
Manufacturer or the Administrator of a computer.

Internet Explorer Restrictions - Prevents Internet Explorer Restrictions. Internet
Explorer Restrictions are administrative locks that prevent the changing of options or
home page settings in your Internet Explorer. This is accomplished by changing
some settings in the registry. Options should only be locked by an administrator.

Internet Explorer Security Zones - Prevents unauthorized changes to your Internet
Explorer Security Zones. Internet Explorer 6 takes precautionary measures to help
you have a secure browsing experience. Preserving the security of your computer
when you browse the Web is a balancing act. The more open you are to downloads
of software and other content, the greater your exposure is to risk. However, the
more restrictive your settings, the less useful the Internet becomes. The security
features of Internet Explorer 6 aim to strike an effective balance. When you first
install Internet Explorer, it corrals all Web sites into a single zone—the Internet
zone—and stands guard with a medium level of security. This helps you browse
securely, but should prompt you before downloading potentially unsafe content.
Internet Explorer also offers three other zones, including Trusted and Restricted
zones, to which you can assign Web sites that you trust completely or that arouse
your suspicion. You can add to the Trusted sites zone those sites that you trust, like
Windows Update, where you can download the latest security updates for your
computer or operating system. To see what Web sites are listed in the Internet
Explorer Trusted and Restricted sites list: Click Internet Options on the Internet
Explorer Tools menu, click the Security tab, click Trusted sites or Restricted sites,
and then click the Sites button to view the list. Click Cancel twice when you are
finished.

Internet Explorer ShellBrowser - Prevents changes or additions to your Internet
Explorer's shell. The Internet Explorer ShellBrowser contains information and
settings about an instance of Internet Explorer. If these settings are modified, or if a
new ShellBrowser is added, the new ShellBrowser can take over full control of
Internet Explorer. It can add toolbars, menus, buttons, or much more.

Internet Explorer Toolbars - Monitors modifications made to your Internet Explorer
Toolbar applications. Internet Explorer Toolbars are the toolbars that are underneath
your navigation bar and menu in Internet Explorer.

Internet Explorer Trusted Sites - Prevents unauthorized sites being added to your
list of Trusted Sites. Trusted Sites are Web sites that you trust not to damage your
computer. Internet Explorer's security is based upon a set of zones. Each zone has
different security in terms of what scripts and applications can be run while using that
zone. It is possible to add Web sites to zones. If that happens and you browse a
Web site that was added to a low security zone, that Web site can run scripts on your
computer. Internet Explorer sets up the Trusted zone with a low security level to
make it easier for you to do such things as download software without prompting.
Add a site to this zone only if you trust that it would never cause harm to your
computer.

Internet Explorer URLs - Monitors changes to your Internet Explorer URLs, in order
to prevent browser hijacking. An Internet Explorer URL is an address for commonly
viewed sites, like your Home Page, search engines or Web directory sites. When
spyware hijacks your Web browser, attempts to view these common Web sites can
be redirected to an alternative Web site of the hijacker's choice. A browser hijacker
can also disallow access to certain Web pages. For example, the site of an anti-virus
software manufacturer might be blocked. These programs have also been known to
disable installed anti-virus and anti-spyware software. Some of the Internet Explorer
URLs that are protected by this Monitor include: Internet Explorer Start Page,
Internet Explorer Search Page, Internet Explorer Default_Page_URL, Internet
Explorer Local Page, Internet Explorer Search Bar, Internet Explorer
Default_Search_URL, Internet Explorer CustomizeSearch, Internet Explorer
SearchAssistant, Internet Explorer SearchUrl Local page, Internet Explorer
SearchUrl Blank page, Internet Explorer SearchUrl Desktop navigation failure,
Internet Explorer SearchUrl Navigation canceled, Internet Explorer SearchUrl
Navigation failure, Internet Explorer SearchUrl Offline information, Internet Explorer
SearchUrl PostNotCached, and Internet Explorer SearchUrl mozilla.

It is possible for a browser hijacker to change the default prefix that is added to
a URL when one is not included. For example, if you type in "google.com", the
browser would normally add the http:// to the front of what you type. This part is
called the "URL prefix", and it is not fixed to http://. The prefix values are stored in the
registry at:

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefix

For example: If you change the default prefix from “http://” to “http://www.google.com/search?q=”,
the browser will automatically go to google.com if you don't type the http:// part of a
URL. With the default prefix value set to the above google.com URL, if you typed
“security.com” into your browser address bar, you would not go to
http://www.security.com. Instead, what you would get would be a search for
"security.com" on google.com. Browser hijackers can make good use of this
technique. Instead of querying a public search engine, like Google, the spyware
could always cause your entry to query a private search engine instead. Internet
Explorer URL prefixes that are monitored and protected include DefaultPrefix, ftp,
gopher, home, mosaic, and www.
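The following added example (not part of the original guide or of CounterSpy) models the prefix behaviour described above and flags any monitored prefix that carries more than a bare scheme. The matching of a prefix name against the start of the typed address is a simplified assumption, and the dictionaries are constructed samples standing in for exported registry values.

```python
import re

# Prefix names the guide lists as monitored, besides DefaultPrefix.
MONITORED = ("ftp", "gopher", "home", "mosaic", "www")

# A benign prefix is only a scheme such as "http://": no host, path or query.
_BARE_SCHEME = re.compile(r"[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def resolve(typed, default_prefix, prefixes):
    """Simplified model: if the typed address has no scheme, prepend the
    prefix whose name matches the start of the address, else DefaultPrefix."""
    if "://" in typed:
        return typed
    lowered = typed.lower()
    for name, prefix in prefixes.items():
        if lowered.startswith(name):
            return prefix + typed
    return default_prefix + typed


def is_bare_scheme(prefix):
    return _BARE_SCHEME.fullmatch(prefix) is not None


def audit_prefixes(default_prefix, prefixes):
    """Return (name, value) for each prefix that would redirect typed
    addresses to a host instead of only supplying a scheme."""
    findings = []
    if not is_bare_scheme(default_prefix):
        findings.append(("DefaultPrefix", default_prefix))
    for name in MONITORED:
        value = prefixes.get(name)
        if value is not None and not is_bare_scheme(value):
            findings.append((name, value))
    return findings


# Constructed samples. The hijacked DefaultPrefix is the value used in the
# guide's own illustration; the "www" value is a made-up placeholder host.
CLEAN_PREFIXES = {
    "ftp": "ftp://", "gopher": "gopher://", "home": "http://",
    "mosaic": "http://", "www": "http://",
}
HIJACKED_DEFAULT = "http://www.google.com/search?q="
HIJACKED_PREFIXES = dict(CLEAN_PREFIXES, www="http://search.example.invalid/?q=")

if __name__ == "__main__":
    print(resolve("security.com", "http://", CLEAN_PREFIXES))
    print(resolve("security.com", HIJACKED_DEFAULT, CLEAN_PREFIXES))
    print(audit_prefixes(HIJACKED_DEFAULT, HIJACKED_PREFIXES))
```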

Internet Explorer WebBrowser - Prevents changes or additions to your Internet
Explorer's WebBrowser. The Internet Explorer WebBrowser contains information and
settings about an instance of Internet Explorer. If these settings are modified or a
new WebBrowser is added, the new WebBrowser can take over full control of
Internet Explorer. It can add toolbars, menus, buttons, or much more.

Installed Components - Monitors for additions to your installed component list. An
installed component is a program or application that is installed with the Windows
Operating System. For more information, visit:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;123876

Process Execution - Alerts you if an unknown process is attempting to run on your
computer. If a known spyware process is trying to run, this Monitor prevents it
from starting, and warns you that it has tried. It gives you the option to remove the
spyware before it can run. This is a powerful feature, because it can prevent any
known spyware installer from being able to install spyware onto your computer. An
executed process is a program or application that is currently running on your
computer. You can see a list of most running processes in your Task Manager.

Application Restrictions - Prevents unauthorized additions and modifications to the
applications restriction policies, as defined by the restrict run setting. An
administrator can restrict what programs a user can run, by modifying the
RestrictRun setting. Warning: If you are the person who applies Group Policy, do not
apply a run restriction to your own computer. If applied too broadly, this policy can
prevent administrators from running Group Policy or the registry editors. As a result,
once applied, you cannot change this policy except by reinstalling Windows!
Technical Information:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. The
RestrictRun subkey contains a list of programs that restricted users can run. This list
is used only when the value of the RestrictRun entry is 1. This subkey stores the
contents of the Show Contents box in the Run only allowed Windows applications
Group Policy. Group Policy adds this subkey and its entries to the registry when you
enable the policy. If you disable the policy or set it to Not configured, Group Policy
deletes this subkey and its entries from the registry. The entries in this subkey list all
of the Windows programs that the affected users can run. If a program is not
represented by an entry in this subkey, users cannot run the program. If no entries
appear in this subkey, users cannot run any programs that Windows Explorer starts.
Each entry in this subkey represents a Windows program, like Notepad. It contains
the name of the executable file for the program, like Notepad.exe. (The number that
names this entry represents only the order in which the programs are entered. It
does not affect the feature.)

Running Process - Alerts you if an unknown process is attempting to run on your
computer. If a known spyware process tries to run, this Monitor prevents it from
starting, and then warns you. CounterSpy gives you the option to remove the
spyware, before it gets a chance to run. A running process is a program or
application that is currently running on your computer. You can see a list of most
running processes in the Windows Task Manager.

Script Blocking - Prevents spyware or malicious scripts from running on your
computer. A script is a program written with a scripting language, such as Visual
Basic Script or JavaScript. It can be executed without user interaction. Scripts can be
opened with text editors or word processing programs, so they are very easy to write
or change. A script can be written to perform malicious activities when it is started.
You can unknowingly receive a malicious script by opening an infected document or
email attachment, viewing an infected HTML email message, or visiting an infected
Internet Web site. Script Blocking detects Visual Basic, JavaScript and other script-
based software, without the need for specific virus definitions. It monitors scripts for
virus-like activity and alerts you if it is found.

StartUp Files - Monitors additions and modifications to your list of startup programs.
When a new program is added to your user startup folder or if one is added to the
"all users" startup program folder, this Monitor alerts you. If the program being added
is known to be safe, this Monitor automatically allows it to be added. If the program
being added is known to be spyware, this Monitor automatically blocks it, and then
warns you. If a program being added is unknown, you can select the Send Feedback
checkbox to report it to Sunbelt’s Research Center. Startup files are files (or
shortcuts to files) that are located in your startup folder. Files that are in the startup
folder are automatically loaded when Windows starts. If it is a program, the program
starts. If it is a shortcut to a program, the program that the shortcut points to starts. If
it is a file that is associated with a program, the associated program starts. For
example: If you put a Microsoft Word document (or a shortcut to one) in your Start
Up folder, Microsoft Word will automatically start, and it will open that document
when your computer starts. If you put a music file (or a shortcut to one) in the startup
folder, your audio software will start and it will play the music file. If you put an HTML
file (or a shortcut to one) that contains a list of your Internet favorites in the startup
folder, Internet Explorer (or your preferred browser) will start and it will open that
Web page for you when the computer starts.

The User Profile Startup Folder is your personal Startup folder. Each person who has
a profile setting on the computer has a User Profile Startup folder. Any files or
shortcuts placed in this folder are run when the user with that profile logs in. (In the
path shown below, LoginName = the name you use to log onto the computer.) This
folder is usually found in:

C:\windows\start menu\programs\startup
C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

The All Users Startup Folder contains any files or shortcut files that are to run when
any user logs onto the computer. This folder applies to all Windows NT, 2000, XP
and 2003 versions. Possible folder paths are:

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Startup Registry Files - Monitors additions and modifications to the list of startup
programs that are listed in your system registry keys. Startup registry keys are a
number of registry entries in the Windows registry. They store paths to applications
on your computer. Applications that are listed in any of these registry keys are
automatically loaded when Windows starts. These keys generally apply to Windows
98, ME, NT, 2000, XP, and 2003.

URL Search Hooks - Prevents unauthorized changes to your Internet Explorer's
URL Search Hooks. A URL Search Hook is used when you type an address in the
location field of the browser, but do not include a protocol such as http:// or ftp:// in
the address. When you enter such an address, the browser will attempt to figure out
the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook in
an attempt to try to find the location you are seeking. URL SearchHook is a COM
object, which is used by the browser to translate the address of an unknown URL
protocol. When attempting to browse to a URL address that does not contain a
protocol, the browser will first attempt to determine the correct protocol from the
address. If this is not successful, the browser will create URL Search Hook objects
and call each object's Translate method until the address is translated or all of the
hooks have been queried.

System Tools
My PC Checkup
My PC Checkup helps tighten computer security. It updates your computer settings to
recommended “best practices” security levels. My PC Checkup thoroughly scans your
computer for over 1000 different settings, suggests recommended changes, and then
allows you to execute the recommended changes. Please Note: Settings that are
changed by My PC Checkup cannot be undone using CounterSpy.
The first time you run My PC Checkup, there may be many recommended changes.
Subsequent My PC Checkups will find fewer changes to suggest. CounterSpy is self-
tuning, and when you also use Active Protection, it helps keep your computer secure.
To Run My PC Checkup:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
System Tools icon, and then click My PC Checkup.


Tip: You can also run My PC Checkup from anywhere in CounterSpy, by
choosing View menu | System Tools | My PC Checkup.

Figure 24: My PC Checkup checks computer security.


Last Ran On tells you when My PC Checkup was last run.
Items Scanned shows how many of the hundreds of security settings that
CounterSpy can check were unprotected, and therefore scanned the last time My
PC Checkup was run.
Items Protected shows how many security settings are already set at their
maximum security level.
2. Click Start.
When the checkup is complete, CounterSpy displays the Results of Analysis.
This contains a list of security items that can be protected. Highly hazardous
security flaws are flagged with an icon to the left of the item.
3. (Optional) Click an item in the list to view Details about that item, and then click
Learn more to see additional information about it.
4. (Optional) Uncheck an item to keep CounterSpy from changing it.

Figure 25: My PC Checkup is self-tuning.


5. Click Continue to have CounterSpy implement the selected security setting
changes.

The History Cleaner


The History Cleaner is a privacy tool that removes all Internet History usage logs and 75
different activity histories from the most popular Windows and Internet applications.
History Cleaner, which works like a Windows cleaner, allows you to delete your Web
browsing and search history, Windows temporary folders, and your search history. In
addition, you can select to erase the history stored by many popular applications, such
as Real Player, Windows Media Player, Quicktime, Winzip, ICQ, and MSN Messenger.
To use the History Cleaner:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
System Tools icon, and then click History Cleaner.


Tip: You can also run the History Cleaner from anywhere in CounterSpy, by
choosing View menu | System Tools | History Cleaner.

Figure 26: Select History Cleaner items for details.
2. (Optional) Click Show only available history to display only those History
Cleaners that are for applications that you have installed on your computer.
CounterSpy checks each of the available History Cleaners to see if any
applications are associated with it, and then hides those cleaners that are not
required.
Click Show all history to see all the History Cleaners that are included with
CounterSpy. If a cleaner requires an application that you do not have installed on
your computer, that eraser is displayed, but remains grayed out in the list and is
not active.
3. Select an item in the History Cleaner list to view information in the Details about
that item.
4. Click Erase selected item to clean the history for the selected item.
5. To erase multiple items, check each item in the list that you want erased, or click
Check all to check all items in the list.
6. Select the Remember Checked option for CounterSpy to remember what
activities you want cleaned in the future.
7. Click Clean History.

The Secure File Eraser


The Secure File Eraser is a powerful deletion tool that ensures the complete destruction
of any files you wish to remove from your machine. The Secure File Eraser will
completely remove all traces of any documents, images, music, movies, or applications
you wish to remove from your computer.

Warning: Files you erase this way cannot be retrieved, even with special data
recovery utilities!

To use the Secure File Eraser:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
System Tools icon, and then click Secure File Eraser.


Tip: You can also run the Secure File Eraser from anywhere in CounterSpy,
by choosing View menu | System Tools | Secure File Eraser.

Figure 27: Secure File Eraser deletes files or folders.


2. Click Browse to locate the files or folders that you want to erase, or drag-and-
drop files or folders onto the Files to be Erased area at the right of the screen.
3. (Optional) Right-click on an item to be erased, and then select More Information
to view details about the selected file or folder.
4. (Optional) If you change your mind, right-click on an item to be erased, and then
select Remove to remove the file or folder from the files to be erased list.
5. After you are sure that the files you have selected are ones you want
permanently erased, click Erase Now.
6. (Optional) Check Add an “Erase Files” option to your Windows Explorer
menu to add a Secure File Eraser command to your Windows Explorer shortcut
menu.
7. To use a Secure File Eraser Windows Explorer shortcut, select a single file or a
group of files and right-click in Windows Explorer. There is now an Erase File(s)
command in the shortcut menu.
8. (Optional) Un-check Add an 'Erase Files' option to your Windows Explorer
menu to remove the Secure File Eraser Windows Explorer shortcut.

My PC Explorers

Note: My PC Explorers are for use by Advanced Users.

My PC Explorers let you explore and manage key elements of your system. The different
My PC Explorers allow you to view and modify settings on your computer that are
normally hidden and difficult to change.
My PC Explorers are very powerful. With My PC Explorers, you can find out what
applications are currently connected to the Internet, find out what programs automatically
start when Windows starts, see and modify which applications are changing your Internet
settings, and much more.

Available PC Explorers.
Applications
• Downloaded ActiveX, see page 47
• Internet Applications, see page 48
• Running Processes, see page 49
• Startup Programs, see page 47
Internet Explorer
• Internet Explorer BHOs, see page 49
• Internet Explorer Details, see page 51
Networking
• Windows Host File, see page 51
• Winsock LSPs, see page 52
System
• Shell Explorer Hooks, see page 53
To use the My PC Explorers:
1. From the CounterSpy Home Page, or from any screen with the toolbar, click the
System Tools icon, and then click .


Tip: You can also access the PC Explorers from anywhere in CounterSpy, by
choosing View menu | System Tools | My PC Explorers.

Figure 28: Click to select a My PC Explorer.
2. Click an Explorer on the left to view the information and options that it provides.

Figure 29: Click My PC Explorers when you are done.


3. When you have finished using an explorer, click My PC Explorers on the left
side of the screen to return to the list of available Explorers.

My PC Explorers - Applications
Downloaded ActiveX
My PC Explorers Downloaded ActiveX displays all the downloaded and currently
installed ActiveX programs for Internet Explorer. Each program is evaluated and labeled
Safe, Unknown, or Hazardous.

To use My PC Explorer - Downloaded ActiveX:


1. Click an ActiveX program in the list to highlight it and display information about
the program in the ActiveX Details area.
2. Click Block this ActiveX to block the selected program.
For information about how to manage blocked items, see page 26.

3. Click Learn more about this ActiveX… to view additional information.

About ActiveX Programs

Internet Explorer uses ActiveX controls for interaction between the browser and
some third party applications and the operating system. ActiveX controls are similar
in function to browser plug-ins. As updated versions of third-party programs like
Shockwave and Flash become available, it is necessary to update the ActiveX
control for those programs in Internet Explorer.

ActiveX programs are a great tool for providing interactive programs for Internet
Explorer. Unfortunately, they provide a means for installing spyware onto a
computer. These are known as "drive by installations". A drive by download is an
ActiveX program that is automatically downloaded to your computer, often without
your consent or even your knowledge. Unlike a pop-up download, which asks
permission, a drive by download is invisible to the user and can be initiated simply by
visiting a Web site or viewing an HTML email message.

Internet Applications
The Internet Applications My PC Explorer displays a list of all programs that are currently
connected to a remote computer or are listening for connections from a network or the
Internet. CounterSpy lists the Local Connection IP Address and Remote Connection IP
Address for each connected application.

To use My PC Explorers – Internet Applications:


• Click an Internet Connected Application in the list to highlight it and display
information about the connection in the Connection Details area.

About Internet Connected Applications

An Internet connected application is a program that runs on your computer and is
currently connected to a remote computer on the Internet or sitting on a local port,
just waiting to establish an Internet connection.

Some common applications use the Internet. These include programs like Internet
Explorer, Microsoft Outlook Express, or other programs that need to send and
retrieve information over the Internet.

There are many spyware programs, particularly Remote Administration Tool (RAT)
spyware, that are installed onto your computer for the purpose of transmitting data to
a remote location. These can also wait on the Internet, “listening” for attacker
commands.
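
The same inventory can be built without CounterSpy from the output of the Windows `netstat -ano` command. The following is an added example, not part of the original guide or of the product: it parses a constructed sample of that output, groups listening ports and remote peers by process ID, and separates listeners reachable from the network from those bound only to the loopback address. The function names and the sample data are assumptions made for illustration.

```python
from collections import namedtuple, defaultdict
import ipaddress

# Constructed sample in the layout printed by Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:40123          0.0.0.0:0              LISTENING       2468
  TCP    192.168.0.5:49712      203.0.113.10:80        ESTABLISHED     4321
  TCP    192.168.0.5:49713      198.51.100.7:8080      ESTABLISHED     2468
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1020
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port'; the port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return one Conn per TCP/UDP row; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "TCP" and len(f) == 5:
            proto, local, remote, state, pid = f
        elif f and f[0] == "UDP" and len(f) == 4:
            proto, local, remote, pid = f  # UDP rows carry no State column
            state = ""
        else:
            continue
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def is_loopback(host):
    """True when the address is reachable only from this computer."""
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:  # e.g. '*'
        return False


def exposed_listeners(conns):
    """Sockets waiting for traffic on an address other machines can reach."""
    hits = [(c.pid, c.proto, c.local_ip, c.local_port) for c in conns
            if (c.state == "LISTENING" or c.proto == "UDP")
            and not is_loopback(c.local_ip)]
    return sorted(hits)


def summarize(conns):
    """Map each PID to its listening TCP ports and connected remote peers."""
    by_pid = defaultdict(lambda: {"listening": [], "peers": []})
    for c in conns:
        if c.state == "LISTENING":
            by_pid[c.pid]["listening"].append(c.local_port)
        elif c.state == "ESTABLISHED":
            by_pid[c.pid]["peers"].append(f"{c.remote_ip}:{c.remote_port}")
    return {pid: {k: sorted(v) for k, v in d.items()} for pid, d in by_pid.items()}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for row in exposed_listeners(conns):
        print("reachable listener:", row)
    for pid, info in sorted(summarize(conns).items()):
        print(pid, info)
```

A process that both listens on a network-reachable port and holds an outbound connection, like PID 2468 in the sample, is the pattern worth matching against the Running Processes list first.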

Running Processes
My PC Explorers Running Processes displays a list of all the processes (programs) that
are currently running on your computer. Windows Task Manager displays these same
processes, with fewer details.

To use My PC Explorer – Running Processes:


1. Click a running program in the list to highlight it and display information about the
program in the Application Details area.
2. Click Stop the process from running now to end the application.
3. Click Learn more about this application… to view additional information.

About Running Processes

A running process is an application program that is currently running on your
computer. A process can be anything from a required Windows system application,
to a third party application, like office productivity programs or Internet Explorer.

Startup Programs
My PC Explorers Startup Programs lists all the applications that can start up and run
when you start your computer or log into Windows.

To use My PC Explorers – Startup Programs:


1. Click a startup program in the list to highlight it and display information about the
program in the Startup Program Details area.
2. Click Block this startup program to stop it from running when you start your
computer or log into Windows.
For information about how to manage blocked items, see page 26.

3. Click Permanently remove startup program to delete the program from your
computer.
4. Click Learn more about this program… to view additional information.

About Startup Programs

Many programs that you install are set to run automatically when you start your
computer and load Windows. For the majority of cases, this type of behavior is fine.
Unfortunately, spyware, hijackers, trojans, worms, and viruses can load that way,
too. It is important to check startup registry keys.

My PC Explorers – Internet Explorer


Internet Explorer BHOs
My PC Explorer Internet Explorer BHOs displays a list of all BHOs installed on your
computer. The list shows the name of each BHO, as well as information about the file
(DLL) that is installed as the BHO's application. For each BHO displayed, CounterSpy
shows a flag indicating whether the BHO is known, whether it is safe (known to be
spyware free), or whether it is harmful (contains or is spyware).

To use My PC Explorers – Internet Explorer BHOs:


1. Click a BHO in the list to highlight it and display information about the program in
the BHO Details area.
2. Click Block this BHO to keep it from running.
For information about how to manage blocked items, see page 26.
3. Click Permanently remove this BHO to delete the BHO from your computer.
4. Click Learn more about this BHO… to view more information.

About BHOs

A 'Browser Helper Object' (BHO) is an application that extends Internet Explorer and
acts as a plug-in. They let developers customize and control Internet Explorer.
Spyware, as well as browser hijackers, often use BHOs to display ads or follow your
moves across the Internet. A number of legitimate applications such as the Google
or Yahoo toolbars use BHOs.

When Internet Explorer starts, it first reads the Windows registry file, in order to
locate installed BHOs and then creates them. Created BHOs then have access to all
the events and properties of that browsing session. The APIs for building BHOs give
developers almost complete control over Internet Explorer.

Applications that install BHOs are becoming more and more popular because BHOs
allow application developers to control Internet Explorer. For example, Alexa uses a
BHO to monitor page navigation and show related page links. GetRight and Go!Zilla
use BHOs to monitor and control file downloading. Flyswat, Quiver, Blink, and
iHarvest use BHOs to extend and control Internet Explorer. BHO technology has
allowed the development of some very powerful applications that provide useful
functionality to its users.

It is possible that there are BHOs installed on your computer that you do not know
about. What this means is that while there are some good uses for BHOs, they may
not necessarily need your permission to install. Some are used for malicious
purposes like gathering information about your Internet usage habits. Some
companies go out of their way to hide the presence of the spyware BHOs that they
install. They go so far as to find ways around the most popular detection tools by
changing their product just enough to avoid detection, until the next version of
detection software can be released.

A lot of spyware and BHOs are poorly written. This can cause anything from
incompatibility issues to the corruption of important system functions. This makes
them not only a threat to your security, but to your system's stability.
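
The registry lookup described above can be reproduced offline from a registry export. The following is an added example, not part of the original guide or of CounterSpy: it parses a constructed `.reg` export and lists each BHO's CLSID, display name and DLL path. The registry locations used (the `Browser Helper Objects` key and `CLSID\...\InprocServer32`) are the standard Windows locations and are not given in this guide; the function names and sample data are assumptions.

```python
import re

# Constructed sample in .reg export format (not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleToolbar\\helper.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches string values only: @="..." or "name"="..."; dword/hex values are ignored.
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

BHO_KEY = (r"hkey_local_machine\software\microsoft\windows"
           r"\currentversion\explorer\browser helper objects")
CLSID_KEY = r"hkey_local_machine\software\classes\clsid"


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg files escape backslashes and quotes with a backslash.
            current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def list_bhos(keys):
    """Return (CLSID, display name, DLL path) for every registered BHO.

    Name and path are None when the export holds no CLSID registration
    for that BHO, which is itself worth a closer look.
    """
    prefix = BHO_KEY + "\\"
    found = []
    for path in sorted(keys):
        if not path.startswith(prefix):
            continue
        clsid = path[len(prefix):]
        if "\\" in clsid:  # skip anything nested below a BHO entry
            continue
        name = keys.get(CLSID_KEY + "\\" + clsid, {}).get("")
        dll = keys.get(CLSID_KEY + "\\" + clsid + "\\inprocserver32", {}).get("")
        found.append((clsid.upper(), name, dll))
    return found


if __name__ == "__main__":
    # Real regedit exports (Version 5.00) are UTF-16; open them with encoding="utf-16".
    for clsid, name, dll in list_bhos(parse_reg(SAMPLE_REG)):
        print(clsid, name or "(no name in export)", dll or "(no DLL in export)")
```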

Internet Explorer Details
My PC Explorers Internet Explorer Details allows you to review what URLs are set for
Internet Explorer. This includes such things as your home page, browser address search
URLs, and hidden URLs that Internet Explorer requires. Unfortunately, these URLs are
commonly taken advantage of by URL hijackers. You can modify settings for each URL
and you can save your settings for later use.

To use My PC Explorers – Internet Explorer Details:


1. Click a setting in the list to highlight it and display information about the setting in
the Setting Details area.
2. Click Change URL/Page to modify the selected setting.
3. Click Learn more about this setting… to view more information.
4. Click Save Default Settings to make the current settings the default settings.
5. Click Restore Default Settings to replace all settings with the default settings.

About Web browser hijacking

When your Web browser is hijacked, your attempts to view some Web sites (such as
common search engines or popular Web directory sites) are automatically redirected
to an alternate Web site of the hijacker's choice.

A browser hijack might also disallow access to certain Web pages, like anti-virus and
anti-spyware sites. For example, a hijack might block you from getting to the site of
an anti-virus software manufacturer like Symantec, in order to prevent updates to
that program from discovering that the browser has been hijacked.

My PC Explorers – Networking
Windows Host File
My PC Explorers Windows Host File shows you the current listings in your Windows
Host file. You can disable or remove a Host file entry.

To use My PC Explorers – Windows Host File:


1. Click a Host File in the list to highlight it and display information about the setting
in the Host Details area.
2. Click Block Host to make the Host file inactive.
For information about how to manage blocked items, see page 26.
3. Click UnBlock Host to remove a block from the Host file.
4. Click Permanently Remove Host to delete the Host file from your computer.
5. Click Learn more about this Host… to view more information.

About the Windows Host File

Your browser references your Host file and performs a translation for specific Web
site addresses (Host File Redirection) from Domain Name (the URL address for a
Web site) to IP Address (a series of numbers that references the physical connection
of a computer or server on the Internet).

For example, when you enter www.somesite.com into your browser, you go to the
somesite.com Web site. That Web site has an IP Address, but you do not need to
know what it is, because your browser uses the Domain Name to find the site. If,
however, this entry is in the Host file:

192.168.0.12 www.somesite.com

each time you enter www.somesite.com into your browser, the browser checks the
Host file, matches what you type to a listing for "somesite.com", and automatically
converts what you type into the IP address in that listing. Your browser goes to the
Web site at 192.168.0.12, which could be anything that the spyware attacker wants
to display.

The Host file should not need to be modified. Some Hijackers use this technique to
redirect popular sites to their Web site. For example, it is possible to redirect all
popular search engines to a Web site of your choice. That kind of attack can be very
hard for the average user to fix, and will most likely require specialist software or
detailed removal instructions. Other practices involve changing auto.search.msn.com
to redirect to their Web site, so whenever users type an incorrect URL, their browser
is redirected to auto.search.msn.com. That is then resolved to a different IP address
of the hijacker's choice.

Reset Web settings does not fix a Host file Hijack. That only resets the search page
to auto.search.msn.com. The Host file remains altered, and any redirection listing
remains active.
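
A Host file can also be checked by hand or by script. The following is an added example, not part of the original guide or of CounterSpy: it parses Host file text and reports every entry other than the standard `localhost` mapping, distinguishing names redirected to another address from names pointed at the local machine (which makes the site unreachable). The sample file, the watchlist and the function name are assumptions; `www.somesite.com`, `192.168.0.12` and `auto.search.msn.com` are taken from the text above.

```python
import ipaddress

# Constructed sample of an altered Host file (not from a real system).
SAMPLE_HOSTS = """\
# Constructed sample Host file
127.0.0.1       localhost
192.168.0.12    www.somesite.com      # the entry used in the guide's example
192.168.0.12    auto.search.msn.com
0.0.0.0         updates.av-vendor.example
::1             localhost
not-an-ip       broken.example
"""

# Names whose loopback mapping is expected and not worth reporting.
BENIGN_NAMES = {"localhost"}


def audit_hosts(text, watchlist=()):
    """Return findings as (line number, name, address, kind).

    kind is one of:
      redirect   name resolves to whatever address the file gives
      blocked    name points at this computer, so the real site is unreachable
                 (also how legitimate block lists work, so review, do not assume)
      malformed  first field is not an IP address
    '-watched' is appended when the name is on the caller's watchlist.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, None, fields[0], "malformed"))
            continue
        for name in (f.lower() for f in fields[1:]):  # one line may map several names
            if name in BENIGN_NAMES and ip.is_loopback:
                continue
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            if name in watch:
                kind += "-watched"
            findings.append((line_no, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    # On NT-family Windows the file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS, watchlist=["auto.search.msn.com"]):
        print(finding)
```

On a system where the Host file has never been edited, the audit returns an empty list, so any finding is a line someone or something added.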

Winsock Layered Service Providers (LSPs)


My PC Explorers Winsock Layered Service Providers shows all Layered Service
Providers that are installed on your computer. Each LSP is evaluated and labeled Safe,
Unknown, or Hazardous.

To use My PC Explorers – Winsock LSPs:


1. Click an LSP in the list to highlight it and display information about the LSP in the
LSP Details area.
2. Click Learn more about this LSP to view more information.

About Winsock Layered Service Providers

A Winsock Layered Service Provider (LSP) is a program that sits in the middle of the
computer's Winsock layer. That layer is used for all network communications, both
internally and on the Internet. An LSP program can intercept and modify all data that
goes in and out of your computer's network.

Windows Shell Explorer Hooks


My PC Explorers Windows Shell Explorer Hooks lets you view and block any of your
computer's Windows Shell Execute Hooks. Each Windows Shell Execute Hook is
evaluated and labeled Safe, Unknown, or Hazardous.
Note: Before blocking a Shell Execute Hook, please pay proper attention to what you
are blocking. Blocking certain Shell Execute Hooks can cause your computer or
some of your programs to stop functioning normally.

To use My PC Explorers – Shell Explorer Hooks:


1. Click a Windows Shell Execute Hook in the list to highlight it and display
information about it in the Shell Execute Hook Details area.
2. Click Block this shell execute hook to keep the program from being loaded into
the Windows shell.
For information about how to manage blocked items, see page 26.

3. Click Learn more about this LSP to view more information.

About Windows Shell Execute Hooks

A shell execute hook is a program that is loaded into the Windows shell. The
Windows shell is Explorer.exe. A shell execute hook program receives all commands
that are run on your computer. This type of integrated program can either accept or
reject a command to launch a particular program.

CounterSpy Settings

Figure 30: CounterSpy Settings.

Automatic Update Settings


CounterSpy Automatic Updates communicate with Sunbelt Software’s CounterSpy
Update server and download any new spyware definitions or software updates, based
on a schedule you define. Because the Sunbelt Software Research Team may identify
new spyware threats daily, to ensure your spyware protection is always current, enable
Automatic Updates.
When you select Automatic Updates, CounterSpy checks for an Internet connection
every five minutes, until a connection is found. Once a connection is available,
CounterSpy checks for updates. After that, CounterSpy checks for updates every four
hours.

Stay protected automatically


You can have CounterSpy automatically check for spyware definition and software
updates on a pre-set schedule.

Stay protected automatically (recommended) - Check this option to enable the
automatic update options for CounterSpy.

Definition update notifications


Spyware definitions are files that contain specific signature information about spyware
threats. These definitions allow CounterSpy to detect and protect against spyware,
adware, trojans and worms. CounterSpy's award-winning scanning engine uses a
definition library of over 100,000 spyware threat files and settings.

Apply new spyware updates without interrupting me (recommended) - Check
this option to install new spyware definition updates when they become available. If
you uncheck this option, CounterSpy alerts you when updates are available, allowing
you to update manually.

Software update notifications


Software updates offer minor improvements to your installed product. These differ from
product upgrades, which are newer versions of entire products. Program updates that
have self-installers to replace existing software code are called patches. Patches are
usually created to extend operating system or hardware compatibility, adjust a
performance issue, or fix bugs.

Notify me when updates or new versions of CounterSpy are available - Check
this option to have CounterSpy check for new software updates or software patches
when it checks for spyware definition updates. If software updates are available,
CounterSpy downloads them, and then prompts you that they are ready to be
installed.

Active Protection Settings


New spyware threats are released almost daily. To keep your machine protected from
new threats, CounterSpy comes installed with over 100 Active Protection Monitors.
Active Protection stops spyware files before they can act, stopping most threats before
they can even become installed. Active Protection helps protect your privacy and
identity, as well as prevent unauthorized programs from taking control of your computer.

Startup options
Enable the CounterSpy Active Protection on startup. (recommended) - Check
this to have CounterSpy automatically start Active Protection each time you start
your computer.

Script Blocking Active Protection option


Script blocking prevents unknown scripts such as .vbs, .reg, or .bat files from running.
Select how to respond when a script tries to run on your computer. You can disable
script blocking.

Ask me what to do (recommended) - Select this option to have CounterSpy prompt
you every time a script is executed on your computer. Once prompted, you can allow
the script to continue or block the script from executing.

Automatically prevent all scripts from running. - Select this if you want
CounterSpy, without asking for your input, to prevent many hazardous scripts from
executing on your computer.

Alert Settings
An alert refers to a popup window that appears in the bottom right of your Windows
desktop whenever Active Protection detects a possible security violation, suspicious
activity, or spyware attempting to install on your computer. These alerts notify you that
Active Protection has automatically allowed or blocked an event on your computer.

Blocked Alerts
When Active Protection prevents a change to your computer, a Blocked alert is
displayed. This can occur when a known spyware setting or application is installed or
attempts to install.

Enable blocked alerts - Check this to allow non-interactive alerts to display when
Active Protection successfully blocks a known threat.

Allowed Alerts
Allowed Alerts occur when Active Protection detects a change to your system, but
recognizes that it is being made by a known non-spyware application, such as the Google
toolbar.

Enable allowed alerts - Check this to allow non-interactive alerts to display when an
application that passes inspection is allowed.

Show alert if an ignored threat has been detected and allowed to run - Check
this to display an alert if an ignored threat has been installed or is executing on your
computer.

ThreatNet Settings
ThreatNet is a worldwide network of users who report on new spyware outbreaks to
Sunbelt. When CounterSpy’s Active Protection observes an unknown but potential
threat, it can anonymously send information about the threat to Sunbelt's Spyware
Research Center.
The research center can then identify new threats as they occur, making updates
available to protect users from new spyware.
Click Yes. I would like to join the Network and help fight spyware
anonymously, if you would like to join the network.
All information sent to and from ThreatNet is transmitted in a secure and private manner.
The data sent in each user’s report is completely anonymous. A report only includes
simple threat signatures, and never includes personal information that can associate you
or your computer with any sent data.

Spyware Scan Settings
Dealing with Spyware Threats
Display the scan results window after a spyware scan - Check this to have
CounterSpy display the results of spyware scans when they complete.

Ignored Spyware Threats


These are spyware threats that were added to your ignored threats list with the ‘Always
Ignore’ option under the Recommended Actions section of the Spyware Scan Results
page. These identified threats will be ignored in future spyware scans.
To remove items from your 'Always Ignored Threats' list:
1. Check the threats you want to remove.
2. Double-click an item to view more information about that item.
3. Click Remove.

General Settings
User Modes
CounterSpy offers two user modes. These user modes generally reflect the expertise
you have with computers. You should try to select a user mode that best meets your
experience level with using your computer.

Beginning User - A beginning user is restricted from some of the actions that might
otherwise be performed when presented with various alerts. These restrictions are
based on CounterSpy's recommended action.

Advanced User - An advanced user is one that is familiar with much of the
functionality of a computer. This can range from a very technical user, to a skilled
power user.

If you select the Advanced User mode, you will have complete control over blocking,
deactivating and removing installed applications. It is important to understand that
selecting this mode allows you to take any action on various alerts, regardless of
whether the action is recommended by CounterSpy.

Note: It is extremely important when using this mode that you completely understand
what you are doing, before taking actions like blocking program installations.

Additional Settings
Include technical information in selection details - Check this checkbox to
include technical details for most information presented. For example, CLSIDs are
displayed for some of the various My PC Explorers, in addition to names and file
information.

Updating
Rogue programmers and companies that want to defraud computer users are always
developing Spyware. They do it to steal personal and financial information, invade your
privacy, cause your computer to send spam, or to divert processor power. CounterSpy's
research experts continuously update CounterSpy to protect your computer from the
latest threats.
Spyware definitions are files that contain specific information about spyware threats.
These definitions allow CounterSpy to detect and protect against spyware, adware,
trojans and worms. CounterSpy's scanning engine uses a robust definition library with
well over 100,000 spyware threat files and settings.
Update spyware definitions as soon as you install CounterSpy. When you know that your
spyware definitions are up-to-date, continue to update them regularly. Sunbelt releases
new spyware definitions when new spyware is discovered. This can happen once a day
or every few days. CounterSpy checks for updates if your computer is connected to the
Internet. If you are not connected to the Internet when it is time for a scheduled update,
be sure to check when your computer is again connected.

Note: With the exception of the 15-day trial period, a valid CounterSpy subscription
is required for you to receive updated spyware definitions, so be sure to keep your
CounterSpy subscription current. During the 15-day trial you will also receive
updates.
CounterSpy software updates offer continuous improvements to your installed product.
These differ from product upgrades, which are newer versions of entire products.
Program updates that have self-installers to replace existing software code are usually
created to extend operating system or hardware compatibility, adjust a performance
issue, or fix bugs.

How to Update
Automatic Updates and Update Notifications
Using CounterSpy's Automatic Updates feature, CounterSpy automatically
communicates with the CounterSpy Update server. It checks for and downloads any new
spyware definitions or software updates. Automatic Updates are performed on a
schedule that you define.

Tip: If you enable Automatic Updates in the settings section, updating becomes even
easier. With Automatic Updates enabled, CounterSpy checks for newly released
updates, downloads them when they become available, and makes it possible for
you to stay current, without any effort at all.
To enable automatic updates and notifications:
1. Click Automatic Updates on the CounterSpy Home Page. The CounterSpy
Automatic Update Service Settings are displayed.

Figure 31: Update automatically to defeat new threats.
When you enable Automatic Updates, CounterSpy checks for an Internet
connection every five minutes. Once a connection is available, CounterSpy
checks for updates.
2. Click Stay protected automatically to enable automatic update options for
CounterSpy.
3. Select when you want updates to take place: at System Startup, Daily, Every
Other Day, or Every Week.
4. Select the time you want the update to take place.
5. Check Apply new spyware updates without interrupting me to have
CounterSpy automatically install downloaded updates. Unchecked, CounterSpy
does not automatically apply the updates. Instead, it alerts you when updates are
available, so that you can install them manually.
6. Check Notify me when updates or new versions of CounterSpy are available
to have CounterSpy notify you that it is time to update CounterSpy.
7. Click Save.

Manual Updates
There are some situations where you cannot use CounterSpy's automatic updates
feature. These reasons can include personal preference, technical considerations, or
corporate standards. If you cannot enable Automatic Updates, you can still stay 100%
updated by manually performing regular updates.
To update spyware definitions and CounterSpy software manually:

Choose File menu | Check for updates, or click Spyware Definitions on the
CounterSpy Home Page.

CounterSpy checks for the latest spyware definitions and software updates. If either
are available, follow the on-screen instructions to perform the update.

Why you might not be able to use Automatic Updates
CounterSpy checks for updates and downloads available updates through a standard
port, port 80, which is also the port for regular HTTP Internet traffic. Because of its
design there should be few problems connecting to the update servers in a wide range
of network configurations. Most software and hardware based firewalls and proxy
servers should not prevent the update service from functioning normally.
There are situations that can prevent automatic updates. For example, you may have an
ISDN router that is set to automatically connect to your Internet service provider (ISP). In
that case, many connections will be made, with connection and phone charges possibly
being incurred for each connection. If this is a problem, you can set your ISDN router to
not automatically connect to the ISP or disable CounterSpy Automatic Update.

About your Subscription


Your CounterSpy purchase includes a one-year subscription to spyware definition
updates and software updates. You will be prompted to renew your subscription when it
is due to expire. (If you do not renew your subscription, you cannot obtain any spyware
and software updates and will not be protected against newly discovered spyware
threats.)
Your subscription to CounterSpy includes several benefits:

Regular Definition Updates - Spyware programs change frequently. Stay safe from
these unwanted programs by having the latest update to CounterSpy's definitions
database.

Premier Customer Support - Spyware is incredibly invasive and can easily disrupt
essential system functionality. CounterSpy is backed by Sunbelt Software expert
technicians who will support you through any spyware and adware problems you
encounter.

Access to the Sunbelt Software Research Center – The research center is a great
resource for essential information about the latest online threats, insights into
managing spyware, and user tips. Visit the research center at
http://research.sunbelt-software.com.

CounterSpy Software Updates - Sunbelt Software provides CounterSpy
subscribers with regular enhancements to the application. As long as you stay
current with your subscription, you are entitled to free upgrades and major product
releases on a regular basis.
Note: The 15-day trial version of CounterSpy includes all the benefits above. At the end
of 15 days, you will be prompted to purchase an annual subscription in order to continue
receiving updates.

Appendix A - What is Spyware?
Spyware is software that is installed onto your computer without your knowledge or
permission. It collects personal information, like the Web sites that you have visited or
even your user names and passwords. Spyware is often associated with adware.
Adware also is installed onto your computer without your knowledge. Adware generates
a stream of unsolicited advertisements, affecting your productivity. These
advertisements often contain pornographic images or other material that you could find
inappropriate. The extra processing that is required to support spyware or the display of
adware advertisements could tax your computer and hurt performance. There are
programs that are downloaded that can affect your browser's home page or search page
settings.
Spyware is used for two general purposes: surveillance and advertising. Surveillance
software includes key loggers, screen capture devices, and Trojans. Corporations,
private detectives, law enforcement, intelligence agencies, or even suspicious spouses
would use this kind of spyware. Advertising spyware is installed along with other
software or when ActiveX controls are downloaded from the Internet. In the hopes of
targeting your interests, advertising spyware can log information about you, including
passwords, email addresses, Web browsing history, online buying habits, computer's
hardware and software configurations, and personal information, such as the name, age,
or sex of the user.
Spyware programs fall into these categories:

Adware – software that displays advertisements. Some adware can generate a
stream of unsolicited advertisements that clutter the desktop and affect your
productivity. The advertisements can contain pornographic images or material you
could find inappropriate. The extra processing required to track your viewing habits
or to display advertisements can tax your computer and hurt system performance.

Spyware – software that collects personal information and computer or Web usage
information from your computer, usually to facilitate advertising. Spyware programs
can be bundled as a hidden component on other software packages, or it can be
downloaded from the Internet. These little programs are usually installed secretly
onto your computer. They try to run without detection.

Browser Plug-ins – programs that are installed into a Web browser. Plug-ins can
come in the form of toolbars, or can take the form of a search or navigation feature.
They can also be extra task buttons on your Web browser. Although some plug-ins
perform useful functions, many plug-ins are harmful to your computer. They often
have complete access to your Web browser, and can modify, spy on, or even redirect
tasks as you perform them.

Browser Hijackers – malicious programs that change your Web browser settings,
usually altering the default start (home) and search pages. A browser hijacker can
modify nearly every part of a Web browser, including adding bookmarks and
redirecting your searches to alternate sites.

RAT (Remote Administration Tool) – trojan-type software programs that provide
someone (the attacker) with the ability to remotely control your computer. The
attacker usually has full access, while your computer listens on the Internet for
instructions.

Key Loggers – programs that run in the background, recording all the keyboard
entries (keystrokes) that are made on your computer. Keystrokes are logged, and
then the log is hidden for later retrieval. The log can then be secretly shipped by
email or over the Internet.

Remote Installers – programs that are installed on your computer without your
knowledge. Once installed, they connect to a remote server and download more
programs and files. These new files are then installed on the computer, again without
your knowledge.

Commercial Key Loggers – programs that are installed by someone who has
access to your computer. They are used to explicitly monitor the activity of computer
users. These types of programs can be installed so that they remain hidden from
other users. Commercial Key Loggers can be purchased from commercial vendors.

Dialer – software that uses your computer's modem to dial a phone number. Most
dialer programs connect to toll numbers without your awareness or permission,
running up phone charges on your phone bill.

Low Risk Adware – adware that is designed to do something like show
advertisements via popups. What is different is that this type of adware program is
installed with your knowledge. It conforms to program standards, which are usually
presented to you prior to downloading and installation. A low risk adware program
will not transmit personal or identifiable information.

File Sharing Programs, also known as P2P (Peer to Peer) – popular applications.
They are used to share files, such as movies and music, across the Internet. Many
freeware and shareware file sharing programs such as Grokster, Kazaa and
BearShare bundle adware with their product. Download the product, and you get the
adware. Sometimes they are also bundled with spyware software. Although most file
sharing programs themselves are safe, the adware and spyware programs that come
with them could be dangerous.

How Spyware Is Installed


A lot of content that is available on the Internet is not designed to covertly watch your
actions. Unfortunately, many Internet "freebies", as well as some over-the-counter
software programs, are secretly bundled with spyware. After all, spyware can give
advertisers an inside look at what interests you online. It can also lead to the disclosure
of sensitive personal data.
There are many ways that spyware can be installed on your computer. Occasionally, you
might give your permission to install a spyware-type tool. Sometimes spyware hides in
another program that you are installing. Sometimes spyware fools you into downloading
and installing it, often by pretending to be something useful. Here are some ways that
spyware is installed.

Drive-by Download - A program that is automatically downloaded to your computer,
often without your consent or even your knowledge. Unlike a pop-up download,
which asks for your permission (albeit in a calculated or devious manner), a drive-by
download is invisible. It can start automatically when you visit a Web site or view
an HTML email message. Frequently, a drive-by download is installed along with
other applications. For example, file sharing programs might include downloads for
spyware that tracks and reports user information for targeted marketing purposes. An
adware program that generates pop-up advertisements using that information might
be downloaded at the same time as the tracking and reporting programs. If your
computer's security settings are lax, it may be possible for drive-by downloads to
occur without any action on your part.

Commercial Product Installation Bundling - When you download commercial or
shareware programs, you might get more than just the programs. You might also get
lots of spyware. For example:

Grokster (a popular peer-to-peer file sharing program) installation can lead to the
installation of BullGuard, Cydoor, EBates Moe Money Maker, GAIN, Golden
Retriever, IGetNet, IPinsight, King Solomon's Casino, MyWay Speedbar,
NetPalNow.com, NewtonKnows, Purity Scan, Sidestep, and Webhancer.

iMesh (another file sharing program) includes GAIN, Cydoor, Hotbar, eZula TopText,
New.Net, CommonName, SideStep, NetPal, FavoriteMan, VX2, FlashTrack, and
BonziBuddy.

Misrepresentation of Intention - A product that promises to block ads might
actually deliver them. A product that promises to stop spyware might actually be a
method of installing spyware.

Misrepresentation of Source - A product might claim to be from a well-known,
trustworthy company. Spyware can display a Web page that resembles, for example,
a Microsoft product installation page, even when it is not a Microsoft product at all.

Silent Download and Execution of Arbitrary Code - This occurs when an already
installed program causes the download and installation of other programs, without
your consent or knowledge. Those other programs are usually spyware or adware.

Commercial Spyware, Keyloggers and RATs - Commercial spyware products
such as ISpyNow are small enough to be attached to an email. NETObserve
Keylogger logs Internet conversation, window activity, application activity, clipboard
activity, printing, keystrokes, and Web site activity, and captures screenshots and
images via Webcam. Commercial spyware products can be quite stealthy, too. STARR does not
show up as an icon, does not appear in the Windows system tray, does not appear in
Windows Programs, does not show up in the Windows task list, cannot be
uninstalled without a pre-specified password, and does not slow down the computer.

Is All Spyware Hazardous?
No. Not all threats detected by a spyware scan are hazardous enough for you to
remove. When a spyware scan is complete, a list of any detected threats is displayed.
The first column of the results screen is called Recommended Actions. Based on a
number of factors about each threat, CounterSpy preselects a recommended action. This
is just a suggestion. You can change the recommended action for a threat to any action
you would like taken. In most cases, if a threat is of low risk or has no risk at all,
CounterSpy will display that information next to the threat.
Cookies
The least hazardous of all threats are cookies. A cookie cannot decrease the security of
your computer. In most cases, cookies that are detected as spyware threats are those
that provide cross-site tracking, in order to build profiles about a user and provide more
targeted marketing.
If you are not concerned with cookies, un-check the 'Scan Cookies' option before
running a spyware scan.
File sharing programs
Most file sharing programs are not completely hazardous; however, when you install file
sharing programs, like Morpheus, Kazaa, or iMesh, they often install additional spyware
or adware programs onto your computer.
They may or may not tell you that they are doing this; if they do tell you, they will do so in
the license agreement. Unless you read the license agreement carefully, you will have
no way of knowing that additional programs are going to be installed. Because of this,
some P2P file sharing programs are hazardous and some are not hazardous.
CounterSpy attempts to remove any spyware installed by these programs, while not
removing the file sharing programs.
Low risk adware
Generally, if the software EULA (End User License Agreement) is not violated, then the
software is not considered spyware. In the case of a program like Alexa, which
is detected by CounterSpy as potential spyware, Alexa itself is not spyware, because it
conforms to its license agreement. In fact, Alexa's license agreement is very
straightforward. It describes every point of contact with Alexa's remote servers.
If you run Alexa and it serves a purpose to you, then do not remove it. If you want to be
completely certain that Alexa is not acting as spyware, remove the 'related Links' feature
of the product or remove Alexa completely by using the Windows Add/Remove
Programs feature.

Signs of Spyware Infection


Below are some signs that your computer might be infected with spyware.
• Your Web browser's home page is set to an undesirable Web site and you
cannot change it back.
• You are experiencing problems with pop-up ads, both when you are online
browsing the Internet and even when you are not on the Internet.
• Your computer is running slower than normal, and your connection to the Internet
is not as fast as it used to be.
• You experience abnormal network activity on your modem or broadband
connection device (cable or DSL modem).
• When you are using your favorite search engine, your searches are redirected to
a non-familiar search engine or unrelated Web site.
• Items that you did not add begin showing up in your Favorites list or Start-up
menu.
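
The home page and start-up signs listed above can be checked by comparing two registry exports taken at different times. The following Python script is an added example, not part of the CounterSpy guide or product; the choice of watched registry locations is an assumption, and both sample exports and every name in them are constructed for illustration.

```python
import re

# Registry locations behind two of the signs above. The keys are standard
# Windows / Internet Explorer locations; watching exactly these is this
# example's assumption, not a list taken from the guide.
BROWSER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
BROWSER_VALUES = {"Start Page", "Search Page"}
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; backslash escapes (\\ and \") are allowed on both sides.
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo the \\ and \" escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Parse string values of a regedit text export into {key: {name: data}}.

    Only plain string (REG_SZ) values are read; dword and hex lines are
    skipped. A real "Version 5.00" export is UTF-16, so read such a file
    with open(path, encoding="utf-16").
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = result.setdefault(key.group(1), {})
            continue
        value = _STR_RE.match(line)
        if value and current is not None:
            current[_unescape(value.group(1))] = _unescape(value.group(2))
    return result


def compare(baseline, current):
    """Return sorted (kind, key, name, old, new) tuples for suspicious changes.

    Reports changed browser start/search pages and added or changed autostart
    entries. Removed entries are not reported.
    """
    base = {k.lower(): v for k, v in baseline.items()}  # key names are case-insensitive
    findings = []
    for key, values in current.items():
        old_values = base.get(key.lower(), {})
        for name, data in values.items():
            old = old_values.get(name)
            if old == data:
                continue
            if key.lower() == BROWSER_KEY.lower() and name in BROWSER_VALUES:
                findings.append(("browser-setting-changed", key, name, old, data))
            elif key.lower() in AUTOSTART_KEYS:
                kind = "autostart-added" if old is None else "autostart-changed"
                findings.append((kind, key, name, old, data))
    return sorted(findings, key=lambda f: f[:3])


# Constructed sample: export taken while the computer was known to be clean.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://home.example/"
"Search Page"="http://search.example/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''

# Constructed sample: later export with a changed home page and a new
# start-up entry (both names are made up).
CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://portal.example/?src=toolbar"
"Search Page"="http://search.example/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"WinHelperSvc"="C:\\WINDOWS\\Temp\\whsvc.exe"
'''

if __name__ == "__main__":
    for kind, key, name, old, new in compare(parse_reg_export(BASELINE),
                                             parse_reg_export(CURRENT)):
        print(f"{kind}: [{key}] {name!r}: {old!r} -> {new!r}")
```

A finding here is a prompt to investigate rather than proof of infection, since legitimate installers also add start-up entries.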

How to Maintain Protection


Avoid Spyware
You can do a lot to avoid exposing your computer to spyware attacks. Here are some
Internet and computer tips, as well as notes about some common spyware traps.

Click Responsibly!

Before spyware can be installed on your computer, you usually have to click on
something. Make this your rule: Do not click anywhere, unless you know it is safe.

Avoid Popup Ads or Dialogs

Creators of deceptive software use popup ads and dialogs to trick people into
loading their software. For example, you open your browser and up pops a dialog
box. It asks if you want to download software. "Click Yes or No." Do not do it! Do not
click EITHER Yes or No. It is unlikely that clicking "No" will make the popup go
away. It is more likely that you will help download spyware to your computer.

Here is what to do. Try to close the Web page or dialog by clicking the "X" in the top
right corner of the window. If that does not close the window that asked you to
download something, close your browser. Restarting a browser to continue using the
Internet is better than allowing your computer to be attacked by spyware.

Avoid Unsolicited Email "Spam!"

Always delete unsolicited email. Never open it. Unsolicited email is also called
spam. It can use Internet Explorer or your email client to push spyware onto your
computer. Get rid of unsolicited email without reading it when you can; turn off the
preview pane to delete messages without opening them. In Outlook 2003, go to Tools |
Options, click the Security tab, and select Change Automatic Download Settings.
Make sure "Don't download pictures or other content automatically in HTML email" is
checked. Learn how to use any Junk email filters offered by your email provider.

Watch out for Free Software Downloads

Don't install anything unless you know exactly what it is.

Your computer can become the target of spyware when you download internet data,
such as utilities, games, toolbars, media players, or other software. Be careful about
installing software directly from Web sites. Read all disclosures, including license
agreements and privacy statements. Read the end-user license agreement (EULA)
carefully, as some EULAs will actually tell you that if you install the program in
question, you have also decided to install some spyware with the software. Check
independent sources as well, as some EULAs will not tell you about spyware.

Watch out for Internet Cookies

While they may not be the worst form of spyware, information gathered via cookies
can sometimes be matched with information gathered elsewhere to provide
surprisingly detailed profiles of you and your browsing habits. Learn to use the
options in your browser that allow you to clear the cache and off-line files. That is
where cookies linger. Remember, though, if you dump the cookies, you can no
longer rely on your computer to log you automatically into Web sites. You'll have to
have passwords handy, so gather that information before you start removing those
and all the other cookies that have landed on your computer as a result of your
Internet usage.

Be Careful About Using File Sharing Programs

Also known as P2P, peer-to-peer, file sharing programs are popular applications.
They are used to share files, such as movies and music, across the Internet. Many
freeware and shareware file sharing programs such as Grokster, Kazaa and
BearShare bundle adware with their product. Beware! Download the product, and
you get the adware, too.

Although most file sharing programs themselves are safe, the adware and spyware
programs that might come with them could be dangerous. Never download
executables via P2P, because you cannot be certain what it is that you are
downloading. It is a good idea to download executables only from reputable vendors
or well-known and endorsed sites.

Security Settings and System Updates


If you use MS Internet Explorer as your Web browser and the Security Setting is set to
the lowest value, your computer can easily be targeted by spyware. Keep the Security
Setting set at medium or higher. Doing that will help you better control what is installed
onto your computer. A low security setting allows cookies and spyware programs to be
stored easily in your computer's memory. In Internet Explorer, the security settings for
the Internet Zone should be set to at least medium. Deny the browser permission to
install any ActiveX control you have not requested. Use the My PC Checkup wizard on a
regular basis to keep your computer's security level current.

System and Tool Updates


Always keep current with operating system security updates. Make sure the Windows
update service is always running to stay current with security patches and service packs.
Make sure to run CounterSpy on a regular basis and keep scheduled scans and updates
running.
Give your CounterSpy some backup. In addition to running CounterSpy, make sure to
run a software or hardware firewall and antivirus application to protect you against
hackers and viruses.

Use Security Patches


You can help keep your computer safe by making sure the operating system takes
advantage of security updates. Little flaws in the Windows operating system can become
targets for spyware developers. Microsoft is continually working to fix flaws that those
developers might try to exploit. Be sure to take advantage of any security patches that
are posted on the Microsoft Web site.

Installing Patches Automatically Using Windows Update


Microsoft Windows operating systems include an Automatic Update feature. If your
computer is on and connected to the Internet, the feature automatically downloads the
latest Microsoft security update.
To use automatic updating with Windows XP and Windows 2000:
1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance.
If the Performance and Maintenance category is not visible, click Switch to
Category View on the upper left of the window.
3. Click System to open the System Properties dialog box.
4. On the Automatic Updates tab, check the box next to Keep my computer up to
date.
5. Choose Automatically download the updates and install them on a schedule
that I specify.
Microsoft strongly recommends choosing Automatically download the updates,
and install them on the schedule that I specify.
If you choose the option to automatically download and install updates, select a
day and time when your computer will be on, so the installation process can be
finished. Note: Microsoft recommends a daily update.
6. If you set up Automatic Updates to notify you or if your machine was off at the
scheduled installation time, you will see a notification balloon in your Windows
system tray. Click the notification balloon to review and install the updates.
To use automatic updating with Windows ME:
1. Click Start, and then click Control Panel.
2. Click Automatic Updates.
3. If you do not see the Automatic Updates icon, click View all Control Panel
options on the upper left of the window.
4. Click Automatic Updates.
5. Choose an Automatic Updates setting. We recommend automatically
downloading the updates. Follow the rest of the steps to complete setting up
Automatic Updates.
6. Click Automatically download updates and notify me when they are ready to
be installed.
Note: Microsoft Office users should also visit the Office Update site to install the
latest security releases.

Using the Windows Update Website


Here is how you can bring your computer up to date now. You can also use these
instructions to keep up with the latest non-critical updates. Microsoft does not support
automatic updates for Windows 95/98/NT operating systems, so you will need to update
your computer manually if you are running any of those operating systems.
To Install Patches Manually:
1. Go to the Windows Update Web site at http://windowsupdate.microsoft.com.
2. Click Scan for Updates. Windows Update scans your computer and gives you a
pre-selected list of critical updates, including service packs.
3. Note: Slower modems may take several hours to download all recommended
updates the first time you use Windows Update. Your download times will vary
depending on how long it has been since you last updated software, and how
fast your modem is. To reduce download times, run Windows Update when you
will not be using your computer for other Internet-related tasks.
4. In the Pick updates to install list on the left side of your screen, click Critical
Updates and Service Packs. Windows Update will create a list of the updates
appropriate for your computer. (Critical updates will be selected for download
automatically.)
5. Click Review and install updates. Select the updates to install, including any
service packs and the critical updates pre-selected for you, and then click Install
Now. You may need to restart your computer after installing the updates.
6. Click Review and install updates.
Note: Be sure to go back to Windows Update after rebooting to check for any
additional updates. You may need to do this several times.
Note: Microsoft Office users should also visit the Office Update site to install the
latest security releases.

Keep CounterSpy Current


Rogue programmers and companies that want to defraud computer users are always
developing Spyware. They do it to steal personal & financial information, invade your
privacy, cause your computer to send spam, or to divert processor power. CounterSpy's
research experts continuously update CounterSpy to protect your computer from the
latest threats.
Software updates offer minor improvements to your installed product. These differ from
product upgrades, which are newer versions of entire products. Program updates that
have self-installers to replace existing software code are called patches. Patches are
usually created to extend operating system or hardware compatibility, adjust a
performance issue, or fix bugs. For information about how to keep CounterSpy updated,
see page 54.

Prepare for Emergencies


It is important to prepare in case your computer is infected by spyware. To prepare for
emergencies:
• Back up your files regularly and keep more than just the most recent backup.
• If you are using a computer that cannot start from a CD, create a set of
Emergency Disks. It is important to be able to start your computer if it crashes,
and then scan for spyware.
• If you are using Windows XP, use the System Restore feature to back up your
computer on a regular basis.

Appendix B: Fight Back! ThreatNet
Join ThreatNet
ThreatNet is a worldwide network of users who report on new spyware outbreaks to
Sunbelt. When CounterSpy’s Active Protection observes an unknown but potential
threat, the user is provided the option of anonymously sending information on the threat
to Sunbelt's Spyware Research Center.
The research center can then identify new threats as they occur, making updates
available to protect users from new spyware.

ThreatNet Privacy Policy


All information sent to and from ThreatNet is transmitted securely and privately. The data
sent in each user’s report is completely anonymous. A report only includes simple threat
signatures, and it never includes personal information that can associate you or your
computer with any sent data.

Using ThreatNet with a Firewall


All the features of ThreatNet and CounterSpy’s Automatic Updates Service are
completely compatible with existing software and hardware firewalls on the market
today. Both use the standard HTTP port 80 to communicate with the remote servers and
the client (CounterSpy) software.

If you are running a firewall


If your computer is running a software-based firewall, please make sure that port 80 is
open. By default, port 80 should already be open to allow standard HTTP web-based
traffic to flow. Additionally, some software-based firewalls restrict access to various
programs that connect to the Internet. If your firewall operates this way, you will want to
make sure the following CounterSpy applications have permission to access the Internet
over port 80 (HTTP):

CounterSpyMain.exe (the primary CounterSpy application)

filenameDtServ.exe (provides access to ThreatNet for reporting unknown
applications)

CounterSpyUpdater.exe (provides functionality to update the latest spyware
definitions)

filenameServAlert.exe (provides access to ThreatNet for reporting unknown
applications)

If you are running Windows XP firewall Service Pack 2


If you are running Windows XP with Service Pack 2, and have the Internet Firewall
enabled with application protection, you need to make sure that the following
CounterSpy applications have permission to access the Internet:

CounterSpyMain.exe (the primary CounterSpy application)

filenameDtServ.exe (provides access to ThreatNet for reporting unknown
applications)

CounterSpyUpdater.exe (provides functionality to update the latest spyware
definitions)

filenameServAlert.exe (provides access to ThreatNet for reporting unknown
applications)

Appendix C: Common Terms
Common Spyware Terminology and Definitions
• Adware - Any software application in which advertising banners are displayed
while the program is running. Adware can track your online browsing habits and
display ads, based upon your online activities. Web sites often deposit adware
onto your computer. An adware program should be considered spyware when it
is installed without your consent, or if it sends information to unauthorized
parties.
• Anti-spyware software - Software that protects a computer from spyware
infection. Spyware protection software finds and removes spyware without
system interruption.
• Browser Hijacker (or Home Page Hijacker) - A program that can change the
settings in your Internet browser. Most often, this includes your search page
URLs, in order to redirect all Internet searches to a specified pay-per-search site.
Also targeted are your default home page settings, which can be diverted to
another page, often a pornography site.
• Drive-by download - When programs are downloaded without your knowledge
or consent. This is most often accomplished when the user clicks to close or
respond to a random advertisement or dialogue box.
• Firewall - A firewall prevents computers on a network from communicating
directly with external computer systems. Firewalls provide effective protection
against worm infection, but do not protect against spyware like Trojans, which
hide in legitimate applications, and then install secretly onto your computer when
the legitimate application starts. A firewall typically consists of a computer that
acts as a barrier through which all information passing between the networks and
the external systems must travel. Firewall software analyzes information passing
between the two computers, and rejects it if it does not conform to pre-configured
rules.
• Operating System - The operating system is the underlying software that
enables you to interact with your computer. The operating system controls the
computer's storage, communications, and task management functions. Examples
of common operating systems include Microsoft Windows, MS-DOS, MacOS,
and Linux.
• Personally Identifiable Information (PII) - Information such as your name,
address, phone number, credit card information, bank account information, or
social security number.
• Privacy Policy - The responsibilities of an organization that is collecting personal
information, as well as the rights of an individual who provides personal
information. A legitimate organization should explain why information is being
collected, how it will be used, and what steps will be taken to limit improper
disclosure. Individuals should be able to obtain their own data and make
corrections if necessary.
• "Opt-out" - Options presented by spam email. These options are often fake. For
example, if you respond to a request to remove something, you may well be
subjecting yourself to more spam. By responding, the sender knows that your
email account is active. A 2002 study performed by the FTC demonstrated that in
63% of the cases where spam offered a "remove me" option, the option either did
nothing or resulted in more spam email.
• Shareware - Software that is distributed for evaluation without cost. Shareware
usually requires payment to the author for full rights to the software.
• Spam - Unsolicited commercial email. It is often sent in bulk, via "open-relays" to
millions of computer email accounts. It takes a toll on Internet users' time,
their computer resources, and the resources of Internet Service Providers (ISP).
Most recently, spammers have begun to send advertisements via text message
to cell phones.
• Spyware - Spyware is software that transmits information to a third party, without
notifying you. It is also called malware, trackware, hijackware, scumware,
snoopware or thiefware. Some privacy advocates even call legitimate access
control, filtering, Internet monitoring, password recovery, security, and
surveillance software "Spyware" because those could be used without notifying
you.

CounterSpy Toolbar ...............................................11 Internet Explorer WebBrowser ............................ 39
Create Restore Point .................................................21 Internet History ........................................................ 43
Customer Support .......................................................5 Internet Monitors ................................................... 27
Dealing with Spyware Threats ..................................57 Internet Proxy Server ............................................ 28
Deep Scan Folders ....................................................18 Internet Safe Sites................................................... 27
Definition update notifications..................................54 Keeping CounterSpy Current ............................... 68
Keeping your Spyware Definitions Current .........58 Show all history ...................................................... 44
Key Loggers.............................................................62 Show only available history ................................... 44
Last Spyware Scan....................................................9 Silent Download and Execution of Arbitrary Code
Last Spyware Scan Results.......................................9 ............................................................................. 63
Low risk adware......................................................64 Software Firewall ..................................................... 70
Low Risk Adware....................................................62 Software update notifications ................................... 55
LSP Protection ........................................................28 Software Updates ..................................................... 58
LSPs..........................................................................52 Spam........................................................................ 73
Maintaining Protection..............................................65 Spam Zombie Protection ....................................... 28
Manual Updates ......................................................59 Spyware.......................................................... 3, 61, 73
Menu Commands....................................................11 Spyware Defined ...................................................... 61
Misrepresentation of Intention ..............................63 Spyware Definitions ............................................... 10
Misrepresentation of Source ..................................63 Spyware Details ....................19, 48, 49, 50, 51, 52, 53
My PC Checkup ..................................................3, 42 ThreatNet............................................................ 3, 70
My PC Explorers ....................................................46 ThreatNet Privacy Policy....................................... 70
Name Server Protection .........................................28 ThreatNet Settings.................................................... 56
Networking My PC Explorers...................................51 Spyware Installation................................................. 62
Next Scheduled Scan.................................................9 Spyware Quarantine ................................................. 23
Operating System....................................................72 Spyware Scan Options Explained ............................ 21
Opt-out.....................................................................72 Spyware Scan Schedule ........................................... 21
P2P............................................................................62 Spyware Scan Settings ............................................. 57
Peer to Peer ...............................................................62 Spyware Scanning .................................................... 3
Permanently Remove Quarantined Spyware.............23 Spyware Scans ......................................................... 18
Personally Identifiable Information ......................72 StartUp Files........................................................... 40
PII.............................................................................72 Startup options ......................................................... 55
Preparing for Emergencies ....................................69 Startup Programs ...................................................... 49
Print Scan Results .....................................................21 Startup Registry Files ............................................ 41
Privacy ......................................................................43 Stay protected automatically .................................... 54
Privacy Policy..........................................................72 Subscription Details ................................................. 60
Process Execution ...................................................39 System and Tool Updates......................................... 66
Quarantine.................................................................20 System Monitors..................................................... 29
RAT..........................................................................62 System Requirements ................................................. 4
Re-activate item ........................................................26 System Tools ....................................................... 3, 42
Recognizing Spyware Infection..............................64 TCP/IP Parameters ................................................ 28
Recommended Actions .............................................20 Technical Support ...................................................... 5
Remote Installers ....................................................62 Terms ....................................................................... 72
Remove .....................................................................20 Threat Levels............................................................ 20
Remove Quarantined Spyware..................................23 Threat Locations....................................................... 20
Removing Files with Secure File Eraser ...............44 Tightening Security Settings .................................... 42
Removing Files with the Secure File Eraser ...........3 Toolbar.................................................................... 11
Restore Blocked Events ............................................26 Trojan Explorer Protection ................................... 29
Restoring Blocked Items...........................................26 Uninstalling CounterSpy ............................................ 7
Restoring Quarantined Spyware ...............................23 Un-quarantine All Checked Threats ......................... 23
Running Processes ............................................40, 49 Un-quarantine Threat ............................................... 23
Running Protection Monitors ................................14 Update Notifications ................................................ 58
Scan Cookies ............................................................18 Update Schedule....................................................... 21
Scan Memory............................................................18 Updating CounterSpy............................................... 58
Scan Selected Drives.................................................18 Updating Spyware Definitions ................................. 58
Scannings..................................................................18 URL Search Hooks................................................. 41
Scheduling a Custom Spyware Scan.........................21 User Modes .............................................................. 57
Script Blocking........................................................40 User Profile Startup Folder....................................... 41
Script Blocking Active Protection ............................55 User Shell Folders Protection ................................ 33
Secure File Eraser ...............................................3, 44 View a Description of a Threat ................................ 13
Security Patches........................................................67 View Menu .............................................................. 11
Security Settings and System Updates ......................66 Welcome .................................................................... 3
Set a Single Action Option........................................21 What is Spyware?..................................................... 61
Setting Up a Scheduled Scan ....................................21 What to do when Spyware is Discovered ................. 13
Settings .....................................................................54 WiFi Protection ...................................................... 29
Shared Task Scheduler...........................................32 Windows Directory Trojans .................................. 34
Shareware................................................................73 Windows Extensions .............................................. 34
Shell Open Commands .............................................32 Windows Host File................................................... 51
Shell Service Object DelayLoad.............................33 Windows Logon Policies ........................................ 34
Windows Messenger Service ..................................28 Windows Update Website ........................................ 68
Windows Password Protection...............................30 Windows Win.ini File............................................. 34
Windows Protocols .................................................31 Windows XP Firewall Service Pack 2...................... 70
Windows Restrict Anonymous...............................31 Winlogon Shell........................................................ 34
Windows Shell Execute Hooks...............................32 Winlogon Userinit .................................................. 34
Windows Shell Explorer Hooks................................53 Winsock Layered Service Providers ............... 28, 52
Windows System.ini File ........................................33 Working with CounterSpy........................................ 18
Windows Update.......................................................67 WOW Boot Shell .................................................... 35
Windows Update Service........................................30
End User License Agreement
End-User License Agreement for CounterSpy(TM)
Sunbelt Software
End User License Agreement
CounterSpy
This Software Product is protected by intellectual property laws and treaties. The
Software Product is licensed, not sold.
PLEASE CAREFULLY REVIEW THE FOLLOWING TERMS AND CONDITIONS OF
THIS SOFTWARE PRODUCT LICENSE (THE "LICENSE AGREEMENT"). THIS
LICENSE IS A LEGALLY BINDING CONTRACT BETWEEN YOU (THE "LICENSEE")
AND Sunbelt SOFTWARE PRODUCT DISTRIBUTION, INC. ("SUNBELT").
1. INTRODUCTION: The following Software license terms and conditions apply to all of
the Software Product (the "Software Product") that is delivered or downloaded under this
license. If, after reviewing the terms and conditions which follow this paragraph, you do
not wish to be bound by its provisions, do not download the Software Product or, if the
Software Product has been delivered by CD ROM, destroy the CD ROM or return it to
Sunbelt. If the Software Product has already been downloaded then immediately delete
the Software Product. Once the Software Product has been downloaded or accessed all
of the provisions of this License Agreement apply, even if the Software Product is
subsequently deleted or returned. Any use of the Software Product by the Licensee shall
constitute unqualified acceptance of this Agreement.
2. EVALUATION VERSION LICENSE GRANT: If you have downloaded or otherwise
received an evaluation version of the Software Product, you are authorized to use the
Software Product on a royalty-free basis for evaluation purposes only during the initial
evaluation period of generally, thirty (15) days. You have the option to register for full
use of the Software Product at any time during the evaluation period by following the
instructions in the accompanying documentation, including the payment of the required
license fee. Registration will authorize you to use an unlocking key which will convert the
Software Product to full use, in accordance with the terms and conditions provided
below. Your use of the Software Product for any purpose after the expiration of the initial
evaluation period is not authorized. Upon expiration of the limited evaluation period, the
Software Product may automatically disable itself.
3. GRANT OF LICENSE. This Section of the License Agreement describes your general
rights to install and use the Software Product. The license rights described in this
Section are subject to all other terms and conditions of this License Agreement. Any use,
modification, reproduction, release, performance, display or disclosure of the Software
Product shall be governed solely by the terms of this Agreement and shall be prohibited
except to the extent expressly permitted by the terms of this Agreement.
3.1. LICENSE: The Software Product is provided on a non-exclusive, non-transferable
basis, and may not be copied, modified, or enhanced without the advance written
authorization of Sunbelt. The Software Product includes significant elements, including
its organization, algorithms, and logic, which Sunbelt has maintained as confidential
information, which constitute trade secrets of Sunbelt, and which are protected by U.S.
patent and/or copyright law and international treaty. Licensee agrees not to attempt to
disassemble, reverse compile, or reverse engineer the Software Product. The Software
Product under this Agreement is the exclusive property of Sunbelt. This License
Agreement does not grant Licensee any ownership right or title to, or interest in the
Software Product or any part thereof, and Sunbelt retains all such rights, title, and
interest.
3.2. GENERAL LICENSE GRANT TO INSTALL AND USE THE SOFTWARE
PRODUCT. This product is licensed on a per-user basis. You may install and use one
copy of the Software Product on any computer, device, workstation, terminal, or other
digital electronic or analog device ("Device") in your organization, so long as you are the
only user of the software. ANY NETWORK OR OTHER TYPE OF DISTRIBUTED USE
OF THIS SOFTWARE PRODUCT, IS STRICTLY PROHIBITED EXCEPT AS ALLOWED
IN 3.3 BELOW.
3.3. ALTERNATIVE LICENSE GRANT FOR STORAGE/NETWORK USE. As an
alternative to the rights granted in the previous section, you may install a copy of the
Software Product on one storage Device, such as a network server, and allow
individuals within your business or enterprise to access and use the Software Product
from other Devices over a private network, provided that you acquire and dedicate one
license for each individual user.
3.4. RESERVATION OF RIGHTS. All rights not expressly granted under this License
Agreement are reserved by Sunbelt.
4. DISCLAIMER OF WARRANTY: THE SOFTWARE PRODUCT IS PROVIDED "AS IS"
AND WITHOUT WARRANTY EXCEPT AS PROVIDED IN THE FOLLOWING
PARAGRAPH. Sunbelt DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
WARRANTIES OF NON-INFRINGEMENT AND PERFORMANCE.
5. LIMITED WARRANTY: Sunbelt warrants that the Software Product covered by this
License Agreement will, for a period of thirty (30) days following its installation, operate
in accordance with the specifications found in the manual accompanying the Software
Product.
6. LIMITATION OF LIABILITY: Sunbelt makes no representations or warranties that the
operation of the Software Product will be uninterrupted or error free, or that it will
produce the results desired by the Licensee. Sunbelt does not agree to provide
modifications, enhancements, improvements or bug corrections, even if errors in the
Software Product are reported to Sunbelt. Sunbelt SHALL NOT BE LIABLE FOR ANY
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES
FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, ETC.)
ARISING FROM LICENSEE'S USE, OR THE INABILITY OF LICENSEE TO USE, THE
SOFTWARE PRODUCT, EVEN IF Sunbelt HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
7. LICENSEE REMEDY: If Sunbelt is liable to Licensee for the breach of any of
Sunbelt's obligations under this License Agreement, Licensee's sole and exclusive
remedy shall be, at Sunbelt's option, to either receive a refund for the price Licensee
paid for the use of Sunbelt's Software Product (less any taxes, shipping fees, etc.), or
the repair or replacement of any defective Software Product.
8. LIMITATION ON EXPORTS: Licensee agrees that Licensee will not export or re-
export the Software Product outside of the United States to any individual, business,
third party, or other entity, or to any country subject to United States export restrictions.
Any Licensee who receives the Software Product outside the United States agrees not
to re-export the Software Product except as permitted by laws of the United States.
9. U.S. GOVERNMENT RIGHTS: If you are obtaining Software Product on behalf of any
part of the United States Government, the Software Product shall be deemed
"commercial computer software" and "commercial computer software documentation,"
respectively, pursuant to DFAR Section 227.7202 and FAR 12.212, as applicable.
10. LOSS OF DATA LIMITS AND LIABILITY: Sunbelt and its suppliers do not guarantee
the accuracy of scanning known as spyware scanning. Sunbelt shall not be held liable or
responsible for ANY inaccuracy of the spyware scanning process. This includes but is
not limited to the loss of any data.
11. MISCELLANEOUS: Licensee may make one backup copy for archival purposes only
of the Software Product, provided Licensee agrees not to grant access to such backup
Software Product to any other individual or business entity. Licensee agrees not to alter
or delete any copyright notice which is included with the Software Product. Except as
expressly stated herein, there are no other agreements, understandings between the
parties, or obligations on the part of Sunbelt relative to the Software Product. The laws of
the State of Florida shall apply to the terms of this License Agreement.
12. YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT AND
UNDERSTAND IT, AND THAT BY INSTALLING OR USING THE SOFTWARE
PRODUCT YOU AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS. YOU
FURTHER AGREE THAT THIS AGREEMENT IS THE COMPLETE AND EXCLUSIVE
STATEMENT OF THE RIGHTS AND LIABILITIES OF THE PARTIES. THIS
AGREEMENT SUPERSEDES ALL PRIOR ORAL AGREEMENTS, PROPOSALS OR
UNDERSTANDINGS, AND ANY OTHER COMMUNICATIONS BETWEEN US
RELATING TO THE SOFTWARE PRODUCT OR THIS AGREEMENT.

01/18/2005
