Setup SSL VPN

就算你的老闆出差到中國，也能透過SSL VPN 連回公司存取內部資料，甚至避開偉哉網路長城的封鎖，藉由香港的線路正常瀏覽新聞及相關網站。或許，有人會說為什麼不用PPTP VPN，我個人認為PPTP  其實沒有想像中方便，尤其對於一般使用來說，光找出連線設定恐怕就有一定的複雜度，更何況無法預期身處的網路環境是否允許PPTP 封包通過。

至於，啟用的設定方式也很簡單，記得三大原則：
● VPN 使用者及群組的設定
● 防火牆Policy 的設定
● 路由設定

當然，這次還是拿FG60B（FortiOS 3.0 MR7）當範例：

1) 到VPN -> SSL，啟用SSL VPN。參考上方的網路架構圖，設定Tunnel IP 範圍為「192.168.254.1 至 192.168.254.50」。

由於我假設的內部網路為網域環境，所以在進階設定的DNS及WINS Server，都指定AD主機的IP。實務上，如果公司同樣有網域環境，強烈建議設定成跟內部網路環境一樣，在網芳連線上也比較不會有問題。

2) 到User -> Local 新增使用者。

本範例為建立一個使用者「sslvpn」於本機上。記得..密碼要設定啊！

3) 到User Groups -> 新增群組。

範例所建立的群組名稱為「SSLVPN_GP」，設定SSL VPN 的Tunnel IP 範圍與先前設定一樣，為「192.168.254.1 至 192.168.254.50」。注意！類型需選擇「SSL_VPN」，並且將已經建立好的帳號「sslvpn」選取至Members 裡。

至於其他選項的功能，有興趣的人可以翻原廠文件：SSL VPN User Guide 3.0 MR7。

4) 到Firewall -> Policy ，新增相關Policy。依據最上方的網路架構及設想可能的用途，VPN 進來的用戶端及內部網路必須能互相溝通，而且VPN用戶端可透過該設備上網。所以必須增加下列Policy：

● Wan1 -> Internal。注意！「Action」的類型請務必選擇「SSL-VPN」，並且允許「SSLVPN_GP」群組可使用SSL VPN。

其實，這條Policy 就是攸關使用者能否透過https存取及登入的設定，沒有建立這條就啥都別談了。

● Internal -> ssl.root。「ssl.root」指的就是SSL VPN 的網路環境位置，故要讓內部網路能存取到VPN 用戶端的資源，則必須建立相關Policy。

● ssl.root -> Internal。這…不用特別解釋了吧…

● ssl.root -> Wan 1。這點要注意的是，因為SSL VPN 用戶端在撥入後，需要透過Fortigate上網，所以務必勾選「NAT」，不然你就在內部網路玩小圈圈就好了。

完成後，除了原本就有的「Internal -> wan 1」，一共增加了四條Policy。

5) 到Router -> Static，新增一筆Static Route。由於SSL VPN  的Tunnel IP Range 範例設定為192.168.254.[1-50]，所以我就直接設定「192.168.254.0/255.255.255.0」。注意！Device 類別請記得選「ssl.root」。

你高興的話也可以不要新增啦，只是連上去會發現不能互通而已。

以上就算是完成所有設定。

接著進行測試，請先確認Fortigate 的外部IP及SSL VPN 的Login Port。

然後輸入「https://外部ip:10443」，就能看到登入畫面了。請記得加上「https」跟「埠號」，否則到死都連不上。

如果是初次登入，在登入後應該會跳出安裝ActivX 的要求。想連SSL VPN 的話，乖乖裝就對啦！

連接成功就會出現像下面這兩張圖一樣的訊息。

很讚吧！用HTTPS 網頁登入的方式就能完成SSL VPN 連線，就代表你的電腦只要能上網，就能輕鬆連回公司內部。

對～～關掉那個頁面，VPN 也就跟著斷了… 

所以，我個人強力推薦到Fortinet 技術支援網站下載SSL VPN 撥接軟體。（限定已註冊用戶）

撥接方式更為簡單，只要預設的SSL VPN Login Port 沒有更動（預設為10443）， 輸入IP 後連埠號都無須輸入，再鍵入帳號密碼選「Connect」，就能連上SSL VPN 囉！

就算不小心點到「X」，也只會縮到右小角的工具列中。

上面教的步驟真的是快速設定，所以Policy 的Source 及Destination Address 都是設定「all」，而且連防護的Protection Profile 都沒加上。

如果對Fortigate 有一定熟悉度的人，我還是建議認真把相關防護設定好，不然哪天被玩很大就麻煩了。

下一篇再來討論「如何切割VPN通道」，也就是VPN 用戶端除了進公司內部網路的流量走VPN 通道，其餘都還是走原本的對外線路。應該沒人希望哪天老闆到荷蘭出訪看紅燈區的櫥窗女郎，上Internet 查資料時還要透過半個地球外的Fortigate 吧！？

相關參考文件：
Fortinet Knowledge Center - SSL VPN User Guide（簡體版）

Tags: Fortigate, SSL VPN

Setup Fortigate Site to Site IPEC VPN

快速設定Fortigate Site to Site IPEC VPN

Tags: Fortigate, IPSec, VPN

How to configure a Trust Relationship?

A. Domains by default are unable to communicate with other domains, which means somewhere in domain x cannot access any resource that is part of domain y. Before a trust trust is configured

• an administrator in x cannot give permission to any user of domain y for files or printers
• a user of domain y cannot sit at a workstation that is part of domain x and logon

After a trust relationship is defined, say x trustsy the following happens

• users of domain y can sit at a workstation that is part of domain x and logon to their own domain y (it will be displayed in the domain dropdown box)
• an administrator of domain x can grant permission to any user of domain y to file and print resources
• users of domain y are included in the Everyone group of domain x

In the example above x is the trusting domain, and y is the trusted domain. Also the above is a one-way trust relationship, i.e. while domain y users can use domain x resources, users of domain x cannot use domain yresources. A two-way relationship would allow each domain to access resources of the other (if given permission).

The basics of a trust relationship is to first configure domain y to allow domain x to trust it, and then configure domain x to trust domain y:

1. Log onto domain y as Administrator
2. Start User Manager for Domains (Start – Programs – Administrative Tools)
3. Select “Trust Relationships” from the Policies menu
4. Click the Add button to the Trusting Domains box
5. Enter the name of the domain you want to be able to trust you, i.e. domain x
6. You can type a password in the Initial Password and Confirm Password, however this is only used when the trust relationship is started. You can leave it blank Click OK to complete the addition
7. Close the Trust Relationship dialog box
8. Log off of domain y and logon onto domain x as Administrator
9. Start User Manger for Domains, and choose “Trust Relationships” from the Policies menu
10. Click the Add button to the Trusted Domains box
11. Enter the name of domain y and the password if one was configured in step 6
12. Click OK and close the User Manager for Domains application.
13. Domain x now trusts domain y

Tags: domain trust

Launching Control Panel Apps from the Command Line

Tags: Control Panel

Windows Server Licensing

Windows Server Licensing

I have been using Windows Server for many years, but always from the technical side. I have never had to worry about licensing issues as the servers were installed and licensed by others. Now I am entering into areas where I am responsible for licensing as well. I expected that it would be relatively straight forward, but it is not. Here I will attempt to demystify it a bit.

I started out my research by reading Microsoft’s own information. Unfortunately it let me more confused than before. I then performed some searches, including on the title of this blog post. It turned up only other users asking similar questions, but no good sources of information.

This post pertains to Windows Server 2008, however most things remain true for Windows Server 2003.

Accuracy

I believe that there are several sections of the license agreements that are open to various interpretations. I have in good faith done my best to make this post both easy to understand and accurate. You should however check with a Microsoft Licensing Specialist if you still have questions, and I also welcome corrections or additions.

Target Audience

Most large businesses have dedicated contacts within Microsoft and long ago learned the ins and outs of licensing. While potentially useful to all, my general target is small business who are considering buying retail or are looking into the lower entry volume license programs Microsoft offers which start with as few as 5 licenses.

Many small businesses simply buy Windows Server retail and have no idea about CAL’s or other restrictions. These small businesses, especially in developing countries often have little or no contact with Microsoft and simply install a retail copy of Windows Server and during installation set Concurrent Connections to 999, never knowing that to be properly licensed they also need to acquire CAL’s.

Editions

Windows 2008 Server comes in Web, Standard, Enterprise, and Datacenter as listed here. There is also a Small Business Edition which is based on Standard. To see all the differences go to Windows Server 2008: Overview of Editions, but then you will need to read the 6 separate pages listed in More Editions Information. Here is a summary of the most important differences in a single table.

Web Edition

The Web Edition has most “backside” features removed including DHCP server, DNS server, and even the ability to act as a file server. The Web Edition can run SQL Server, however it is not allowed to serve database clients other than software that runs on the server itself. The Web Edition is limited to Internet clients only, and while open to interpretation I believe use as an Intranet server or even an Extranet server over a VPN, even if it only served web services, or even web pages would not be within the license. More details

Standard and Enterprise

Standard and Enterprise are very similar, however Enterprise can use more memory, more processors, and has failover, clustering, and other Enterprise features.

Datacenter and Enterprise

Datacenter at first look is not easily differentiated from Enterprise aside form its unlimited virtual use rights. The major differences are:

• Datacenter is licensed per processor
• Datacenter can scale to systems with more than 8 processors. 32 for x86 and 64 for x64
• Datacenter supports hot add/replace of memory and hot add/replace processors. Enterprise supports only hot add memory.

Note that Datacenter is per processor, not per machine. So if you have a machine with 4 processors, Enterprise would only need one license, however for Datacenter you would need 4 licenses. This is why the virtual use rights are unlimited, because as you use more you will need more processors to handle the load.

The key to deploying Datacenter in a cost effective manner seems to be a big powerful processor with lots of cores. Intel has already talked about processors with 32 cores and in the future we may see many more. As more and more cores are built into processors in the future, Microsoft might adjust how Datacenter is licensed to include cores somehow into the licensing. Note that Datacenter does not include any CAL’s, but they are still required where a CAL is normally needed.

Enterpise makes more sense when you need only limited virtualization, but require a lot of processors.

Pricing

The prices above listed above are for the US and are retail. Prices do vary by country. Even in the US most resellers sell Windows 2008 below the suggested retail price. A quick online search at the time of writing listed an generally available price for Standard at $841 instead of $999.

Volume Licensing

Most companies skip retail completely and use volume licensing where even larger discounts are offered. Volume licensing programs start at just 5 licenses so volume licensing is not just for large companies. Naturally the more licenses bought, the greater the discount.

CAL’s

Client Access License (CAL’s) are the most confusing part of Windows licensing. Those who have been working with them for years think it is simple, but for new people trying to decipher them it is actually quite complicated.Client licensing tries to explain it, but I have had several people read it and come away more confused than before. So let me see if I can simplify it.

For each and every user who is not on the Internet, or is not anonymous (i.e. logged in, or otherwise identifiable) you need a CAL. If they work for you as an employee or contractor, they need a CAL. So in short, if you have 50 employees and contractors you need 50 CAL’s. Retail CAL’s sell for about $30 each in the US.

CAL’s can be per user, or per device. And servers can track them per seat (user or device), or per server. So there are actually 6 ways to calculate CAL’s, and you can mix methods as well, so it gets complicated quickly. I will not cover per server here, but if all of your servers are used only by a few users at a time, but you have many users the per server option can be less expensive. This is a niche however and thus most users choose per seat.

If you choose per seat, you still have two choices. Per user, or per device. You can simply count up how many client computers you have and buy that many CAL’s. So 50 computers, 50 CAL’s. But if you have users who have multiple computers, then it is more economical to license per user instead of per device. If you share computers such as in a factory, that is one computer but 3 x 8 hour shifts per day, then it is more economical to license per device. The good news here is that you can mix them. You can use per device CAL’s for the factory, and per user CAL’s in the office. They cost the same, because they are the same CAL, you just decide how to use it.

You only need one CAL per device or user, even if you have multiple servers. This is a common point of confusion, yet I did not see any entry in the FAQ nor overview documents at Microsoft. I finally found the official answer on a completely separate section of Microsoft.com.

In this case, only 3 CAL’s are needed. Most Windows Server License come with CAL’s included. So in this case if both were Windows Server Standard which normally comes with 5 CAL’s, the company would already have: 10 CAL’s – 3 CAL’s used = 7 more available CAL’s.

Virtual Guest

Recently Microsoft made an adjustment extending host licenses to include virtual machine guest rights. That is you may no longer need separate licenses for each virtual machine guest, depending on your configuration and host edition. Many people remember the number 4 and believe that all Server editions allow 4 included guests. This is true for Enterprise, but not Standard or Web. Standard allows only 1 virtual guest to share the same license, and Web does not allow any. This is available not only for Windows Server 2008, but also Windows Server 2003 R2.

External Connector License

To many it appears you need an External Connector License to expose Windows Server to the Internet. This is not true, any Windows Server can serve Internet users so long as they are not employees of your organization, are anonymous, and you are not hosting applications specifically for them. An External Connector License allows you to included non-anonymous users directly into your back end if they are not employees of contractors of your company. It is meant to allow access by vendors, and other limited use externals.

What is an anonymous user?

“If access to the instances of server software is only through the Internet without being authenticated or otherwise individually identified by the server software or through any other means”

To me this is one of the biggest “problem clauses” in the license. Many people think that an anonymous user is anyone that does not authenticate using Windows authentication. However Microsoft clearly states that DHCP and DNS server usage constitutes an authenticated user.

And what about third party software? If web forum is installed, users who log into the web forums are not anonymous.

Weaknesses

In most cases the pricing of Windows Server is quite economical. However there are some cases where it does not fit well economically.

Small businesses most likely to use retail, and only have one server. Large businesses get volume discounts and typically only need one CAL for each user, but have many servers. So their cost per user can be quite low. While a small business may only need one server, they not only are likely to buy retail but still need a CAL for each user. For example:

• Medium Size Business: 3 Servers x $850 + 600 CAL’s x $30 = $18500 / 500 users = $43 per user
• Small Business: 1 Server x $850 + 50 CAL’s x $30 = $1850 / 50 = $47 per user
• Tiny Business: 1 Server x $850 + 15 CAL’s x $30 = $1300 / 15 = $87

The small and medium do not differ very much per user, however that is expected as with more users more servers are needed. However the tiny business pays quite a bit more. The numbers I used are average retail prices in the US. The medium business also has access to greater discounts using volume licensing, so in fact their per user is significantly lower than this example.

Many business need a small server to provide NAT, DHCP, and basic file sharing. They use very little of Windows server. Windows Vista and XP can do NAT and DHCP through Internet connection sharing, but file sharing has a limit of 5 simultaneous connections and file sharing connections do not time out very quickly. The next step up is to Windows Server which becomes quite expensive on the low end for such basic features only. Large business already have CAL’s, so adding a Windows server only incurs the cost of a new server license.

Wizard

There is an online licensing wizard. Unfortunately you need to know quite a bit about licensing even before you can use the wizard. For example it makes you choose before hand the edition of Windows 2008 and makes no recommendations based on this.

Note: The wizard seems to be Internet Explorer only, but no warning is given. So to be sure it works, use Internet Explorer.

Scenarios

I have presented a few commons scenarios as I understand them. But again, before committing to any interpretation I have posted here, please contact and verify your exact situation with a Microsoft Licensing Specialist.

Scenario – Web Server with Virtualization

Requirement: A public web server, but for security reasons 4 virtual machines are needed as well.

In such a scenario if there is no backend access, no CAL’s would be required. But Standard only includes virtual use rights for 1 guest. Web edition might look attractive, but it does not have virtualization functionality and includes no virtualization rights. Enterprise includes 4 virtual use rights, but Datacenter may look attractive as it includes unlimited virtual rights and is less expensive.

However the best option is to purchase on Standard which includes 1 virtual use right, and then 3 licenses for 3 additional web editions. Non discounted retail cost: $999 + $469 * 3 = $2406

Scenario – Internet Router

Requirement: Internet routing, firewall, file sharing as guest. 10 Users.

While it might appear that CAL’s are not required, Microsoft clearly states that DHCP and other aspects required in this example require CAL’s. Thus the best option is Standard + 5 CAL’s.

http://www.kudzuworld.com/blogs/Tech/20080928.EN.aspx

Tags: CAL, Windows Server Licensing

Fixing Bad Sectors On Hard Disk

Fixing Bad Sectors On Hard Disk

Problem of Bad Sector

While running your computer, you may receive error messages suggesting your hard disk might contain bad sectors. The errors are typically flagged as “CRC” or “Cyclic Redundancy Error”. Some of your data files are missing, unreadable or corrupted and it takes forever or impossible to access certain files and folders. This may be a cause of bad sector problems. Sectors are pie-sliced divisions of a hard disk. And a bad sector is a sector on the disk which data cannot be written or read due to a physical damage or inconsistencies of parity checking bits on disk. Any data that is written or stored on that area is likely to be lost or corrupted. Data residing on the rest of the disk may be unaffected and the disk is considerably usable if the bad sectors are few.

Bad sectors are mainly due to the magnetic weakening of the domain and mechanical faults. Over time, the magnetic areas of a disk lose its magnetism and hence its inability to retain data. Such bad sectors have the tendency to spread and are usually non-repairable. Mechanical faults include physical shocks to the disk, abrupt power shutdowns and disruptions during read-write operations. Head crash can also cause bad sectors and lead to permanent data loss on the disk. When bad sectors spread, it can result in system instability when important system files are destroyed. Mild corrupted data however can be corrected by most file system utilities.

Unknown to most, the bad sectors could some times be due to bad parity checking bits written on disk. Most modern disk while storing data will transparently store parity bits together with the data. When the data is read, the parity bits are also retrieved and compared to ensure the data integrity. This goes on without the knowledge of normal user. When the parity bits are corrupted for some reasons, it will result in bad sector errors. In this case, through some proprietary recovery software, ADRC could actually repair the bad sectors without loss of data by correcting or rewriting the corrupted parity bits on disk.

Very often, bad sectors are manifested as a result of failing Read Write head. When the Read Write heads fail to read and interpret the magnetic signals normally, the same kind of bad sectors errors could occur. Frequently, bad sectors are also early signs of disk crash as it deteriorates over time.

Solution to Bad Sector Problem

If the disk is still working well, important data should be backed up immediately to avoid further data loss. If the system respond is virtually “hanging” to a standstill and you have valuable data, the best option is to consult a data recovery specialist without doing this yourself.

Commonly, a full format process should be able to “mask” the bad sectors or earmark the bad sectors in file allocation table. One could continue to use the disk while the operating system will take notice of the location of bad sectors and avoid them altogether.

Another common CHKDSK utility provided by Windows Operating System may help to detect and mark for bad sectors. During a surface scan, it attempts to write data to that sector and then read back what it wrote. If the two do not match, the sector is marked as bad as it does not maintain data integrity. The operating system will note the particular sector and avoid writing new data onto that area of disk. After which, the bad sector will be remapped to a special sector on the drive which is reserved for this purpose.

For Windows 98, ME users, follow these steps:

1. To do this, click Start, point to Programs

2. Point to Accessories, point to System Tools and select ScanDisk

3. Select the Thorough option and click Automatically Fix Errors

4. Click Start

For Windows XP/2000 users, follow these steps:

1. On the desktop, double click on My Computer

2. <>Right click and select Properties on the erroneous drive
3. Open the Tool Tab

4. Select Check Now under Error Checking
   
5. Select the option to Automatic Fix File System Errors and Scan For And Attempt Recovery For Bad Sectors
   
   
   CHKDSK offers 2 modes of scanning:
   • Error Checking

     This mode scans your computer’s files and folders. It searches and repairs any minor corrupted files and inconsistencies it detects.

   • Surface Scan

     This mode scans every sector of the disk and identifies bad sectors. When a bad sector is detected, CHKDSK will automatically mark it as bad and the system will refrain from writing further data into that sector. The bad sectors will then be remapped with working ones on the disk. Due to the intensive nature of the scan, surface scan mode typically takes very long time to perform. Time range can stretch from a few hours to a few days.

   
   

6. Click Start

It must be pointed out here that one must use CHKDSK with extreme care because if the disk is failing imminently, such operation may stress the disk to a point of complete failure. Put it ironically, if you have a good working disk, try it. If you think your disk is failing imminently, , refrain from using CHKDSK.

Tags: bad sectors

Dell – Windows XP Stop 0xED Unmountable Boot Volume Error

Windows XP Stop 0xED Unmountable Boot Volume Error

Overview

The STOP 0x000000ED UNMOUNTABLE_BOOT_VOLUME error is likely to occur on Dell™ systems when the Microsoft® Windows® XP operating system NTFS file system has been corrupted. To repair the file system, perform the following three steps: install the Recovery Console, restart the computer to the Recovery Console, and then run the CHKDSK /R command against the volume.

• Install the Recovery Console
• Restart the Computer to the Recovery Console
• Run the CHKDSK /R command

Click the links above for detailed instructions.

NOTE:

The instructions in this document may include using the Operating System, Drivers and Utilities, or Tools CDs that were shipped with your system order. Dell no longer ships these items with every system order.As an alternative to using the CDs you can do the following: You can locate hardware drivers for your Dell hardware by searching the Downloads section on <>support.dell.com. You can use PC Restore if you need to reinstall your operating system, drivers, and Dell installed software. For information about PC Restore refer to Dell Knowledge Base article: “What is Dell™ PC Restore by Symantec and what will it Restore on My Computer?”

Additional Information

NOTE:

The rest of this article covers topics and/or procedures that are not covered by Dell’s limited warranty or supported by Dell’s technical support staff.These guidelines are provided as a courtesy to you; Dell technical support neither guarantees nor assists customers in completing these steps. If you need help with the remainder of this article, or if you need help with your hardware, software, or peripherals as a result of actions taken because of this article, you can visit the Dell Community Forum. The Community Forum provides a free, virtual location for customers to discuss problems, pose questions, and offer solutions to a myriad of issues. Also, you can call the Dell HelpDesk anytime if you need help. For a fee, HelpDesk technicians are trained to answer “how to” questions on many third-party software applications and popular electronic products, as well as offer assistance to help clean up your computer and teach you how to protect against virus and spyware attacks. To learn more about Community Forums, visit the Dell Community Forums website. To learn more about HelpDesk, visit the Dell HelpDesk website. To learn more about Dell’s limited warranties, visit the Dell Warranty website.

Prior to booting to the Windows XP Recovery Console, you must install the Recovery Console. To do this, perform the following steps:

1. Insert the Windows XP CD into the CD drive.Click the Start button and then click Run. The Run window appears. In the Open: field, type the following line:
   X:\i386\winnt32.exe /cmdcons
   where X is the drive letter of the CD drive.
2. Click the OK button.
3. Follow the instructions on the screen to finish setup.
4. Click the Start button, click Turn off the computer and then click Restart.

Return to Overview

To restart the system so that it boots to the Recovery Console, perform the following steps:

1. Insert the Windows XP CD.
2. Configure the computer to boot from the CD drive.
   The prompt Press any key to boot from CD… appea

1. Press the space bar.
   The system will start the Windows XP setup process and at the bottom of the screen the following prompt briefly appears:
   Press F6 if you need to install a third party SCSI or RAID driver…
   The Welcome to Setup screen appears.
2. If Windows XP does not natively support the hard drive controller that is in the system, press the <F6> key and proceed.

1. If you pressed the <F6> key in the last step, press the <S> key when prompted and then load the appropriate driver off the floppy disk with the hard drive controller driver.
   The Welcome to Setup screen appears.
2. Press the <R> key. The Recovery Console starts and presents a numbered list of Windows installations that it detected on the hard drive. On most systems there will be just one choice.
3. Press the number corresponding to the installation you are troubleshooting and then press the <Enter> key.
4. Type the administrator password to log onto the installation. If there is no administrator password, press the <Enter> key.
   The Recovery Console command prompt appears.

Return to Overview

To run the CHKDSK /R command, perform the following steps:

1. Insert the Windows XP CD into the CD drive.
2. Boot the system from the CD drive.
   The prompt Press any key to boot from CD… appears.
3. Press the space bar.
   The Welcome to Setup dialog box appears.
4. Press the <R> key to repair Windows by using the Recovery Console.
5. Select the number that is associated with the Windows installation you want to log on to, then type the administrator password (or press press the <Enter> key if no administrator password exists).
6. From Recovery Console, type the following command:
   CHKDSK /R
7. Press the <Enter> key.
8. From the Recovery Console, type the following command:
   exit
9. Press the <Enter> key to restart your computer.
10. If the system still will not boot to the hard drive, attempt to run the CHKDSK /R command again. Depending on the corruption on the hard drive, it may take several tries to achieve a complete repair.

Return to Overview

Tags: blue screen, BSOD, Dell

How to remove MalwareDoc or Malware Doctor (Uninstall Instructions)

How to remove MalwareDoc or Malware Doctor (Uninstall Instructions)

What this programs does:

MalwareDoc is a clone of the rogue called AntiSpy Knight. This program is classified as a rogue because it uses deceptive advertising, attempts to trick users into thinking it’s a different program, and show false results when scanning your computer. The developers of MalwareDoc were also sloppy when they cloned AntiSpy Knight into MalwareDoc as shown by the Registry key HKEY_CURRENT_USER\Software\Malware Doctor\AntiSpy Knight. When testing MalwareDoc on a freshly formatted computer it still found infections. Unfortunately, these infections were legitimate Microsoft programs that includes files such as C:\Windows\Notepad.exe, C:\Windows\regedit.exe, and C:\Windows\System32\xcopy.exe. A large concern is that infected users who are unfamiliar with this program may mistakenly delete files thinking they are infections when in fact they are files required for the proper operation of Windows.

MalwareDoc screen shot
For more screen shots of this infection click on the image above.
There are a total of 3 images you can view.

When installed, MalwareDoc will be configured to start automatically when you boot your computer. Once running, it will scan your computer and display a variety of infections on your computer that cannot be removed unless you first purchase the program. As described above, these infections are all fake and are only being shown to scare you into thinking you are infected and to have you purchase the program. To further confuse users, when the installer creates the autostart entry in your Windows Registry that is used to start the program automatically, they chose a name that is used by a legitimate software. This name is Alcmtr and normally is associated with the a piece of audio software from RealTek. The reason they chose a legitimate name was to make it further appear like a program that should be allowed to run.

MalwareDoc is an unwanted program and has no redeeming qualities. It was not created to help anyone, but rather to steal your money. Instead of using this software, please use the free removal guide outlined below to remove MalwareDoc and any malware that was installed with it.

Threat Classification:

• Information on Rogue Programs & Scareware

Advanced information:

View MalwareDoc files.
View MalwareDoc Registry Information.

Entries for this program found in the Add or Remove Programs control panel:

Malware Doctor version 1.0

Tools Needed for this fix:

• Malwarebytes’ Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 – HKLM\..\Run: [Alcmtr] C:\Program Files\Malware Doctor\Malware Doctor.exe

Guide Updates:

02/19/08 – Initial guide creation.

1. Print out these instructions as we will need to close every window that is open later in the fix.
2. Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:Malwarebytes’ Anti-Malware Download Link
3. Once downloaded, close all programs and Windows on your computer, including this one.
4. Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malwarechecked. Then click on the Finish button.
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer forMalwareDoc related files.
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
9. When the scan is finished a message box will appear as shown in the image below.
   

   You should click on the OK button to close the message box and continue with the Malware Doctor removal process.

10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
13. You can now exit the MBAM program.

Your computer should now be free of the Malware Doctor program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

c:\Program Files\Malware Doctor
c:\Program Files\Malware Doctor\htmlayout.dll
c:\Program Files\Malware Doctor\maincfg.xml
c:\Program Files\Malware Doctor\Malware Doctor.exe
c:\Program Files\Malware Doctor\unins000.dat
c:\Program Files\Malware Doctor\unins000.exe
c:\Program Files\Malware Doctor\Validation.dll
c:\Program Files\Malware Doctor\GUI
c:\Program Files\Malware Doctor\GUI\help.htm
c:\Program Files\Malware Doctor\GUI\index.htm
c:\Program Files\Malware Doctor\GUI\main.css
c:\Program Files\Malware Doctor\GUI\options.htm
c:\Program Files\Malware Doctor\GUI\protect.htm
c:\Program Files\Malware Doctor\GUI\r_index.htm
c:\Program Files\Malware Doctor\GUI\r_protect.htm
c:\Program Files\Malware Doctor\GUI\r_support.htm
c:\Program Files\Malware Doctor\GUI\register.htm
c:\Program Files\Malware Doctor\GUI\status.htm
c:\Program Files\Malware Doctor\GUI\support.htm
c:\Program Files\Malware Doctor\GUI\update.htm
c:\Program Files\Malware Doctor\GUI\images
c:\Program Files\Malware Doctor\GUI\images\about.png
c:\Program Files\Malware Doctor\GUI\images\banner.png
c:\Program Files\Malware Doctor\GUI\images\button-back.png
c:\Program Files\Malware Doctor\GUI\images\button-back-active.png
c:\Program Files\Malware Doctor\GUI\images\button-back-hover.png
c:\Program Files\Malware Doctor\GUI\images\focusled.png
c:\Program Files\Malware Doctor\GUI\images\greenpoint.png
c:\Program Files\Malware Doctor\GUI\images\header.jpg
c:\Program Files\Malware Doctor\GUI\images\header.png
c:\Program Files\Malware Doctor\GUI\images\header_right.jpg
c:\Program Files\Malware Doctor\GUI\images\header-hover.png
c:\Program Files\Malware Doctor\GUI\images\help.ico
c:\Program Files\Malware Doctor\GUI\images\noconnection.png
c:\Program Files\Malware Doctor\GUI\images\ok.png
c:\Program Files\Malware Doctor\GUI\images\options.ico
c:\Program Files\Malware Doctor\GUI\images\options.png
c:\Program Files\Malware Doctor\GUI\images\progress-back.png
c:\Program Files\Malware Doctor\GUI\images\progress-body.png
c:\Program Files\Malware Doctor\GUI\images\progress-body-dark.png
c:\Program Files\Malware Doctor\GUI\images\protect.png
c:\Program Files\Malware Doctor\GUI\images\protection.ico
c:\Program Files\Malware Doctor\GUI\images\redpoint.png
c:\Program Files\Malware Doctor\GUI\images\regicon.png
c:\Program Files\Malware Doctor\GUI\images\register.png
c:\Program Files\Malware Doctor\GUI\images\scan.ico
c:\Program Files\Malware Doctor\GUI\images\sectionheader.png
c:\Program Files\Malware Doctor\GUI\images\sectionheaderred.png
c:\Program Files\Malware Doctor\GUI\images\shield.png
c:\Program Files\Malware Doctor\GUI\images\status.ico
c:\Program Files\Malware Doctor\GUI\images\stripback.png
c:\Program Files\Malware Doctor\GUI\images\support.png
c:\Program Files\Malware Doctor\GUI\images\tab.png
c:\Program Files\Malware Doctor\GUI\images\tabback.png
c:\Program Files\Malware Doctor\GUI\images\tab-hover.png
c:\Program Files\Malware Doctor\GUI\images\thanx.png
c:\Program Files\Malware Doctor\GUI\images\toolbarback.png
c:\Program Files\Malware Doctor\GUI\images\update.ico
c:\Program Files\Malware Doctor\GUI\images\update.png
c:\Program Files\Malware Doctor\GUI\images\warning.png
c:\Program Files\Malware Doctor\GUI\images\warningicon.png
c:\Documents and Settings\All Users\Start Menu\Programs\Malware Doctor
c:\Documents and Settings\All Users\Start Menu\Programs\Malware Doctor\Malware Doctor.lnk

Associated MalwareDoc Windows Registry Information:

HKEY_CURRENT_USER\Software\Malware Doctor
HKEY_CURRENT_USER\Software\Malware Doctor\AntiSpy Knight
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Doctor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Doctor_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Alcmtr”

Tags: Malware Doctor, Malware removal