View Full Version : hosts immunisation. www.007guard.com



smokeyjoe
2007-11-21, 04:24
After I apply the hosts immunization, whenever I go to any website and run a netstat in the command prompt, I keep connecting to www. 007guard.com. When I turn the hosts immunization off, it does not connect to that site when surfing.

:banghead:

PepiMK
2007-11-21, 12:00
Looks like you're missing the first hosts file entry for localhost 127.0.0.1, so that www. 007guard.com would be the first one pointing to 127.0.0.1 now, and netstat finds it in reverse lookup first ;)

A host file usually starts like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Important is the last line, which always should be the first uncommented (uncommented means not starting with the # sign) line.

disketx
2009-05-24, 14:37
Hi, I'm actually having the same problem.

The www. 007guard.com keeps getting in my netstats. Scanned with many cleaners, especially my trusted Spybot S&D, but it's still there.

I used Process Explorer and see so many processes have the 007guard on it.
Here is 1 screenshot of my Yahoo Messenger process.

http://img402.imageshack.us/img402/5379/spyg.jpg

I used HijackThis, also don't see any suspicious entry.

So I checked my hosts file and see that 007guard is there on the list.
I assume my PC should be protected already, but it's not.

So I used ComboFix, and ComboFix deleted the hosts file created by Spybot and only left the address 127.0.0.1 localhost

and then the problem was gone.

After restarting my PC a few times, I was satisfied until 1 week later I downloaded the latest version of Spybot, updated it and applied immunization.

And there it is again. 007guard is on the list and the problem repeated again.

So what I do is delete the 007guard from the hosts list, then it's okay.

My question is, I don't know what to ask. :scratch:
But I ask anyway, why is this happening? Did immunization from Spybot do this? (seems like it does).

This is my netstat list:


C:\Documents and Settings\bzzts>netstat

Active Connections

Proto Local Address Foreign Address State
TCP BzztsIntel:1028 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1031 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1034 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1036 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1037 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1044 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1048 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1050 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1052 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1054 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1060 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1064 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1065 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1067 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1072 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1084 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1088 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1090 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1092 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1095 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1098 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1100 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1102 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1107 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1110 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1112 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1116 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1122 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1131 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1134 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1136 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1140 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1141 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1144 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1154 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1155 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1158 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1160 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1161 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1162 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1178 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1179 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1182 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1184 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1186 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1188 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1197 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1200 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1204 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1206 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1210 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1218 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1222 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1241 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1248 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1251 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1253 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1255 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1257 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1259 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1261 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1267 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1269 007guard.com:10080 ESTABLISHED
TCP BzztsIntel:1270 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1275 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1277 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1279 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1281 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1285 007guard.com:10080 FIN_WAIT_2
TCP BzztsIntel:1287 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1289 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1291 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1293 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1295 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1299 007guard.com:10080 ESTABLISHED
TCP BzztsIntel:1301 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1303 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1313 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1337 007guard.com:10080 ESTABLISHED
TCP BzztsIntel:1338 007guard.com:10080 ESTABLISHED
TCP BzztsIntel:1381 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1383 007guard.com:10080 ESTABLISHED
TCP BzztsIntel:1389 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:1391 007guard.com:10080 ESTABLISHED
TCP BzztsIntel:4981 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:4987 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:4997 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:4999 007guard.com:10080 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1025 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1042 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1046 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1056 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1057 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1062 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1074 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1076 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1078 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1079 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1082 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1085 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1094 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1104 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1111 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1118 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1119 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1124 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1125 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1128 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1130 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1138 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1146 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1148 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1165 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1168 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1170 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1172 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1174 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1176 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1190 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1192 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1194 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1196 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1202 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1208 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1212 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1213 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1216 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1220 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1224 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1226 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1227 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1228 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1230 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1235 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1236 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1239 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1243 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1246 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1263 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1265 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1269 ESTABLISHED
TCP BzztsIntel:10080 007guard.com:1273 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1283 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1285 CLOSE_WAIT
TCP BzztsIntel:10080 007guard.com:1297 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1299 ESTABLISHED
TCP BzztsIntel:10080 007guard.com:1305 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1307 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1311 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1315 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1317 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1319 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1321 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1323 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1325 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1327 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1329 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1331 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1333 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1335 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1337 ESTABLISHED
TCP BzztsIntel:10080 007guard.com:1338 ESTABLISHED
TCP BzztsIntel:10080 007guard.com:1341 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1343 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1345 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1347 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1349 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1351 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1353 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1355 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1357 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1359 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1361 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1363 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1365 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1367 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1369 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1371 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1373 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1375 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1379 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1383 ESTABLISHED
TCP BzztsIntel:10080 007guard.com:1385 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1387 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:1391 ESTABLISHED
TCP BzztsIntel:10080 007guard.com:4983 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:4989 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:4991 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:4993 TIME_WAIT
TCP BzztsIntel:10080 007guard.com:4995 TIME_WAIT
TCP BzztsIntel:1030 www.geekstogo.com:http TIME_WAIT
TCP BzztsIntel:1032 www.bleepingcomputer.com:http TIME_WAIT
TCP BzztsIntel:1035 www.us.debian.org:http TIME_WAIT
TCP BzztsIntel:1039 rcm.amazon.com:http TIME_WAIT
TCP BzztsIntel:1040 cache.filehippo.com:http TIME_WAIT
TCP BzztsIntel:1045 social.bidsystem.com:http TIME_WAIT
TCP BzztsIntel:1049 hk-in-f99.google.com:http TIME_WAIT
TCP BzztsIntel:1051 banner.cari.com.my:http TIME_WAIT
TCP BzztsIntel:1053 rcm:http TIME_WAIT
TCP BzztsIntel:1055 forum.lowyat.net:http TIME_WAIT
TCP BzztsIntel:1061 www.imageshare.web.id:http TIME_WAIT
TCP BzztsIntel:1066 l.sharethis.com:http TIME_WAIT
TCP BzztsIntel:1068 www.google:http TIME_WAIT
TCP BzztsIntel:1069 www.google:http TIME_WAIT
TCP BzztsIntel:1071 hk-in-f99.google.com:http TIME_WAIT
TCP BzztsIntel:1073 hk-in-f99.google.com:http TIME_WAIT
TCP BzztsIntel:1086 www.board4all.cz:http TIME_WAIT
TCP BzztsIntel:1089 hk-in-f99.google.com:http TIME_WAIT
TCP BzztsIntel:1091 rcm:http TIME_WAIT
TCP BzztsIntel:1093 ac3.msn.com:http TIME_WAIT
TCP BzztsIntel:1097 bs.yandex.ru:http TIME_WAIT
TCP BzztsIntel:1099 anrtx.tacoda.net:http TIME_WAIT
TCP BzztsIntel:1101 s7.addthis.com:http TIME_WAIT
TCP BzztsIntel:1103 www.google:http TIME_WAIT
TCP BzztsIntel:kpop bleepingcomputer.us.intellitxt.com:http TIME_WAIT
TCP BzztsIntel:1113 media.fastclick.net:http TIME_WAIT
TCP BzztsIntel:1115 pubads.g.doubleclick.net:http TIME_WAIT
TCP BzztsIntel:1117 apps.rockyou.com:http TIME_WAIT
TCP BzztsIntel:1123 forum.xda:http TIME_WAIT
TCP BzztsIntel:1133 z.about.com:http TIME_WAIT
TCP BzztsIntel:1135 images.adsyndication.msn.com:http TIME_WAIT
TCP BzztsIntel:1137 www.gravatar.com:http TIME_WAIT
TCP BzztsIntel:1142 bs.yandex.ru:http TIME_WAIT
TCP BzztsIntel:1143 bs.yandex.ru:http TIME_WAIT
TCP BzztsIntel:1145 rd.apmebf.com:http TIME_WAIT
TCP BzztsIntel:1156 forums.majorgeeks.com:http TIME_WAIT
TCP BzztsIntel:1157 cdn.at.atwola.com:http TIME_WAIT
TCP BzztsIntel:1159 geekstogo.us.intellitxt.com:http TIME_WAIT
TCP BzztsIntel:1163 blog.taragana.com:http TIME_WAIT
TCP BzztsIntel:1164 up.nytimes.com:http TIME_WAIT
TCP BzztsIntel:1166 media.fastclick.net:http TIME_WAIT
TCP BzztsIntel:1180 d13.zedo.com:http TIME_WAIT
TCP BzztsIntel:1181 bleepingcomputer.us.intellitxt.com:http TIME_WAIT
TCP BzztsIntel:1183 d13.zedo.com:http TIME_WAIT
TCP BzztsIntel:1185 ai.pricegrabber.com:http TIME_WAIT
TCP BzztsIntel:1187 bs.yandex.ru:http TIME_WAIT
TCP BzztsIntel:1189 www.google:http TIME_WAIT
TCP BzztsIntel:1199 up.nytimes.com:http TIME_WAIT
TCP BzztsIntel:1201 cdn.at.atwola.com:http TIME_WAIT
TCP BzztsIntel:1205 apps.rockyou.com:http TIME_WAIT
TCP BzztsIntel:1207 www.google:http TIME_WAIT
TCP BzztsIntel:1211 wwp.icq.com:http TIME_WAIT
TCP BzztsIntel:1219 m1.2mdn.net:http TIME_WAIT
TCP BzztsIntel:1223 www.is1.clixgalore.com:http TIME_WAIT
TCP BzztsIntel:1242 geekstogo.us.intellitxt.com:http TIME_WAIT
TCP BzztsIntel:1249 www.google:http TIME_WAIT
TCP BzztsIntel:1252 ty-in-f118.google.com:http TIME_WAIT
TCP BzztsIntel:1254 www.is1.clixgalore.com:http TIME_WAIT
TCP BzztsIntel:1256 z:http TIME_WAIT
TCP BzztsIntel:1258 status.icq.com:http TIME_WAIT
TCP BzztsIntel:1260 pubads.g.doubleclick.net:http TIME_WAIT
TCP BzztsIntel:1262 status.icq.com:http TIME_WAIT
TCP BzztsIntel:1268 ty-in-f118.google.com:http TIME_WAIT
TCP BzztsIntel:1271 social.bidsystem.com:http ESTABLISHED
TCP BzztsIntel:1272 pubads.g.doubleclick.net:http TIME_WAIT
TCP BzztsIntel:1276 sitecheck2.opera.com:http TIME_WAIT
TCP BzztsIntel:1278 status.icq.com:http TIME_WAIT
TCP BzztsIntel:1280 blog.taragana.com:http TIME_WAIT
TCP BzztsIntel:1282 pubads.g.doubleclick.net:http TIME_WAIT
TCP BzztsIntel:1286 sitecheck2.opera.com:http FIN_WAIT_1
TCP BzztsIntel:1288 status.icq.com:http TIME_WAIT
TCP BzztsIntel:1290 ty-in-f118.google.com:http TIME_WAIT
TCP BzztsIntel:1294 ty-in-f113.google.com:http TIME_WAIT
TCP BzztsIntel:1296 www.assoc:http TIME_WAIT
TCP BzztsIntel:1300 social.bidsystem.com:http ESTABLISHED
TCP BzztsIntel:1302 s4.histats.com:http TIME_WAIT
TCP BzztsIntel:1304 hk-in-f99.google.com:http TIME_WAIT
TCP BzztsIntel:1310 hk-in-f99.google.com:http TIME_WAIT
TCP BzztsIntel:1314 pubads.g.doubleclick.net:http TIME_WAIT
TCP BzztsIntel:1339 media.socialreach.com:http ESTABLISHED
TCP BzztsIntel:1340 media.socialreach.com:http ESTABLISHED
TCP BzztsIntel:1382 login.router:http TIME_WAIT
TCP BzztsIntel:1384 www.safer:http ESTABLISHED
TCP BzztsIntel:1390 fastspeedtest.net:http TIME_WAIT
TCP BzztsIntel:1392 www.kushari.org:http ESTABLISHED
TCP BzztsIntel:4982 neutrino.cpp.in:http TIME_WAIT
TCP BzztsIntel:4988 z.about.com:http TIME_WAIT
TCP BzztsIntel:4998 www.rslinks.org:http TIME_WAIT
TCP BzztsIntel:5000 scenereleases.info:http TIME_WAIT

C:\Documents and Settings\bzzts>

Anyway, what is this 007guard anyway? How to permanently block this thing from invading my PC?

spybotsandra
2009-05-25, 12:37
Hello,

It does not actually connect to that site.
Seems like your netstat has a look at what is written in the restricted zones and the host file.
By the immunization of Spybot - Search & Destroy the baddies are blocked.
That means that the sites where the baddies come from are added to the restricted zones in order to block them.
So 007guard is added to the restricted zones in order to block it.

Best regards
Sandra
Team Spybot

disketx
2009-05-26, 06:48
Thanks for your reply. However, I'm still not satisfied.
My next questions:

1- Do you mean everything is okay? That UDP/TCP to www. 007guard.com is safe?

2- How to get rid of this situation? (if you can help find solutions).
Because my other computers are all okay and don't have this problem (and I hate to format my PC).

Thanks again. :red:

m00nbl00d
2009-05-28, 16:44
Did you check if you got this entry in your HOSTS file? 127.0.0.1 localhost
If not, edit your hosts file with notepad and add it before every other entry.

Al K. Hall
2009-05-30, 20:24
I get the same connected to 007guard thing, and yes, 127.0.0.1 localhost is the first entry in the hosts file.

What is going on here?

Is there a connection or not? Netstat and IE properties TCP/IP connections say there is a connection.

PepiMK
2009-06-02, 18:34
There is a connection - to 127.0.0.1.

It is not a connection to 007guard.com though - that's a misinterpretation by netstat, displaying just a "random" (possibly last?) 127.0.0.1 entry and not the first from the hosts file.

Connections to 127.0.0.1 are "to" your local machine - a loop redirection to block access to the actual address of specific bad hosts (like 007guard.com).

Without the hosts file entry, access to 007guard.com would lead to the real bad server, with this, access will be kept "inside" your machine and will enter the nirvana. Since there are many such sites, programs that use the IP address (127.0.0.1) to later display an associated domain (007guard.com) might show invalid names, since there are many and it's impossible to find the correct one. Usually, access to 127.0.0.1 would be legit "local" communication.
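
One way to check from netstat output alone that such a "remote" host is really the local machine, as an added example that is not part of any post in this thread: on a loopback connection both endpoints live on the same computer, so the same connection shows up twice with the ports swapped. The sample rows are taken from the listing posted above; the function names are illustrative.

```python
import re
from collections import Counter

# Sample rows taken from the netstat listing posted earlier in this thread.
SAMPLE = """\
  TCP    BzztsIntel:1028    007guard.com:10080         TIME_WAIT
  TCP    BzztsIntel:1269    007guard.com:10080         ESTABLISHED
  TCP    BzztsIntel:1285    007guard.com:10080         FIN_WAIT_2
  TCP    BzztsIntel:10080   007guard.com:1269          ESTABLISHED
  TCP    BzztsIntel:10080   007guard.com:1285          CLOSE_WAIT
  TCP    BzztsIntel:1271    social.bidsystem.com:http  ESTABLISHED
"""

# Proto, local host:port, foreign host:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_port, remote_name, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, lport, rname, rport, state = m.groups()
            rows.append((lport, rname, rport, state))
    return rows


def mirrored_pairs(rows):
    """Find connections whose two endpoints both appear as local rows.

    A row local:A -> name:B together with a row local:B -> name:A means
    "name" is this machine. A connection to a real remote server only
    ever shows one side. TIME_WAIT rows have no mirror because only the
    side that closed first keeps that state.
    """
    index = {(lport, rport, rname): state
             for lport, rname, rport, state in rows}
    pairs = []
    for (lport, rport, rname), state in index.items():
        other = index.get((rport, lport, rname))
        # Emit each pair once, from the side whose port string sorts first.
        if other is not None and lport < rport:
            pairs.append((rname, lport, rport, state, other))
    return sorted(pairs)


def shared_port(pairs):
    """Port common to the most pairs: the local listener being contacted."""
    counts = Counter(p for _, a, b, _, _ in pairs for p in (a, b))
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    found = mirrored_pairs(parse_netstat(SAMPLE))
    for name, a, b, s1, s2 in found:
        print(f"{name}: ports {a} <-> {b} ({s1} / {s2}) are both local")
    print("local listener port:", shared_port(found))
```

Running `netstat -n` avoids the question entirely, because it prints numeric addresses and skips the reverse lookup that produces the misleading name.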

IchBin
2010-05-24, 18:40
I understand and like what Spybot Search & Destroy is doing in my host file. Problem is I need to track the connected IPs to my machine. Why would they not make 127.0.0.1 localhost the first in the host list? I want to change to have it as the first entry. I tell it to not protect my host file, so I can change it, but I still cannot modify it. I know that I can boot Windows 7 in safe mode and change it but:

- Why can I not change the host file without going into safe mode (reboot twice) just to do this?
- I have done this in the past but SS&D insists on modifying it back to their own list. I do not want this to happen if it is so hard to put the local host address as the first entry.

Again I need to see the connected IP address via Windows 7 Resource Monitor.

Just frustrating... :mad:

reureu
2010-11-25, 08:50
Hi all,

Sorry to contribute to this thread so late. I have found some information that might be relevant.

On Windows 7, localhost resolution has been moved to the DNS. Therefore, it no longer appears as first line of the HOSTS file.
http://serverfault.com/questions/4689/windows-7-localhost-name-resolution-is-handled-within-dns-itself-why

When you apply Spybot's Immunization on Windows 7, the first few lines of your HOSTS file are


# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com



As you can see, the first uncommented line corresponds to www.007guard.com, which is what netstat displays.

In order to avoid potential problems in the future, you should not add "localhost" as first uncommented line in your HOSTS file.

But what you can do is add a custom line (the line in bold below) in your HOSTS file, like


# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 localhost_NAME_OF_MY_COMPUTER
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com


By doing this, netstat will no longer display www.007guard.com.
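
A simplified model of the behaviour described in the post above, as an added example that is not part of any post in this thread. It assumes the name shown for an address is taken from the first active HOSTS line carrying that address (the thread itself notes the line a tool picks can differ); the three sample files are built from lines quoted in this thread and the function names are illustrative.

```python
import ipaddress

XP_STYLE = """\
# For example:
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

WIN7_IMMUNISED = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

WIN7_WITH_LABEL = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 localhost_NAME_OF_MY_COMPUTER
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""


def parse_hosts(text):
    """Return [(address, [names])] for active lines, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or address-only line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # first column is not an IP
        entries.append((addr, [n.lower() for n in fields[1:]]))
    return entries


def reverse_label(entries, address):
    """Name a tool would display for `address` under the first-match model."""
    wanted = str(ipaddress.ip_address(address))
    for addr, names in entries:
        if addr == wanted:
            return names[0]
    return None


def forward_lookup(entries, name):
    """Address a blocked name resolves to; unaffected by line order."""
    for addr, names in entries:
        if name.lower() in names:
            return addr
    return None


def report(text):
    """Summarise what is displayed for loopback and whether the block holds."""
    entries = parse_hosts(text)
    return {
        "shown_for_127.0.0.1": reverse_label(entries, "127.0.0.1"),
        "007guard.com_blocked": forward_lookup(entries, "007guard.com") == "127.0.0.1",
    }


if __name__ == "__main__":
    for title, text in (("XP style", XP_STYLE),
                        ("Windows 7 immunised", WIN7_IMMUNISED),
                        ("Windows 7 with label line", WIN7_WITH_LABEL)):
        print(title, report(text))
```

In all three files the block on 007guard.com stays in force; only the label displayed for 127.0.0.1 changes.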

SEOGuy
2011-05-18, 03:31
Hi all. Thought I'd share my experience / observations.

I'm using Windows 7 32bit Home Edition. My Firefox 4 recently slowed way down. I thought it was my network (I'm the only device on my ADSL2+) but I fired up another 2 machines (MacBook and a Windows 7 notebook) and none of these had any browser difficulties.

So being somewhat computer savvy, I performed a netstat -f and saw a few connections to 007guard.com. Not recognising this web address I Googled it, and now I'm aware that I'm infected with some sort of malware / spyware app running on my system somewhere.

I installed spybot and had it modify my hosts file. Then I checked netstat -f again and the 007guard.exe connections were still there (attached to firefox.exe).

I could at this point edit the rules in my Windows firewall to block these outgoing connections, but it's much easier to do it by modifying the hosts file.

I then checked my hosts file (in c:\windows\system32\drivers\etc) and spybot didn't disable the 127.0.0.1 localhost entry. So I tried editing the hosts file. It wouldn't save. So I disabled the read-only setting, saved it, then re-enabled the read-only setting.

Another netstat -f showed no more (reported) connections were being attempted to 007guard.com (note that I didn't reboot my Win7 machine at this point).

Now, this doesn't mean that the 007guard.exe malware has been removed. It just means that whatever process (attached to my firefox.exe app) is trying to access the 007guard.com website is now not being reported because we are "swallowing" the request (the attempted connections are being resolved successfully).

My firefox 4 browser (still open) is still very very slow as I expected (we've not removed the malware, only hidden its connection reporting).

So I still need to locate what app is responsible for the malware and then determine how to remove it. Given netstat -f was reporting the connections to 007guard.com came from firefox.exe, then I must have a rogue toolbar or plugin or something.

I'll need to comment out the 127.0.0.1 localhost entry in my hosts file so I can see if netstat -f still reports the outgoing connections. If yes, I'll also need to fire up IE9 and Chrome and Safari to see if any of these browsers are also infected.

I used the Windows Resource Monitor to determine where outbound connections to 007guard.exe were coming from ... see attachment JPG. Be sure to watch the connections list for a few minutes to see if any attempts to 007guard.exe appear.

------------------

Ok, my results:

- ff4 still showing outbound connections to 007guard.exe are being attempted (but not succeeding because of our hosts file modified by spybot)

- chrome: nothing

- ie9: yes, attempted connections to 007guard.exe from iexplorer.exe

- safari: yes, attempted connections to 007guard.exe from safari.exe

- weather_tracker.exe shows attempted outbound connections. This is a windows gadget that displays weather info.

- mDNSResponder.exe shows attempted outbound connections.

Now I'm beginning to think that it's not some wayward toolbar or firefox plugin, because multiple apps are being hijacked. Hmmm ... if I shutdown firefox and run the other apps again? Ok, I shut down firefox and started IE9 - yep, sure enough, it tries to make outbound connections to 007guard.com!

So now I have a few leads to go on. I'll report back if I get any further.

Cheers for now.

Mark

Sydney, Australia

SEOGuy
2011-05-18, 03:42
Incidentally, I searched my entire hard drive (C: and all external USB thumb drives and USB hard drives) for "007guard" but found nothing.

I also searched my registry (via regedit) for "007guard" and found nothing.

I'll keep trying to work this out ...

SEOGuy
2011-05-18, 05:58
Ok, searched my entire drive collection and registry for "2search". Nothing.

Put Windows into Safe Mode and ran Malwarebyte, Spybot and others. Nothing.

So I decided to modify my hosts file once again, to see how it is utilised by Windows 7 and its apps that request name resolution. My thinking was that because 007guard.com appeared 1st in the list (after all the #comment lines) that it might be used to resolve all 127.0.0.1 addresses ... (unreasonable in my mind because that's not how I understand the hosts file works).

---------------------------------------
-- my hosts file after spybot added stuff
---------------------------------------
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost

# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1 007guard.com <--- note this is the 1st effective entry
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
cut ...

Note: In this configuration, 007guard.com shows up in various netstat -f tests


---------------------------------------
-- my modification
---------------------------------------
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
127.0.0.1 mydummydomainname.com <--- note this is now the 1st effective entry

# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
cut ...

Note: In this configuration, iexplore.exe showed an outbound connection to mydummydomainname.com !!!! See attached screenshot of Remote Monitor. And I didn't see any outbound connection to 007guard.com (I sat and watched all connections being made while I opened up Firefox 4, Chrome, IE9 and Safari). When I fired up these other browsers, sure enough, they all wanted to form connections with mydummydomainname.com !!!! So now I am totally baffled because as I stated before, this is not how I understood the hosts file behaved.

This is my understanding:

a) when the os wants to resolve an IP address, it uses the following services in order:
- call arp to get the host name (as per RFC 826)
- arp cache in computer memory

b) when the os wants to resolve a host name (ie. 007guard.com) it looks in the following places in order:
- hosts file
- dns
- wins
- local broadcast
- lmhosts file

c) NETBIOS names are resolved like so (in order):
- netbios name cache in memory
- wins
- local broadcast
- lmhosts file
- hosts file
- dns

So therefore any app/process trying to resolve 127.0.0.1 shouldn't be using the hosts file (so why default to the 1st entry in the hosts file?). I'm baffled ...

Time to do some research ...

=Mark

spybotsandra
2011-05-18, 09:43
Hello,

Did you read the first site of this 3 year old post? :wink:

Best regards
Sandra
Team Spybot

SEOGuy
2011-05-18, 13:37
@Spybotsandra

Do you mean the 1st post dated Nov 2007 by Smokeyjoe (and responded to by PepiMK)?

If you do then the posts were not clear at all. Nowhere has it been discussed if the 007guard.com entries in a netstat -f output (or any other such utility) were caused by an actual malware process still running in the User's system, or if these entries are simply the remnants of a mis-configured HOSTS file (caused by Spybot).

I set about clarifying the issue for myself with some in-depth research and analysis.

Basically, Spybot does not detect whether the 127.0.0.1 localhost entry exists or not in the hosts file (such an entry *is* required to ensure that "localhost" doesn't resolve to the 1st entry in the hosts list, namely 007guard.com)

I hope your next release of Spybot (an otherwise excellent tool) fixes this oversight.

Cheers,

Mark

spybotsandra
2011-05-18, 14:34
Hello,

You're not really connected to the site "007guard.com". There must be a problem with Spybot's host file which uses a list of malware/adware sites in the form of "007guard.com" to point to the loop back 127.0.0.1 which is your computer. You would never reach the site.
You can try disabling Spybot's immunization feature. Reboot and see if anything improves.
You will find more information about this in our forum:
hosts immunisation. www.007guard.com (http://forums.spybot.info/showthread.php?t=20443&highlight=007guard)
007Guard (http://forums.spybot.info/showthread.php?t=52652&highlight=007guard)

Best regards
Sandra
Team Spybot

cowboy22
2011-12-28, 01:07
I too have fallen victim to the 007 guard problem myself here is what I have learned from my experience I got in my home network from a specific hacker the my online game console I had a dialog with this individual hacker not knowing this individual is a hacker then invited to Facebook by this hacker this hacker tried to pose as a potential online friend only to turn out to be a hacker and a cyber grifter I discovered I had and still remain hacked by this individual hacker I discovered this individual hacker was in my computer and network through netstats tried every form of anti-virus program and anti-malware program including Spybot S&D and every function it has because I knew who the hacker is I reported the hacker to www.ic3.gov and still await a response I'm telling you have 007guard on your computer like me you probably know the hacker who put it there you just didn't realize it was someone you know and met online this program takes hold of any messenger you use or any PC game you play without letting go no matter how many times you terminate connection with it! You can terminate connection with it on your web browser and it will return connection with your browser in only a matter of time and Spybot must make an update that will get rid of this malware because it will not go away no matter what you do and it refuses termination from any messenger you use and any game you play on your PC but believe me if you have 007guard on your PC it's also on your home network and any machine you have in your home or place of business it's in your PC, cellphone, game console, or tablet PC etc.
And was put there by someone you met, know, and talk to online or better stated someone you thought you knew you need to go through your friends lists on absolutely everything your IMs, your social network pages, and even your gaming console talk to all your friends ask them questions check for inconsistencies in their answers think about how you met them what you talk to them about and what were the circumstances you met them under and what your friendship is with them figure out what your situation is with them now because make no mistake if you have 007guard on your PC you are being targeted by an individual hacker/cybergrifter who is looking for something to gain from you once you have figured out who your supposed friend is that is doing this to you! Once you have done that you should report this individual to www.ic3.gov as soon as possible and remember you probably only know 50 percent of who your individual victimizer really is so try to get as much truth about them as possible but report everything you know about them the truth they told you and the lies they told you it's all important to the authorities go to www.ic3.gov and tell them all you can about the hacker/cybergrifter you can again it will all be important!!! meanwhile I wait patiently for my response from www.ic3.gov Spybot S&D please come up with a fix for this malware problem because right now neither you or anyone else has a solution for this 007guard malware problem PLEASE!!!

Arctucas
2011-12-28, 01:54
@cowboy22,

I started to read your post, but without punctuation and paragraphs, I quit after two lines.

KeyShawn
2012-03-29, 07:42
Hello,

You're not really connected to the site "007guard.com". There must be a problem with Spybot's hosts file which uses a list of malware/adware sites in the form of "007guard.com" to point to the loopback 127.0.0.1 which is your computer. You would never reach the site.
You can try disabling Spybot's immunization feature. Reboot and see if anything improves.
You will find more information about this in our forum:
hosts immunisation. www.007guard.com (http://forums.spybot.info/showthread.php?t=20443&highlight=007guard)
007Guard (http://forums.spybot.info/showthread.php?t=52652&highlight=007guard)

Best regards
Sandra
Team Spybot

In layperson's terms, can you tell me if this is a bug or not? If it is, should I apply the fix others are suggesting? I am a novice and alarmed about this whole issue and would like my PC to be SECURE. Thanks. PS: if it is a bug, when will you guys fix it?

spybotsandra
2012-03-30, 10:44
It's not a bug.


There is a connection - to 127.0.0.1.

It is not a connection to 007guard.com though - that's a misinterpretation by netstat, displaying just a "random" (possibly last?) 127.0.0.1 entry and not the first from the hosts file.

Connections to 127.0.0.1 are "to" your local machine - a loop redirection to block access to the actual address of specific bad hosts (like 007guard.com).

Without the hosts file entry, access to 007guard.com would lead to the real bad server; with this, access will be kept "inside" your machine and will enter the nirvana. Since there are many such sites, programs that use the IP address (127.0.0.1) to later display an associated domain (007guard.com) might show invalid names, since there are many and it's impossible to find the correct one. Usually, access to 127.0.0.1 would be legit "local" communication.
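
The hosts-file behaviour discussed in this thread, as an added example that is not part of any post above and is not Spybot's code: it parses a hosts file, reports which name a first-match reverse lookup of 127.0.0.1 would display (the simplified model PepiMK describes), and separates loopback blocklist entries from entries that point a name at some other address. The sample files and the names `HEALTHY`, `MISSING_LOCALHOST`, `parse_hosts` and `audit` are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts files (not taken from any real machine).
HEALTHY = """\
# sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.007guard.com   # blocklist entry
127.0.0.1 007guard.com
"""
MISSING_LOCALHOST = """\
# the localhost line was lost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

def parse_hosts(text):
    """Return [(ip, name), ...] in file order, skipping comments and bad lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first column is not an IP
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def audit(text):
    entries = parse_hosts(text)
    loopback = [name for ip, name in entries if ip.is_loopback]
    return {
        # Assumption: the tool labels 127.0.0.1 with the first matching entry.
        "shown_for_loopback": loopback[0] if loopback else None,
        "localhost_first": bool(entries) and entries[0][1] == "localhost"
                           and entries[0][0].is_loopback,
        # Names that are merely blocked (traffic never leaves the machine).
        "blocked_names": [n for n in loopback if n != "localhost"],
        # Names sent to a real address: these are the entries worth reviewing.
        "non_loopback": [(str(ip), n) for ip, n in entries
                         if not ip.is_loopback and not ip.is_unspecified],
    }

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("missing localhost", MISSING_LOCALHOST)):
        print(label, audit(text))
```

Running `netstat -n` shows numeric addresses instead of resolved names, so a loopback connection appears as 127.0.0.1 rather than under a blocklist name.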

ccrider2
2014-11-25, 15:37
It's not a bug.

Sorry to open this old thread but I've got something I don't understand, and wish some input as to my concern.
At the bottom of this image (see attachment) it mentions something about two files related to SB S&D connecting to the guard address in question. Also, not shown, Internet Explorer popped in there but I failed to capture it.

[Attachment 11869]

Should I be concerned here? :confused:

Thanks Much,