www.007guard.com connection established?



Nortd
2010-08-13, 14:07
Hi, anyway I have SpyBot installed on my system, I update, scan and immunize on a regular basis and just today I noticed while using the Windows 7 Task Manager's "Resource Monitor" under Networking that every time I open my Firefox a connection is established with (www)007guard.com, which is a reported malware site.


Now, since I immunize every time I update the software, I know how it works. It basically binds the badware site to a loop which is redirected to the host local address.
Or something like that.

This is what it says in my hosts file:


# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com


Everything fine there?

Here is a picture of my netstat:
http://img40.imageshack.us/img40/9936/netstat.png


So why is there a connection established to this site?
Even after I open Firefox, every once in a while there are again a couple of bits sent to this site.
So why are bits sent to that site all the time? Even if it's just 1 or 3 bits, sometimes more.

Gopher John
2010-08-13, 16:04
See Registry changes (http://forums.spybot.info/showthread.php?t=58843) and hosts immunisation. www.007guard.com (http://forums.spybot.info/showthread.php?t=20443) threads. It's not actually connecting. Do a TraceRoute to www.007guard.com and post the result here.

Nortd
2010-08-13, 16:17
See Registry changes (http://forums.spybot.info/showthread.php?t=58843) and hosts immunisation. www.007guard.com (http://forums.spybot.info/showthread.php?t=20443) threads. It's not actually connecting. Do a TraceRoute to www.007guard.com and post the result here.

Thanks for answering.

I've done the TraceRoute and the link is immunized by SpyBot because it pings my local host address 127.0.0.1, which is all fine and great.

What I would like to know is why it sends bits to it, like when I open Firefox and later on randomly.

lardboy
2010-08-13, 19:51
I think you need to uncomment the 127.0.0.1 Localhost line.

Commenting out that line leads to confusion and feedback from various sources that 127.0.0.1 is www.007guard.com instead of localhost.

Uncomment that line and everything that is currently reported as a connection to www.007guard.com will be reported as a connection to localhost correctly.

Nortd
2010-08-14, 08:18
I think you need to uncomment the 127.0.0.1 Localhost line.

Commenting out that line leads to confusion and feedback from various sources that 127.0.0.1 is www.007guard.com instead of localhost.

Uncomment that line and everything that is currently reported as a connection to www.007guard.com will be reported as a connection to localhost correctly.

From what I have read from numerous sources the local host address in Windows 7 is commented for a reason by Windows itself.

It even says in the description:

localhost name resolution is handled within DNS itself.


Does anyone know why I only have a problem with this loop?
What about the thousands of others that are also redirected to my host source, why don't I have a connection established with those links then?

I think that the whole immunization just isn't done correctly as it was in previous versions because of the change on how Windows works with DNS.

If I uncomment the local host address then there might be some conflict since it's already being handled inside the DNS.

Also, which part do I have to uncomment?



# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

lardboy
2010-08-14, 12:15
I had the same problem you're having and you have to uncomment at least

127.0.0.1 Localhost

but you can also uncomment

::1 Localhost

Nortd
2010-08-14, 17:08
I had the same problem you're having and you have to uncomment at least

127.0.0.1 Localhost

but you can also uncomment

::1 Localhost

Thanks, that should do it.
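
Added example, not part of any post in the thread: a small Python check of which name a monitoring tool would print for 127.0.0.1 given the hosts file quoted above, before and after the localhost line is uncommented. It assumes, as lardboy's reply describes, that the tool labels an address with the first active hosts entry for it; the function names and the sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample: the tail of the hosts file quoted in the thread.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

def parse_hosts(text):
    """Return (ip, [names]) for each active (uncommented) line, in file order."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address, skip the line
        entries.append((ip, [n.lower() for n in fields[1:]]))
    return entries

def reverse_label(text, address):
    """Label shown for `address` if the first hosts match wins (assumption)."""
    target = ipaddress.ip_address(address)
    for ip, names in parse_hosts(text):
        if ip == target:
            return names[0]
    return None

def loopback_sinkholes(text):
    """Names other than localhost that the file pins to a loopback address."""
    return [n for ip, names in parse_hosts(text) if ip.is_loopback
            for n in names if n != "localhost"]

def uncomment_localhost(text):
    """Hypothetical helper: activate the commented '127.0.0.1 localhost' line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#") and raw.lstrip("#").split() == ["127.0.0.1", "localhost"]:
            raw = "127.0.0.1 localhost"
        out.append(raw)
    return "\n".join(out) + "\n"
```

With the sample as posted, `reverse_label(SAMPLE_HOSTS, "127.0.0.1")` gives `www.007guard.com`; after `uncomment_localhost` it gives `localhost`, while `loopback_sinkholes` still lists both blocked names.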