
Thread: hosts immunisation. www.007guard.com

  1. #11
    Junior Member (Join Date: May 2011, Posts: 4)

    007guard.exe

    Hi all. Thought I'd share my experience / observations.

    I'm using Windows 7 32bit Home Edition. My Firefox 4 recently slowed way down. I thought it was my network (I'm the only device on my ADSL2+) but I fired up another 2 machines (MacBook and a Windows 7 notebook) and none of these had any browser difficulties.

    So being somewhat computer savvy, I performed a netstat -f and saw a few connections to 007guard.com. Not recognising this web address I Googled it, and now I'm aware that I'm infected with some sort of malware / spyware app running on my system somewhere.

    I installed spybot and had it modify my hosts file. Then I checked netstat -f again and the 007guard.exe connections were still there (attached to firefox.exe).

    I could at this point edit the rules in my Windows firewall to block these outgoing connections, but it's much easier to do it by modifying the hosts file.

    I then checked my hosts file (in c:\windows\system32\drivers\etc) and spybot didn't disable the 127.0.0.1 localhost entry. So I tried editing the hosts file. It wouldn't save. So I disabled the read-only setting, saved it, then re-enabled the read-only setting.

    Another netstat -f showed no more (reported) connections were being attempted to 007guard.com (note that I didn't reboot my Win7 machine at this point).

    Now, this doesn't mean that the 007guard.exe malware has been removed. It just means that whatever process (attached to my firefox.exe app) is trying to access the 007guard.com website is now not being reported because we are "swallowing" the request (the attempted connections are being resolved successfully).

    My firefox 4 browser (still open) is still very very slow as I expected (we've not removed the malware, only hidden its connection reporting).

    So I still need to locate what app is responsible for the malware and then determine how to remove it. Given that netstat -f was reporting the connections to 007guard.com came from firefox.exe, I must have a rogue toolbar or plugin or something.

    I'll need to comment out the 127.0.0.1 localhost entry in my hosts file so I can see if netstat -f still reports the outgoing connections. If yes, I'll also need to fire up IE9 and Chrome and Safari to see if any of these browsers are also infected.

    I used the Windows Resource Monitor to determine where outbound connections to 007guard.exe were coming from ... see attachment JPG. Be sure to watch the connections list for a few minutes to see if any attempts to 007guard.exe appear.

    ------------------

    Ok, my results:

    - ff4: still showing that outbound connections to 007guard.exe are being attempted (but not succeeding because of our hosts file modified by spybot)

    - chrome: nothing

    - ie9: yes, attempted connections to 007guard.exe from iexplorer.exe

    - safari: yes, attempted connections to 007guard.exe from safari.exe

    - weather_tracker.exe shows attempted outbound connections. This is a windows gadget that displays weather info.

    - mDNSResponder.exe shows attempted outbound connections.

    Now I'm beginning to think that it's not some wayward toolbar or firefox plugin, because multiple apps are being hijacked. Hmmm ... if I shut down firefox and run the other apps again? Ok, I shut down firefox and started IE9 - yep, sure enough, it tries to make outbound connections to 007guard.com!

    So now I have a few leads to go on. I'll report back if I get any further.

    Cheers for now.

    Mark

    Sydney, Australia
    Last edited by SEOGuy; 2011-05-18 at 03:38. Reason: spelling
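As an added example (not part of Mark's post or of this thread), a small Python script that does the two checks the post performs by hand: it reads a Windows hosts file to confirm a domain is sinkholed to localhost, and it parses constructed lines in the shape of `netstat -f -o` output (hypothetical PIDs, assumed addresses) to list which owning process IDs are attempting connections to that domain, the attribution the post gets from Resource Monitor.

```python
import re

# Constructed hosts-file excerpt in Windows format (not taken from the post).
HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.007guard.com   # added by immunisation
127.0.0.1\t007guard.com
"""

# Constructed rows in the shape of `netstat -f -o` output; PIDs are hypothetical.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:49152     www.007guard.com:http  SYN_SENT        2212
  TCP    192.168.0.10:49153     www.007guard.com:http  SYN_SENT        3304
  TCP    192.168.0.10:49160     mail.example.net:https ESTABLISHED     2212
  TCP    127.0.0.1:49170        127.0.0.1:http         SYN_SENT        5120
"""

def parse_hosts(text):
    """Map every hostname in a hosts file to its address, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()                   # tabs or spaces, one address then names
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping

def is_sinkholed(hosts, domain):
    """True when the hosts file sends the domain to localhost or the null address."""
    return hosts.get(domain.lower()) in {"127.0.0.1", "0.0.0.0", "::1"}

# TCP data rows only: local, foreign, state, owning PID (UDP rows have no state).
NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, remote_host, remote_port, state, pid) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)            # header and blank lines do not match
        if m:
            local, remote, state, pid = m.groups()
            host, _, port = remote.rpartition(":")
            rows.append((local, host.lower(), port, state, int(pid)))
    return rows

def pids_contacting(rows, domain):
    """Owning PIDs with an attempted or open connection to the domain or a subdomain."""
    d = domain.lower()
    return sorted({r[4] for r in rows if r[1] == d or r[1].endswith("." + d)})

if __name__ == "__main__":
    print("sinkholed:", is_sinkholed(parse_hosts(HOSTS_SAMPLE), "www.007guard.com"))
    print("PIDs:", pids_contacting(parse_netstat(NETSTAT_SAMPLE), "007guard.com"))
```

On a live machine, feed the script the real `C:\Windows\System32\drivers\etc\hosts` contents and the output of `netstat -f -o`, then map the returned PIDs to images with Task Manager or `tasklist`.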
