
Thread: hosts immunisation. www.007guard.com

  #11 - Junior Member (Join Date: May 2011, Posts: 4)

    Title: 007guard.exe

    Hi all. Thought I'd share my experience / observations.

    I'm using Windows 7 32-bit Home Edition. My Firefox 4 recently slowed way down. I thought it was my network (I'm the only device on my ADSL2+) but I fired up another 2 machines (MacBook and a Windows 7 notebook) and none of these had any browser difficulties.

    So being somewhat computer savvy, I performed a netstat -f and saw a few connections to 007guard.com. Not recognising this web address I Googled it, and now I'm aware that I'm infected with some sort of malware / spyware app running on my system somewhere.

    I installed Spybot and had it modify my hosts file. Then I checked netstat -f again and the 007guard.exe connections were still there (attached to firefox.exe).

    I could at this point edit the rules in my Windows firewall to block these outgoing connections, but it's much easier to do it by modifying the hosts file.

    I then checked my hosts file (in c:\windows\system32\drivers\etc) and Spybot didn't disable the 127.0.0.1 localhost entry. So I tried editing the hosts file. It wouldn't save. So I disabled the read-only setting, saved it, then re-enabled the read-only setting.

    Another netstat -f showed no more (reported) connections were being attempted to 007guard.com (note that I didn't reboot my Win7 machine at this point).

    Now, this doesn't mean that the 007guard.exe malware has been removed. It just means that whatever process (attached to my firefox.exe app) is trying to access the 007guard.com website is now not being reported because we are "swallowing" the request (the attempted connections are being resolved successfully).

    My Firefox 4 browser (still open) is still very very slow as I expected (we've not removed the malware, only hidden its connection reporting).

    So I still need to locate what app is responsible for the malware and then determine how to remove it. Given netstat -f was reporting the connections to 007guard.com came from firefox.exe, then I must have a rogue toolbar or plugin or something.

    I'll need to comment out the 127.0.0.1 localhost entry in my hosts file so I can see if netstat -f still reports the outgoing connections. If yes, I'll also need to fire up IE9 and Chrome and Safari to see if any of these browsers are also infected.

    I used the Windows Resource Monitor to determine where outbound connections to 007guard.exe were coming from ... see attachment JPG. Be sure to watch the connections list for a few minutes to see if any attempts to 007guard.exe appear.

    ------------------

    Ok, my results:

    - ff4 still showing outbound connections to 007guard.exe are being attempted (but not succeeding because of our hosts file modified by spybot)

    - chrome: nothing

    - ie9: yes, attempted connections to 007guard.exe from iexplorer.exe

    - safari: yes, attempted connections to 007guard.exe from safari.exe

    - weather_tracker.exe shows attempted outbound connections. This is a windows gadget that displays weather info.

    - mDNSResponder.exe shows attempted outbound connections.

    Now I'm beginning to think that it's not some wayward toolbar or Firefox plugin, because multiple apps are being hijacked. Hmmm ... what if I shut down Firefox and run the other apps again? Ok, I shut down Firefox and started IE9 - yep, sure enough, it tries to make outbound connections to 007guard.com!

    So now I have a few leads to go on. I'll report back if I get any further.

    Cheers for now.

    Mark

    Sydney, Australia
    Last edited by SEOGuy; 2011-05-18 at 04:38. Reason: spelling

  #12 - Junior Member (Join Date: May 2011, Posts: 4)

    Incidentally, I searched my entire hard drive (C: and all external USB thumb drives and USB hard drives) for "007guard" but found nothing.

    I also searched my registry (via regedit) for "007guard" and found nothing.

    I'll keep trying to work this out ...

  #13 - Junior Member (Join Date: May 2011, Posts: 4)

    Title: 007guard.exe

    Ok, searched my entire drive collection and registry for "2search". Nothing.

    Put Windows into Safe Mode and ran Malwarebytes, Spybot and others. Nothing.

    So I decided to modify my hosts file once again, to see how it is utilised by Windows 7 and its apps that request name resolution. My thinking was that because 007guard.com appeared 1st in the list (after all the #comment lines) it might be used to resolve all 127.0.0.1 addresses ... (unreasonable in my mind because that's not how I understand the hosts file works).

    ---------------------------------------
    -- my hosts file after spybot added stuff
    ---------------------------------------

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost

    # Start of entries inserted by Spybot - Search & Destroy
    # This list is Copyright 2000-2008 Safer Networking Limited
    127.0.0.1 007guard.com <--- note this is the 1st effective entry
    127.0.0.1 www.007guard.com
    127.0.0.1 008i.com
    127.0.0.1 008k.com
    127.0.0.1 www.008k.com
    127.0.0.1 00hq.com
    cut ...

    Note: In this configuration, 007guard.com shows up in various netstat -f tests


    ---------------------------------------
    -- my modification
    ---------------------------------------

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    127.0.0.1 mydummydomainname.com <--- note this is now the 1st effective entry

    # Start of entries inserted by Spybot - Search & Destroy
    # This list is Copyright 2000-2008 Safer Networking Limited

    127.0.0.1 007guard.com
    127.0.0.1 www.007guard.com
    127.0.0.1 008i.com
    127.0.0.1 008k.com
    127.0.0.1 www.008k.com
    127.0.0.1 00hq.com
    cut ...

    Note: In this configuration, iexplore.exe showed an outbound connection to mydummydomainname.com !!!! See attached screenshot of Remote Monitor. And I didn't see any outbound connection to 007guard.com (I sat and watched all connections being made while I opened up Firefox 4, Chrome, IE9 and Safari). When I fired up these other browsers, sure enough, they all wanted to form connections with mydummydomainname.com !!!! So now I am totally baffled because, as I stated before, this is not how I understood the hosts file behaved.

    This is my understanding:

    a) when the OS wants to resolve an IP address, it uses the following services in order:
    - call arp to get the host name (as per RFC 826)
    - arp cache in computer memory

    b) when the OS wants to resolve a host name (i.e. 007guard.com) it looks in the following places in order:
    - hosts file
    - dns
    - wins
    - local broadcast
    - lmhosts file

    c) NETBIOS names are resolved like so (in order):
    - netbios name cache in memory
    - wins
    - local broadcast
    - lmhosts file
    - hosts file
    - dns

    So therefore any app/process trying to resolve 127.0.0.1 shouldn't be using the hosts file (so why default to the 1st entry in the hosts file?). I'm baffled ...

    Time to do some research ...

    =Mark

  #14 - Senior Member (Join Date: Oct 2005, Location: Germany, Posts: 5,263)

    Hello,

    Did you read the first site of this 3-year-old post?

    Best regards
    Sandra
    Team Spybot

  #15 - Junior Member (Join Date: May 2011, Posts: 4)

    @Spybotsandra

    Do you mean the 1st post dated Nov 2007 by Smokeyjoe (and responded to by PepiMK)?

    If you do, then the posts were not clear at all. Nowhere has it been discussed whether the 007guard.com entries in a netstat -f output (or any other such utility) were caused by an actual malware process still running in the user's system, or whether these entries are simply the remnants of a mis-configured HOSTS file (caused by Spybot).

    I set about clarifying the issue for myself with some in-depth research and analysis.

    Basically, Spybot does not detect whether the 127.0.0.1 localhost entry exists or not in the hosts file (such an entry *is* required to ensure that "localhost" doesn't resolve to the 1st entry in the hosts list, namely 007guard.com).

    I hope your next release of Spybot (an otherwise excellent tool) fixes this oversight.

    Cheers,

    Mark

  #16 - Senior Member (Join Date: Oct 2005, Location: Germany, Posts: 5,263)

    Hello,

    You're not really connected to the site "007guard.com". There must be a problem with Spybot's hosts file, which uses a list of malware/adware sites in the form of "007guard.com" to point to the loopback 127.0.0.1, which is your computer. You would never reach the site.
    You can try disabling Spybot's immunization feature. Reboot and see if anything improves.
    You will find more information about this in our forum:
    hosts immunisation. www.007guard.com
    007Guard

    Best regards
    Sandra
    Team Spybot

  #17 - Junior Member (Join Date: Dec 2011, Posts: 1)

    Title: this is my SITREP with 007guard

    I too have fallen victim to the 007guard problem myself. Here is what I have learned from my experience. I got it in my home network from a specific hacker through my online game console. I had a dialog with this individual hacker, not knowing this individual is a hacker, then was invited to Facebook by this hacker. This hacker tried to pose as a potential online friend, only to turn out to be a hacker and a cyber grifter. I discovered I had been, and still remain, hacked by this individual hacker. I discovered this individual hacker was in my computer and network through netstat. I tried every form of anti-virus program and anti-malware program, including Spybot S&D and every function it has. Because I knew who the hacker is, I reported the hacker to www.ic3.gov and still await a response.

    I'm telling you, if you have 007guard on your computer like me, you probably know the hacker who put it there; you just didn't realize it was someone you know and met online. This program takes hold of any messenger you use or any PC game you play without letting go, no matter how many times you terminate the connection with it! You can terminate the connection with it in your web browser and it will return the connection with your browser in only a matter of time. Spybot must make an update that will get rid of this malware, because it will not go away no matter what you do, and it refuses termination from any messenger you use and any game you play on your PC. But believe me, if you have 007guard on your PC it's also on your home network and any machine you have in your home or place of business: it's in your PC, cellphone, game console, or tablet PC etc.

    And it was put there by someone you met, know, and talk to online, or better stated, someone you thought you knew. You need to go through your friends lists on absolutely everything: your IMs, your social network pages, and even your gaming console. Talk to all your friends, ask them questions, check for inconsistencies in their answers. Think about how you met them, what you talk to them about, what the circumstances were that you met them under, and what your friendship is with them. Figure out what your situation is with them now, because make no mistake: if you have 007guard on your PC you are being targeted by an individual hacker/cyber grifter who is looking for something to gain from you. Once you have figured out who your supposed friend is that is doing this to you, you should report this individual to www.ic3.gov as soon as possible. And remember, you probably only know 50 percent of who your individual victimizer really is, so try to get as much truth about them as possible, but report everything you know about them, the truth they told you and the lies they told you; it's all important to the authorities. Go to www.ic3.gov and tell them all you can about the hacker/cyber grifter; again, it will all be important!!! Meanwhile I wait patiently for my response from www.ic3.gov. Spybot S&D, please come up with a fix for this malware problem, because right now neither you nor anyone else has a solution for this 007guard malware problem. PLEASE!!!

  #18 - Member (Join Date: Nov 2009, Posts: 73)

    @cowby22,

    I started to read your post, but without punctuation and paragraphs, I quit after two lines.

  #19 - Junior Member (Join Date: Mar 2012, Posts: 1)

    Quote originally posted by spybotsandra:
        Hello,

        You're not really connected to the site "007guard.com". There must be a problem with Spybot's hosts file, which uses a list of malware/adware sites in the form of "007guard.com" to point to the loopback 127.0.0.1, which is your computer. You would never reach the site.
        You can try disabling Spybot's immunization feature. Reboot and see if anything improves.
        You will find more information about this in our forum:
        hosts immunisation. www.007guard.com
        007Guard

        Best regards
        Sandra
        Team Spybot

    In layperson's terms, can you tell me if this is a bug or not? If it is, should I apply the fix others are suggesting? I am a novice and alarmed about this whole issue and would like my PC to be SECURE. Thanks. PS: if it is a bug, when will you guys fix it?

  #20 - Senior Member (Join Date: Oct 2005, Location: Germany, Posts: 5,263)

    It's not a bug.

    Quote originally posted by PepiMK:
        There is a connection - to 127.0.0.1.

        It is not a connection to 007guard.com though - that's a misinterpretation by netstat, displaying just a "random" (possibly the last?) 127.0.0.1 entry and not the first from the hosts file.

        Connections to 127.0.0.1 are "to" your local machine - a loop redirection to block access to the actual address of specific bad hosts (like 007guard.com).

        Without the hosts file entry, access to 007guard.com would lead to the real bad server; with this, access will be kept "inside" your machine and will enter the nirvana. Since there are many such sites, programs that use the IP address (127.0.0.1) to later display an associated domain (007guard.com) might show invalid names, since there are many and it's impossible to find the correct one. Usually, access to 127.0.0.1 would be legit "local" communication.
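    The effect Mark and PepiMK describe (a tool that reverse-resolves 127.0.0.1 through the hosts file shows whichever name maps to it, so without a 'localhost' line the first immunization entry, 007guard.com, is displayed) can be modelled with a small hosts-file parser plus the check Mark asked Spybot to perform. This is an added example, not code from the thread or from Spybot; the sample files are constructed from the excerpts posted above, and picking the first matching entry in file order is an assumption about how the display tool chooses a name.

```python
"""Added example (not from the thread or Spybot): model how a first-match
reverse lookup of 127.0.0.1 through the hosts file picks a display name, and
check whether a 'localhost' entry precedes the immunization block."""
import ipaddress

# Constructed sample, modelled on the hosts file excerpts posted in the thread.
HOSTS_SPYBOT_ONLY = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
"""

# Same file with an explicit (uncommented) localhost line placed first.
HOSTS_WITH_LOCALHOST = "127.0.0.1 localhost\n" + HOSTS_SPYBOT_ONLY


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an address; skipped (assumption)
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs

def names_for(text, ip):
    """All hostnames the file maps to ip, in file order."""
    return [name for entry_ip, name in parse_hosts(text) if entry_ip == ip]

def display_name(text, ip):
    """Name a first-match reverse lookup shows for ip (assumption: first entry
    in file order, which is what Mark observed); None if ip is unmapped."""
    names = names_for(text, ip)
    return names[0] if names else None

def localhost_entry_first(text):
    """Defender's check: 127.0.0.1 must map back to 'localhost', not to the
    first blocklisted domain in the immunization list."""
    return display_name(text, "127.0.0.1") == "localhost"
```

    Run it against a real copy of c:\windows\system32\drivers\etc\hosts by passing the file contents to localhost_entry_first(); a False result means 127.0.0.1 connections will be labelled with a blocklist name.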
