Thread: 007guard.com may be the culprit

  1. #1
    Junior Member
    Join Date
    Sep 2008
    Posts
    1

    Default 007guard.com may be the culprit

    after I updated to 1.6 with the latest updates, and re-immunized, I discovered connection attempts to 007guard.com
    from my research, it appears to be an attempt at data mining.
    this was definitely pegged to the latest updates w/ 1.6 and reimmunization.
    make sure all are protected after immunizing

    simple check, - start the box, when loaded, don't wait too long, from command line run netstat -b -v.
    you will see connect attempts waiting. I also had established connects when running a database instance.

    something's up with this ver,
    anyone have any insight??????

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Los Angeles
    Posts
    219

    Default

    007guard.com
    has been dealt with on this forum before- search the archives

    I'd update and do a full scan with My AV
    and then go to the Malware Removal Forum
    read the stickies
    post there
    AND DO NOT ANSWER YOUR FIRST POST

  3. #3
    Senior Member
    Join Date
    Oct 2005
    Location
    Los Angeles
    Posts
    219

    Default

    I've seen this before
    do you use firefox?

    see
    http://forums.majorgeeks.com/showthread.php?p=1182943
    for some non malware insight

    however 007guard.com is associated with ALEXIA

    "it need to be removed from windows host file or changed in this file with address 127.0.0.1
    usually this happen when is new version of spybot and destroy installed"

    I'd get this sorted out

  5. #5
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Sounds a lot like there is no
    Code:
    127.0.0.1  localhost
    line in your hosts file at the very beginning, in which case the local name resolution will assume the first immunization name as the name of your local computer.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
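
The hosts-file condition described in post #5, as an added example that is not part of the original thread or Spybot's own code. It assumes the loopback address is displayed under the first name mapped to 127.0.0.1 in file order (the behaviour the post describes); the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: blocklist entries come first and no localhost line exists.
SAMPLE_BROKEN = """\
# constructed immunization-style entries
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 blocked.example
"""

def parse_hosts(text):
    """Return (ip, [names]) tuples in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, e.g. the name written before the address
        if len(fields) > 1:
            entries.append((fields[0], fields[1:]))
    return entries

def loopback_name(text):
    """Assumed first-match rule: the first name mapped to 127.0.0.1 wins."""
    for ip, names in parse_hosts(text):
        if ip == "127.0.0.1":
            return names[0]
    return None

def check_hosts(text):
    """Describe how loopback connections would be labelled by name."""
    name = loopback_name(text)
    if name is None:
        return "no 127.0.0.1 entries"
    if name.lower() == "localhost":
        return "ok: 127.0.0.1 displays as localhost"
    return "misleading: 127.0.0.1 displays as " + name

def fix_hosts(text):
    """Prepend the loopback line unless localhost is already the first match."""
    if (loopback_name(text) or "").lower() == "localhost":
        return text
    return "127.0.0.1 localhost\n" + text

if __name__ == "__main__":
    print(check_hosts(SAMPLE_BROKEN))
    print(check_hosts(fix_hosts(SAMPLE_BROKEN)))
```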

  6. #6
    Junior Member
    Join Date
    Jul 2006
    Posts
    17

    Default me too, but it looks harmless enough

    guvvy -
    I am running win98SE, so my syntax for netstat may be a bit different assuming you run XP (I can't use either -b or -v here so not sure what you saw, I had to settle for -a). So try netstat -? to see the available options, and adjust my comments accordingly....

    try netstat -n (this gives numeric IP addresses instead of domain names), then compare the port numbers to match up the corresponding connections. Do the ones that used to say 007guard.com now say 127.0.0.1? And notice the pairs of port numbers - is there something like port 1025 connecting to port 1026, with the next line being the reverse (connection from port 1026 back to port 1025 - your number pairs will probably differ)? I seem to have two sets of these cross coupled loopbacks.

    Not sure exactly what is making these connections but I have heard that some AVs and some FWs set them up like this, also possibly some .NET applications, maybe your database thing is like that?

    Assuming everything else seems normal, you might just fix your hosts file, to prevent future panics. It seemed to do the trick for mine, they now read as "localhost" instead.

    PepiMK-
    I had this also, adding the localhost address line seems to fix it. I do remember looking at hosts ages ago and it had this line then, and Spybot is the only thing I have that changes it, so at some point it must have got overwritten rather than merged? I suspect lots of people will have this situation. At any rate, it seems to merge correctly now, after adding the loopback address.

    By the way, there are some quirks to the hosts file handling:
    1) the "Lock hosts file" checkbox in IE Tweaks keeps re-checking itself and making hosts readonly no matter how many times I clear the checkbox and reset it in the file properties sheet. (Yes I've made sure to clear the checkboxes in my other programs as well.) The behavior always happens immediately after using either the Immunize panel, or the Hosts panel in the Tools section.

    2) The Hosts tool Add Spybot Hosts List button seems to work similar to the Immunize with the Hosts checkbox marked. Not so for comparing Remove Spybot Hosts List button to the Immunize Undo - the Undo is almost instantaneous while the Remove button is horribly slow.... (although it does seem to finally end up working the same) shouldn't these be similar?
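
The netstat -n comparison suggested in post #6, as an added example that is not part of the original thread. The netstat output below is constructed, and the function names are illustrative; the script separates mirrored loopback pairs (local process talking to itself) from established connections to other hosts, which are the ones worth a closer look.

```python
# Constructed sample of Windows "netstat -n" output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:1031         ESTABLISHED
  TCP    192.168.1.20:1040      203.0.113.7:80         ESTABLISHED
"""

LOOPBACK = "127.0.0.1"

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP":
            lip, lport = f[1].rsplit(":", 1)
            rip, rport = f[2].rsplit(":", 1)
            rows.append((lip, int(lport), rip, int(rport), f[3]))
    return rows

def classify(text):
    """Split rows into mirrored loopback port pairs and non-loopback peers."""
    rows = parse_netstat(text)
    seen = {(l, lp, r, rp) for l, lp, r, rp, _ in rows}
    pairs, remote = set(), []
    for l, lp, r, rp, state in rows:
        if l == LOOPBACK and r == LOOPBACK:
            # A cross-coupled pair appears once in each direction.
            if (r, rp, l, lp) in seen:
                pairs.add(tuple(sorted((lp, rp))))
        elif state == "ESTABLISHED":
            remote.append((r, rp))
    return sorted(pairs), remote

if __name__ == "__main__":
    loop_pairs, peers = classify(SAMPLE_NETSTAT)
    print("loopback pairs:", loop_pairs)
    print("external peers:", peers)
```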
