Thread: www.007guard.com connection established?

  1. #1
    Junior Member
    Join Date
    Aug 2010
    Posts
    4

    Default www.007guard.com connection established?

    Hi, anyway I have SpyBot installed on my system, I update, scan and immunize on a regular basis and just today I noticed while using the Windows 7 Task Manager's "Resource Monitor" under Networking that every time I open my Firefox a connection is established with (www)007guard.com, which is a reported malware site.


    Now, since I immunize every time I update the software, I know how it works. It basically binds the badware site to a loop which is redirected to the host local address.
    Or something like that.

    This is what it says in my host file:


    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com


    Everything fine there?

    Here is a picture of my netstat:



    So why is there a connection established to this site?
    Even after I open Firefox, every once in a while there are again a couple of bits sent to this site.
    So why are bits sent to that site all the time? Even if it's just 1 or 3 bits, sometimes more.

  2. #2
    Senior Member
    Join Date
    May 2009
    Posts
    236

    Default

    See Registry changes and hosts immunisation. www.007guard.com threads. It's not actually connecting. Do a TraceRoute to www.007guard.com and post the result here.

  3. #3
    Junior Member
    Join Date
    Aug 2010
    Posts
    4

    Default

    Quote (originally posted by Gopher John):
    See Registry changes and hosts immunisation. www.007guard.com threads. It's not actually connecting. Do a TraceRoute to www.007guard.com and post the result here.

    Thanks for answering.

    I've done the TraceRoute and the link is immunized by the SpyBot because it pings my local host address 127.0.0.1, which is all fine and great.

    What I would like to know is why it sends bits to it, like when I open Firefox and later on randomly.
    Last edited by Nortd; 2010-08-13 at 16:21.

  4. #4
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    I think you need to uncomment the 127.0.0.1 Localhost line.

    Commenting out that line leads to confusion and feedback from various sources that 127.0.0.1 is www.007guard.com instead of localhost.

    Uncomment that line and everything that is currently reported as a connection to www.007guard.com will be reported as a connection to localhost correctly.
    Last edited by tashi; 2010-08-13 at 21:24. Reason: Disabled all live links to 007guard.com in all posts above ;-)

  5. #5
    Junior Member
    Join Date
    Aug 2010
    Posts
    4

    Default

    Quote (originally posted by lardboy):
    I think you need to uncomment the 127.0.0.1 Localhost line.

    Commenting out that line leads to confusion and feedback from various sources that 127.0.0.1 is www.007guard.com instead of localhost.

    Uncomment that line and everything that is currently reported as a connection to www.007guard.com will be reported as a connection to localhost correctly.

    From what I have read from numerous sources, the local host address in Windows 7 is commented out for a reason by Windows itself.

    It even says in the description:
    localhost name resolution is handled within DNS itself.

    Does anyone know why I only have a problem with this loop?
    What about the thousands of others that are also redirected to my host source, why don't I have a connection established with those links then?

    I think that the whole immunization just isn't done correctly as it was in previous versions because of the change on how Windows works with DNS.

    If I uncomment the local host address then there might be some conflict since it's already being handled inside the DNS.

    Also, which part do I have to uncomment?

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
    Last edited by Nortd; 2010-08-14 at 08:22.

  6. #6
    Junior Member
    Join Date
    May 2007
    Posts
    11

    Default

    I had the same problem you're having and you have to uncomment at least

    127.0.0.1 Localhost

    but you can also uncomment

    ::1 Localhost

  7. #7
    Junior Member
    Join Date
    Aug 2010
    Posts
    4

    Default

    Quote (originally posted by lardboy):
    I had the same problem you're having and you have to uncomment at least

    127.0.0.1 Localhost

    but you can also uncomment

    ::1 Localhost

    Thanks, that should do it.
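
The labelling effect discussed in this thread, as an added example that is not part of any post: it parses the hosts file as posted and shows that the blocked name still resolves to 127.0.0.1 either way, while the name displayed for 127.0.0.1 changes once the localhost lines are active. The function names are hypothetical, and the rule that a tool labels an address with the first active hosts-file name mapped to it is an assumption used to model the behaviour, not Windows code.

```python
# Added illustration (not from the thread). Assumption: a monitoring tool labels
# an address with the first active hosts-file name mapped to that address.
HOSTS_AS_POSTED = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

def parse_hosts(text):
    """Return [(ip, [names])] for active lines; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def forward(entries, name):
    """Name -> address lookup against the file (first match wins)."""
    for ip, names in entries:
        if name.lower() in (n.lower() for n in names):
            return ip
    return None

def label_for(entries, ip):
    """Address -> display label under the assumption stated above."""
    for entry_ip, names in entries:
        if entry_ip == ip:
            return names[0]
    return None

def uncomment_localhost(text):
    """Activate only the two commented-out localhost lines."""
    wanted = {("127.0.0.1", "localhost"), ("::1", "localhost")}
    out = []
    for line in text.splitlines():
        body = line.lstrip("#").split()
        if line.startswith("#") and tuple(body) in wanted:
            line = " ".join(body)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for title, text in (("as posted", HOSTS_AS_POSTED),
                        ("localhost uncommented", uncomment_localhost(HOSTS_AS_POSTED))):
        e = parse_hosts(text)
        print(title, "| blocked name ->", forward(e, "www.007guard.com"),
              "| 127.0.0.1 shown as", label_for(e, "127.0.0.1"))
```

In both cases the traffic stays on the loopback interface; only the name attached to 127.0.0.1 differs.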
