Author Topic: multiple connections to www.007.guard.com show up in netstat  (Read 26821 times)


Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
multiple connections to www.007.guard.com show up in netstat
« on: December 01, 2008, 10:55:38 AM »
Guys, I know this is not really an Avast! issue, as I don't think anything is on my machine right now,
but a week or so ago I did a reinstall of XP after the exe of my Kerio 2.1.5 firewall suddenly told me it wanted to connect to xxx.007guard.com.
I saw the Kerio icon, and before I thought I clicked "allow".
After a few seconds I thought, "Wow, why would the exe of a discontinued firewall need to connect to any web-site?"
At that point I deleted the rule, and a second later Kerio popped up the same thing.
I checked netstat, and sure enough I had a string of connections to www.007guard.com.
At that point, after running every scanner I could, I just reinstalled the OS.
Bottom line: the connections are back on netstat.

Any idea what to do, or what is wrong?
It's 03:52 here, and I have fought this thing for two hours, and I need to sleep, but any ideas will be greatly appreciated.
« Last Edit: December 01, 2008, 10:54:57 PM by normishmael »
comp1:Shadow Defender,sandboxie free,router,Kerio 2.1.5 .
comp2:Shadow Defender,Sandboxie free,Router/Kerio 2.1.5

Both XP Sp3

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #1 on: December 01, 2008, 11:22:08 AM »
Was that a reformat and reinstall?

What scanners did you try?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #3 on: December 01, 2008, 11:33:11 AM »
FreewheelinFrank,
Full reinstall.
Avast boot-time and thorough scan,
Malwarebytes antimalware free quick and full
superantispyware free full scan
A-Squared free 4Beta full scan
SpybotSD.

thanks

Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #4 on: December 01, 2008, 11:37:49 AM »
Sorry, I didn't read the bottom post you made;
yes, I saw that.
My host file shows the same entry.
I tried to modify it as the poster there did; at first I received "invalid path", then I opened
the properties of the host file, unchecked "read only", tried again to save, and it worked, but I still had six entries to WWW.007.com after reboot.

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #5 on: December 01, 2008, 02:33:59 PM »
It sounds like the system is infected with malware.

I like VStat to show the applications
Quote
VStat is a small GUI tool that produces similar output to the traditional command line tool netstat.

In addition to showing the various states of network activity on your computer it shows the associated application name and process ID. VStat allows you to close any existing established TCP connection and will give you the ability to terminate the owning application associated with any entry, provided you have the relevant permissions to do so.
http://keir.net/vstat.html

I would download MBAM then update it then run a Quick scan and let it remove what it detects and a reboot may be required to remove locked files:
http://www.malwarebytes.org/mbam.php
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #6 on: December 01, 2008, 09:07:43 PM »
Thanks, Kenny and Frank.
Malwarebytes, a-squared, SUPERAntiSpyware, SpybotSD and Avast! boot-time and full scan all
come back squeaky clean.
Deleted the SpybotSD host file, and the connections went away. Re-enabled it and they returned.
See below:
With SpybotSD host file:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\norman ishmael>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    slamco-37c1ef9b:1767   007guard.com:1768      ESTABLISHED
  TCP    slamco-37c1ef9b:1768   007guard.com:1767      ESTABLISHED
  TCP    slamco-37c1ef9b:1769   007guard.com:1770      ESTABLISHED
  TCP    slamco-37c1ef9b:1770   007guard.com:1769      ESTABLISHED
  TCP    slamco-37c1ef9b:1873   007guard.com:12080     ESTABLISHED
  TCP    slamco-37c1ef9b:1969   007guard.com:12080     ESTABLISHED
  TCP    slamco-37c1ef9b:2012   007guard.com:12080     ESTABLISHED
  TCP    slamco-37c1ef9b:2023   007guard.com:12080     ESTABLISHED
  TCP    slamco-37c1ef9b:12080  007guard.com:1873      ESTABLISHED
  TCP    slamco-37c1ef9b:12080  007guard.com:1969      ESTABLISHED
  TCP    slamco-37c1ef9b:12080  007guard.com:2012      ESTABLISHED
  TCP    slamco-37c1ef9b:12080  007guard.com:2023      ESTABLISHED
  TCP    slamco-37c1ef9b:1880   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1883   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1890   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1891   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1892   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1893   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1895   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1898   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1903   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1904   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1905   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1906   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1907   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:1908   63.219.176.130:http    LAST_ACK
  TCP    slamco-37c1ef9b:2011   ag-in-f127.google.com:http  CLOSE_WAIT
  TCP    slamco-37c1ef9b:2013   yw-in-f166.google.com:http  CLOSE_WAIT
  TCP    slamco-37c1ef9b:2014   207.211.21.15:http     CLOSE_WAIT
  TCP    slamco-37c1ef9b:2024   207.211.65.24:http     CLOSE_WAIT

C:\Documents and Settings\norman ishmael>

Without SpybotSD host file:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\norman ishmael>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    slamco-37c1ef9b:1767   slamco-37c1ef9b:1768   ESTABLISHED
  TCP    slamco-37c1ef9b:1768   slamco-37c1ef9b:1767   ESTABLISHED
  TCP    slamco-37c1ef9b:1769   slamco-37c1ef9b:1770   ESTABLISHED
  TCP    slamco-37c1ef9b:1770   slamco-37c1ef9b:1769   ESTABLISHED

C:\Documents and Settings\norman ishmael>

So, I have found something, I just am not swift enough to know what.
If I delete individual sites from the top of the host file while enabled, the netstat
will show connections to the next site on the list (below the deleted entry).

Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #8 on: December 01, 2008, 09:46:49 PM »
OK, thanks FreewheelinFrank!
Adding the "local host" text to the host file did the trick.
Maybe SpybotSD viewed their host file entry as an
add-on to an already established list that would start with the right protocol, so they didn't view it as a stand-alone file.
Or maybe it's just time to put the old warrior (Spybot) out to pasture.
Anyway, it's fixed.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\norman ishmael>netstat
thanks norm
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    slamco-37c1ef9b:2424   localhost:2425         ESTABLISHED
  TCP    slamco-37c1ef9b:2425   localhost:2424         ESTABLISHED
  TCP    slamco-37c1ef9b:2426   localhost:2427         ESTABLISHED
  TCP    slamco-37c1ef9b:2427   localhost:2426         ESTABLISHED
  TCP    slamco-37c1ef9b:2429   localhost:12080        ESTABLISHED
  TCP    slamco-37c1ef9b:2431   localhost:12080        ESTABLISHED
  TCP    slamco-37c1ef9b:2433   localhost:12080        ESTABLISHED
  TCP    slamco-37c1ef9b:2435   localhost:12080        ESTABLISHED
  TCP    slamco-37c1ef9b:12080  localhost:2429         ESTABLISHED
  TCP    slamco-37c1ef9b:12080  localhost:2431         ESTABLISHED
  TCP    slamco-37c1ef9b:12080  localhost:2433         ESTABLISHED
  TCP    slamco-37c1ef9b:12080  localhost:2435         ESTABLISHED
  TCP    slamco-37c1ef9b:2430   yx-in-f99.google.com:http  CLOSE_WAIT
  TCP    slamco-37c1ef9b:2432   static-fxfeeds.nslb-15k.sj.mozilla.com:http  EST
ABLISHED
  TCP    slamco-37c1ef9b:2434   static-fxfeeds.nslb-15k.sj.mozilla.com:http  EST
ABLISHED
  TCP    slamco-37c1ef9b:2436   newslb12.thdo.bbc.co.uk:http  CLOSE_WAIT

C:\Documents and Settings\norman ishmael>

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81803
  • No support PMs thanks
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #9 on: December 01, 2008, 11:35:06 PM »
Some other people don't like 007guard.com either, WOT (Web Of Trust)
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #10 on: December 02, 2008, 05:20:31 AM »
The Spybot S&D HOSTS file does not go through the extensive checking that the hpHosts and MVPS HOSTS files do, so it has obsolete entries that take up space.

I use hpHosts and MVPS HOSTS files:
http://www.mvps.org/winhelp2002/hosts.htm <== has a good description of the HOSTS file and its use

I manage them with HostsMan and I use its HostsServer proxy to speed up browsing:
http://www.abelhadigital.com

The HOSTS file works for all browsers.

Offline normishmael

  • Sr. Member
  • ****
  • Posts: 232
  • That is Not Dead, which can Eternal Lie.
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #11 on: December 04, 2008, 12:21:23 PM »
YoKenny,
I have taken your advice and installed the MVPS HOSTS file.
Regarding the below text in the readme file:

[Important Notice - 2K/XP/Vista Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs
in W2000 and XP. Windows 98 and Windows ME are not affected.

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.

Does the flush DNS cache option in the HostsMan utility
replace the function lost when DNS Client is disabled, or rather set to manual?
thanks norman ishmael

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #12 on: December 04, 2008, 02:23:49 PM »
The flush DNS cache option is meaningless as there is nothing to flush, and I do not have it set in HostsMan's Options.

Go to Start, then Run, then enter cmd to open up a command window, then enter the ipconfig /flushdns command and you will see that the command fails.

Offline foxylady337

  • Newbie
  • *
  • Posts: 1
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #13 on: January 16, 2009, 08:05:41 AM »
I found this thread using a Google search after I had found multiple connections to wwwDOT007guardDOTcom using netstat, and spent a great deal of time worrying unnecessarily about malware.

I eventually realised that Spybot had inserted a large number of lines in my "hosts" file like this:

...
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
127.0.0.1   www.008k.com
127.0.0.1   008k.com
127.0.0.1   www.00hq.com
127.0.0.1   00hq.com
127.0.0.1   010402.com
...

and that this file is where netstat looks when it is putting a name to an IP address.

When netstat looks for 127.0.0.1, the first entry it finds is 007guard's one, and it reports accordingly.

The solution is to insert a line like this:

...
127.0.0.1   localhost
# Start of entries inserted by Spybot - Search & Destroy
...

and you can then stop worrying about perfectly innocent programs which are connecting directly with localhost.

The downside of this approach is that you won't know that a program is trying to connect to one of the malware sites that Spybot is protecting you from, but if you're protected it doesn't really matter!

foxylady337
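
The lookup described in the post above, as an added example that is not part of the original post or of any tool named in the thread: it parses a hosts file, reports the name a first-match reverse lookup of 127.0.0.1 would return, and separates netstat rows that are really loopback traffic from rows that go to a remote host. The sample hosts text and netstat rows are constructed, modelled on what was posted, and the first-match behaviour is taken from the post as an assumption.

```python
import ipaddress

# Constructed sample: hosts file as in the post above (no localhost line first).
HOSTS_SPYBOT = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
"""
HOSTS_FIXED = "127.0.0.1   localhost\n" + HOSTS_SPYBOT

# Constructed netstat rows modelled on the output posted in the thread.
NETSTAT = """\
  TCP    slamco-37c1ef9b:1873   007guard.com:12080     ESTABLISHED
  TCP    slamco-37c1ef9b:1880   63.219.176.130:http    LAST_ACK
"""

def parse_hosts(text):
    """Return [(ip, name), ...] in file order, skipping comments and junk."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def reverse_label(entries, ip="127.0.0.1"):
    """First name listed for `ip`: the first-match lookup the post describes."""
    target = ipaddress.ip_address(ip)
    return next((name for addr, name in entries if addr == target), None)

def triage(netstat_text, entries):
    """Split TCP/UDP rows into (loopback shown under a blocklist name, other)."""
    aliases = {n for a, n in entries if a.is_loopback and n != "localhost"}
    local, other = [], []
    for row in netstat_text.splitlines():
        cols = row.split()
        if len(cols) < 3 or cols[0] not in ("TCP", "UDP"):
            continue
        host = cols[2].rsplit(":", 1)[0].lower()
        (local if host in aliases else other).append(row.strip())
    return local, other

if __name__ == "__main__":
    print(reverse_label(parse_hosts(HOSTS_SPYBOT)))
    print(reverse_label(parse_hosts(HOSTS_FIXED)))
    print(triage(NETSTAT, parse_hosts(HOSTS_SPYBOT)))
```

Running `netstat -n` prints numeric addresses instead of names, so loopback rows show as 127.0.0.1 whatever the hosts file contains.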

Offline philleto31

  • Newbie
  • *
  • Posts: 2
Re: multiple connections to www.007.guard.com show up in netstat
« Reply #14 on: March 22, 2012, 08:30:30 AM »
Not true. If you have 007guard in your PC, it's a host file parasite, and it's highly likely someone you talk to put it there. With it they can see everything you do online and on your PC, and there is no program I know of that can stop it!!!!!!!!!!!!!!!!! I'm at the point I will pay anybody to help successfully defeat it!!!!!!!!!!!!!!!!!!!!!!!!!!