By General Mills on May 25, 2009
Well, I just realized why I was getting connections to www.007guard.com whenever I opened a web browser. It is actually quite simple, which is why it was overlooked.
The hosts file is a file that maps IP addresses to host names on a computer. When a computer starts up, it loads the hosts file into memory first, before it queries any DNS servers. So what had happened was that Spybot Search and Destroy had added the following entries into my hosts file in Windows 7:
# Start of entries inserted by Spybot – Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
…
As you can see, the first entry was “127.0.0.1 www.007guard.com”. This means that whenever a program tries to connect to www.007guard.com, it will be redirected to 127.0.0.1, which we all know to be “localhost”, or your own computer. This will effectively block any connections to www.007guard.com.
Anyway, the problem turned out to be a missing entry in the hosts file:
127.0.0.1 localhost
Apparently what was happening is that whenever a connection to localhost was established, Windows first consulted my hosts file, which told it that 127.0.0.1 mapped to www.007guard.com. This resulted in the following netstat -f output:

The connections are actually legitimate and are nothing to worry about. To fix this issue, just add the following to your hosts file on the first line.
127.0.0.1 localhost
After adding that to your hosts file, netstat -f should look like this:

And that’s all there is to it! I am so glad that I finally fixed this annoying problem that has been plaguing me for a couple of weeks. Looks like some patience and good research on Google paid off! If you are interested in learning more about using the hosts file to block malware, I would go to http://www.mvps.org/winhelp2002/hosts.htm; they have good information on the hosts file and a pre-made list of sites to block for you. Remember, these techniques will work in every OS (Windows, Linux, Mac) since they all use a hosts file!
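Added example (not from the original post): a short Python check that parses hosts-file text and reports the name that 127.0.0.1 connections would be labelled with, modelling the behaviour the post describes, where the first entry for an address wins the reverse lookup. The sample file contents and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the post; "127.0.0.1 localhost" is absent.
SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
"""

def parse_hosts(text):
    """Yield (address, [names]) for each mapping line, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid mapping line
        if len(fields) > 1:
            yield addr, fields[1:]

def reverse_name(text, ip="127.0.0.1"):
    """Assumption taken from the post: a reverse lookup of `ip` reports the
    first name mapped to it, in file order. Returns None if no entry."""
    target = ipaddress.ip_address(ip)
    for addr, names in parse_hosts(text):
        if addr == target:
            return names[0]
    return None

def loopback_finding(text):
    """Explain what netstat -f would label 127.0.0.1 connections as."""
    name = reverse_name(text)
    if name is None:
        return "ok: no hosts entry for 127.0.0.1"
    if name.lower() == "localhost":
        return "ok: 127.0.0.1 resolves back to localhost"
    return f"misleading: 127.0.0.1 will be shown as {name}"

def with_localhost_first(text):
    """Return the hosts text with the post's fix applied on the first line."""
    return "127.0.0.1 localhost\n" + text

if __name__ == "__main__":
    print(loopback_finding(SAMPLE_HOSTS))
    print(loopback_finding(with_localhost_first(SAMPLE_HOSTS)))
```

To check a real file, pass its contents to `loopback_finding`, for example the text read from the hosts file path given in the post.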
References:
http://forum.avast.com/index.php?PHPSESSID=93034020fb53cd58398b96893f9df3bb&topic=40574.msg340233#msg340233
http://forum.avast.com/index.php?topic=41225.0
http://www.mvps.org/winhelp2002/hosts.htm
By General Mills on May 11, 2009

007guard.com is Spyware!
Well, it appears that the 007guard.com spyware somehow got onto my Windows 7 RC system. I have no clue how it got on at this point, since I am really careful about downloading and browsing the web in general. I never use Internet Explorer (or exploder, he he); I use Firefox 3.0 with the NoScript add-on and Adblock Plus as well. I also checked a virtual machine of Windows 7 just to make sure that my media wasn’t compromised or tampered with, and sure enough it didn’t have any connections to 007guard.com in the netstat output.
Here is a sample output of what I see when I run the netstat -f command in the terminal:
As you can see there are a ton of connections going to 007guard.com on various ports. The local address is 127.0.0.1 which is localhost for those who didn’t know.

One way to block 007guard.com from connecting to its “Mothership” or master is to edit the hosts file in Windows so that the domain points to localhost. That way, when the malware tries to open a connection to its remote location on the web, it will be redirected to 127.0.0.1, which will go nowhere and stay locally on the machine. You can do the same thing in Linux and other operating systems as well.
The Windows hosts file is located in “C:\Windows\System32\drivers\etc\hosts” (use Notepad to edit it).
So at this point it’s still in my machine somewhere, and Spybot, Ad-Aware, AVG, Avast and pretty much all the scanners can’t get rid of it. I may have to wipe and reload my machine just to make sure it’s gone for good this time, which is really annoying since it takes a ton of time to re-install Windows plus get everything back to the way it was before this crap happened.
Here are some references for more information on 007guard.com spyware/malware:
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/b2e7ce83-4445-40d2-8b9e-19ea412eef4d
http://www.sevenforums.com/system-security/3262-007guard-how-remove.html