Sunday, 6 January 2019

virus removal - 007guard: What is it, is it dangerous, and can it be removed?


For some time, I've been running Spybot S&D and AVG AntiVirus, both completely updated to the latest versions. During a regular check of my system, I found a huge number of connection attempts to 007guard.com, and neither Spybot nor AVG is reporting anything about it. Yes, I've run the full scans and the rootkit scan. On my 8TB disk this is not a fun job to do.


What I did notice is that there is a record in my hosts file, sending 007guard.com to 127.0.0.1.


After searching Google, I found exactly 0 information on this process, other than 1 sentence saying "it's a beta, re-format". When checking with some tools from the SysInternals suite, I find that my open browsers (Firefox and Chrome) are attempting to connect to www.007guard.com:1337 and www.007guard.com:1338.


My question: Can anyone provide me with information about this 007guard?



  • What is it?

  • Is it dangerous?

  • How to remove it?



Answer



I'm pretty sure I know what's going on, and it's Spybot that did it to you (sort of).


Spybot put entries in your Hosts file, but removed the usual default localhost entry (or it is missing for some other reason).


"007guard.com" happens to be alphabetically first, so it was inserted at the top of the list.


When a process does a reverse lookup for the 127.0.0.1 loopback's name (which happens frequently for many different, benign reasons), it will return the first matching record for 127.0.0.1 found in the Hosts file.


Normally it would get localhost back as the name, because by default it's the first entry in the Hosts file, but it's not in yours; 007guard.com is.


007guard.com, whatever malicious thing it was, is long gone, but Spybot still adds the entry to Hosts, and you're just seeing references to the blocked domain because your loopback address's (127.0.0.1) name is resolving incorrectly.


So opening your Hosts file and adding 127.0.0.1 localhost above all other entries should fix the trouble you're having.
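The check below is an added example, not part of the original answer: it models the first-match behaviour the answer describes and reports which name a reverse lookup of 127.0.0.1 would pick up from a hosts file. The sample hosts content and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file in the state the answer describes:
# blocklist entries present, default localhost line missing.
SAMPLE_HOSTS = """\
# Entries inserted by a blocklist tool (constructed sample)
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 blocked.example   # further blocklist entries would follow
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each entry, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, ip, fields[1:]

def loopback_name(text, address="127.0.0.1"):
    """Return (line_no, name) of the first entry for address, or None."""
    target = ipaddress.ip_address(address)
    for line_no, ip, names in parse_hosts(text):
        if ip == target:
            return line_no, names[0]
    return None

def check(text):
    """Describe whether 127.0.0.1 maps back to localhost first."""
    hit = loopback_name(text)
    if hit is None:
        return "no 127.0.0.1 entry in hosts file"
    line_no, name = hit
    if name.lower() == "localhost":
        return "ok: 127.0.0.1 -> localhost"
    return f"line {line_no}: 127.0.0.1 -> {name}; add '127.0.0.1 localhost' above it"

def apply_fix(text):
    """Return the hosts text with the localhost entry placed first."""
    return "127.0.0.1 localhost\n" + text

if __name__ == "__main__":
    print(check(SAMPLE_HOSTS))             # state described in the question
    print(check(apply_fix(SAMPLE_HOSTS)))  # after the fix from the answer
```

To check a real system, pass the contents of its hosts file to `check()` instead of the constructed sample.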

