Guys, I know this is not really an Avast! issue, as I don’t think anything is on my machine right now,
but a week or so ago I did a reinstall of XP after the exe of my Kerio 2.1.5 firewall suddenly told me it wanted to connect to xxx.007guard.com.
I saw the Kerio icon, and before I thought I clicked “allow”.
After a few seconds I thought, “wow, why would the exe of a discontinued firewall need to connect to any web-site?”
At that point I deleted the rule, and a second later Kerio popped up the same thing.
I checked netstat, and sure enough I had a string of connections to www.007guard.com.
At that point, after running every scanner I could, I just reinstalled the OS.
Bottom line: the connections are back on netstat.
Any idea what to do, or what is wrong?
It’s 03:52 here, and I have fought this thing for two hours, and I need to sleep, but any ideas will be greatly appreciated.
FreewheelinFrank,
Full reinstall.
Avast boot-time and thorough scan,
Malwarebytes Antimalware free quick and full
SuperAntiSpyware free full scan
A-Squared free 4Beta full scan
SpybotSD.
Sorry, I didn’t read the bottom post you made,
yes, I saw that.
My host file shows the same entry.
I tried to modify it as the poster there did; at first I received invalid path, then I opened
properties of host file, unchecked “read only”, tried again to save, it worked, but I still had six entries to WWW.007.com after reboot.
It sounds like the system is infected with malware.
I like VStat to show the applications.
VStat is a small GUI tool that produces similar output to the traditional command line tool netstat.
In addition to showing the various states of network activity on your computer it shows the associated application name and process ID. VStat allows you to close any existing established TCP connection and will give you the ability to terminate the owning application associated with any entry, provided you have the relevant permissions to do so.
I would download MBAM then update it then run a Quick scan and let it remove what it detects and a reboot may be required to remove locked files: http://www.malwarebytes.org/mbam.php
Thanks Kenny and Frank.
Malwarebytes, A-Squared, SuperAntiSpyware, SpybotSD and Avast! boot time and full scan all
come back squeaky clean.
Deleted the SpyBot SD host file, and connections went away. Re-enabled it and they returned.
See below:
With SpybotSD host file:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\norman ishmael>netstat
Active Connections
Proto Local Address Foreign Address State
TCP slamco-37c1ef9b:1767 007guard.com:1768 ESTABLISHED
TCP slamco-37c1ef9b:1768 007guard.com:1767 ESTABLISHED
TCP slamco-37c1ef9b:1769 007guard.com:1770 ESTABLISHED
TCP slamco-37c1ef9b:1770 007guard.com:1769 ESTABLISHED
TCP slamco-37c1ef9b:1873 007guard.com:12080 ESTABLISHED
TCP slamco-37c1ef9b:1969 007guard.com:12080 ESTABLISHED
TCP slamco-37c1ef9b:2012 007guard.com:12080 ESTABLISHED
TCP slamco-37c1ef9b:2023 007guard.com:12080 ESTABLISHED
TCP slamco-37c1ef9b:12080 007guard.com:1873 ESTABLISHED
TCP slamco-37c1ef9b:12080 007guard.com:1969 ESTABLISHED
TCP slamco-37c1ef9b:12080 007guard.com:2012 ESTABLISHED
TCP slamco-37c1ef9b:12080 007guard.com:2023 ESTABLISHED
TCP slamco-37c1ef9b:1880 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1883 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1890 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1891 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1892 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1893 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1895 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1898 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1903 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1904 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1905 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1906 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1907 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:1908 63.219.176.130:http LAST_ACK
TCP slamco-37c1ef9b:2011 ag-in-f127.google.com:http CLOSE_WAIT
TCP slamco-37c1ef9b:2013 yw-in-f166.google.com:http CLOSE_WAIT
TCP slamco-37c1ef9b:2014 207.211.21.15:http CLOSE_WAIT
TCP slamco-37c1ef9b:2024 207.211.65.24:http CLOSE_WAIT
C:\Documents and Settings\norman ishmael>
Without SpybotSD host file:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\norman ishmael>netstat
Active Connections
Proto Local Address Foreign Address State
TCP slamco-37c1ef9b:1767 slamco-37c1ef9b:1768 ESTABLISHED
TCP slamco-37c1ef9b:1768 slamco-37c1ef9b:1767 ESTABLISHED
TCP slamco-37c1ef9b:1769 slamco-37c1ef9b:1770 ESTABLISHED
TCP slamco-37c1ef9b:1770 slamco-37c1ef9b:1769 ESTABLISHED
C:\Documents and Settings\norman ishmael>
So, I have found something, I just am not swift enough to know what.
If I delete individual sites from the top of the host file while enabled, the netstat
will show connections to the next site on the list (below the deleted entry).
OK, thanks FreeWheelinFrank!
Adding the “local host” text to the host file did the trick.
Maybe SpyBotSD viewed their host file entry as an
add-on to an already established list that would start with the right protocol, so they didn’t view it as a stand-alone file.
Or maybe it’s just time to put the old warrior (SpyBot) out to pasture.
Anyway, it’s fixed.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\norman ishmael>netstat
thanks norm
Active Connections
Proto Local Address Foreign Address State
TCP slamco-37c1ef9b:2424 localhost:2425 ESTABLISHED
TCP slamco-37c1ef9b:2425 localhost:2424 ESTABLISHED
TCP slamco-37c1ef9b:2426 localhost:2427 ESTABLISHED
TCP slamco-37c1ef9b:2427 localhost:2426 ESTABLISHED
TCP slamco-37c1ef9b:2429 localhost:12080 ESTABLISHED
TCP slamco-37c1ef9b:2431 localhost:12080 ESTABLISHED
TCP slamco-37c1ef9b:2433 localhost:12080 ESTABLISHED
TCP slamco-37c1ef9b:2435 localhost:12080 ESTABLISHED
TCP slamco-37c1ef9b:12080 localhost:2429 ESTABLISHED
TCP slamco-37c1ef9b:12080 localhost:2431 ESTABLISHED
TCP slamco-37c1ef9b:12080 localhost:2433 ESTABLISHED
TCP slamco-37c1ef9b:12080 localhost:2435 ESTABLISHED
TCP slamco-37c1ef9b:2430 yx-in-f99.google.com:http CLOSE_WAIT
TCP slamco-37c1ef9b:2432 static-fxfeeds.nslb-15k.sj.mozilla.com:http ESTABLISHED
TCP slamco-37c1ef9b:2434 static-fxfeeds.nslb-15k.sj.mozilla.com:http ESTABLISHED
TCP slamco-37c1ef9b:2436 newslb12.thdo.bbc.co.uk:http CLOSE_WAIT
YoKenny
I have taken your advice and installed MVPS HOSTS File.
Regarding the text below in the readme file:
[Important Notice - 2K/XP/Vista Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs
in W2000 and XP. Windows 98 and Windows ME are not affected.
To resolve this issue (manually) open the “Services Editor”
Start | Run (type) “services.msc” (no quotes)
Scroll down to “DNS Client”, Right-click and select: Properties
Click the drop-down arrow for “Startup type”
Select: Manual, click Apply/Ok and restart.
Does the flush DNS cache option in the HostMan utility
replace the function lost when DNS Client is disabled, or rather set to manual?
Thanks, norman ishmael
I found this thread using a Google search after I had found multiple connections to wwwDOT007guardDOTcom using netstat, and spent a great deal of time worrying unnecessarily about malware.
I eventually realised that Spybot had inserted a large number of lines in my “hosts” file like this:
…
Start of entries inserted by Spybot - Search & Destroy
and that this file is where netstat looks when it is putting a name to an IP address.
When netstat looks for 127.0.0.1, the first entry it finds is 007guard’s one, and it reports accordingly.
The solution is to insert a line like this:
…
127.0.0.1 localhost
Start of entries inserted by Spybot - Search & Destroy
…
and you can then stop worrying about perfectly innocent programs which are connecting directly with localhost.
The downside of this approach is that you won’t know that a program is trying to connect to one of the malware sites that Spybot is protecting you from, but if you’re protected it doesn’t really matter!
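An added example, not part of the original posts: a small Python check for the effect described in the post above, where a hosts file with no `localhost` line makes loopback traffic appear under a blocklist name. It assumes, as that post states, that the name shown for an address is the first name on the first matching hosts line; the sample data and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: a blocklist owns every 127.0.0.1 line, no localhost entry.
SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 blocked.example
"""
# Constructed netstat rows in the layout shown in the thread.
SAMPLE_NETSTAT = """\
TCP pc:1767 www.007guard.com:1768 ESTABLISHED
TCP pc:1873 www.007guard.com:12080 ESTABLISHED
TCP pc:1880 63.219.176.130:http LAST_ACK
"""

def parse_hosts(text):
    """Return [(ip, [names])] in file order, skipping comments and junk."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [n.lower() for n in fields[1:]]))
    return entries

def reverse_name(entries, address):
    """Name shown for `address`: first name on the first matching line (assumed)."""
    ip = ipaddress.ip_address(address)
    return next((names[0] for e_ip, names in entries if e_ip == ip), None)

def mislabelled_loopback(netstat_text, entries):
    """Rows whose foreign host is only a hosts-file alias for a loopback address."""
    aliases = {n for ip, names in entries if ip.is_loopback for n in names}
    aliases.discard("localhost")
    rows = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[2].rsplit(":", 1)[0].lower() in aliases:
            rows.append(line)
    return rows

def with_localhost_first(text):
    """Prepend the localhost mapping if loopback does not already resolve to it."""
    if reverse_name(parse_hosts(text), "127.0.0.1") == "localhost":
        return text
    return "127.0.0.1 localhost\n" + text
```

Rows returned by `mislabelled_loopback` are local connections (for example to a local proxy port), not traffic to the named site; use `netstat -n` to see the numeric address directly.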
Not true. If you have 007guard in your PC, it’s a host file parasite and it’s highly likely someone you talk to put it there. With it they can see everything you do online and on your PC, and there is no program I know of that can stop it!!! I’m at the point I will pay anybody to help successfully defeat it!!!
Odd. I have SpyBot Search & Destroy and I have no problem. The lines below are added by SpyBot Search & Destroy www.007guard.com 127.0.0.1 007guard.com are 127.0.0.1
which block access to those sites. Most hosts files that are recommended in the forums include these lines.