Does a netstat connection to 007guard.com mean malware?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by NobodyCares, Jul 11, 2008.

  1. NobodyCares

    NobodyCares Private E-2

    I just want to check before I spend 3 days doing all the generic scans.

    I ran a netstat and noticed 4 ESTABLISHED TCP connections to www.007guard.com with a PID of 2676. TCPView does not show any connections to www.007guard.com. I've noticed no symptoms of the 2search adware (but I don't use IE), and following multiple sites' scanning and removal instructions for 2search/007guard has yielded no detection (I've only run HJT, Symantec, Ad-Aware, and SuperAntiSpyware scans so far). Are these connections an indication of malware, or are they something else, like a spyware program blocking the site? I know Spybot inserted lines like this:

    127.0.0.1 www.the.007guard.com
    127.0.0.1 the.007guard.com

    in my hosts file, but I don't really know what the netstat information means.

    I'm not asking for help removing any malware, I'm just trying to save myself the 2 days it usually takes to do all your recommended scans if this netstat does not imply anything wrong (it's my only indication that something may be wrong). I just noticed lines that I've never seen before in a netstat and wanted to check, since I know nothing about netstat, and only ran it to check an IP. Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Capture the full output from the netstat command you are running with ALL browsers closed. Attach this here.

    Then attach another after you open a browser window and have it open while running netstat.
     
  3. NobodyCares

    NobodyCares Private E-2

    Ok, thanks:

    Before Firefox is open:

    Code:
    C:\>netstat
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
    Immediately after Firefox is open:

    Code:
    C:\>netstat
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
      TCP    cpuname:4028              www.007guard.com:4029  ESTABLISHED
      TCP    cpuname:4029              www.007guard.com:4028  ESTABLISHED
      TCP    cpuname:4030              www.007guard.com:4031  ESTABLISHED
      TCP    cpuname:4031              www.007guard.com:4030  ESTABLISHED
      TCP    cpuname:4032              py-in-f104.google.com:http  ESTABLISHED
      TCP    cpuname:4033              py-in-f104.google.com:http  ESTABLISHED
    A few seconds later:

    Code:
    C:\>netstat
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
      TCP    cpuname:4028              www.007guard.com:4029  ESTABLISHED
      TCP    cpuname:4029              www.007guard.com:4028  ESTABLISHED
      TCP    cpuname:4030              www.007guard.com:4031  ESTABLISHED
      TCP    cpuname:4031              www.007guard.com:4030  ESTABLISHED
    These connections remain established until a few seconds after I close all Firefox windows.

    Like I said, I did a few full scans of my C drive, and found no 2search instances, and have noticed no odd activity besides these connections appearing in a netstat command. I have not done the full procedure since noticing this, as I was waiting for someone to confirm whether this netstat suggests I have malware or not. Thanks.
     
  4. NobodyCares

    NobodyCares Private E-2

    Hmmm... I was checking out my hosts file and noticed the first two lines were:

    Code:
    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1	www.007guard.com
    So I added:

    Code:
    127.0.0.1       localhost
    As the first non-comment line, as some website said that should be the case.

    Now my netstat after I open Firefox is:

    Code:
    C:\>netstat
    
    Active Connections
    
      Proto  Local Address          Foreign Address        State
      TCP    cpuname:4600              localhost:4601         ESTABLISHED
      TCP    cpuname:4601              localhost:4600         ESTABLISHED
      TCP    cpuname:4602              localhost:4603         ESTABLISHED
      TCP    cpuname:4603              localhost:4602         ESTABLISHED
    Does that look more like a normal netstat with firefox open? If so, it seems the last time I ran Spybot it screwed up my hosts file (instead of adding to it, it just overwrote). If it's still not right, or if I shouldn't have changed the hosts file, let me know. And if it did solve the problem, thanks for your help.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now your log looks fine. The hosts file was where I was heading but first I wanted to see those outputs. ;)
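Added example (not code from the thread or from MajorGeeks): a small Python triage script that reproduces what the two captures above show. netstat reverse-resolves 127.0.0.1 through the hosts file, and the first line that maps 127.0.0.1 supplies the displayed name, so when a Spybot block comes before any `localhost` entry, a browser's own loopback socket pair (each socket's local port is the other's foreign port) shows up as ESTABLISHED connections to www.007guard.com. The hosts and netstat text below is constructed to resemble the posted captures; the function names are my own.

```python
"""Triage paired loopback connections that netstat labels with a hosts-file name.

Constructed example modelled on the thread: a hosts file whose first 127.0.0.1
entry is www.007guard.com (Spybot block, no localhost line) versus the same file
with '127.0.0.1 localhost' placed first, and a netstat capture taken with a
browser open. Nothing here touches the network; all input is inline text.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_host local_port foreign_host foreign_port state")

# Constructed hosts file: Spybot block first, no localhost line (the 'before' state)
HOSTS_BEFORE = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\twww.007guard.com
127.0.0.1\t007guard.com
"""

# Constructed 'after' state: the poster's fix, localhost as the first non-comment line
HOSTS_AFTER = "127.0.0.1       localhost\n" + HOSTS_BEFORE

# Constructed netstat output resembling the second capture in the thread
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    cpuname:4028              www.007guard.com:4029  ESTABLISHED
  TCP    cpuname:4029              www.007guard.com:4028  ESTABLISHED
  TCP    cpuname:4030              www.007guard.com:4031  ESTABLISHED
  TCP    cpuname:4031              www.007guard.com:4030  ESTABLISHED
  TCP    cpuname:4032              py-in-f104.google.com:http  ESTABLISHED
"""


def parse_hosts(text):
    """Return (forward, reverse): name->ip and ip->first name listed for that ip."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            forward.setdefault(name.lower(), ip)
        if names:
            # the first mapping for an IP is the name a reverse lookup displays,
            # which is what the thread's two captures demonstrate
            reverse.setdefault(ip, names[0].lower())
    return forward, reverse


def parse_netstat(text):
    """Parse the TCP rows of Windows 'netstat' text output into Conn tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local_host, local_port = parts[1].rsplit(":", 1)
        foreign_host, foreign_port = parts[2].rsplit(":", 1)
        conns.append(Conn(parts[0], local_host, local_port, foreign_host, foreign_port, parts[3]))
    return conns


def loopback_pairs(conns, forward):
    """Connections whose foreign name resolves to 127.0.0.1 via the hosts file and
    whose mirror socket (ports swapped) is also present: a local IPC pair, not
    traffic leaving the machine."""
    present = {(c.local_port, c.foreign_port) for c in conns}
    found = []
    for c in conns:
        name = c.foreign_host.lower()
        ip = forward.get(name, name)
        is_loopback = ip.startswith("127.") or name == "localhost"
        mirrored = (c.foreign_port, c.local_port) in present
        if is_loopback and mirrored:
            found.append(c)
    return found


def triage(hosts_text, netstat_text):
    """Summarise a capture: how many loopback pairs, what name they display as,
    and which foreign endpoints are genuinely external and worth a closer look."""
    forward, reverse = parse_hosts(hosts_text)
    conns = parse_netstat(netstat_text)
    local = loopback_pairs(conns, forward)
    external = [f"{c.foreign_host}:{c.foreign_port}" for c in conns if c not in local]
    return {
        "loopback_pairs": len(local),
        "loopback_shown_as": reverse.get("127.0.0.1", "127.0.0.1"),
        "external": external,
    }


if __name__ == "__main__":
    for label, hosts in (("before fix", HOSTS_BEFORE), ("after fix", HOSTS_AFTER)):
        print(label, triage(hosts, NETSTAT_SAMPLE))
```

Run against the constructed 'before' hosts file the four www.007guard.com rows are classified as loopback pairs and the only external endpoint left to examine is the Google one; with `localhost` moved to the top the same sockets are reported under the name `localhost`, matching the poster's final capture. The general check is the mirrored-port test, which applies to any name the hosts file maps to 127.0.0.1, not just this one.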
     
