ooccag.exe/ooccctrl.exe

[seekermeister]

Both of the files in the title belong to O&O Clever Cache, which I have installed. The thing that I just noticed is that these are shown in my firewall's Network Activity monitor as being active with remote ports listed, and a remote address of www.007guard.com.

Googling these, I have not found anything that leads me to believe to believe that these are considered risky or malware, and in one return is described processes as being used to communicate via LAN or the internet. I fail to understand why a program simply designed for the function of this program needs to communicate in either.

I'm probably going to uninstall the program, but before I do, I wanted to see if anyone might have an insight that would be useful in deciding?

 

[Jacee]

Do you have Spybot s&d and/or SpywareBlaster installed and running?

From your computer, navigate to C:\Windows\system32\drivers\etc <--Open folder...keep open

Open notepad, then drag the HOSTS file (no extension) into the open notepad window.
Copy and paste the results here ...close notepad

 

[seekermeister]

I use SpyBot S&D plus Malwarebytes, and neither have complained about them, but then they don't necessarily conform to what I object to. I tend to dislike anything that calls home, even updaters. However, I doubt that these are updaters, because it doesn't require two updaters for the same program. As you can see if you click the link in my OP, the url gets a 401 error, meaning that it is not accessible via a browser, which increases my suspicions.

 

[seekermeister]

Jacee,

From your computer, navigate to C:\Windows\system32\drivers\etc <--Open folder...keep open

Open notepad, then drag the HOSTS file (no extension) into the open notepad window.
Copy and paste the results here ...close notepad

And then what? There doesn't appear to be anything listed there relevant to O&O, the only uncommented addresses appear to be local. Not being in the hosts file doesn't mean that they can't communicate, because nothing appears there for any other updater or the like.

From what I read earlier, I got the impression that these files record keystrokes, etc. I may have been reading about a malware file, instead of the O&O file, but if these do do this, there is no good reason for them to do so.

 

[Jacee]

Right .... see how PepiMK (developer of Spybot s&d) explains 007guard.com
hosts immunisation. www.007guard.com - Safer-Networking Forums

 

[seekermeister]

Thanks, but I still don't fully understand this:

There is a connection - to 127.0.0.1.

It is not a connection to 007guard.com though - that's a misinterpretation by netstat, displaying just a "random" (possible last?) 127.0.0.1 entry and not the first from the hosts file.

Connections to 127.0.0.1 are "to" your local machine - a loop redirection to block access to the actual address of specific bad hosts (like 007guard.com).

Without the hosts file entry, access to 007guard.com would lead to the real bad server, with this, access will be kept "inside" your machine and will enter the nirvana. Since there are many such sites, programs that use the IP address (127.0.0.1) to later display an associated domain (007guard.com) might show invalid names, since there are many and its impossible to find the correct one. Usually, access to 127.0.0.1 would be legit "local" communication.

If I understand, 007guard.com is a place to avoid, and SpyBot has blocked that. If this is the case, then CleverCache is designed to communicate with it...right? If that is the case, I may uninstall the program regardless of whether it is blocked or not.

 

[Jacee]

You are being protected. I've used O&O Defrag before and never had a problem.

It's up to you.

 

[seekermeister]

The files do not come from O&O Defrag, they come from O&O CleverCache, which was a free program in a bundle, when I purchased the latest version of the defragger. The only reason that I have it is because it was free, which also tends to make me suspicious... I'm still thinking on it.

EDIT:
Another factor that bothers me, is that my firewall shows that these files have active open ports listed as "trusted". If SpyBot were blocking them, it seems that this wouldn't be so.