I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here.
When you tell your internet browser to go to www.google.com one of the first things that has to happen is that your computer has to turn that nice address for google.com into an IP address. An IP address looks like this: 74.125.XX.XX (which is one choice for google).
So how does your computer translate www.google.com to a number? It uses DNS (Domain Name Service) to lookup the IP address, much like you would lookup a phone number in a phone book. You type google and your computer 'lookups' the number for google (and google is big enough that it has more than one 'number' that might be found--but that issue isn't relevant here
). DNS servers for most home users are usually provided by your ISP, and anymore the whole process is really quite transparent to the end user.
Thats the simple version of the explaination. Now to expand on that without getting really to technical, for the sake of speed and minimizing network traffic your comuter has a variety of places it may 'look first' for the number before consulting the DNS server.
- First off a check in a local address cache, this is a place that holds recently 'looked up' IPs. If we just looked up google recently and we need it again now, its faster if we can find it on our own internal 'scratchpad' than asking the DNS server for it.
- Next the computer will check the HOSTS file. The HOSTS file isn't actually used in practice much anymore. But it's still there, and still checked as part of the process. If a domain name is listed with and address here, the computer will use that address to contact the domain.
- What happens next is dependent on your configuration, but in most home user cases is a query to the DNS server provided by your ISP.
So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for 'tc.symantec.com' and 'om.symantec.com'. I don't know what those specific sub-domains are for but if I had to guess I would bet they are related to liveupdate and/or virus definitions. Whats happening here is that when liveupdate runs instead of your computer being properly routed to valid symantec servers, it gets re-directed to talk to the 'wrong number'. The computer that answers at the 'wrong number' tho can lie and say hello i'm symantec and then download false or empty virus definitions, and or more malware.
The prompt by NIS telling you it wants to remove these entries from HOSTS is a tamper protection. NIS says 'hey i'm about to update, let me check and make sure I think I'm going to get to the correct server to get my update' So it performs some tests and says 'oops, there is something in the HOSTS file thats going to prevent me from getting to the correct server'. So NIS then asks your permission to remove these entries before it updates.
[mod note: Broke IP address (even tho it is google and most likely alwasy will be).]
- �1995 - 2013 Symantec Corporation Legal Notice License Agreement Privacy Policy Cookies Site Map RSS
