Looking at Comcast Norton 360 logs and then Crash!

8498i56AADD2CC2357E80As the subject states, yesterday evening I was merely looking at my logs to see when last scan was run and other details when Norton was forced to close. I did take a jpg before closing as requested and then (not specified to do so) I shut down the computer via the start button. I restarted the computer and Norton appears to be running. I can find no mention in Norton logs of any problem.  Problem Reports in Windows Vista gives the following details:

Problem Event Name: APPCRASH
Application Name: ccSvcHst.exe
Application Version: 109.0.3.4
Application Timestamp: 4b86e0bf
Fault Module Name: MSVCR90.dll
Fault Module Version: 9.0.30729.4148
Fault Module Timestamp: 4a594c79
Exception Code: c0000005
Exception Offset: 0002463e
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033
Additional Information 1: 04bd
Additional Information 2: 31602df2387d60f3794c205e3b7c22cf
Additional Information 3: 458e
Additional Information 4: f45b35686d8cbbff5875496ac6828553

Extra information about the problem
Bucket ID: 1798871171

 I hope it is ok to post a snap of the pop up that appeared. The version is :Product Name: Norton Security Suite,

Version: 4.2.0.12. I have seen no problem since the rebooting, but I am mistified as to why Norton crashed. I posted originally at Comcast's help forum and USAF_E8_RET suggested that I post here in hopes that an employee  would see my post. Running Norton, I found only cookie trackers, which are no big deal.

 

Thanks for any replies.

Calamity Susan

 

It is a Microsoft issue affecting Norton, more than something wrong with Norton.  Something happened somewhere in the machine involving the MSVCR90.dll  that caused a shut down of Norton

 

I'm not sure if this explanation helps, but I will give you the link to the website that has a good explanation, so you can see if you can make sense of it.  I'm struggling. 

 

"So, what is an access violation, a C0000005? This is the translated #GP code the fault handler raises, which the operating system displays as an 'Access Violation', whos numerical form is c thousand 5. Its the operating system telling you that a program has malfunctioned and tried to reference no mans land. It has nothing specific to do with any particular program, or a brand of software, this is straight from the CPU and kernel of the operating system."

 

http://www.windowsbbs.com/windows-2000/40538-what-causes-exception-code-c0000005-access_violation.html

 


delphinium wrote:

It is a Microsoft issue affecting Norton, more than something wrong with Norton.  Something happened somewhere in the machine involving the MSVCR90.dll  that caused a shut down of Norton

 

I'm not sure if this explanation helps, but I will give you the link to the website that has a good explanation, so you can see if you can make sense of it.  I'm struggling. 

 

"So, what is an access violation, a C0000005? This is the translated #GP code the fault handler raises, which the operating system displays as an 'Access Violation', whos numerical form is c thousand 5. Its the operating system telling you that a program has malfunctioned and tried to reference no mans land. It has nothing specific to do with any particular program, or a brand of software, this is straight from the CPU and kernel of the operating system."

 

http://www.windowsbbs.com/windows-2000/40538-what-causes-exception-code-c0000005-access_violation.html

 


Very good information, but I don't really know what to do with it. I am struggling to understand which of the three situations best fits mine and why one of the three is the best fit. Should I be checking my event viewer for more information? I have seen "events" that suggest corruption on the disk and or unauthorized access, but other than posting them,  I'm not sure what I could tell you. Originally back up done of programs on D:,expert switch it to jpgs and other files backed up to D:. With installation of Norton, back up is done by Norton on D:. There are hash errors and I am not sure if this is important. I also have Dell Data Online which backs up obviously online!

 

I have McAfee Site Advisor (disabled) and I think I should remove it, but whether it is affecting Norton.... SpyBot Search and Destroy was uninstalled prior to installing Norton (by an expert which I am not....), but I forgot to mention to him that the 3 miscellaneous locks(IE Tweaks) had been used at one time  with Avast 4.8, but SpyBot had been uninstalled before uninstalling Avast 4.8 and installing of Avast 5 (last antivirus used before Norton was installed) . Then SpyBot was reinstalled after last version of Avast used but only host file was locked at that time. I am scared that this may be part of my problem. I do not use more than one antivirus at one time, but I have switched quite a few times from paid Trend Micro, to Comcast McAfee, from that to  Avast 4.8 Home Edition, from Avast 4.8 Home Edition  to Avast 5 Home Edition,from Avast 5 to Comcast Norton.

 

Thanks for your reply and for future replies thanks to everyone who replies!

Calamity Susan

Lordy, lordy!  Did you run the removal tools to properly clean off McAfee Comcast, Trend Micro, and Avast, before installing Norton?  It may be very difficult to get your machine clean enough that anything runs perfectly.

You are best to have one major security program with one or two on demand scanners for a cross-check.  Spybot S & D has a Teatimer component whcih is also a real time scanner.  It can be used if Teatimer is disabled.

 

Switching out antivirus programs, which are notoriously sticky and difficult to entirely clean out of a machine, is apt to cause the occasional glitch.

 

Here are links to removal tools if you haven't done the housekeeping.

 

http://uninstallers.blogspot.com/

 

 


delphinium wrote:

Lordy, lordy!  Did you run the removal tools to properly clean off McAfee Comcast, Trend Micro, and Avast, before installing Norton?  It may be very difficult to get your machine clean enough that anything runs perfectly.

You are best to have one major security program with one or two on demand scanners for a cross-check.  Spybot S & D has a Teatimer component whcih is also a real time scanner.  It can be used if Teatimer is disabled.

 

Switching out antivirus programs, which are notoriously sticky and difficult to entirely clean out of a machine, is apt to cause the occasional glitch.

 

Here are links to removal tools if you haven't done the housekeeping.

 

http://uninstallers.blogspot.com/

 

 


Sorry that I have been too busy to reply. When I went from the paid Trend Micro to the Comcast McAfee, a computer professional did the installation. I am almost certain he would have done the removal properly. I assume that the other installation he did at a later time, the Avast 5 removal with Norton installed afterwards, that he would have done that efficiently, unless Avast isn't well known among computer professionals. My removal of McAfee did involve usage of the McAfee removal tool; I did have some problems with that. So unless, I did not get McAfee fully removed before Avast 4.8 was installed by me, the only McAfee would be McAfee Site Advisor. I am not sure Norton likes that Site Advisor as an internet explorer plug in. The SpyBot miscellaneous lock removal problem is my fault if I should have mentioned to my computer professional that the host lock was checked.

 

Norton seems to be reacting ok, although when I look at the logs one after the other, after looking at more than two different logs(Firewall activity, recent history, etc.), Norton seems to get sluggish and won't show anything.

Does this tell you anything about the state of my Norton?

Calamity Susan

 

I run Spybot TeaTimer along with Malwarebytes Antimalware (paid) with Comcast Norton Security Suite and have no problems.  Maybe you should download the Mcafee removal tool and run that.

It wouldn't hurt to check with your techie to see if the proper removal tools were used.  Sometimes it depends on their area of expertise, although if the programs all worked well after the different installs were done, it is probably all right.

 

I think I would run the tools again for both McAfee and Avast to try and get rid of any leftovers if Comcast is sluggish.  If it was just the framework error that hopefully isn't repeated, it might not be necessary.  It kind of depends on how much tedious time consuming housekeeping you want to do, compared to how well or poorly the machine is running.

 

If you decided to clean everything out and start over, you should also run the Norton removal tool and start with a fresh install of that.  You would need to backup your logins beforehand.

 

If you haven't cleared the data out of the logs once in a while, it will get slower and slower because there is so much more to load.  If that is the only issue, you might be well ahead of the game.  You could wait to see what turns up.  At least you will have an idea of where to begin.

 

 


ffwfire wrote:

I run Spybot TeaTimer along with Malwarebytes Antimalware (paid) with Comcast Norton Security Suite and have no problems.  Maybe you should download the Mcafee removal tool and run that.


ffwire, do you also use SpyBot immunization as well as SpyBot TeaTimer? I had with Avast Home Edition (first 4.8 and then 5) with SpyBot, but mostly used the immunization feature and rarely used Tea-Timer which I did not understand how it worked nor what notifications would pop up. With the MBAM, do you have real-time protection on, too? I run MBAM on-demand, but do not have real-time protection(not using paid version). When MBAM is scanning files on-demand, should Norton be on, too. I don't think I have ever turned Norton off as I am afraid not to have the Norton firewall on at all times.

 

If i were to uninstall McAfee Site Advisor, would I somehow have Norton firewall on and the rest of Norton off? McAfee Site Advisor is disabled in Internet Explorer 8 and Foxfire.

 

I looked and could not find quickly the entry that I wanted that seemed to show McAfee Site Advisor "targeting" Norton.

Best post this before I lose it.

Calamity Susan


delphinium wrote:

It wouldn't hurt to check with your techie to see if the proper removal tools were used.  Sometimes it depends on their area of expertise, although if the programs all worked well after the different installs were done, it is probably all right.

 

I think I would run the tools again for both McAfee and Avast to try and get rid of any leftovers if Comcast is sluggish.  If it was just the framework error that hopefully isn't repeated, it might not be necessary.  It kind of depends on how much tedious time consuming housekeeping you want to do, compared to how well or poorly the machine is running.

 

If you decided to clean everything out and start over, you should also run the Norton removal tool and start with a fresh install of that.  You would need to backup your logins beforehand.

 

If you haven't cleared the data out of the logs once in a while, it will get slower and slower because there is so much more to load.  If that is the only issue, you might be well ahead of the game.  You could wait to see what turns up.  At least you will have an idea of where to begin.

 

 


If I started over, I would have to do something about the Norton backups on D:(not an online backup---I already have Dell Data Online).  I kept all the logs since the beginning and have not cleared any entries.

 

Thanks for all the replies. I hesitate to call or email my techie as he's been doing this all for free.  I'm still waiting for the other person who replied to my post to answer my questions if he/she can. This is why there are two new posts by me today....

CalamitySusan

 

In response to the other post, I would like to say that I have seen more infected machines that are running two real time products than I could ever begin to list.  I am seeing the same thing on Bleeping Computer and some of the other forums.  The programs may appear to be running well together, but the fact is that many of the conflicts can be hidden.  They can interfere with each other in the removal of malware, and Spybot can actually prevent malware from being removed.

 

Don't be fooled by more is better.  It doesn't work for four baseball players trying to catch the same ball, and it doesn't work for antivirus programs either.

Yes, I run it all and have no problems with Norton Security Suite.  I am on Windows Vista 64-bit too.  We have three computers in this house and they all have NSS on them.  Two are Vista 64-bit and one is XP 32-bit.  The two 64-bit have Malwarebytes (paid) and the 32-bit version of XP just runs Norton Security Suite without any antispyware (my brothers computer).  I also have SuperAntispyware (just the free version) installed.


delphinium wrote:

It wouldn't hurt to check with your techie to see if the proper removal tools were used.  Sometimes it depends on their area of expertise, although if the programs all worked well after the different installs were done, it is probably all right.

 

I think I would run the tools again for both McAfee and Avast to try and get rid of any leftovers if Comcast is sluggish.  If it was just the framework error that hopefully isn't repeated, it might not be necessary.  It kind of depends on how much tedious time consuming housekeeping you want to do, compared to how well or poorly the machine is running.

 

If you decided to clean everything out and start over, you should also run the Norton removal tool and start with a fresh install of that.  You would need to backup your logins beforehand.

 

If you haven't cleared the data out of the logs once in a while, it will get slower and slower because there is so much more to load.  If that is the only issue, you might be well ahead of the game.  You could wait to see what turns up.  At least you will have an idea of where to begin.

 

 


delphinium,I was considering clearing the logs and waiting to see what would happen. I have wanted certain information before I do clear them out. I was looking at some of the logs including Norton Tamper Protection and found things that might be relevant. However, I am uncertain if posting the full information might be violating some forum rule and wanted to ask you about it.C\windows\system32\REGSVR32.EXE was one of the actors and information such as PID were listed in the information.lt involved something that ocurred on the set up date of Norton and the action was blocked(Set registry value).

I have information about c:Windows\System32\SERVICES.EXE targeting Norton on September 7. Please advise as to whether posing full information would be violating some rule. It is easier to find the stuff in my photos and I have some jpgs with Norton entry pictures. Really frustrated with how logs can be used---what can be exported etc.

CalamitySusan

 

P.S.-  Thanks for any reply

 

Hi CS:

 

I hope you don't mind the initials. :smileyhappy:

 

There is no problem in posting any of the logs, although you want to be careful to block out your IP address for privacy reasons.  The Tamper Protection logs aren't particularly relevant, however, as almost all of the programs and applications have to access Norton at some point in order to get access to do their jobs.  Norton allows them to do whatever they have to do to get the job done EXCEPT access too deeply into Norton itself.  When it says blocked, it only means that Norton stopped it from doing anything to Norton files.

 

The ones that are most informative are Intrusion Prevention, Resolved and unresolved Threats, and Quarantine.  I usually have a quick look at scans to see if eveything appears to be working as expected, and at Firewall activities. 

8772iEAFDE30C74B49BF9
delphinium wrote:

Hi CS:

 

I hope you don't mind the initials. :smileyhappy:

 

There is no problem in posting any of the logs, although you want to be careful to block out your IP address for privacy reasons.  The Tamper Protection logs aren't particularly relevant, however, as almost all of the programs and applications have to access Norton at some point in order to get access to do their jobs.  Norton allows them to do whatever they have to do to get the job done EXCEPT access too deeply into Norton itself.  When it says blocked, it only means that Norton stopped it from doing anything to Norton files.

 

The ones that are most informative are Intrusion Prevention, Resolved and unresolved Threats, and Quarantine.  I usually have a quick look at scans to see if eveything appears to be working as expected, and at Firewall activities. 


Ok, D (and i hope you don't mind the initial), here is a jpg of an early entry in one of the logs. Any comments on this one?

CS

 

 

 

8774iA4184ADCE7A39590
delphinium wrote:

Hi CS:

 

I hope you don't mind the initials. :smileyhappy:

 

There is no problem in posting any of the logs, although you want to be careful to block out your IP address for privacy reasons.  The Tamper Protection logs aren't particularly relevant, however, as almost all of the programs and applications have to access Norton at some point in order to get access to do their jobs.  Norton allows them to do whatever they have to do to get the job done EXCEPT access too deeply into Norton itself.  When it says blocked, it only means that Norton stopped it from doing anything to Norton files.

 

The ones that are most informative are Intrusion Prevention, Resolved and unresolved Threats, and Quarantine.  I usually have a quick look at scans to see if eveything appears to be working as expected, and at Firewall activities. 


Here is the September 7th entry: Any comments on this one?

CS

 

delphinium, I have spent hours looking at logs and got terribly confused over the terminology. Is an  "Unauthorized Access Blocked(Terminate Process)"  entry important? "C:\Program Files\McAfee Site Advisor" had a process terminated on November 1 at 7:45 p. m. I thought McAfee Site Advisor was disabled in Foxfire but once while using Norton Safe Search and Foxfire, a McAfee Site Advisor pop up "popped up".Similarily there are entries for SVCHOST.EXE with "Unauthorized Access Blocked(Terminate Process)" notation.

 

There appears to be nothing of interest in "Resolved Security Risks" at time of this crash and the second crash which occurred on the morning of October 31.

 

On October 1, I was just reading my usual stuff online and was not trying to download any  program files or updates. I got a wierd message about my security settings. I did not know if it had to do with Norton or Internet Explorer 8 settings. I usually block pop ups, but not always.

 

Looking at Norton's Security History, and then the full history "aspect" of this history; {entry 1} unused port blocking has blocked communication [Inbound TCP connection from xxx.xxx.xxx.xx, local service port (8085)] at 9:49 A. M. on October 1(status is detected) ; and {entry 2} the next entry is IPS Statistical Submission which is submitted at 10:02 A. M.(status submitted). Immediately following those two entries, {entry 3}Norton community Watch feedback has "waiting" status at 10:02 A. M. An instance of "C:\Windows\System32\mspaint.exe" is preparing to access the internet at 10:03 A.M.; this is the next entry {entry 4}. Finally, immediately after entry 4 is the entry on October 1 at 10:04 A. M. :an instance of "C:\Program Files\Internet Explorer\iexplorer.exe" is preparing to access the internet. My question is : where will I find the entry corresponding to the message that was in my browser at the time of the blockage? The message was: "Your current security settings do not allow this file to be downloaded". Looking at the Norton security history and then resolved security risks, I do not find any listing matching the october 1 blocked download.

 

I have also tried to look at Event viewer and I had a strange "crash" with that. I simply could not  close all dialog boxes before closing computer management. This was the morning of October 28. The event viewer described additional problems:(1)"

Audit events have been dropped by the transport.  The real time backup file was corrupt due to improper shutdown". (2)

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {d5aeabc1-6e71-4e2.

I have run one of the tools you asked for and am unsure that I did the procedure correctly. I  ran  TDSS Fix Tool 2.00 directly from the thread you referred me to (in your private message) and did not put it on my desktop. I was in normal mode while reading your p. m. and the computer restarted in normal mode. I did not turn off system restore nor did I turn off Comcast Norton while running it. I don't know where restore points are and what the effect of having Norton do backups on D:.

Questions: (1)Was this supposed to run in normal mode?

                    (2) Do you turn off Comcast Norton to get correct results? If so, is the Norton Firewall supposed to be on?

                   (3) What about system restore?

The results were: Nothing found.

I may think of other things to mention, but want to post this before I loose the stuff I have written already. Sorry for the delay.

CS

 

Unauthorized access blocked messages are nothing more than normal programs accessing Norton in order to perform their tasks.  Norton logs that access and prevents any changes to its files.  If it terminates something, the other program has not backed off gracefully.

 

Having nothing in unresolved threats is a good thing.

 

The security settings may be in Tools>Internet Options>Advanced>check for server certificate revocation.  It sounds as though it is a system popup rather than a Norton one.

 

The history entries all look perfectly normal.

 

I don't see anything that leads me to think that there is any infection on your machine.  You may be afflicted with some Windows errors, or add-ons that are conflicting with Comcast, or Smart Screen filter turned on in IE8.

Is Comcast updating reglarly, getting pulse updates, liveupdates, etc. 

 

If you ran the cleaner that is part of the utilities, did you do a backup of the changes?


delphinium wrote:

Unauthorized access blocked messages are nothing more than normal programs accessing Norton in order to perform their tasks.  Norton logs that access and prevents any changes to its files.  If it terminates something, the other program has not backed off gracefully.

 

Having nothing in unresolved threats is a good thing.

 

The security settings may be in Tools>Internet Options>Advanced>check for server certificate revocation.  It sounds as though it is a system popup rather than a Norton one.

 

The history entries all look perfectly normal.

 

I don't see anything that leads me to think that there is any infection on your machine.  You may be afflicted with some Windows errors, or add-ons that are conflicting with Comcast, or Smart Screen filter turned on in IE8.

Is Comcast updating reglarly, getting pulse updates, liveupdates, etc. 

 

If you ran the cleaner that is part of the utilities, did you do a backup of the changes?


Delphinium, I just looked in IE 8 for check for server certificate revocation: it is checked. Is it supposed to be ? Smart Screen filter is on. Pop up blocker is off as I write this.

 

My current version of Comcast Norton is Version: 4.3.0.5 and  the definitions update was 5 minutes ago. It seems to be updating frequently. How do I check for the different types you mentioned "liveupdates" and "pulse updates"?

 

You did not comment on my previous post's mention of how I ran that tool. Did I do it correctly? Should hidden files have been "unhidden"?

CS

 

 

CS - sorry to jump in here, but perhaps if you click on Help and Support, click on Index, type in Pulse Updates and read the subtopic , it may answer your question about "liveupdates" and  "pulse updates".  There is a link to Live Updates at the bottom of the Help page.


yank wrote:

CS - sorry to jump in here, but perhaps if you click on Help and Support, click on Index, type in Pulse Updates and read the subtopic , it may answer your question about "liveupdates" and  "pulse updates".  There is a link to Live Updates at the bottom of the Help page.


Yank, I did that and both liveupdate and pulseupdate are listed as on.

CS