Do any Symantec employees ever help out on these discussions?  If so, I have 3 other posts going with only one VERY HELPFUL user trying to help me. 

 

Today, when I signed on my system, I received the message "SPMgr.exe has stopped working".  I tried to investigate.  It appears that SPMgr is a function of the Vaio PowerManagement.  It could also be some sort of malware or spyware.  I was notified that Vaio care had updates yesterday and I let them install.  I tried to look in the history.  There is a MS .net update and a Windows Defender update.  Both were sucessfully installed. 

 

I went into the NIS History file and found these errors appearing every few minutes.  (I tried for hours to look into the Norton forum and sony support and all that got me IS MORE FRUSTRATED...ESPECIALLY WITH NORTON).

CAN'T THEY INCLUDE GENERIC MESSAGE HELP?????

 

THE MESSAGES ARE AS FOLLOWS:

UNAUTHORIZED ACCESS BLOCKED (OPEN PROCESS TOKEN)   BLOCKED

Actor = C:\program files\ sony\ vaio care\COLLSVC.EXE

 

The files it is trying to access changes from minute to minute : 

Target= C:\program files\ Norton Internet Security\Engine\16.2.0.7\

     the program listed as target most frequently is ccSVCHst.exe but there are multiple cases of

     WSCStub.exe

     MCU132.exe

     FOIEnum

 

There is also many, many messages of

UNAUTHORIZED ACCESS LOGGED

Actor = C:\program files\ sony\ vaio care\COLLSVC.EXE 

 

Target Norton file ccSVCHst

 

Actor = windows\system32\services.exe

 

Target Norton file ccSVCHst

 

If anyone can help me with these problems, that would be wonderful.  I've missed the 1st 3 quarters of the Super Bowl already!!!

 

Please be patient. These guys have weekend as well

I TOTALLY understan that they have weekends!!!  These posts have been there since last week!!!  In the meantime, I have this problem that has escalated into a threat!!!

Please understand that this is a peer-to-peer discussion forum. Symantec employees do post here when they can, but if you have an urgent issue, or need one on one assistance,  please contact support directly. 

 

 

Hi sako100

 

Sorry to read that you are having problems. The info that you list in your first post is from the Norton Tamper Protection component of  NIS 2009.

 

(THE MESSAGES ARE AS FOLLOWS:

UNAUTHORIZED ACCESS BLOCKED (OPEN PROCESS TOKEN)   BLOCKED

Actor = C:\program files\ sony\ vaio care\COLLSVC.EXE

 

The files it is trying to access changes from minute to minute : 

Target= C:\program files\ Norton Internet Security\Engine\16.2.0.7\)

 

 

This entry indicates that Tamper Protection is stopping Collsvc.ex from accessing a Norton file. It is not stopping the process so it is probably not the cause of the problem.

 

It also appears that you were successfully able to install NIS 2009 (In your previous post you mention Norton 2008.). Is that correct? Is your problem now that you cannot install NSW?

 

Also, if you were able to install NIS, are the Definitions up to date? Check the main screen to the right of Definition Updates: If it indicates that it is older then 15 minutes, then run LiveUpdate. Once you have the latest definitions, run a full system scan..

 

Let me know what happens. If the scan detects a threat, please include the exact name of the virus.

 

Thanks,

RichC

Sr. Product Support Engineer

 

Rich,

 

Thank you so much for your replies.  Sorry I didn’t reply quickly and I TRULY APPRECIATE your help.  I’ve been frantic.  Found the trojan.brisv… virus on the desktop.  If I may, I’d like some help understanding.  I’ve had pc’s using DOS and taught Windows classes.  This is the first virus I found.  I’d like to think it was my diligence but it’s probably a bit of luck, too.

 

First off, I misspoke I have NIS 2009.  It has been installed about 3 months ago.  I am always checking my security systems.  A tech at ONE CLICK SUPPORT suggested I check it too often.  That is why I wrote the posts asking about this and the other messages.   Automatic updates are on, as is Silent Mode.  In addition, I have been running full system scans a few times a week since I put the network together.   Approximately 2 weeks ago, Norton blocked a high-risk attempt by …surfaccuracy… on the desktop.  A week later the same attempt was made to get at the laptop.    

 

My daughter needed the Happy Birthday composition for piano for her science project.  Three weeks ago, she found it on LimeWire and downloaded (this will NEVER happen again!!!).  On Tuesday night she was playing on Pogo when the “Norton is running background tasks…” box came up in the corner.  I told my family to let me know whenever this box appeared.  This is when I found the Trojan.  To make a very long story short, the recommended steps did not take all of the virus occurrences away.   The files were opened only once, weeks ago.  They were not ‘synced’ to her mp3 player.  The updates were up to date and full system manual scans were run at least 2 times a week in addition to using NIS defaults for scans.

 Is there anything else I can do so this won’t happen again?  I understand that no software can be fool proof.  I want to know what else I can do.  I purchased an additional spyware program.  I have another problem open requesting help about port numbers.  Would it be possible to send that in a private email?  

 

This brings me to the subject of this posting.  I still have these messages in Norton History, under the “Low Risk” category.  In addition, under the “Medium Risks” there are 2 messages.  These messages occur a few times a minute.  They state ‘Unauthorized Access Blocked - Open Process Token’.  The actors are the new spyware program and a Vaio program.  When I contacted One Click Support I was passed up the chain without an answer.  I asked if it could be a virus or the firewall.  The next day, Norton found the virus but the messages are still there.  I’ve run full system scans THREE times a day just to be sure. 

 

The only other option I can think of is the firewalls.  I reinstalled Norton twice.  The first time I kept the settings and reinstalled.  The second time I totally deleted.  The messages still show up.  There are a few other items that may shed some light.  When I ran the Sony system check up for the first time there were more than 7,500 disk cleaner errors (I can’t tell you specifics, they are not listed anywhere).  The system is only a month old.  When the first tech at Symantec cleared out the temp files the number of attempts to “Access” seemed to decrease. 

 

In your posting you stated this is Norton Tamper Protection.  Is this a firewall app?  I appreciate your time in this and the other matters.  I will post the NSW when I try to reinstall.  At this point, I’m not sure I want to.  Thank you again.

_______

In your posting you stated this is Norton Tamper Protection.  Is this a firewall app?

________

 

Norton Tamper Protection is a feature that protects your Norton product from an attack or modification by unknown, suspicious, or malicious applications. This is not a Firewall application, instead it is a feature in the product.

 

By the way, what was the additional Spyware program that you purchased. 

 

Thanks,

TomV

Norton Forums Moderator

Symantec Corporation

This is the 3rd time I am writing this same post.  When I hit the ‘Post’ button, I get the message that authentication failed.  I lost the whole post again!!!  This happened so many times last week; I ended up creating the document in Word and cut/pasting it into the Symantec editor.   THIS IS JUST SO FRUSTRATING!!!!! 

 

I am using the StopZilla anti-spyware program.  This isn’t the cause of the problem because these messages were appearing from another program before I added the spyware protection. At times, there is 8-10 ‘MEDIUM’ risk entries into Norton Security History EVERY MINUTE. 

 

I was on the phone with ONE CLICK SUPPORT this week again.   We added firewall exceptions for the 2 program calls.  This DID NOT alleviate the problem.  Someone at Symantec said it was Norton Tamper Protection putting out these messages (check my posts).  It can’t be a good thing that all these entries are created.  At the VERY least, the security history file has a TON of entries in it.  Please let me know what to do next.  I seem to go from one support person to the next and nothing eliminates the problem!!!

 

THIS IS A COPY OF THE MESSAGE I GET WHEN I TRY TO POST A REPLY!!!!

LUCKILY, I USED WORD TO SAVE MY RESPONSE!!!

The link you clicked is requesting an operation that requires authentication, but the authentication failed. There are five main reasons why this may happen: 1) The link you clicked on was not generated for you, but was intended only for someone else's use to perform an action on their account. If the other person pasted such a link into a message body or you were re-directed to such a link from another link you clicked on, the authentication will fail and you will arrive here instead. 2) The link was valid for you, but your authentication ticket has expired. If this is the case, hit the back button in your browser and refresh the page containing the link. You will then get a fresh ticket and when you click on the link again it will work. 3) Your browser session may have expired. If so, hit the back button in your browser, then refresh the page containing the link you clicked on. You will get a fresh ticket and if you click on the link again it will work. 4) Your browser may be set to not accept session cookies (or the cookie may have been deleted, or you may have been prompted and refused the cookie), in this case you should modify your browser settings to accept session cookies, and/or accept the session cookie if you are prompted, in order to use this site. 5) Your browser arrived at this location from someplace other than this site (an external link or site), or your browser or security software may be set to not send referrer information, in this case you should use the links on this site itself or verify that your browser or security software settings allow sending referrer information, in order to use this site.

Unfortunately that happens if you run past the time out in the forums … As you found out if you need a lot of time compose it off line in WordPad or in a word processor that does not use its own private coding for formating.

Thank you.  You don't have any ideas on the other problem, do you?

A lot of programs have to make contact with Norton in order to request access to the internet, or in the case of other scanning software, they attempt to scan Norton.  If you check the menu bar in your history screen, you will be able to see what each program is that is triggering an open process token.

 

Another message you might see is a firewall rule which might be blocked or allowed depending on your program rules.  I find that my internet gateway needs to contact my computer, God knows why, Telus doesn't, about every 20 seconds.  Norton just lists all of these contacts with the computer in history.  

 

The real menu item of interest in the menu bar is "Unresolved Security Risks."  This you should check time to time as kids (like mine) don't always tell you when they have invited a guest into the computer.

 

When you click on any history item and then click the more details button on the right, it will tell you what the program or file is.  The more you look into these items, and google the ones you don't recognize, the more comfortable you will be with the whole process.  Most of what you are seeing is the normal computer operation that wasn't visible in the same way.

 

Above all, remain calm.

The others here -- and you have several Symantec Staffers (names in red) -- are much more competent than I am on what might be going on.

 

I can only think of the following:

 

Remove all other "security" software than the Norton (it doesn't matter if the same thing happened with different software, we are troubleshooting) and see what happens.

 

I presume you have a Sony laptop so check with Sony for your specific model for updates to power management and other files specific for your model.

 

If you can locate the file Collsvc.exe that you mention in Windows Explorer right mouse click on it and check Properties / Details for information about the file and its origin -- SONY, INTEL ..... ?

 

Post the information here.

 

And if you did not, please confirm which version (Help/ About nn.nn.nn.nn ) of which Norton product you are using and which version of Windows including Service Packs and whether 32 bit or 64 bit.

 

Then all the background is together.

Thank you for your response  I have been in contact with Symantec support.  At first, I was passed from tech to tech. The original program reporting the risk was not a scanning program, it was from Sony.  I talked to Sony and they explained the file was a necessary part of the system.  There are no Unresolved security risks displaying.  Let me explain why I say “displaying”.  I started trying to get an answer weeks ago.  About a week after my initial contact, I found a Trojan virus on my other machine.  Full System Scans were run on both machines everyday prior to contracting the virus.  The Trojan still got through.  This is one reason I am worried.  That is the reason I added the 2nd spyware program.  The spyware program now causes more medium risk  records to be written to the history file. 

 

I am concerned because this uses a lot of system resources.  Just the fact that a record is written to the history file every second for a full minute at a time, means that a book is written every other day.  Now there is a second program creating these entries, too.  The first time I ran a disk check on the computer there was over 7,000 entries.  I only had the laptop for a month.  I really haven’t added much software until I can get these questions answered. 

 I have been checking the details to these files, they always involve the same two valid executable programs.  I thought I could just add the firewall exceptions and that would be the end of it. 

Thank you for your response.  In regards to removing the other security products, the problems existed before this was added, so this could not be the cause.  I thought it was a firewall problem but the Symantec tech helped me (After being passed from one tech to another I finally got an EXCELLENT tech).  Adding the new rules did not do the trick.  Another strange thing, I cannot move the rules we added.  Any ideas?Sorry about the system details, they were in another problem I opened.  Here they are    

 

Desktop (host) runs Win XP    

Laptop runs Vista (this is where all the headaches come from) sp 1, 32 bit   

A wireless router (linksys)    

A Dell AIO printer.    

Norton Internet Security 2009, auto updates are on.

Hi Sako:

 

The Norton Tamper Protection will not be changed because of a firewall rule.  It is just Norton's way of saying "don't touch me" to other programs.  When other programs access the net, or update themselves, they may try to make changes to the antivirus to accommodate them.  Norton won't allow any changes.  Most programs gracefully withdraw when Norton refuses.  This is what is happening with the Sony utility.

 

An open process token is a complicated communication which translates simply to "asking permission."  You only have a problem when the program doesn't withdraw from Norton and causes a program glitch.

 

In my system, I have several entries for Adaware during an update or scan, my gateway, Firefox for updates.  It really isn't a problem.  It does give you the means of tracking a software conflict sometimes.

Thanks for your patience with things you have dealt with many many times already but I did not want to miss something.

 

<< Norton Internet Security 2009, auto updates are on. >>

 

Please check Help / Aboout and give the version ID nn.nn.nn.nn there to confirm this.

 

Did you check the properties and thus the source of that file that was bothering you to see who "owned" it?

 

Do note what Delphinium is saying since that is more specific than I can be.

Both of these programs start these calls before I even get to the internet.  I’ve been trying to figure out what if anything makes this occur more often.   

 

I have already turned off all unnecessary add ins,  did full system scans that came up clean, changed firewall settings, programs properties are for all users (one for Sony Vaio, the other for the 2nd security software),  deleted all temp files, reset all Internet Explorer Security settings, uninstalled

 

Norton with a total uninstall and a partial uninstall.  I am not a guru  but I was a programmer until a few years ago.  I just don't know what else I can do but there should be some kind of workaround here.  Norton version is 16.2.0.7.  Thank you.

<< Both of these programs start these calls before I even get to the internet. I’ve been trying to figure out what if anything makes this occur more often >>

 

I have to say that I'm lost here since I have read through this thread and I don't see what is bothering you apart from losing your initial long post which keeps on coming up and does not help us follow.

 

You refer to some history reports (my wording) and threats and books being filled up but I really do not understand what this means -- and in this message Delphinium says that there is nothing to worry about regarding these.

 

Just what are you referring to when you say <<  but there should be some kind of workaround here.  >>

 

Maybe someone else can help you but I've gone as far as I can, I'm sorry to say.

Sako100:

 

If you are on highspeed these programs do not require you to be on the internet.  They access it all on their own, which is why I blocked access for all of my programs that do this except the ones I choose.  Your Sony software accesses the internet for updates, Corel will access the net for updates.  The worst offender is Adobe updater.  That one tries to spend more time on the net than I do.  Your gateway makes contact to ensure the connection is still working, and your service provider maintains some form of contact as well.

 

Nearly all modern software now has its own self-care, self-update component as does Microsoft (I don't let it download whatever it wants either).  Because Norton's firewall attends to outgoing traffic as well as incoming, all programs must access Norton for permission.  If allowed, they then must make a request of their home server.  These are open process tokens.  You will see this activity, even when it is blocked.

 

Programs will still make their requests as far as Norton, which will log the request.  You are not the only user of your computer.  Even if you disconnect from the internet, the programs will still acess Norton for permission to access the net.

 

You have the ability to clear all of the screens except history and recent history.  I don't think Norton is storing all of the advisories.  You should check them to see who or what is attempting access, but short of rewriting their programs, you can't stop it. There is nothing to work around.