BleepingComputer.com: Unauthorized access blocked (Open Process Token) every 5 seconds

Hello,

I am getting Unauthorized access blocked (Open Process Token) every 5 seconds on my computer. This is showing up through Norton Security Suite as a medium threat but no action needed on my part. The actor is c:\windows\system32\taskeng.exe. It is targetting C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe.

What happen I was hit with a Trojan along with a rootkit if that is even possible. I got on the screen a message that some AV Software, that I don't have, has detected all these malware items on my machine. I closed my browser and tried to launch Malwarebyte's Anti-Malware but it said that the exe was infected and could not start. I had SuperAntiSpyware running on the systray so I ran a scan with that and it found 1 rogue, 3 fake AV items. Removed them and rebooted. After reboot ran Malwarebytes and it found 3 other rogues, removed them and rebooted. Came back up and noticed my proxy settings were changed so I ran tdskiller. It found one item and rebooted. Then the computer would not boot up, it ran file scan and then wouldn't boot saying a file was damaged. Selected boot from last good and the machine came up and everything is running good but that one thing in Nortons.

Has anyone else heard of this? Is this even an infection of malware? I have done a search on the site on Unauthorized access blocked (Open Process Token) but didn't see a fix for this. So before I dig myself a hole I cannot get out of without reformatting the whole computer I thought I should ask the experts.

Thank you for your time.

This post has been edited by Orange Blossom: 20 June 2010 - 10:54 PM
Reason for edit: Move to AII as no logs posted and prep. guide not followed. ~ OB

The unauthorized access notification is caused by other programs and applications accessing Norton's files. Norton Tamper Prevention logs each access but since most things do access Norton to some extent it is quite normal and nothing to worry about.

You are very welcome to vist the Norton forums for any questions you might have about how your product works.

http://community.norton.com/

In my opinion, if any computer with Norton Internet Security is logging the fact that the door is being shut on some process several times a minute may mean that Norton is successfully protecting the computer but does not mean there isn't anything to worry about.

Take my case: a sub account got infected with a key logger and then these messages kept appearing whenever it was logged in. The cause was something that was running from [HKCU\Software\Microsoft\Windows\Run]. The entries in there were of random names and you couldn't delete them because they would reappear. You couldn't delete the DLLs or EXEs they pointed to either (in AppData\Local) , even when the account was not logged in and an administrator was doing it. The solution was to use safemode logged in as an administrator and delete the programs being access from the run key. Now everything is back to normal with none of these messages coming up. Another way would be to delete the account, all the user's folders and start again. This is another classic reason for never surfing from an administrator account.

So when Symantec representives on their forums say there is nothing to worry about, when clearly there is something wrong that their product is not properly dealing with, makes me wonder if some of their staff need training.

I suspect that you may be confusing tamper protection with intrusion prevention. Anything showing as blocked in intrusion prevention should be looked at ASAP. Tamper protection, as I say, merely logs pokes at Norton files.