How to manually uninstall the Symantec Endpoint Protection Small Business Edition 12 client

Article:TECH93532  |  Created: 2009-01-20  |  Updated: 2012-02-21  |  Article URL http://www.symantec.com/docs/TECH93532
Article Type
Technical Solution


Issue



This document describes how to remove Symantec Endpoint Protection client manually.

 


Error




Environment




Cause




Solution




Warning: These removal steps can disable other Symantec products that are installed on the computer. It is recommended that all Symantec products be uninstalled by using the Windows Add or Remove Programs before starting this process.


Log on as Administrator
Manual removal of Symantec Endpoint Protection must be done from the Administrator account. To enable the Administrator account, read the following document from the Microsoft Knowledge Base: Enable and Disable the Built-in Administrator Account.

When the Administrator account is enabled, log on to that account.

Stop Symantec Endpoint Protection

To stop Symantec Endpoint Protection if you are running a version of Windows other than Windows 2000

  1. Click Start > Run, type msconfig, and click OK.
  2. On the Startup tab:
    If you are running Windows Vista or Windows 2008 Server, uncheck Symantec Security Technologies.
    If you are running another version of Windows, uncheck ccApp.
  3. In the Services tab, uncheck the following:
    • Symantec Event Manager
    • Symantec Settings Manager
    • LiveUpdate
    • Symantec Management Client
    • Symantec Network Access Control
    • Symantec Endpoint Protection
  4. Click OK, and then restart the computer.
  5. After the computer starts, an alert appears. Check the box, and then click OK.


To stop Symantec Endpoint Protection if you are running Windows 2000

  1. Click Start > Run, type regedit, and click OK.
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. Delete the value ccApp.
  4. Navigate to following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  5. Delete the following keys with all their subkeys:
    • ccEvtMgr
    • ccSetMgr
    • LiveUpdate
    • SmcService
    • SNAC
    • Symantec AntiVirus
  6. Restart the computer.


Remove the Teefer2 driver
If you are running Windows Vista or Windows 2008 Server, you need to remove the Teefer2 driver. Note that this cannot be done remotely, because removing the driver temporarily disables network connectivity.

To remove the Teefer2 driver

  1. Click Start > Run, type cmd, and then press Enter.
  2. Type the following to list the Symantec drivers in the driver store: pnputil -e
  3. Type to remove Symantec drivers from the driver store, where <n> is a number corresponding to one of the Symantec drivers listed in the previous step: pnputil -f -d oem<n>.inf
  4. Type exit to close the command prompt.
  5. Click Start > Run, type regedit, and then click OK.
  6. Navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
  7. Search for any keys that have the value ComponentId set to "symc_teefer2mp". In each key that you find with that value, double-click the Characteristics value and set it to "9".
  8. Navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  9. Remove the key Teefer2.
  10. Restart the computer.
    The computer will not connect to the network after the computer starts.
  11. On the Windows desktop, right-click My Computer, and click Properties.
  12. On the Hardware tab, click Device Manager.
  13. Under Network Adapters, delete all network adapters that contain the string teefer.
  14. Right-click Network Adapters, and click Scan for hardware changes.
    Windows reinstalls the network adapter drivers. This step restores network connectivity.


Remove Symantec Endpoint Protection from the registry

  1. Run the Windows Installer Cleanup Utility to remove Symantec Endpoint Protection.
    The Windows Installer Cleanup Utility can be found at the following URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
  2. Click Start > Run, type regedit, and then click OK.
  3. In the Windows registry editor, in the left pane, delete the following keys if they are present. If one is not present, proceed to the next one.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\LDVPMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.liveupdate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E14D5EB5-438A-4362-BD0A-C3DFC150FF24}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgrHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EECTRL
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERASERUTILDRVI7
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERASERUTILREBOOTDRV
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVENG
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVEX15
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRTSP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRTSPX
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYMEVENT
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPS
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPSHELPER
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\SYMC_TEEFER2MP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccSetMgr
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eeCtrl
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilRebootDrv
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\ccSvcHst
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\LiveUpdate
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SescLU
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Symantec AntiVirus
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\SRTSP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\SRTSPL
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LiveUpdate
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NAVENG
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NAVEX15
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNAC
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SnacNp
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPL
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPX
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPS
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpsHelper
    • HKEY_LOCAL_MACHINE\SYSTEM\SYMANTEC
  4. In the following keys, remove any values with "Symantec" in the path:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
  5. Navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP
  6. Search for value names ending with Backup. For each value you find, delete the original value and rename the backup value to match original name.
    For example, if you find ConfigUiPathBackup, delete the value ConfigUiPath and rename ConfigUiPathBackup to ConfigUiPath.
  7. Remove the subkey that has the FriendlyName set to Symantec NAC Transparent Mode.
  8. Navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}
  9. Delete any subkeys that have a name containing SYMC_TEEFER2MP.
  10. Navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{cac88424-7515-4c03-82e6-71a87abac361}
    Delete any sub keys that have a name containing SYMC_TEEFER2MP.
  11. If you are running a 64-bit operating system, remove the following keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\*\ShellEx\ContextMenuHandlers\LDVPMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\.liveupdate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers\LDVPMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\.liveupdate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\ccApp.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Controls Folder\Display\shellex\PropertySheetHandlers\LDVP Shell Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec
  12. Restart the computer.



Remove Symantec Endpoint Security files and folders

  1. Restart the computer into Safe Mode.
    To enter Safe Mode on Windows Vista, read the Microsoft article Start your computer in safe mode.
  2. In Safe Mode, log on as the Administrator account.
  3. Delete the following files and folders. If a file or folder is not present, proceed to the next one.
    • C:\Program Files\Symantec
    • C:\Program Files\Common Files\Symantec Shared
    • C:\WINDOWS\system32\drivers\srtsp.cat
    • C:\WINDOWS\system32\drivers\srtsp.inf
    • C:\WINDOWS\system32\drivers\srtsp.sys
    • C:\WINDOWS\system32\drivers\srtspl.cat
    • C:\WINDOWS\system32\drivers\srtspl.inf
    • C:\WINDOWS\system32\drivers\srtspl.sys
    • C:\WINDOWS\system32\drivers\srtspx.cat
    • C:\WINDOWS\system32\drivers\srtspx.inf
    • C:\WINDOWS\system32\drivers\srtspx.sys
    • C:\WINDOWS\system32\drivers\symdns.sys
    • C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    • C:\WINDOWS\system32\drivers\SYMEVENT.INF
    • C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    • C:\WINDOWS\system32\drivers\symfw.sys
    • C:\WINDOWS\system32\drivers\symids.sys
    • C:\WINDOWS\system32\drivers\symndis.sys
    • C:\WINDOWS\system32\drivers\symndisv.sys
    • C:\WINDOWS\system32\drivers\SymRedir.cat
    • C:\WINDOWS\system32\drivers\SymRedir.inf
    • C:\WINDOWS\system32\drivers\symredrv.sys
    • C:\WINDOWS\system32\drivers\symtdi.sys
    • C:\WINDOWS\system32\drivers\SysPlant.sys
    • C:\WINDOWS\system32\drivers\teefer2.sys
    • C:\WINDOWS\system32\drivers\WGX.SYS
    • C:\WINDOWS\system32\drivers\WPSDRVnt.sys
    • C:\WINDOWS\system32\drivers\WpsHelper.sys
    • C:\WINDOWS\system32\BugslayerUtil.dll
    • C:\WINDOWS\system32\cba.dll
    • C:\WINDOWS\system32\FwsVpn.dll
    • C:\WINDOWS\system32\loc32vc0.dll
    • C:\WINDOWS\system32\msgsys.dll
    • C:\WINDOWS\system32\nts.dll
    • C:\WINDOWS\system32\pds.dll
    • C:\WINDOWS\system32\sysfer.dll
    • C:\WINDOWS\system32\SymVPN.dll
  4. Search for and delete any files containing the string Symantec.
  5. If you are running a 64-bit operating system, remove the following folders:
    • C:\Program Files (x86)\Symantec
    • C:\Program Files (x86)\Common Files\Symantec Shared
  6. If you are running Windows 2000, Windows XP or Windows 2003, remove the following folder:
    C:\Documents and Settings\All Users\Application Data\Symantec
  7. If you are running Windows Vista or Windows 2008 Server, remove the following folder:
    C:\ProgramData\Symantec
  8. If you see an Access Denied error, take ownership of the folder and give yourself Full Access permission before you delete it.
  9. Go to C:\Windows\Installer.
  10. For each file in the "C:\Windows\Installer folder", right-click the file and select Properties.
  11. On the Summary tab, check to see whether the file was created by Symantec. If it was, delete the file. Repeat this for each file in the folder.




References
"Enable and Disable the Built-in Administrator Account" at:

http://technet2.microsoft.com/WindowsVista/en/library/9fe3a3eb-01ec-47d4-abac-227bd6d8490f1033.mspx

"Start your computer in Safe Mode" at:
http://windowshelp.microsoft.com/Windows/en-US/Help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx


 


Supplemental Materials

Description


Legacy ID



2009042014162748


Article URL http://www.symantec.com/docs/TECH93532


Terms of use for this information are found in Legal Notices