
Registry key to delete

Created: 06 May 2013 • Updated: 07 May 2013 | 8 comments
This issue has been solved. See solution.

Hello Team,

There is a specific key which stores rootkits or keyloggers in the registry, due to which the SEP install rolls back every time. Can someone please share that key?

 

Thanks in advance

 


_Brian

There could be many keys which rootkits like to add/alter, not one specific one. Also, the purpose of a rootkit is to hide itself so you may have a tougher time accomplishing this.

You can post the SEP_INST.log file located in %temp% which will show why it is rolling back.

If you think you're infected then try the Power Eraser tool or perhaps some other third party scanner.

Swapnil khare

There is a specific key I am looking for.

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

SebastianZ

Depending on the type of rootkit/keylogger, the reg location may be completely different. I believe there is not a single specific location that would be "generally known" for all of them. Have a look at some documentation:

 

https://www-secure.symantec.com/connect/articles/r...

https://www-secure.symantec.com/connect/forums/wha...

https://www-secure.symantec.com/connect/articles/i...

SebastianZ

You don't mean this one, do you?:

Installation fails with the message "Pending system changes that require a reboot have been detected"

Article:TECH103109  |  Created: 2007-01-16  |  Updated: 2013-01-11  |  Article URL http://www.symantec.com/docs/TECH103109

 

Swapnil khare

I am sorry, I forgot to mention it is not for pending system changes.

 


 

K33

Hi Swapnil,

Solution

In the registry,

Find

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
value=%APPDATA%

and change it to

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
value=%USERPROFILE%\AppData\Roaming

Install SEP client again.
 

Check this article

The installation of Symantec Endpoint Protection (SEP) client fails and rolls back around the point of registering with LiveUpdate

 

Article:TECH94596  |  Created: 2009-01-15  |  Updated: 2009-01-31  |  Article URL http://www.symantec.com/docs/TECH94596

https://www-secure.symantec.com/connect/forums/rollback-issue-fix-works-windows-7-sep-1105
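K33's registry change as a script, added here as an example (it is not from the thread or from Symantec): it reads the value without expanding it, reports what it finds, and rewrites it only when run elevated with `-Fix`, a switch name chosen for this example. It assumes the value is stored as REG_EXPAND_SZ, as the User Shell Folders values normally are.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix   # hypothetical switch of this example: without it the script only reports
)

# HKEY_USERS has no default PowerShell drive, so address it through the provider prefix.
$keyPath  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$name     = 'AppData'
$expected = '%USERPROFILE%\AppData\Roaming'   # target value from the post above

$key = Get-Item -LiteralPath $keyPath -ErrorAction Stop

# Read the stored string as-is. Get-ItemProperty would expand the variables,
# so %APPDATA% and %USERPROFILE%\AppData\Roaming could not be told apart.
$raw  = $key.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$kind = if ($null -ne $raw) { $key.GetValueKind($name) } else { 'missing' }

[pscustomobject]@{
    Value           = $raw
    Kind            = $kind
    MatchesExpected = ($raw -eq $expected)
}

if ($raw -eq $expected) { return }   # nothing to change

if (-not $Fix) {
    Write-Warning "AppData is '$raw'; re-run elevated with -Fix to set '$expected'."
    return
}

# Export the key first so the change can be reverted with 'reg import'.
$backup = Join-Path $env:TEMP ('UserShellFolders-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; value left unchanged." }

if ($PSCmdlet.ShouldProcess("$keyPath\$name", "Set to $expected")) {
    # Write as ExpandString (REG_EXPAND_SZ) so %USERPROFILE% is still resolved per user.
    Set-ItemProperty -LiteralPath $keyPath -Name $name -Value $expected -Type ExpandString
    Write-Output "Updated. Backup saved to $backup"
}
```

Running it with `-Fix -WhatIf` shows the pending change without writing it.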

Swapnil khare

Thanks all for your help. I had to get the machine re-imaged.

 

Thank you

 
