
Registry key to delete

Created: 06 May 2013 • Updated: 07 May 2013 | 8 comments
This issue has been solved. See solution.

Hello Team,

There is a specific key which stores rootkits or keyloggers in the registry, due to which the SEP install rolls back every time. Can someone please share that key?

Thanks in advance


.Brian's picture

There could be many keys which rootkits like to add/alter, not one specific one. Also, the purpose of a rootkit is to hide itself so you may have a tougher time accomplishing this.

You can post the SEP_INST.log file located in %temp% which will show why it is rolling back.

If you think you're infected then try the Power Eraser tool or perhaps some other third party scanner.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Swapnil khare's picture

There is a specific key I am looking for.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ's picture

Depending on the type of rootkit/keylogger the reg location may be completely different. I believe there is not a single one specific location that would be "generally known" for all of them. Have a look at some documentation:

https://www-secure.symantec.com/connect/articles/r...

https://www-secure.symantec.com/connect/forums/wha...

https://www-secure.symantec.com/connect/articles/i...

SebastianZ's picture

You don't mean this one, do you?:

Installation fails with the message "Pending system changes that require a reboot have been detected"

Article:TECH103109  |  Created: 2007-01-16  |  Updated: 2013-01-11  |  Article URL http://www.symantec.com/docs/TECH103109

Swapnil khare's picture

I am sorry, I forgot to mention it is not for pending system changes.


K33's picture

Hi Swapnil,

Solution

In the registry,

Find

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
value=%APPDATA%

and change it to

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
value=%USERPROFILE%\AppData\Roaming

Install SEP client again.
 

Check this article

The installation of Symantec Endpoint Protection (SEP) client fails and rolls back around the point of registering with LiveUpdate

Article:TECH94596  |  Created: 2009-01-15  |  Updated: 2009-01-31  |  Article URL http://www.symantec.com/docs/TECH94596

https://www-secure.symantec.com/connect/forums/rollback-issue-fix-works-windows-7-sep-1105
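
The registry change described in the post above, as an added PowerShell example that is not part of the original thread or Symantec's own tooling: it reads the stored (unexpanded) `AppData` value, reports it, and only writes the replacement when run elevated with `-Apply`. The backup file name is a made-up placeholder, and writing the value as REG_EXPAND_SZ is an assumption based on the `%USERPROFILE%` variable in the target value.

```powershell
# Added example: audit (and optionally correct) the AppData value named in the post above.
# Run from an elevated PowerShell prompt; without -Apply it only reports.
param([switch]$Apply)

$subKey   = '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$name     = 'AppData'
$expected = '%USERPROFILE%\AppData\Roaming'   # target value given in the post

# Open read-only unless -Apply was passed.
$key = [Microsoft.Win32.Registry]::Users.OpenSubKey($subKey, [bool]$Apply)
if ($null -eq $key) { throw "Key not found: HKEY_USERS\$subKey" }

try {
    # Read the raw string; a default read expands %...% and hides what is actually stored.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $current  = $key.GetValue($name, $null, $noExpand)
    $kind     = if ($null -ne $current) { $key.GetValueKind($name) } else { 'missing' }
    Write-Output "Current: '$current' ($kind)"

    if ($current -eq $expected -and $kind -eq 'ExpandString') {
        Write-Output 'Value already matches; nothing to change.'
    }
    elseif (-not $Apply) {
        Write-Output "Would set to '$expected' (REG_EXPAND_SZ). Re-run with -Apply to change it."
    }
    else {
        # Log the old value first so the change can be reverted (hypothetical file name).
        $backup = Join-Path $env:TEMP 'UserShellFolders-AppData.bak.txt'
        "$(Get-Date -Format o)`t$kind`t$current" | Add-Content -Path $backup
        $key.SetValue($name, $expected, [Microsoft.Win32.RegistryValueKind]::ExpandString)
        Write-Output "Updated. Previous value logged to $backup"
    }
}
finally {
    $key.Close()
}
```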

Swapnil khare's picture

Thanks all for your help, I had to get the machine re-imaged.

thank you
