Completely uninstalling Symantec Endpoint Protection the manual way!

What a nightmare this was!
Even worse considering I had to do this to my PRODUCTION EXCHANGE SERVER!

If you ever need to know How to manually uninstall Symantec Endpoint Protection client from Windows Vista, Windows 7, and Windows 2008 32-bit, this seems to have done it for me.

A lot of tedious key removal in one of the sections, so this little script saved me some carpel-tunnel syndrome!

Just for the sake of “longevity”, I paste a copy of the article below. I’m not sure if I should thank the authors considering it’s their software that I had to remove to begin with. 🙂

How to manually uninstall Symantec Endpoint Protection client from Windows Vista, Windows 7, and Windows 2008 32-bit
Article ID: TECH102286 | Created: 2007-01-02 | Updated: 2011-02-11
Technical Solution for Endpoint Protection Small Business Edition 11.0, Endpoint Protection 11.0

Problem

This document describes how to remove Symantec Endpoint Protection client from 32-bit versions of Windows Vista, Windows 7, and Windows 2008 manually.

Solution

Warning: These removal steps can disable other Symantec products that are installed on the computer. It is recommended that all Symantec products be uninstalled by using Add or Remove Programs before starting this process.

Log on as Administrator
Manual removal of Symantec Endpoint Protection must be done from the Administrator account. To enable the Administrator account, read the following document from the Microsoft Knowledge Base: Enable and Disable the Built-in Administrator Account.

When the Administrator account is enabled, log on to that account.

Stop Symantec Endpoint Protection

Click Start > Run.
Type msconfig
Click OK.
On the Startup tab, uncheck Symantec Security Technologies.
In the Services tab, uncheck the following (not all may be present):
Symantec Event Manager
Symantec Settings Manager
LiveUpdate
Symantec Management Client
Symantec Network Access Control
Symantec Endpoint Protection
Click OK, and then restart the computer.
After the computer starts up, an alert appears. Check the box and click OK.

Remove the Teefer2 driver

Click Start > Settings > Control Panel > Network Connections.
Click a connection.
In the dialog, click Properties.
Select Teefer2 Driver and click Uninstall.
You will need to repeat these steps for each Network Connection.
Restart the computer.

Remove Symantec Endpoint Protection from the registry

Run the Windows Installer Cleanup Utility to remove Symantec Endpoint Protection 11.0.
The Windows Installer Cleanup Utility can be found at the following URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Notes:
After removing Symantec endpoint Protection with the Windows Installer Cleanup Utility:
Symantec Endpoint Protection does not appear in Add/Remove Programs.
Symantec Endpoint Protection services are still present.
Symantec Endpoint Protection may still be operational.
Click Start > Run.
Type regedit and Click OK.
In the Windows registry editor, in the left pane, delete the following keys if they are present. If one is not present, proceed to the next one.
HKEY_CLASSES_ROOT*ShellexContextMenuHandlersLDVPMenu
HKEY_CURRENT_USERSoftwareSymantecSymantec Endpoint Protection
HKEY_LOCAL_MACHINESOFTWARESygate Technologies, Inc.
HKEY_LOCAL_MACHINESOFTWARESymantecInstalledApps, SAVCE value only
HKEY_LOCAL_MACHINESOFTWARESymantecSymantec Endpoint Protection
HKEY_LOCAL_MACHINESOFTWAREWhole Security
HKEY_LOCAL_MACHINESOFTWAREIntelLANDesk
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallLiveUpdate
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallSevInst
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlVirtualDeviceDrivers
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesccEvtMgr
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesccSetMgr
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceseeCtrl
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEraserUtilRebootDrv
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLiveUpdate
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNAVENG
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNAVEX15
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSmcService
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSNAC
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSnacNp
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSPBBCDrv
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSRTSP
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSRTSPL
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSRTSPX
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSymantec AntiVirus
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSymEvent
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSYMREDRV
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSYMTDI
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTeefer2
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWps
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWpsHelper
HKEY_LOCAL_MACHINESYSTEMSymantec
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlogApplicationccSvcHst
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlogApplicationLiveUpdate
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlogApplicationSescLU
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlogApplicationSymantec AntiVirus
Navigate to the following key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall
Select Uninstall.
Select Edit
Click Find.
Type symantec
Click Find Next.
A value appears in the right pane that includes the word Symantec, in a key that is still in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall.
If the key that is selected is still in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall, delete the key (in the left pane), and then repeat the search.
If the key that is selected is not in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall, continue to the next step.
Remove any values with “Symantec” in the path from the following key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionSharedDlls
Search for the following strings, and delete any registry keys that contain them:
331D64B67B1D6024FAD99FA7FAAE8F3
Vpshell2
VpShellEx
Navigate to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInstallerUserDataS-1-5-18Components.
Under the following registry keys, delete the registry key 12AD9A2D657B7654F96A2EA43F3166B3:
0E3118066B3FEE6C0AF18C3B9B1A1EE8
2A31EAB9FA7E3C6D0AF18C3B9B1A1EE8
6EC3DF47D8A2C9E00AF18C3B9B1A1EE8
7ABFE44842C12B390AF18C3B9B1A1EE8
C9AE13788D0B61F80AF18C3B9B1A1EE8
DA42BC89BF25F5BD0AF18C3B9B1A1EE8

Remove Symantec Endpoint Security files and folders

Restart the computer into Safe Mode. To enter Safe Mode on Windows Vista and Windows 7, read the Microsoft article Start your computer in safe mode.
In Safe Mode, log on as the Administrator account.
Delete the following files and folders. If a file or folder is not present, proceed to the next one.
C:Program FilesSymantecSymantec Endpoint Protection (Or the appropriate directory if you installed in a different one)
C:Program FilesSymantecLiveUpdate (Or the appropriate directory if you installed in a different one)
C:Program FilesSymantec (Or the appropriate directory if you installed in a different one)
C:Program FilesCommon FilesSymantec Shared
C:UsersAll UsersMicrosoftWindowsStart MenuProgramsSymantec Endpoint Protection
C:ProgramDataSymantec
Delete the following driver files in C:WindowsSystem32drivers. In all cases delete the files with the extensions .sys, .cat, and .inf with the following prefixes:
Coh_Mon
SrtSp
SrtSp64
SrtSpl
SrtSpl64
SrtSpx
SrtSpx64
SymDns
SymDns64
SymEvent
SymEvent64x86
SymFw
SymIds
SymNdis
SymNdisv
SymRedir
SymRedrv
SymTdi
SysPlant
Teefer2
Wgx
WpsDrvnt
WpsHelper
Delete the following driver files in both C:WindowsSystem32 and C:WindowsSysWOW64:
BugslayerUtil.dll
Cba.dll
FwsVpn.dll
Loc32Vc0.dll
MsgSys.dll
Nts.dll
Pds.dll
SysFer.dll
SymVPN.dll
Go to C:WindowsInstaller.
For each file in C:WindowsInstaller, right-click the file and select Properties.
On the Summary tab, check to see whether the file was created by Symantec. If it was, delete the file.
Repeat steps 6-9 for every file in the folder.

Remove the Teefer driver

Click Start > Search, type cmd, and press Ctrl Shift Enter to start a command prompt with Administrator privileges.
Type pnputil -e to list the Symantec drivers in the driver store.
Type pnputil -f -d oem.inf to remove Symantec drivers from driver store, where is a number corresponding to one of the Symantec drivers listed in the previous step.
Type exit to close the command prompt.
In the Windows registry editor, navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlClass{4D36E972-E325-11CE-BFC1-08002bE10318}.
Delete any keys that have a value of ComponentId that is set to symc_teefer2mp.
Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlDeviceClasses{ad498944-762f-11d0-8dcb-00c04fc3358c}.
Delete any sub keys that have a name containing SYMC_TEEFER2MP.
Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlDeviceClasses{cac88424-7515-4c03-82e6-71a87abac361}.
Delete any sub keys that have a name containing SYMC_TEEFER2MP.
Close the Windows Registry Editor.
In the Device Manager (devmgmt.msc), go to Network Adapters, and delete all entries with “teefer” in them.
Delete any network adapters to which teefer was attached.
This causes the adapters to be reinstalled. This step must be done in order for there to be network connectivity after you restart the computer.
Restart the computer into normal mode.

References
“Enable and Disable the Built-in Administrator Account” at:

http://technet2.microsoft.com/WindowsVista/en/library/9fe3a3eb-01ec-47d4-abac-227bd6d8490f1033.mspx

“Start your computer in Safe Mode” at:
http://windowshelp.microsoft.com/Windows/en-US/Help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx

____________________________________
This document is available in the following languages:

Brazilian-Portuguese: http://www.symantec.com/business/support/index?page=content&id=TECH102286&locale=pt_BR
French: http://www.symantec.com/business/support/index?page=content&id=TECH102286&locale=fr_FR
German: http://www.symantec.com/business/support/index?page=content&id=TECH102286&locale=de_DE
Italian: http://www.symantec.com/business/support/index?page=content&id=TECH102286&locale=it_IT
Spanish: http://www.symantec.com/business/support/index?page=content&id=TECH102286&locale=es_ES

Legacy ID

2007080209280848

Article URL http://www.symantec.com/docs/TECH102286

 

Comments are closed.