wondering about norton rootkit


koolj96825

I bought a laptop last summer and it comes with norton antivirus trial
version installed. I uninstalled it, but I wonder if that uninstalls
the "rootkit" they were using. Is there any way to find out?

If it is still there, how would I go about getting rid of it? I've
been to their website and I just can't find anything useful there.

Thanks in advance!
 
ColTom2 said:
Try this: Removing your Norton program using SymNRT

Note that the utility you mention can only be used on Symantec products
dated 2004 and newer. If for some odd purpose an older version was
installed it will not work. Another thing to note is that SymNRT will
remove any and all Symantec products installed, not just any specific one
application any user wants to uninstall.


--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
 
Aside from R. McCarty's suggestion, Symantec buries keys deep in the
registry and even after using any of their uninstall utilities, many keys
will remain. After using the utilities suggested the only way to really
get down to the nitty-gritty of complete removal is to search the registry
and carefully delete any remaining hives/keys. Be 100% proof positive
before deleting any hives/keys from the registry or major problems will
develop possibly disabling any use of the machine.

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
 
Symantec apparently has fixed their "rootkit" problem with Norton
Anti-Virus, as outlined in January 11, 2006 article:
http://www.eweek.com/article2/0,1895,1910077,00.asp

But if you uninstalled Norton prior to their fix update who knows what is
still on your computer. And to do this you will have to manually edit your
Registry, as Brian A. indicates, and remove all "Symantec" and also "Norton"
files. I just did this on a computer recently and there are a lot of files
to delete in the Registry. Be careful as Brian states and also backup your
Registry prior to running "regedit" etc.
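
As an added example (not part of the original posts and not a Symantec tool), this PowerShell script follows the advice above: it backs up the hives first, then only lists keys and services matching "Symantec" or "Norton" for manual review, deleting nothing. The backup folder name and the choice of hives are assumptions.

```powershell
# Added example: read-only inventory of leftover Symantec/Norton registry entries.
# Run from an elevated PowerShell prompt. Nothing in this script deletes anything.
$pattern   = 'Symantec|Norton'
$backupDir = Join-Path $env:USERPROFILE 'RegBackup'   # assumed location
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up every hive that will be searched, before regedit is opened at all.
$hives = 'HKLM\SOFTWARE', 'HKLM\SYSTEM\CurrentControlSet\Services', 'HKCU\Software'
foreach ($hive in $hives) {
    $file = Join-Path $backupDir (($hive -replace '\\', '_') + "-$stamp.reg")
    & reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $hive failed; stop here." }
}

# 2. List keys whose own name matches. Subkeys under a matching vendor key are
#    counted, not listed, so the report stays reviewable.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKCU:\Software'
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                SubKeys = $_.SubKeyCount
                Values  = $_.ValueCount
            }
        }
}

# 3. Services and drivers whose ImagePath still points at a matching file.
#    These load at boot, so they matter more than orphaned settings keys.
$drivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ImagePath -match $pattern } |
    Select-Object PSChildName, ImagePath, Start

# 4. Save the key list for review; a name match alone does not prove a key
#    belongs to Symantec ("Norton" can appear in unrelated software).
$hits | Sort-Object Key |
    Export-Csv (Join-Path $backupDir "leftover-keys-$stamp.csv") -NoTypeInformation
$drivers | Format-Table -AutoSize
'{0} matching keys, {1} services/drivers with a matching ImagePath' -f
    @($hits).Count, @($drivers).Count
```

The exported `.reg` files can be re-imported with `reg.exe import` if a manual deletion breaks something.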
 
ColTom2 said:
Symantec apparently has fixed their "rootkit" problem with Norton
Anti-Virus, as outlined in January 11, 2006 article:
http://www.eweek.com/article2/0,1895,1910077,00.asp

But if you uninstalled Norton prior to their fix update who knows what
is still on your computer.

That "fix" is a joke. It doesn't remove anything, all it does is make
the hidden Dir visible. They have no intention of removing it as proven by
their statements, otherwise they would have corrected it in a proper
manner.
<quote>
A spokesman for Symantec referenced the Sony flap in a statement sent to
eWEEK, but downplayed the risk to consumers. "In light of current
techniques used by today's malicious attackers, Symantec re-evaluated the
value of hiding the [previously cloaked] directory. Though the chance of an
attacker using [it] as a possible attack vector is extremely slim,
Symantec's update further protects computers by displaying the directory,"
the spokesman said.
</quote>

Now I'm not sure where they think it furthers protection by making it
visible, but if their thoughts are on when a consumer gets whacked the
consumer can now see it, that's downright incompetence. Sheesh, what
companies will do to copy protect a product these days, and to top it off a
Security related company providing unsecure products.

And to do this you will have to manually edit your
Registry, as Brian A. indicates, and remove all "Symantec" and also
"Norton" files. I just did this on a computer recently and there are a
lot of files to delete in the Registry.

Oh such fun! The last time I ran a reg compare on a NIS install it
placed over 1500 keys in the registry, that's scary and definitely bloat.
The even scarier part is the many files it sets to share, remove one and
you whack another app or even the OS.

Be careful as Brian states and also backup your
Registry prior to running "regedit" etc.

Thanks for stating backup, something I normally do but it slithered past
this time.

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
 
I believe Norton also installs "stuff" in the boot sector of the hard drive.
The only way to get that out is a reformatting of the hard drive since this
area is not viewable at all.
 