
Registry help


mikehende
08-28-2006, 05:02 PM
Laptop running win2000 had Norton AV on it, the wife uninstalled it and replaced it with another AV software, now at startup we always get this prompt:

"Norton Antivirus Realtime Protection failed to load"

I looked at the startup and looked into every item there, only thing I could find which can be associated with an AV program is a file called CAVRID.EXE, I unchecked this and still same problem, I still don't understand the purpose of that file and I am still looking into it but since disabling that from startup does not work I am guessing that I have to go to the Registry now, I have never done anything from within the Registry so I would appreciate any help I can get before doing something stupid.

ok, the main problem I am seeing here is that I don't see anything with the name Norton in the Registry or maybe I am not looking in the right place? How do you guys think I should proceed with this please? Thanks.

dbarrow
08-28-2006, 05:55 PM
Ah, the long tentacles of Norton.
Before digging in the registry, search Symantec site for the NAV uninstaller. I recall a specific download that you can use to cleanly remove all traces.

That used to be a common problem and the only way to re-install a broken version was to run the uninstaller to completely rid yourself of it prior to doing the re-install.

mikehende
08-28-2006, 06:04 PM
great will look into it but for the knowledge, how do you locate a file in the registry? Like the norton, how do I know where to find that or any particular file in the registry?

golfmore
08-28-2006, 06:06 PM
I have a copy of that pgm from Symantec if you want it. Or you can google symNRT if that's more comfortable.

Otherwise, the registry, removing all Norton and Symantec entries. Took me about an hour on a friend's machine.

rVidia
08-28-2006, 06:22 PM
great will look into it but for the knowledge, how do you locate a file in the registry? Like the norton, how do I know where to find that or any particular file in the registry?

When in the Registry Editor (Start > Run > regedit.exe), you can press F3 on your keyboard to open Search, although unless you know the exact names of the registry keys you are looking for, this may be of little use to you. Hope it helps!

mikehende
08-28-2006, 06:22 PM
Appreciate the offer and may take you up on it but first I would like to know how locating a file in the registry is done just by manually searching for it? I don't want to believe that I have to look through every file in the registry until I find the one I'm looking for?

mikehende
08-28-2006, 06:23 PM
oh sorry, looks like we both posted at the same time, I will try your option and get back to you, thanks.

mikehende
08-28-2006, 06:57 PM
When in the Registry Editor (Start > Run > regedit.exe), you can press F3 on your keyboard to open Search, although unless you know the exact names of the registry keys you are looking for, this may be of little use to you. Hope it helps!

This helps a LOT, thank you!

Since I found a norton file in the Registry, why shouldn't I simply delete it instead of downloading the NAV uninstaller?

rVidia
08-28-2006, 07:03 PM
Just something to keep in mind: if you have System Restore enabled, make a new restore point before making changes to the registry to back up system state.

... ...

When searching the registry, I recommend searching Symantec first. I believe the main keys are as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
HKEY_CURRENT_USER\SOFTWARE\Symantec

You can navigate to these manually and then delete them, but I suggest you search Symantec and Norton to check for any other entries.

If you still have problems after you remove these keys, or if you would prefer to try this first, use the NAV uninstaller as suggested by Doug, available here (http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606?OpenDocument&ExpandSection=1#_Section1). Again, best of luck in solving this.

golfmore
08-28-2006, 07:10 PM
Then also HKEY.................. Norton. It will be there. And there is a ton of it.

The tool just goes and gets it all for you.

dbarrow
08-28-2006, 07:44 PM
You will find a TON of Symantec keys because it attaches itself all over the place. Doing a manual search through 30,000 reg keys will take forever.

There is a Symantec process for Live Update and then NAV itself.

You can run JV16, use the software uninstaller, and then run a reg cleanup.

Best to use the NAV uninstaller because it was designed to clean up all the crumbs Norton leaves behind.

mikehende
08-28-2006, 07:48 PM
If I try using the uninstaller guys I will never learn to work with the registry and as some of you may know, the registry is one of the 3 things on my list, I wish to confront it now head-on and get this over with.

Sorry I forgot to mention maybe some important info in all of my chaos, the wife "tried" uninstalling Norton from the Add/remove programs but it does not uninstall, I tried searching for an exe file but could not find one. In the registry I searched for "norton" and only 1 entry shows:

Name TYPE DATA
ab [default] Reg_SZ C:\Program Files\Common files...

When I search for "symantec" I get also 1 entry in the window on the right:

ab Threading model Reg_SZ Apartment

Any ideas how to proceed from here?

mikehende
08-28-2006, 07:53 PM
Oh sorry Doug, looks like we both posted at the same time.

rVidia
08-28-2006, 08:10 PM
Sorry I forgot to mention maybe some important info in all of my chaos, the wife "tried" uninstalling Norton from the Add/remove programs but it does not uninstall, I tried searching for an exe file but could not find one.
Mike, note a situation in which you should use the NAV uninstaller:
You tried to remove Norton AntiVirus 2003/2002/2001/2000/5.0 by using Add/Remove Programs, but that process failed.
The solution would be to use the uninstaller. I recommend you download it (here (ftp://ftp.symantec.com/misc/consumer/Rnav2003.exe)) and run that; you can tackle the registry later :cool:

mikehende
08-28-2006, 08:22 PM
Yeah I was planning to after reading Doug's last post which was posted at the same time as mine, will do so tomorrow and get back to you guys, one thing though, earlier today I went to the symantec site and it said that I should not use nav3uninstaller for the "corporate" edition which is what is on the laptop?

rVidia
08-28-2006, 08:36 PM
...earlier today I went to the symantec site and it said that I should not use nav3uninstaller for the "corporate" edition which is what is on the laptop?
Do you have a link? I don't know why there would be a problem...If you're hesitant about using the uninstaller, this (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004040815592148?Open&src=bar_sch_nam&docid=2002031914291648&nsf=ent-security.nsf&view=529c2f9adcf33a1088256e22005026f1) article may be more helpful to you (what version do you have?).

As a side note, make sure these folders are not there/removed:

(from Start > Run utility)

%programfiles%\Symantec
%programfiles%\Norton or %programfiles%\Symantec AntiVirus
and
%programfiles%\Common Files\Symantec Shared

Ensure anything Symantec/Norton-related is removed from the Program Files and Common Files folders.

mikehende
08-28-2006, 09:26 PM
Do you have a link? I don't know why there would be a problem....

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

Second box from the top says

"Do not use Rnav2003.exe to uninstall these programs.
Locate the removal instructions document for your Enterprise program in the document Manual uninstallation documents for Symantec Client Security products."

I got to sign off now but will start working on this tomorrow, since there are 3 options to uninstall [from your link] I will be choosing the option to uninstall from the Registry so I may get my wish after all depending on your reply to this post.

The problem here too is I don't know the exact version of Norton since it is not installed and I can't locate the exe file.

golfmore
08-28-2006, 09:38 PM
You can do it manually. It just takes a little time. And the entries make sense.

rVidia
08-28-2006, 11:18 PM
I got to sign off now but will start working on this tomorrow, since there are 3 options to uninstall [from your link] I will be choosing the option to uninstall from the Registry so I may get my wish after all depending on your reply to this post.

Sounds like a plan.

dbarrow
08-29-2006, 09:30 AM
It IS a PITA! That's one of the many reasons so many of us are anti Norton.
I recall going through this way back when with NAV.
Because it has so many low level system hooks, and because it has two portions of the program, NAV and Symantec Live Update, it spreads itself like poison ivy all through the registry and startup functions.

Uninstall from the Windows uninstaller menu has never been clean. You often can't re-install or repair install over top of it because, as long as some of the reg keys remain, the installer won't install.
Manual removal and purge are almost impossible.
The only way to completely clean it is by using their uninstaller and following their directions explicitly.

And, I still found traces of it long after a successful uninstall that had to be purged with JV16.

Guess they figure if they make it hard enough, you will remain a NAV user for life rather than fight to switch!

rVidia
08-29-2006, 10:15 AM
It IS a PITA! That's one of the many reasons so many of us are anti Norton. ...it spreads itself like poison ivy all through the registry and startup functions.
:clap2: Well said, my friend; well said.

mikehende
08-29-2006, 10:23 AM
Alright guys, I am ready, from the article it says this:

"Situation:
This document describes how to uninstall Symantec AntiVirus Corporate Edition 9.x client from Windows NT/2000/XP or Windows Server 2003 (32-bit) manually."

My question before I proceed to the registry is, since I don't know which version of the Corporate edition is on the laptop should I proceed or should I try to first reinstall what is on there just to know which version it is?

rVidia
08-29-2006, 10:29 AM
I would not reinstall. Do you have the installation CD? because if so, that information will most likely be on it.

mikehende
08-29-2006, 10:30 AM
No I don't have the cd because I got the laptop with this Norton preinstalled.

golfmore
08-29-2006, 10:32 AM
I have used a registry type cleaner after that to get rid of the "Left overs". Seemed to work just fine.

rVidia
08-29-2006, 10:38 AM
No I don't have the cd because I got the laptop with this Norton preinstalled.
You had said Add/Remove Programs had failed to uninstall NAV. Is it still listed in Add/Remove Progs, as you may be able to find the version of NAV there? If not, do you have any idea of how long ago you purchased Norton (i.e., the latest version?)

golfmore
08-29-2006, 10:46 AM
Add/Remove won't get it. It will still look for the NAV junk when it boots. That's OEM stuff.

rVidia
08-29-2006, 11:14 AM
Add/Remove won't get it.
Just to avoid any confusion, I was referring to Add/Remove Programs for the purpose of finding the version of NAV installed, if it is still listed there. I realize it will not successfully remove "NAVR BUY" :lol:

... ...

If you cannot find the version there, Mike, let me know if you have any idea of when you purchased NAV or the last time you updated it. If you cannot, it's probably okay for you to refer to that article (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004040815592148?Open&src=bar_sch_nam&docid=2002031914291648&nsf=ent-security.nsf&view=529c2f9adcf33a1088256e22005026f1) anyway when removing it.

mikehende
08-29-2006, 11:21 AM
You've taught me another new thing in this process, yes, I clicked on "Support information" in Add/remove and there it is, the Corporate version is 7.6.0.0000, I had always thought that the support info was a direct link to Norton's support info. Alright making progress, let me go look at the article again or on the site for instructions for this particular version.

rVidia
08-29-2006, 11:28 AM
You've taught me another new thing in this process
Great! You'll want this article:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000120111571948?Open&docid=2002031914291648&nsf=ent-security.nsf&view=docid

mikehende
08-29-2006, 11:56 AM
Before looking at that article I wish to know "how" you found it? I tried different search engines using the words "uninstall norton 7.6.0.0000" but come up empty, on Symantec's site I tried the search for this version but also nothing. I don't mean to be a pain but I need to know how to find these things in case I am on my own one day and no one around is there to help at that time so please bear with me.

mikehende
08-29-2006, 12:02 PM
it's ok, I found it, simple trick, I typed "uninstall norton 7.6" and this brought me to that very same article, so it seems that leaving out the .0.0000 is what did the trick, how in the blazes was I supposed to know that? Search engines:mad:

rVidia
08-29-2006, 12:09 PM
I don't mean to be a pain but I need to know how to find these things in case I am on my own one day and no one around is there to help at that time so please bear with me.
No problem! This is all I did:

1. Went to www.symantec.com
2. Searched "manual uninstallation documents" (sometimes being general yields better results)
3. Opened the first result

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648

4. Scrolled down to Norton AntiVirus Corporate Edition 7.x
5. Chose How to uninstall the Norton AntiVirus Corporate Edition 7.5 and 7.6 for Windows NT/2000/XP client manually

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000120111571948?Open&docid=2002031914291648&nsf=ent-security.nsf&view=docid

rVidia
08-29-2006, 12:11 PM
There's been a lot of posting at the same time going on around here! Glad you figured it out.

Ray

mikehende
08-29-2006, 12:21 PM
(sometimes being general yields better results)



This is very true and I will try adopting this method in the future, I have always tried being as detailed as possible in my searches hoping to be led "directly" to what I am looking for but it hardly ever works. Back to the task at hand, I have begun following the instructions and just to be clear, when it says "delete entries", does it mean to delete "all" the entries in the window on the right? For example it says in the article:

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Delete the following entries:
Defwatch
NAVAP
NAVAPEL
NAVENG
NAVEX15
Norton AntiVirus Client
Norton AntiVirus Server (This entry is not normal for a client install, when found, be sure to delete.) "

When I navigate to that folder on the left and highlight the "Defwatch" folder, 6 entries appear in the window on the right, does this mean I have to right click and choose delete for all 6 entries?

rVidia
08-29-2006, 12:32 PM
Back to the task at hand, I have begun following the instructions and just to be clear, when it says "delete entries", does it mean to delete "all" the entries in the window on the right?
First, you backed up the registry (restore point), correct?

Next, before proceeding, check these (from Start > Run):

%programfiles%\Symantec
%programfiles%\Norton or %programfiles%\Symantec AntiVirus
and
%programfiles%\Common Files\Symantec Shared
Anything Symantec/Norton-related in Program Files and Common Files folders

Make sure the above are removed if present.

Next, move on to the registry. When it says "delete the following entries" delete exactly as instructed. For example, when instructed to remove "Defwatch" delete that entire folder (unless specific instructions were given to remove only certain keys in that folder, which is not the case). So otherwise, remove the entire folder.

When I navigate to that folder on the left and highlight the "Defwatch" folder, 6 entries appear in the window on the right, does this mean I have to right click and choose delete for all 6 entries?
Simply right-click on the "Defwatch" folder and select "Delete" and the folder and its contents will be deleted.

mikehende
08-29-2006, 12:52 PM
I followed the article to the letter, first I exported [backed up I guess] the registry file to the C drive. Now I am proceeding to delete the entries but did not delete the folder but will start doing so now. I looked for the files using RUN but got nothing, I then decided to try using the Search and found 2 norton folders in C:\Documents and settings, deleted them, I then searched for Symantec and found 1 folder in C:\Program files\common files, when I look in that folder I see 3 folders "Virusdefs, SSC and SevInst", it only allowed me to delete the SevInst folder, when I try deleting the Virusdefs folder, it says

"Cannot delete NAVENG32.DLL:Access denied, the source file may be in use."

And when I try deleting the SSC folder, I get

"Cannot delete vpshell2.DLL:Access denied, the source file may be in use."

Next?

rVidia
08-29-2006, 12:57 PM
I followed the article to the letter, first I exported [backed up I guess] the registry file to the C drive.
Just as a general rule of thumb, you should not export the whole registry; only export individual keys. The best way to go, in my opinion, would be to make a new restore point.
...it only allowed me to delete the SevInst folder, when I try deleting the Virusdefs folder, it says

"Cannot delete NAVENG32.DLL:Access denied, the source file may be in use."

And when I try deleting the SSC folder, I get

"Cannot delete vpshell2.DLL:Access denied, the source file may be in use."

Next?
I am not sure what is causing this problem, although there may be a Symantec process running. Could you go to,

Start > Run > taskmgr > Processes tab > take a screenshot of the running processes > post back ?

Again, there may be a Symantec process you have to terminate before removing those folders.

mikehende
08-29-2006, 01:06 PM
Start > Run > taskmgr > Processes tab > take a screenshot of the running processes > post back ?

Again, there may be a Symantec process you have to terminate before removing those folders.

This very old pc does not have Paint or other graphics program as far as I can tell so I don't know how/where to save the printscreen from the clipboard?

rVidia
08-29-2006, 01:07 PM
I don't know how/where to save the printscreen from the clipboard?
Do you have Microsoft Word or a similar word processor you could paste the image in?

dbarrow
08-29-2006, 01:11 PM
NAVENG32.DLL:Access denied

Probably a reg key still loading that file and it is in use.
Use UNLOCKER program to gain access.
Look for any kind of NAV process in Task Manager.

You can EXPORT the entire registry but you won't be able to IMPORT the whole thing later as there are certain 'protected' keys that can't be altered and the import will stop when it hits one.

A RESTORE POINT and an IMAGE FILE are the preferred backups here.

If you are going to modify a BRANCH in the registry, backup or EXPORT only that key set section where you are making changes. That key, and its values will IMPORT if you want to bring them back.
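
An added example, not part of any post in this thread: once a branch has been exported as described above, the export can be searched offline for leftover Symantec/Norton references, including REG_EXPAND_SZ data, which the export stores as hex-encoded UTF-16 and a plain text search of the .reg file would miss. It assumes the `Windows Registry Editor Version 5.00` export format; the sample export, the `ExampleAV`/`ExampleSvc` names and all function names are constructed for illustration.

```python
import re

TERMS = ("symantec", "norton")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _expand_sz(text, per_line=20):
    """Build REG_EXPAND_SZ data as an export writes it: hex(2), UTF-16LE, wrapped."""
    raw = ["%02x" % b for b in (text + "\0").encode("utf-16-le")]
    rows = [",".join(raw[i:i + per_line]) for i in range(0, len(raw), per_line)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed sample export (hypothetical keys, not taken from the thread's laptop).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps]",
    r'"ExampleDir"="C:\\Program Files\\ExampleAV\\"',
    "",
    r"[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]",
    r'@="C:\\Program Files\\Common Files\\Symantec Shared\\example.dll"',
    '"ThreadingModel"="Apartment"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]",
    '"ImagePath"=' + _expand_sz(r"%ProgramFiles%\Norton Example\svc.exe"),
    '"Start"=dword:00000002',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]",
    '"DisplayName"="Print Spooler"',
    "",
])


def _decode_data(raw):
    """Turn the right-hand side of a value line into searchable text."""
    if raw.startswith('"'):
        # REG_SZ: drop the surrounding quotes, undo \\ and \" escaping.
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    m = re.match(r'hex\((2|7)\):(.*)', raw)
    if m:
        # REG_EXPAND_SZ / REG_MULTI_SZ: comma-separated UTF-16LE bytes.
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").replace("\0", " ").strip()
    return raw  # dword and binary data are left as written


def find_leftovers(export_text, terms=TERMS):
    """Return (key, value_name, data, where) for each key, name or data match."""
    text = re.sub(r'\\\r?\n\s*', '', export_text)  # join wrapped hex lines
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if any(t in key.lower() for t in terms):
                hits.append((key, None, None, "key"))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _decode_data(m.group(1))
        data = _decode_data(m.group(2))
        for where, field in (("name", name), ("data", data)):
            if any(t in field.lower() for t in terms):
                hits.append((key, name, data, where))
    return hits


if __name__ == "__main__":
    for key, name, data, where in find_leftovers(SAMPLE_EXPORT):
        print(f"[{where}] {key}" + (f" :: {name} = {data}" if name else ""))
```

The second hit in the sample is the kind of entry described earlier in the thread: a default value under an opaque CLSID key whose data points into the Symantec Shared folder.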

mikehende
08-29-2006, 01:13 PM
Nothing at all, BTW, just so you know I decided to do the registry work on an old pc so if I should do any damage then I can throw it away and nothing lost, this laptop is so old I do not know its age, it's an IBM and may have been one of the very first laptop pc's commercially produced? I do have it on the Network so I can access the file and pull it over to any of the other pc's on the network but how/where else can I paste it since this pc has no word processors?

mikehende
08-29-2006, 01:28 PM
Don't see anything with the letters NAV in Processes Doug and I will tackle both Restore point and Image file as soon as I am done with this AV thing.

rVidia
08-29-2006, 01:37 PM
Don't see anything with the letters NAV in Processes
There still may be a Symantec process running which is why you should post a list of running processes here. If you don't have a word processor, your only option may be to type the processes out. I know you can redirect the output of some commands from Command Prompt to a text file by using,

command > file.txt

although I don't think that's possible with taskmgr>process:confused:

mikehende
08-29-2006, 01:51 PM
will deal with this later too so I'll type out a list of all the processes here:

system idle process
system
SMSS.EXE
CSRSS.EXE
WINLOGON.EXE
SERVICES.EXE
LSASS.EXE
explorer.exe
svchost.exe
svchost.exe
spoolsv.exe
NETDDE.EXE
iSafe.exe
defwatch.exe
rtvscan.exe
ycommon.exe
mstask.exe
regsvc.exe
VetMsg.exe
ybrwicon.exe
WinMgmt.exe
svchost.exe
MSGSYS.EXE
YPager.exe
CAVTray.exe
WLANSTA.EXE
yop.exe
CAVRid.exe
ymetray.exe
TASKMGR.EXE
clipsrv.exe

rVidia
08-29-2006, 02:02 PM
Please end the following processes:

defwatch.exe
rtvscan.exe

Then try removing the folders again.

dbarrow
08-29-2006, 02:09 PM
will deal with this later too so I'll type out a list of all the processes here:

iSafe.exe
defwatch.exe
rtvscan.exe
ycommon.exe
VetMsg.exe
ybrwicon.exe
MSGSYS.EXE
YPager.exe
CAVTray.exe
yop.exe
CAVRid.exe
ymetray.exe


Identify the above with PROCESS EXPLORER or search for each .exe. RIGHT click on it and click PROPERTIES
You should find information there on the COMPANY, ie:
Microsoft, Symantec, etc. and some description.

Figure out what each of these belongs to and what it does.

Y stuff sounds like Yahoo
Defwatch is likely your Norton
Identify a Symantec or Norton branded .exe and stop that process allowing you to delete it.
That does NOT remove the reg keys that tell it to load.

Install the Mike Lin Startup control where these should show up and you can turn them off.
Or, check them in MSconfig.
Also check all your folder STARTUP folders for things loading from there.

Again, it is important to know what processes are running and what they belong to.
As you have found with Norton, uninstalling a program does not always mean that an associated STARTUP portion and with leftover reg keys and .dll or .exe files, it may still load a component of that removed program as a process.
It is important to track these down and remove them as they can cause conflicts later on as the remainder of the program they refer to are no longer there.
Not to mention, they suck resources.

There is a registry branch (and brain fart is preventing me from remembering where it lives) where all the startup loading is stored. This includes items that do NOT show up in the STARTUP control panel, ie: a .dll or driver that is loading at startup that may no longer have a program to go with it.

mikehende
08-29-2006, 02:25 PM
Please end the following processes:
defwatch.exe
rtvscan.exe
Then try removing the folders again.

"Cannot terminate, access denied". I'll try to identify every entry in there as I had done with the entries in Startup, will get back to you guys later, thanks.

rVidia
08-29-2006, 02:32 PM
There is a registry branch (and brain fart is preventing me from remembering where it lives) where all the startup loading is stored.
I can relate :wacko: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig ---> startupfolder and startupreg

rVidia
08-29-2006, 02:39 PM
"Cannot terminate, access denied"
Mike, try downloading this (http://www.dynawell.com/reskit/microsoft/win2000/kill.zip) from the Win2000 resource kit (kill.exe). Then, go to Start > Run > type %systemroot%\system32 > click OK > drag Kill.exe into this folder, and then from the Command Prompt, type as follows:

kill defwatch.exe
kill rtvscan.exe

and let us know if this works.

mikehende
08-29-2006, 03:00 PM
Of course, another problem, don't have an unzipping utility on this old pc.

mikehende
08-29-2006, 03:03 PM
Any "freeware" unzipping utility anywhere?

rVidia
08-29-2006, 03:08 PM
IZArc is a great free unzipping utility, available here (http://www.izarc.org/download/IZArc35.exe).

mikehende
08-29-2006, 04:02 PM
Got a pretty good freeware called "justzipit" here

http://thefreesite.com/Free_Software/Unzipping_compression_freeware/

kill ended defwatch.exe but not rtvscan.exe, those two folders still cannot delete

rVidia
08-29-2006, 04:05 PM
Interesting. I'd make a restore point and start work with the registry; worry about those folders later.

mikehende
08-29-2006, 04:12 PM
I am going through all of the processes to see if any of those has any link to Norton or symantec, if I find that none of those processes do then should I continue with the article?

rVidia
08-29-2006, 04:20 PM
Yes. Based on the processes you posted, the only Symantec/Norton-related ones were the two mentioned. If you have Mike Lin's Startup Control, check for any Symantec/Norton entries (search them here (http://www.sysinfo.org/startuplist.php)) and disable them, then reboot, check startup entries again, and then check running processes again as well (try killing those processes again if they are running).

mikehende
08-29-2006, 05:25 PM
Tried the mikelin but nothing so I am following the article right now, when I deleted the "virusprotect6" the 2nd time, the prompt I am trying to get rid of suddenly appeared and now it doesn't close and stays on the screen, I am proceeding with the rest of the instructions.

rVidia
08-29-2006, 06:02 PM
...when I deleted the "virusprotect6" the 2nd time, the prompt I am trying to get rid of suddenly appeared
I have a feeling that everything I am about to type will do nothing for you, but it may be worth a try, just to see where you're at.

Make sure you already removed HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Symevent

and then restart the computer and check for the error message (after rebooting). Then go back to the "virusprotect6" key and see if you get the error message again. If you don't get any alerts, continue following instructions from the article.

If you do, reboot and try going to Start > Run > services.msc > right-click on any Symantec/Norton services and select Properties > Disable (from the drop-down box). Then, using Start > Search utility, first search Symantec and then search Norton (use advanced options; ensure system folders, hidden files/folders, and subfolders are checked) and delete results, try killing NAV processes using Kill.exe, and try removing the key again.

If none of the above yields any results, just continue on with the article as you have been doing.

mikehende
08-29-2006, 06:47 PM
So sorry you had to write all that Ray but SUCCESS!! Finished the article at 6.30 and so far no more prompts and Norton does not show in Add/remove. I have been at this all day and thanks to the relentless help from you guys, I now feel very confident to tackle anything in the registry, finally!! Whew, what a load off my back.

So now I wish to tackle the "proper" Registry backup and Image file as Doug had recommended earlier but I will start a new thread for that because this one is already at 6 pages or so, thanks a million for helping me get over this very big hurdle guys, really appreciate it!:)

compusimple
08-30-2006, 10:55 AM
Mike
Have you tried starting in safe mode?

Elliott

mikehende
08-30-2006, 11:49 AM
Sorry Elliott, don't understand your question as the problem is solved therefore no need to start in Safe Mode?

dbarrow
08-30-2006, 11:56 AM
WEW! Victory over NORTON!
That is an accomplishment in itself!