Trojan disabled Teefer2 driver

Created: 19 Oct 2010 | 4 comments

After identifying and removing a Trojan from a workstation which Endpoint didn't catch, its support tool still shows that the Teefer2 driver is not functional. It looks like the trojan disabled/broke the Teefer2 driver so it can communicate back to its C&C site. The Teefer2 is not listed within Device Manager. Here are the steps that I tried so far.

* From the Add/Remove Programs, I ran Endpoint's repair.

* I uninstalled Endpoint. I also removed the folder C:\Documents and Settings\All Users\Application Data\Symantec

Is there a dedicated support tool just for the removal of the Teefer2 driver?

pete_4u2002's picture

Yes, for that you need to contact the Symantec Technical Support team.

Otherwise, you may follow the manual uninstallation procedure.

AravindKM's picture

Install SEP once again and try. Remember that this driver will get installed only if you included NTP in the feature list.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Rafeeq's picture

You can open a case with Symantec to get the CleanWipe tool; this will remove all the instances. Or follow these steps to remove Teefer:

Remove the Teefer driver

  1. Click Start > Search, type cmd, and press Ctrl+Shift+Enter to start a command prompt with Administrator privileges.
  2. Type pnputil -e to list the Symantec drivers in the driver store.
  3. Type pnputil -f -d oem<n>.inf to remove Symantec drivers from driver store, where <n> is a number corresponding to one of the Symantec drivers listed in the previous step.
  4. Type exit to close the command prompt.
  5. In the Windows registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
  6. Delete any keys that have a value of ComponentId that is set to symc_teefer2mp.
  7. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}.
  8. Delete any sub keys that have a name containing SYMC_TEEFER2MP.
  9. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{cac88424-7515-4c03-82e6-71a87abac361}.
  10. Delete any sub keys that have a name containing SYMC_TEEFER2MP.
  11. Close the Windows Registry Editor.
  12. In the Device Manager (devmgmt.msc), go to Network Adapters, and delete all entries with "teefer" in them.
  13. Delete any network adapters to which teefer was attached.
    This causes the adapters to be reinstalled. This step must be done in order for there to be network connectivity after you restart the computer.
  14. Restart the computer into normal mode.

P_K_'s picture

The following steps need to be followed to confirm teefer is not present:

a. Search for teefer in the registry.

b. Check the Device Manager.

c. Query for teefer on the cmd prompt (sc queryex teefer2): It should return “The specified service does not exist as an installed service.”

MCT MCSE-2012 Symantec Technical Specialist (SCTS)
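
A read-only way to confirm the result of the removal steps and the checks listed above, as an added example that is not part of the original thread and is not a Symantec tool. It assumes an elevated PowerShell 3.0 or later session; the function name Get-TeeferRemnant is hypothetical, and the registry keys, ComponentId and service name are the ones quoted in the thread.

```powershell
# Added example: read-only audit for Teefer2 leftovers. Nothing is deleted.
# Run in an elevated PowerShell session; keys and names are those quoted in the thread.
function Get-TeeferRemnant {
    $ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'

    # Steps 5-6: network-class instances whose ComponentId is symc_teefer2mp
    $class = "$ctl\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}"
    foreach ($key in Get-ChildItem -LiteralPath $class -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -Name ComponentId -ErrorAction SilentlyContinue
        if ($p.ComponentId -eq 'symc_teefer2mp') {
            [pscustomobject]@{ Check = 'Class ComponentId'; Item = $key.Name }
        }
    }

    # Steps 7-10: device-interface subkeys whose name contains SYMC_TEEFER2MP
    foreach ($guid in '{ad498944-762f-11d0-8dcb-00c04fc3358c}',
                      '{cac88424-7515-4c03-82e6-71a87abac361}') {
        Get-ChildItem -LiteralPath "$ctl\DeviceClasses\$guid" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*SYMC_TEEFER2MP*' } |
            ForEach-Object { [pscustomobject]@{ Check = 'DeviceClasses subkey'; Item = $_.Name } }
    }

    # Step 12: network adapters with "teefer" in the name
    Get-CimInstance -ClassName Win32_NetworkAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*teefer*' } |
        ForEach-Object { [pscustomobject]@{ Check = 'Network adapter'; Item = $_.Name } }

    # Step 2: Symantec packages still in the driver store.
    # pnputil output is locale-dependent; the line before the match is the oem<n>.inf name.
    pnputil.exe -e | Select-String -Pattern 'Symantec' -Context 1, 0 |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Driver store'; Item = ($_.Context.PreContext + $_.Line) -join ' | ' }
        }

    # Service check: "sc" is an alias for Set-Content in Windows PowerShell, so call sc.exe.
    # Exit code 0 means the teefer2 service entry still exists.
    sc.exe queryex teefer2 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        [pscustomobject]@{ Check = 'Service'; Item = 'teefer2' }
    }
}

$found = @(Get-TeeferRemnant)
if ($found.Count -eq 0) { 'No Teefer2 remnants found.' } else { $found | Format-Table -AutoSize -Wrap }
```

Running it before and after the manual removal shows which of the listed locations still hold Teefer2 entries; on a clean result, the network adapters removed in step 13 should already have been reinstalled by the restart.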