Manually Uninstalling the OfficeScan Agent

Perform manual uninstallation only if you encounter problems uninstalling the OfficeScan agent from the web console or after running the uninstallation program.

  1. Log on to the agent endpoint using an account with Administrator privileges.
  2. Right-click the OfficeScan agent icon on the system tray and select Unload OfficeScan. If prompted for a password, specify the unload password then click OK.
    Note:
    • For Windows 8, 8.1, 10, Windows Server 2012, and Windows Server 2016, switch to desktop mode to unload the OfficeScan agent.

    • Disable the password on computers where the OfficeScan agent will be unloaded.

      For more information, see Configuring Agent Privileges and Other Settings.

  3. If the unload password was not specified, stop the following services from Microsoft Management Console:
    • OfficeScan NT Listener

    • OfficeScan NT Proxy Service (for Windows Server 2008)

    • OfficeScan NT RealTime Scan

    • Trend Micro Common Client Solution Framework

  4. Remove the OfficeScan agent shortcut from the Start menu.
    • On Windows 8, 8.1, 10, Windows Server 2012, and Windows Server 2016:

      1. Switch to desktop mode.

      2. Move the mouse cursor to the bottom right corner of the screen and click Start from the menu that appears.

        The Home screen appears.

      3. Right-click Trend Micro OfficeScan.

      4. Click Unpin from Start.

    • On all other Windows platforms:

      Click Start > Programs, right-click Trend Micro OfficeScan Agent, and click Delete.

  5. Open Registry Editor (regedit.exe).
    Warning:

    The next steps require you to delete registry keys. Making incorrect changes to the registry can cause serious system problems. Always make a backup copy before making any registry changes. For more information, refer to the Registry Editor Help.

  6. Delete the following registry keys:
    • If there are no other Trend Micro products installed on the endpoint:

      • For 32-bit systems:

        HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

      • For 64-bit systems:

        HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Trend Micro

    • If there are other Trend Micro products installed on the endpoint, delete the following keys only:

      • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC

      • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\OfcWatchDog

        For 32-bit systems:

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Trend Micro\OfcWatchDog

      • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp

        For 64-bit systems:

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Trend Micro\PC-cillinNTCorp

  7. Delete the following registry keys/values:
    • For 32-bit systems:

      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT

      • OfficeScanNT Monitor (REG_SZ) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • For 64-bit systems:

      • HKEY_LOCAL_MACHINE\SOFTWARE\ Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT

      • OfficeScanNT Monitor (REG_SZ) under HKEY_LOCAL_MACHINE\SOFTWARE\ Wow6432Node\Microsoft\Windows\CurrentVersion\Run

  8. Delete all instances of the following registry keys in the following locations:
    • Locations:

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services

    • Keys:

      • NTRtScan

      • tmccsf

      • TmFilter

      • TmListen

      • TmPreFilter

      • TmProxy

        Note:

        TmProxy does not exist on Windows 7/8/8.1/10 or Windows Server 2008 R2/2012/2012 R2/2016 platforms.

      • tmtdi

        Note:

        tmtdi does not exist on Windows 7/8/8.1/10 or Windows Server 2008 R2/2012/2012 R2/2016 platforms.

      • VSApiNt

      • tmlwf (for Windows Server 2008/7/8/8.1/10/Server 2012/2016 computers)

      • tmwfp (for Windows Server 2008/7/8/8.1/10/Server 2012/2016 computers)

      • tmevtmgr

      • tmeevw (for Windows 7/8/8.1/10/Server 2008 R2/Server 2012/2012 R2/2016 computers)

      • tmusa (for Windows 7/8/8.1/10/Server 2008 R2/Server 2012/2012 R2/2016 computers)

  9. Close Registry Editor.
  10. Manually delete Trend Micro drivers and services using a command line editor (Windows 8/8.1/10/Server 2012 only) using the following commands:
    • sc delete tmeevw

      For Windows 7/8/8.1/10 and Windows Server 2008 R2/2012/2012 R2/2016

    • sc delete tmusa

      For Windows 7/8/8.1/10 and Windows Server 2008 R2/2012/2012 R2/2016

    • sc delete tmccsf

    • sc delete tmproxy

      For Windows Server 2008

    • sc delete tmtdi

      For Windows Server 2008

    Note:

    Run the command line editor using administrator privileges (for example, right-click cmd.exe and click Run as administrator) to ensure the commands execute successfully.

  11. Restart the agent endpoint.
  12. If there are no other Trend Micro products installed on the endpoint, delete the Trend Micro installation folder (typically, C:\Program Files\Trend Micro). For 64-bit computers, the installation folder can be found under C:\Program Files (x86)\Trend Micro.
  13. If there are other Trend Micro products installed, delete the following folders:
    • <Agent installation folder>

    • The BM folder under the Trend Micro installation folder (typically, C:\Program Files\Trend Micro\BM for 32-bit systems and C:\Program Files (x86)\Trend Micro\BM for 64-bit systems)

  14. Remove system drivers from the %system% folder.

    System

    Drivers

    All

    Folder: %system%\system32\drivers

    • tmactmon.sys

    • tmcomm.sys

    • tmeevw.sys

    • tmel.sys

    • tmevtmgr.sys

    • tmlwf.sys

    • tmnciesc.sys

    • TMUMH.sys

    • tmusa.sys

    • tmwfp.sys

    All (Data Protection installed)

    Folder: %system%\system32\drivers

    • dlpnetfltr.sys

    • sakcd.sys

    • sakfile.sys

    • saknet.sys

    Folder: %system%\system32\

    • dgagent

     

    64-bit

    Folder: %systemroot%\sysWOW64\

    • tmumh

     

    Folder: %systemroot%\system32\drivers\

    • TMEBC64.sys

     

    Folder: %systemroot%\system32\

    • tmumh

     

    64-bit (Data Protection installed)

    Folder: %systemroot%\system32\

    • ApiHookStub.x64.dll

    • dlpexaddin.x64.dll

    • dlphook.x64.dll

    • dsa.lic

    • RemoveWorkingDirectory.exe

    • ShowMsg.exe

    • ShowMsg.xml

    Folder: %systemroot%\sysWOW64\

    • ApiHookStub.x86.dll

    • dlpexaddin.x86.dll

    • dlphook.x86.dll

    • NMEM.dll

    • ShowMix.dll

    • ShowMix.xml

    32-bit

    Folder: %systemroot%\system32\

    • tmumh

     

    Folder: %systemroot%\system32\drivers\

    • TMEBC32.sys

     

    32-bit (Data Protection installed)

    Folder: %systemroot%\system32\

    • ApiHookStub.x86.dll

    • dlpexaddin.x86.dll

    • dlphook.x86.dll

    • dsa.lic

    • RemoveWorkingDirectory.exe

    • NMEM.dll

    • ShowMsg.exe

    • ShowMsg.xml

    • ShowMix.dll

    • ShowMix.xml