Manually Uninstalling the OfficeScan Agent

Perform manual uninstallation only if you encounter problems uninstalling the OfficeScan agent from the web console or after running the uninstallation program.

  1. Log on to the agent endpoint using an account with Administrator privileges.
  2. Right-click the OfficeScan agent icon on the system tray and select Unload OfficeScan. If prompted for a password, specify the unload password then click OK.
    Note:

    • For Windows 8, 8.1, 10, Windows Server 2012, and Windows Server 2016, switch to desktop mode to unload the OfficeScan agent.

    • Disable the password on computers where the OfficeScan agent will be unloaded. For details, see Configuring Agent Privileges and Other Settings.

  3. If the unload password was not specified, stop the following services from Microsoft Management Console:

    • OfficeScan NT Listener

    • OfficeScan NT Firewall

    • OfficeScan NT RealTime Scan

    • OfficeScan NT Proxy Service

      Note:

      The OfficeScan NT Proxy Service does not exist on Windows 7, 8, 8.1, 10, or Windows Server 2008R2, 2012, 2016 platforms.

    • Trend Micro Unauthorized Change Prevention Service

    • Trend Micro Common Client Solution Framework

  4. Remove the OfficeScan agent shortcut from the Start menu.

    • On Windows 8, 8.1, 10, Windows Server 2012, and Windows Server 2016:

      1. Switch to desktop mode.

      2. Move the mouse cursor to the bottom right corner of the screen and click Start from the menu that appears.

        The Home screen appears.

      3. Right-click Trend Micro OfficeScan.

      4. Click Unpin from Start.

    • On all other Windows platforms:

      Click Start > Programs, right-click Trend Micro OfficeScan Agent, and click Delete.

  5. Open Registry Editor (regedit.exe).
    Warning:

    The next steps require you to delete registry keys. Making incorrect changes to the registry can cause serious system problems. Always make a backup copy before making any registry changes. For more information, refer to the Registry Editor Help.

  6. Delete the following registry keys:

    • If there are no other Trend Micro products installed on the endpoint:

      • For 32-bit computers:

        HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

      • For 64-bit computers:

        HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Trend Micro

    • If there are other Trend Micro products installed on the endpoint, delete the following keys only:

      • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC

      • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\OfcWatchDog

        For 64-bit computers:

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Trend Micro\OfcWatchDog

      • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp

        For 64-bit computers:

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Trend Micro\PC-cillinNTCorp

  7. Delete the following registry keys/values:

    • For 32-bit systems:

      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT

      • OfficeScanNT Monitor (REG_SZ) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • For 64-bit systems:

      • HKEY_LOCAL_MACHINE\SOFTWARE\ Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT

      • OfficeScanNT Monitor (REG_SZ) under HKEY_LOCAL_MACHINE\SOFTWARE\ Wow6432Node\Microsoft\Windows\CurrentVersion\Run

  8. Delete all instances of the following registry keys in the following locations:

    • Locations:

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services

    • Keys:

      • NTRtScan

      • tmccsf

      • tmcfw

      • tmcomm

      • TmFilter

      • TmListen

      • tmpfw

      • TmPreFilter

      • TmProxy

        Note:

        TmProxy does not exist on Windows 7/8/8.1/10 or Windows Server 2008 R2/2012/2016 platforms.

      • tmtdi

        Note:

        tmtdi does not exist on Windows 7/8/8.1/10 or Windows Server 2012/2016 platforms.

      • VSApiNt

      • tmlwf (for Windows Vista/Server 2008/7/8/8.1/10/Server 2012/2016 computers)

      • tmwfp (for Windows Vista/Server 2008/7/8/8.1/10/Server 2012/2016 computers)

      • tmactmon

      • TMBMServer

      • TMebc

      • tmevtmgr

      • tmeevw (for Windows 7/8/8.1/10/Server 2008 R2/Server 2012 computers)

      • tmusa (for Windows 7/8/8.1/10/Server 2008 R2/Server 2012/2016 computers)

      • tmnciesc

      • tmeext (for Windows XP/2003)

      • tmel (for Windows 8/8.1/10/Server 2012/2016 computers)

      • tmumh

  9. Close Registry Editor.
  10. Click Start > Settings > Control Panel and double-click System.
    Note:

    For Windows 8/8.1/10, Windows Server 2012, and Windows Server 2016 systems, skip this step.

  11. Click the Hardware tab and then click Device Manager.
    Note:

    For Windows 8/8.1/10, Windows Server 2012, and Windows Server 2016 systems, skip this step.

  12. Click View > Show hidden devices.
    Note:

    For Windows 8/8.1/10, Windows Server 2012, and Windows Server 2016 systems, skip this step.

  13. Expand Non-Plug and Play Drivers and then uninstall the following devices (for Windows XP/Vista/7/Server 2003/Server 2008):

    • tmactmon

    • tmcomm

    • TMEBC

    • tmevtmgr

    • TMUMH

    • Trend Micro Filter

    • Trend Micro PreFilter

    • Trend Micro TDI Driver

    • Trend Micro VSAPI NT

    • Trend Micro Unauthorized Change Prevention Service

    • Trend Micro WFP Callout Driver (For Windows Vista/Server 2008/7 computers)

  14. Manually delete Trend Micro drivers using a command line editor (Windows 8/8.1/10/Server 2012 only) using the following commands:

    • sc delete tmcomm

    • sc delete tmactmon

    • sc delete tmevtmgr

    • sc delete tmfilter

    • sc delete tmprefilter

    • sc delete tmwfp

    • sc delete vsapint

    • sc delete tmeevw

    • sc delete tmusa

    • sc delete tmebc

    • sc delete tmumh

    • sc delete tmccsf

    • sc delete Tmnciesc

    • sc delete tmlwf

    Note:

    Run the command line editor using administrator privileges (for example, right-click cmd.exe and click Run as administrator) to ensure the commands execute successfully.

  15. Uninstall the Common Firewall Driver.
    1. Right-click My Network Places and click Properties.
    2. Right-click Local Area Connection and click Properties.
    3. On the General tab, select Trend Micro Common Firewall Driver and click Uninstall.
      Note:

      The following steps only apply to Windows Vista/Server 2008/7/8/8.1/10/Server 2012 operating systems. Agents using all other operating systems skip to step 15.

    4. Right-click Network and click Properties.
    5. Click Manage network connections.
    6. Right-click Local Area Connection and click Properties.
    7. On the Networking tab, select Trend Micro NDIS 6.0 Filter Driver and click Uninstall.
  16. Restart the agent endpoint.
  17. If there are no other Trend Micro products installed on the endpoint, delete the Trend Micro installation folder (typically, C:\Program Files\Trend Micro). For 64-bit computers, the installation folder can be found under C:\Program Files (x86)\Trend Micro.
  18. If there are other Trend Micro products installed, delete the following folders:

    • <Agent installation folder>

    • The BM folder under the Trend Micro installation folder (typically, C:\Program Files\Trend Micro\BM for 32-bit systems and C:\Program Files (x86)\Trend Micro\BM for 64-bit systems)

  19. Remove system drivers from the %system% folder.

    System

    Drivers

    All

    Folder: %system%\system32\drivers

    • tmactmon.sys

    • tmcomm.sys

    • tmeevw.sys

    • tmel.sys

    • tmevtmgr.sys

    • tmlwf.sys

    • tmnciesc.sys

    • TMUMH.sys

    • tmusa.sys

    • tmwfp.sys

    All (Data Protection installed)

    Folder: %system%\system32\drivers

    • dlpnetfltr.sys

    • sakcd.sys

    • sakfile.sys

    • saknet.sys

    Folder: %system%\system32\

    • dgagent

    		  

    64-bit

    Folder: %systemroot%\sysWOW64\

    • tmumh

    		  

    Folder: %systemroot%\system32\drivers\

    • TMEBC64.sys

    		  

    Folder: %systemroot%\system32\

    • tmumh

    		  

    64-bit (Data Protection installed)

    Folder: %systemroot%\system32\

    • ApiHookStub.x64.dll

    • dlpexaddin.x64.dll

    • dlphook.x64.dll

    • dsa.lic

    • RemoveWorkingDirectory.exe

    • ShowMsg.exe

    • ShowMsg.xml

    Folder: %systemroot%\sysWOW64\

    • ApiHookStub.x86.dll

    • dlpexaddin.x86.dll

    • dlphook.x86.dll

    • NMEM.dll

    • ShowMix.dll

    • ShowMix.xml

    32-bit

    Folder: %systemroot%\system32\

    • tmumh

    		  

    Folder: %systemroot%\system32\drivers\

    • TMEBC32.sys

    		  

    32-bit (Data Protection installed)

    Folder: %systemroot%\system32\

    • ApiHookStub.x86.dll

    • dlpexaddin.x86.dll

    • dlphook.x86.dll

    • dsa.lic

    • RemoveWorkingDirectory.exe

    • NMEM.dll

    • ShowMsg.exe

    • ShowMsg.xml

    • ShowMix.dll

    • ShowMix.xml
Parent topic: OfficeScan Agent Uninstallation