Monday, May 03, 2010

Trend Micro Officescan 10 Removal Script

The folks at Trend Micro make a pretty nice Anti-virus tool, but like other Anti-virus vendors, they do not provide a good means of uninstalling the client.

On multiple occasions I have had clients which end up with a half-installed version of Officescan. The result is that you cannot install the client because it's already there. And you can't remove it, because it's not installed.

Trend Micro has an article in their knowledge base which tells you what needs to be done to manually uninstall the client ... but it's a lot of steps and it's no fun to repeat this across multiple workstations/servers. For that reason - I have created a batch script which performs all of the steps for you. It takes only a few seconds to run and it works like a champ! Honestly, I don't know why they don't just package this into an exe for their users and save them some brain cells.

To use my script (for Windows XP and 2003 ONLY):

1) Copy and paste the contents below into a file named "trendmicroremoval.bat".

@echo off

echo Trend Micro OfficeScan 10 client removal script!
echo by Steve Ballantyne 4/30/2010
echo Based upon: http://esupport.trendmicro.com/Pages/Uninstalling-the-OfficeScan-10-client.aspx#P140_2883
echo.
echo This script assumes that you have already uninstalled
echo the TrendMicro OfficeScan client from add/remove programs
echo and it did a sloppy job. If not, go in and add/remove it
echo first and then only run this if you need to!
echo.
echo This only works for OfficeScan 10, and only for XP/2003.
echo Other operating systems won't run 'devcon.exe' for the
echo device removal portion of this script. See the referenced
echo URL for the full instructions.
echo.

echo SERVICE REMOVAL
echo.

REM Stop all services
net stop "tmlisten"
net stop "tmproxy"
net stop "ntrtscan"
net stop "TMBMServer"

REM Remove the services.
sc delete "tmlisten"
sc delete "tmproxy"
sc delete "ntrtscan"
sc delete "TMBMServer"

echo.
echo PROGRAM FILES DIR REMOVAL
echo.

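REM Program Files Directory. RD /S /Q removes the whole folder tree;
REM DEL /S only deletes the files and leaves the empty folders behind.
RD /S /Q "C:\Program Files\Trend Micro"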

echo.
echo REGISTRY KEYS REMOVAL
echo.

REM Registry keys GALORE.
REM No /VA switch here: /VA only clears the values directly under a key and
REM leaves the key and its subkeys in place. Without it the whole key goes.
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro" /F
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT" /F
REM "OfficeScanNT Monitor" is a value under the Run key, so delete it with /V.
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OfficeScanNT Monitor" /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntrtscan" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tmlisten" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmProxy" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmtdi" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSApiNt" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmlwf" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmwfp" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMBMServer" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmevtmgr" /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntrtscan" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmcfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmcomm" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TmFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tmlisten" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmpfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TmPreFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TmProxy" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmtdi" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSApiNt" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmlwf" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmwfp" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TMBMServer" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmevtmgr" /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ntrtscan" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmcfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmcomm" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TmFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tmlisten" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmpfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TmPreFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TmProxy" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmtdi" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\VSApiNt" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmlwf" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmwfp" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TMBMServer" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmevtmgr" /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ntrtscan" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmcfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmcomm" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TmFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tmlisten" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmpfw" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TmPreFilter" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TmProxy" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmtdi" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\VSApiNt" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmlwf" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmwfp" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TMBMServer" /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmevtmgr" /F

echo.
echo HIDDEN DEVICE REMOVAL
echo.

REM DevCon treats a bare ID as a hardware ID; the leading @ marks these
REM as device instance IDs, which is what the LEGACY_ entries are.
REM /r reboots the machine only if the removal requires it.
REM tmcomm
devcon /r remove "@ROOT\LEGACY_TMCOMM\0000"
REM tmactmon
devcon /r remove "@ROOT\LEGACY_TMACTMON\0000"
REM tmevtmgr
devcon /r remove "@ROOT\LEGACY_TMEVTMGR\0000"
REM Trend Micro Filter ?? (not verified)
devcon /r remove "@ROOT\LEGACY_TMFILTER\0000"
REM Trend Micro PreFilter ?? (not verified)
devcon /r remove "@ROOT\LEGACY_TMPREFILTER\0000"
REM Trend Micro TDI Driver
devcon /r remove "@ROOT\LEGACY_TMTDI\0000"
REM Trend Micro VSAPI NT ?? (not verified)
devcon /r remove "@ROOT\LEGACY_VSAPINT\0000"
REM Trend Micro Unauthorized Change Prevention Service ?? (not verified)
devcon /r remove "@ROOT\LEGACY_TMBMSRV\0000"
REM Trend Micro WFP Callout Driver ?? (not verified)
devcon /r remove "@ROOT\LEGACY_TMWFP\0000"

echo.
echo DONE - Now try to reinstall!
echo.
PAUSE


2) Grab a copy of DEVCON from this Microsoft download page. Place the devcon.exe file next to the trendmicroremoval.bat file. This will allow the batch script to remove some hidden devices.

3) Run the batch file, and watch in awe.

4) Now you can reinstall the client (assuming that was your goal to begin with).

Did this help you? Drop me a comment!

NOTE: Devcon is what limits this script to XP/2003 only. If you are running Windows 2008, Vista, Windows 7, etc. you can still run the batch file, just not the devcon part. You would have to follow manual instructions for device removal according to the Trend Micro KB.
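
A read-only check to run after the removal script and before reinstalling, reporting which of the same services, registry keys and folder are still present. This is an added example, not part of the original script; it changes nothing on the machine, and the `devcon find` line assumes devcon.exe sits in the same folder as the check.

```bat
@echo off
REM Added example (not from the original script): read-only leftover check.
REM Service names, registry paths and folder are the ones trendmicroremoval.bat targets.
setlocal
set LEFT=0

echo Services:
for %%S in (tmlisten tmproxy ntrtscan TMBMServer) do (
    sc query "%%S" >nul 2>&1
    if not errorlevel 1 (echo   still present: %%S& set LEFT=1)
)

echo Registry service keys:
for %%C in (CurrentControlSet ControlSet001 ControlSet002 ControlSet003) do (
    for %%S in (ntrtscan tmcfw tmcomm TmFilter Tmlisten tmpfw TmPreFilter TmProxy tmtdi VSApiNt tmlwf tmwfp TMBMServer tmevtmgr) do (
        reg query "HKLM\SYSTEM\%%C\Services\%%S" >nul 2>&1
        if not errorlevel 1 (echo   still present: HKLM\SYSTEM\%%C\Services\%%S& set LEFT=1)
    )
)

echo Other registry entries:
for %%K in ("HKLM\SOFTWARE\TrendMicro" "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT") do (
    reg query %%K >nul 2>&1
    if not errorlevel 1 (echo   still present: %%~K& set LEFT=1)
)
REM The Run entry is a value, so it is queried with /v rather than as a key.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OfficeScanNT Monitor" >nul 2>&1
if not errorlevel 1 (echo   still present: Run value "OfficeScanNT Monitor"& set LEFT=1)

echo Program folder:
if exist "C:\Program Files\Trend Micro" (echo   still present: C:\Program Files\Trend Micro& set LEFT=1)

REM Informational only: list matching legacy device instances if devcon is available.
if exist "%~dp0devcon.exe" "%~dp0devcon.exe" find "@ROOT\LEGACY_TM*" "@ROOT\LEGACY_VSAPINT*"

if "%LEFT%"=="1" (echo Leftovers found - review the list above before reinstalling.& exit /b 1)
echo No leftovers found.
exit /b 0
```

The exit code is 1 when anything is left and 0 otherwise, so the check can gate a reinstall step when run across several machines.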