Recently we switched our anti-virus software from TrendMicro OfficeScan to Symantec Endpoint Protection. Although the basic removal of OfficeScan worked fine, the uninstaller did not removed the NDIS driver from the network stack and this caused a lot of problems (delayed startup, completely stalled computers just to name a few).
Of course, you can simply deselect the drivers by using the properties of the network connections, but we couldn’t do this on the 4000+ computers that had this issue. Therefore I searched for a solution to completely remove this NDIS driver.
First, start Regedit.exe with administrative privileges and search for the name of the NDIS driver you want to remove. In my case, I simply searched for “TrendMicro” because it was already removed, just this driver was left over.
And indeed I found the NDIS driver inside the ControlSet\Control\Network hive:
The important value is InfPath, it contains the name of the INF file; in this case “oem21.inf”. Go to C:\WINDOWS\INF and copy this file to a network folder. Rename it to give it a somewhat better name, I called it “Tmlwf.inf”.
Now download NDIS Miniport Driver Installer (mindinst) by Anders Lövgren/Uppsala Universitet. This little tool will allow you to add or remove NDIS drivers using the command line. Copy mindinst.exe from the archive to the folder where you already put the INF file.
Finally, create a batch file that will copy the INF file locally (because the network might break down when you remove an NDIS driver), execute mindinst and remove the INF file again. Name it REMOVE.BAT:
echo Remove TrendMicro NDIS filter...
copy "%~dp0Tmlwf.inf" "C:\Tmlwf.inf" /Y
"%~dp0mindinst.exe" C:\Tmlwf.inf -u
del "C:\Tmlwf.inf" /Q
Your folder should finally contain minidinst.exe (the tool), the INF file of the driver you want to remove and REMOVE.BAT that will execute it. Execute REMOVE.BAT and the NDIS driver in question will be gone.
Throw it in the deployment tool of your choice and you are done.