I've been given a friend's PC to fix because he thinks it has a virus. However, the virus appears to be the software that's telling him that Windows has got a virus. This piece of malware called 'Windows Instant Scanner' has evaded all my attempts to remove it. It won't let me start Task Manager, it blocks Process Explorer, I can't open Windows Defender and booting into safe mode won't bypass it.

I've seen numerous guides on the web which all look like they were posted by the same person, on the same day. Out of desperation I tried this one but it didn't work for me.

Does anyone know of a reliable way to remove it?

Ganesh R.
Ian Oakes
  • Can you get into services? – Dave Oct 24 '12 at 11:47
  • What tools have you used up to this point? `Malwarebytes` should be able to remove this spyware. – Ramhound Oct 24 '12 at 11:53
  • +1 for Malwarebytes but if Malwarebytes doesn't work (and I assume it doesn't) then try the tutorial here in the video: http://www.2-viruses.com/remove-windows-instant-scanner - it uses SpyHunter (although there is a cost but it does show it removes the issue you have) – Dave Oct 24 '12 at 11:54
  • Look at the canonical FAQ on removing malware and viruses: [How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?](http://superuser.com/q/100360) – Sathyajith Bhat Oct 24 '12 at 12:20

1 Answer

Assuming the tools you've used have not helped, you can edit the registry directly. Please note, if you've not done this before, don't do it until you understand what the registry does and what the effects of getting the below (which is untested) wrong could be!

Windows Instant Scanner manual remover:

Delete Windows Instant Scanner files:  
Protector-[rnd].exe in %AppData% folder  
Delete Windows Instant Scanner registry entries:  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe

Source

Dave
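A read-only way to check for the two kinds of entries listed in the answer above, as an added example that is not part of the original answer: it parses the text of a `reg export` file and reports every `Debugger` value under Image File Execution Options plus any `Run` value pointing at a `Protector-*.exe` file. The sample export, the user path in it and the function names are constructed for illustration.

```python
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
RUN = r"software\microsoft\windows\currentversion\run"
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in `reg export` text format (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\test\\AppData\\Roaming\\Protector-abc.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            # .reg files escape backslashes and quotes inside strings; undo that.
            yield (key, *(re.sub(r"\\(.)", r"\1", s) for s in m.groups()))


def find_hijacks(text):
    """Return findings for the two persistence points the answer lists."""
    findings = []
    for key, name, data in parse_reg(text):
        # Drop the hive name and fold the 32-bit view onto the native path.
        path = key.partition("\\")[2].lower().replace("wow6432node\\", "")
        if path.startswith(IFEO + "\\") and name.lower() == "debugger":
            # Any Debugger value redirects launches of the named image; review each.
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[-1], data))
        elif path == RUN and re.search(r"\\protector-[^\\]*\.exe", data, re.I):
            findings.append(("run-key", name, data))
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE):
        print(finding)
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `find_hijacks`. Some legitimate tools also set a `Debugger` value, so each finding is something to review rather than proof of infection.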