How can I get rid of 'Windows Instant Scanner'?

0

I've been given a friend's PC to fix because he thinks it has a virus. However, the virus appears to be the software that's telling him that Windows has got a virus. This piece of malware called 'Windows Instant Scanner' has evaded all my attempts to remove it. It won't let me start Task Manager, it blocks Process Explorer, I can't open Windows Defender and booting into safe mode won't bypass it.

I've seen numerous guides on the web which all look like they were posted by the same person, on the same day. Out of desperation I tried this one but it didn't work for me.

Does anyone know of a reliable way to remove it?

Ian Oakes

Posted 2012-10-24T11:36:51.457

Reputation: 396

Can you get into services? – Dave – 2012-10-24T11:47:58.563

2

What tools have you used up to this point? Malwarebytes should be able to remove this spyware. – Ramhound – 2012-10-24T11:53:51.133

1

+1 for Malwarebytes but if Malwarebytes doesn't work (and I assume it doesn't) then try the tutorial here in the video: http://www.2-viruses.com/remove-windows-instant-scanner - it uses SpyHunter (although there is a cost but it does show it removes the issue you have)

– Dave – 2012-10-24T11:54:33.220

1

Look at the canonical FAQ on removing malware and viruses: How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?

– Sathyajith Bhat – 2012-10-24T12:20:12.357

Answers

1

Assuming the tools you've used have not helped, you can edit the registry directly. Please note, if you've not done this before, don't do it until you understand what the registry does and what the effects of getting the below (which is untested) wrong could be!

Windows Instant Scanner manual remover:

Delete Windows Instant Scanner files:  
Protector-[rnd].exe in %AppData% folder  
Delete Windows Instant Scanner registry entries:  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe

Source

Dave

Posted 2012-10-24T11:36:51.457

Reputation: 24 199
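
The manual steps from the answer above, as an added PowerShell example that is not part of the original post: it reports Image File Execution Options `Debugger` values, `Protector-*.exe` Run entries and the matching files in `%AppData%`, and deletes only when called with `-Remove`. The `-Remove` switch and the variable names are this example's own; the registry paths, the file name pattern and the `svchost.exe` value are taken from the answer.

```powershell
# Added example, not from the original answer. Run from an elevated PowerShell prompt.
# Without -Remove every deletion runs with -WhatIf, so the script only reports.
param([switch]$Remove)

$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$run    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$dryRun = -not $Remove

# 1. IFEO subkeys with a Debugger value: Windows starts the Debugger program
#    instead of the named image, so the listed tools never actually open.
$hijacks = @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) {
        New-Object PSObject -Property @{ Path = $_.PSPath; Image = $_.PSChildName; Debugger = "$dbg" }
    }
})

# 2. HKCU Run values whose command is a Protector-*.exe (the autostart entry).
$runKey   = Get-Item -Path $run -ErrorAction SilentlyContinue
$autoruns = @()
if ($runKey) {
    $autoruns = @($runKey.GetValueNames() | Where-Object {
        "$($runKey.GetValue($_))" -match '\\Protector-[^\\]+\.exe'
    })
}

# 3. The dropped executable itself.
$files = @(Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -Force -ErrorAction SilentlyContinue)

"IFEO Debugger values found: $($hijacks.Count)"
$hijacks | Sort-Object Image | Format-Table Image, Debugger -AutoSize
"Run values found: $($autoruns -join ', ')"
"Files found: $(($files | ForEach-Object { $_.FullName }) -join ', ')"

# Only Debugger values matching the answer's pattern (svchost.exe) are touched; a
# Debugger value can be legitimate, so anything else is reported and left alone.
$hijacks | Where-Object { $_.Debugger -eq 'svchost.exe' } | ForEach-Object {
    Remove-ItemProperty -LiteralPath $_.Path -Name Debugger -WhatIf:$dryRun
}
$autoruns | ForEach-Object { Remove-ItemProperty -Path $run -Name $_ -WhatIf:$dryRun }
$files    | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -WhatIf:$dryRun }
```

The script removes the `Debugger` value and leaves the now-empty subkey in place, which is enough for the named program to start normally again.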