0

I've been given a friend's PC to fix because he thinks it has a virus. However the virus appears to be the software that's telling him that Windows has got a virus. This piece of malware called 'Windows Instant Scanner' has evaded all my attempts to remove it. It won't let me start task manager, it blocks process explorer, I can't open windows defender and booting into safe mode won't bypass it.

I've seen numerous guides on the web which all look they were posted by the same person, on the same day. Out of desperation I tried this one but it didn't work for me.

Does anyone know of a reliable way to remove it?

Ganesh R.
  • 5,259
Ian Oakes
  • 396

1 Answers1

1

Assuming the tools you've used have not helped, you can edit the registry direct. Please note, if you've not done this before, don't do it until you understand what the registry does and what affects of getting the below (which is untested) wrong could mean!

Windows Instant Scanner manual remover:

Delete Windows Instant Scanner files:  
Protector-[rnd].exe in %AppData% folder  
Delete Windows Instant Scanner registry entries:  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\  
Debugger = svchost.exe  
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe

Source

Dave
  • 25,513