Spymaxx Spyware/Trojan/Virus/Whatever Encounter
I just had a run-in with the Spymaxx Windows spyware program. My friend downloaded some (possibly illegal) software, installed the package, and got this nasty bug instead. It changes your background, disables the task manager, and pops up fake Windows alerts with text like "Your machine is running slowly due to a virus". All of its messages link you to a webpage where you can buy software to fix the problem. NYARRRR!
Anyways, I tangled with it for a couple of hours at least. Here's what to do if you've got this crappy thing installed.
spywareremove.com, spyware-techie, and 2-viruses.com have information about the virus. Spyware techie appears to be a legitimate blog about removing this kind of crap from your computer. The other two sites allow you to download their own spyware, programs that scan your computer for viruses but make you pay to actually take any action. Anyways, I read over those sites, as they have some good information.
Steps to take
Boot into safe mode
This usually means repeatedly pressing F8 until Windows asks you what kind of boot you'd like to perform. My friend had a firewall installed, and the program kept trying to connect to the internet, so I chose Safe Mode (without networking). I have no idea what it tried to do over the network.
Get the DLLs
The program installs a bunch of somewhat important-looking DLLs and a few just plain odd files into C:\WINDOWS\, C:\WINDOWS\system and C:\WINDOWS\system32. You can tell because the filenames contain misspellings like ieeexplorer.dll, explorr.dll, funniest.dll, funny.dll, and such silly things. The easiest way to find everything is to go into these directories and sort the list by date created. I didn't delete them in case anything was actually important; I just moved them to the desktop, zipped them, and deleted the originals.
Remove assorted spyware files
Delete files in C:\Program Files\. On the machine I was working on, it also installed a program called WebHancer. So delete the SpyMaxx and WebHancer folders.
Kill the executable
To find out the executable name, I opened up my friendly local DOS prompt and typed "tasklist". The executable was named jtgsochvg.exe or something like this. So run 'taskkill /F /IM jtgsochvg.exe' or whatever it may be. Die, stupid spyware app. Oh yeah, and don't kill svchost.exe. Apparently it's important; Windows runs several of them and flips out when they quit unexpectedly. Who knew!
Add/Remove Programs
Yep. You'll see SpyMaxx in this window. Get rid of it!
Delete registry entries
Remember that "Task manager has been disabled by administrator" message? This site has good info on how to get the task manager back. Also cruise through the registry tree and get rid of anything that has to do with SpyMaxx or WebHancer.
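The manual hunt above (sort the Windows directories by date created, find the random-named .exe with tasklist, undo the Task Manager lockout) can be done from one script. This is an added example, not something from the original post or from any removal tool it mentions; it assumes Windows PowerShell 5 or later in an elevated Safe Mode prompt, a seven-day lookback window, a quarantine folder on the desktop, and that the lockout lives in the per-user DisableTaskMgr policy value. It quarantines rather than deletes and never kills anything, so svchost.exe stays safe.

```powershell
# Added triage helper (not from the original post). Assumptions: Windows
# PowerShell 5+, elevated Safe Mode prompt, 7-day lookback, desktop quarantine.
param(
    [int]$LookbackDays = 7,
    [string]$Quarantine = "$env:USERPROFILE\Desktop\quarantine"
)
$dirs  = "$env:SystemRoot", "$env:SystemRoot\system", "$env:SystemRoot\system32"
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Recently created DLL/EXE files in the Windows directories, with their
#    Authenticode status. Unsigned + recent is what "sort by date created" finds.
$suspects = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since -and $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{ Path = $_.FullName; Created = $_.CreationTime; Signature = $sig.Status }
        }
}
$suspects | Sort-Object Created | Format-Table -AutoSize

# 2. Quarantine instead of delete: copy unsigned suspects to a zip on the desktop
#    (what the post did by hand). Deletion is left commented out for review.
$unsigned = $suspects | Where-Object Signature -ne 'Valid'
if ($unsigned) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $unsigned | ForEach-Object { Copy-Item -Path $_.Path -Destination $Quarantine }
    Compress-Archive -Path "$Quarantine\*" -DestinationPath "$Quarantine.zip" -Force
    # $unsigned | ForEach-Object { Remove-Item -Path $_.Path -Force }
}

# 3. Running processes whose image is not signed: the tasklist step with a
#    signature check, reported only (nothing is killed here).
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $s = Get-AuthenticodeSignature -FilePath $_.Path
    if ($s.Status -ne 'Valid') {
        [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Path = $_.Path }
    }
} | Format-Table -AutoSize

# 4. "Task Manager has been disabled by your administrator" comes from the
#    DisableTaskMgr policy value; report it and clear it if set.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$v = Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($v -and $v.DisableTaskMgr -ne 0) {
    Write-Host "DisableTaskMgr is set; removing it so Task Manager works again."
    Remove-ItemProperty -Path $pol -Name DisableTaskMgr
}
```

Check the first table against the post's known names (ieeexplorer.dll, explorr.dll, funniest.dll, funny.dll) before enabling the commented-out deletion; a legitimate but unsigned third-party DLL would show up too.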
Boy, do I hate Windows. The machine appears to be up and running just fine now.
1 Comments:
Please tell me you're reading linuxhaters.blogspot.com.
Also: I too am a company in Florida, and I'm suing you.