How to delete TopSpyware (Topantispyware) - Removal tool, fix instructions

Name: TopSpyware

Aliases: Topantispyware, topantivirus, Adware.TopAV

Type: Spyware (Adware)

Size: 9,216 bytes

First appeared on: 29.03.2005

Damage: Medium

Brief Description:
TopSpyware is an adware program that displays an icon in the System Tray. The icon passes itself off as the Windows Update icon and flashes a fake virus alert. If the user double-clicks the icon, the web page http://topantivirus.biz opens in the web browser, offering a solution for the fake infection.

TopSpyware also modifies the Windows Desktop so that double-clicking anywhere on it opens the same web page.

TopSpyware reaches computers when the user accesses web pages that download other adware programs belonging to the CWS (Cool Web Search) family, such as CWS.YEXE and CWS.Searchmeup.

Visible Symptoms:

TopSpyware is easy to recognize once it has affected the computer, as it displays an icon flashing a fake virus alert in the System Tray.

Additionally, TopSpyware modifies the Windows Desktop to show text such as the following:
VIRUS ALERT!
YOUR PC IS INFECTED!
IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES!
TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC!
PROTECT YOUR PC!
REMOVE ALL VIRUSES NOW!

or

WARNING!
YOU'RE IN DANGER!
ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES,
SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH
STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browser, with all images,
and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!

SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!

Technical description:

TopSpyware creates the following files:

  • SVCHOSTS.DLL in the Windows system directory. This file is a DLL (Dynamic Link Library) that displays the icon in the System Tray.
  • DESKTOP.HTML in the subfolder WEB of the Windows directory. This file contains the picture displayed on the Desktop.

File names: srpcsrv32.dll; txfdb32.dll; spoolsrv32.exe

Once executed, Adware.Topantispyware performs the following actions:

  1. Downloads a file from the iqsearch.cc domain and executes it.
  2. Copies itself as %Windir%\System32\spoolsrv32.exe.
    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  3. Adds the value:
    "Srv32 spool service" = "%Windir%\System32\spoolsrv32.exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    so that Adware.Topantispyware runs every time Windows starts.

  4. Creates the following files:

    %Windir%\System32\srpcsrv32.dll
    %Windir%\System32\txfdb32.dll
    %Windir%\Web\desktop.html

  5. Sets %Windir%\Web\desktop.html as the desktop wallpaper.
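
The files and registry value listed above can be checked for with a read-only script. This is an added example, not part of the original description or any vendor tool; the SysWOW64 directory and the WOW6432Node key are assumptions added to cover 32-bit redirection on 64-bit Windows and do not appear in the description above.

```powershell
# Added example: read-only check for the TopSpyware artifacts listed on this page.
# Nothing is deleted or modified; matches are only reported.
$windir = $env:windir

# File names come from the page. SysWOW64 is an addition (not on the page)
# for 32-bit file system redirection on 64-bit Windows.
$systemDirs  = @('System32', 'SysWOW64')
$systemFiles = @('spoolsrv32.exe', 'srpcsrv32.dll', 'txfdb32.dll', 'svchosts.dll')
$paths = @(Join-Path $windir 'Web\desktop.html')
foreach ($dir in $systemDirs) {
    foreach ($name in $systemFiles) {
        $paths += Join-Path (Join-Path $windir $dir) $name
    }
}

# RunOnce subkeys and value name from the page. WOW6432Node is an addition
# (not on the page) for 32-bit registry redirection on 64-bit Windows.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$valueName = 'Srv32 spool service'

$findings = @()
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # -Force so hidden or system files are still returned.
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Kind   = 'File'
            Where  = $path
            Detail = '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTimeUtc
        }
    }
}
foreach ($key in $runOnceKeys) {
    # A missing key or a key with no values yields $null here.
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $value = $props.PSObject.Properties[$valueName]
    if ($value) {
        $findings += [pscustomobject]@{
            Kind = 'Registry'; Where = "$key\$valueName"; Detail = $value.Value
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the TopSpyware artifacts listed on this page were found.' }
```

Run it from a 64-bit PowerShell session on 64-bit Windows so that System32 and SysWOW64 are inspected as separate directories; the HKCU check only covers the account running the script.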

Propagation:

TopSpyware reaches computers when the user accesses web pages that download other adware programs belonging to the CWS (Cool Web Search) family, such as CWS.YEXE and CWS.Searchmeup.

Removal tool and instruction: N/A