SpyAxe anti-spyware installed by trojan

SpyAxe anti-spyware installed by trojan

Summary: Supposed anti-spyware program SpyAxe is installed by a trojan named zlob.cy (aka Trojan-Downloader.Win32.Zlob) according to F-Secure. SpyAxe showed up on the scene about two months ago and has earned quite a name for itself. SpyAxe manages to appear on users’ desktops without any notice or consent...

TOPICS: Malware

Supposed anti-spyware program SpyAxe is installed by a trojan named zlob.cy (aka Trojan-Downloader.Win32.Zlob) according to F-Secure. SpyAxe showed up on the scene about two months ago and has earned quite a name for itself. SpyAxe manages to appear on users' desktops without any notice or consent, as seen here, with a warning that your computer is infected with spyware. F-Secure says:

SpyAxe is nice enough to detect the Trojan that downloads it, but it won't disinfect it unless you pay for a SpyAxe license, $49.50 U.S. (plus a nonimal $2.95 transaction fee). I wouldn't dare pay for a licensed copy to verify that removal is actually done, but I have my doubts.

F-Secure says this infection is growing rapidly:

[...] there seems to have recently been a huge spike in the distribution of Zlob. We found a way to see how many unique registration IDs have been handed out by the site Zlob registers with. Most of the day, there seemed to be about 1,000 new infections per hour, but now that the U.S. is waking up & powering on their computers, that number has risen to about 2,500 infections per hour.

Instructions for removing SpyAxe using a free tool called SmitRem written by anti-spyware community developer noahdfear can be found at bleepingcomputer.com. SmitRem removes the Trojan-Spy.HTML.Smitfraud.c malware infection and its variants, AntivirusGold, PSGuard Spyware Remover, SpySheriff, Spy Trooper, SpyAxe, and Security Toolbar. SmitRem has been downloaded 252,652 times according to the web page, an indication of how widespread this infection is. An example of a HijackThis log with SpyAxe and the Smitfraud infection can be seen here.

The SpyAxe website has a contacts page. If you've been a victim,  consider letting them know how you feel about it. The website says the company is located in New Zealand, but the domain name spyaxe.com is registered to Sun Shine Ltd. with a Seattle address.

Domain Name: SPYAXE.COM

    SunShine Ltd
    David Taylor   
    187th Ave, 5
    King County
    Tel. +206.9543154

The site's IP address belongs to Netcathosting in the Ukraine, and the domain registrar is ESTdomains, which I believe is closely related to ESThost, a group known to host a large number of CoolWebSearch sites running exploits. ESThost is also closely related to a California ISP/hosting company Atrivo, also known to host a large number of CWS sites. Note the IP is currently blacklisted by Spamhaus.  Four other domains reside on that IP address, almanah.biz, nospywaresoft.com, spyaxe.net and spyaxesupport.com. Links go to the whois lookup for the domain, not the domain itself.

No doubt SpyAxe will earn a top spot on Spyware Confidential's top ten rogue anti-spyware list to be posted soon. See anti-spyware spread by spyware for information on apps very similar to SpyAxe.

Topic: Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • SpyAxe WhoIs Info = BOGUS

    This probably comes as no surprise whatsoever to you, but the WhoIs info for SpyAxe is totally bogus. Speaking as someone who lives in the Puget Sound area, any address containing "187th Ave" (regardless of what "direction" might follow it) would not be located in Seattle proper and also would not be located in ZIP code 98101. Secondly, a Google search on the phone number leads to a David Ackerson, listed as both a business and a residence. Google contains no address information for the phone number except "Seattle, WA 98101."

    As I prefaced, I'm sure the info comes as no surprise, but should be of some interest.
    • no surprise is right

      I didn't check out the address, etc. on Google, but I'm not surprised that it's bogus. Probably the whois info for the other domains on the IP is bogus, too. I'd say essentially 100% of the time the whois for these kind of sites is bogus. False info can be reported to InterNIC and ICANN, but when the registrar is one of the black hats, it's useless because nothing would be done.
  • Spyaxe new Variants

    Yes, as of today there is a new variants of Spyaxe and its called spywarestriker. It just hits my computer and cannot remove it using old procedures. Good thing I passed on a site to remove this spyaxe new variants. Here is the site for your reference: http://www.precisesecurity.com/adware-spy/awsax-008dec.htm
  • How to Remove Spyaxe - Removal Procedure

    I just want to say many thanks for the specific and easy-to-follow instruction on spyaxe removal. Spyaxe is such an annoyances for the computer users. For your reference: http://www.precisesecurity.com/adware-spy/awsax-008dec.htm
  • Delete Spyaxe New Variants

    Removing Spyaxe and its new variants:
    1. Start computer in SAFE MODE.
    2. Delete the files:
    3. Do an online virus scan while on safe mode.
    For more detailed instructions please visit:
  • TrojanWin.32.Zlob.hp

    I`m disabled in a remote area this machine was donated to maintain independent life quality which is stressful enough but being self taught in computing these malicious deviants do real physical harm I got a dvt bloodclot chasing one!

    Microsoft xp-pro security center and neither beta spy or live security center scan found it

    I formatted the drive wrote zeroes on my dell optiplex gx 150 wd 40gb did clean install went online to update my defender-pro(kaspersky)virus base there it was again in the system volume information folder that cannot be disinfected!
  • RE: SpyAxe anti-spyware installed by trojan