Virus and Spyware Removal Guides, uninstall instructions

What is AuraLookup?

AuraLookup is a rogue application that we discovered while inspecting new submissions to VirusTotal. After analyzing this app, we learned that it operates as advertising-supported software (adware) and is part of the AdLoad malware family.

What is LatestFeed?

LatestFeed is a rogue applications that our researchers found while looking through new submissions o VirusTotal. After analyzing this piece of software, we determined that it operates as adware and belongs to the AdLoad malware family.

What kind of page is ourcommonnews[.]com?

Ourcommonnews[.]com is a rogue webpage that our research team found during a routine inspection of untrustworthy sites. It operates by pushing browser notification spam and redirecting visitors to other (likely unreliable/malicious) websites. Most users enter such sites via redirects caused by pages using rogue advertising networks.

What kind of page is displayforreviews[.]com?

Displayforreviews[.]com is a deceptive website that shows a fake CAPTCHA to trick visitors into allowing it to deliver notifications and redirects them to other untrustworthy websites. Most of these pages are promoted using shady methods. Our team has discovered displayforreviews[.]com while examining pages that use rogue advertising networks.

What is Dark Angels Team ransomware?

While inspecting new submissions to VirusTotal, our researchers discovered the Dark Angels Team ransomware-type program. We determined that this malicious program belongs to the Babuk ransomware family.

After launching a sample on our test machine, we learned that it encrypts files and appends their filenames with a ".crypt" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.crypt", "2.png" as "2.png.crypt", and so on for all of the affected files.

Once the encryption process was completed, this ransomware dropped a ransom note - "How_To_Restore_Your_Files.txt" - onto the desktop. This file contained a link to a Tor website, which displayed identical text to the ransom note. Based on these messages, it is evident that Dark Angels Team targets companies rather than home users.

What kind of malware is Spiderlock?

Spiderlock is the name of ransomware belonging to a ransomware family called ZEPPELIN. We discovered it while inspecting samples submitted to the VirusTotal page. It was found that Spiderlock encrypts files and appends ".sl.[victim's_ID]" to filenames. Also, it creates the "ALL YOUR FILES ARE ENCRYPTED.txt" file that contains a ransom note.

An example of how Spiderlock modifies filenames: it renames "1.jpg" to "1.jpg.sl.25A-077-5F7", "2.png" to "2.png.sl.25A-077-5F7", and so forth.

What kind of page is advertismentzone[.]com?

Advertismentzone[.]com displays a fake CAPTCHA to trick visitors into agreeing to receive notifications. Also, it redirects to another (identical) website. Most websites like advertismentzone[.]com are promoted via other pages that use shady advertising networks. We have discovered advertismentzone[.]com while inspecting one of those sites.

What kind of malware is Starmoon?

We have discovered a new ransomware variant called Starmoon. It was found on VirusTotal (while analyzing the malware samples submitted to this page). Starmoon is part of the Spora ransomware family. It encrypts files and appends the victim's ID, starmoon@my.com email address, and four random characters as the extension to their filenames.

Also, Starmoon ransomware creates text in "ReadMe_Now!.hta" and "Read_Me!_.txt" text files containing a ransom note. An example of how Starmoon renames files: it replaces "1.jpg" with "1.jpg[ID=hLOg5c-Mail=Starmoon@my.com].8rOq", "2.exe" with "2.exe[ID=hLOg5c-Mail=Starmoon@my.com].8rOq", and so forth.

What kind of website is captchamode[.]top?

Captchamode[.]top is designed to display deceptive content to trick visitors into allowing it to deliver untrustworthy notifications. Additionally, it can redirect to various shady websites. In most cases, pages like captchamode[.]top are visited inadvertently. We have discovered this site while analyzing other pages that use rogue advertising networks.

What kind of page is adstomy[.]com?

Adstomy[.]com is a rogue site, which our researchers found while inspecting untrustworthy websites. This page promotes spam browser notifications and redirects visitors to different (likely dubious/malicious) pages. Most users enter sites of this kind via redirects caused by webpages using rogue advertising networks.