Removal instructions for SushiLeads


  • Staff

What is SushiLeads?

The Malwarebytes research team has determined that SushiLeads is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by SushiLeads?

You may see this entry in your list of installed programs:

[screenshot: the SushiLeads entry in the installed programs list]

and this scheduled task:

[screenshot: the SushiLeads scheduled task]

How did SushiLeads get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove SushiLeads?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

Is there anything else I need to do to get rid of SushiLeads?

  • No, Malwarebytes Anti-Malware removes SushiLeads completely.
  • This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove scheduled tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.  

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the SushiLeads adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it was too late.

[screenshot: Malwarebytes Anti-Malware Premium protection alert]

Technical details for experts

You will see these signs in a HijackThis log:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8800;https=127.0.0.1:8887
O4 - HKCU\..\Run: [SushiLeadsApplication] C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe
O23 - Service: SushiLeadsUpdaterService - Unknown owner - C:\Program Files (x86)\sushileads\NpUpdaterService.exe
You may see these signs in FRST logs:

() C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe
() C:\Program Files (x86)\sushileads\NpUpdaterService.exe
HKCU\...\Run: [SushiLeadsApplication] => C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe [378880 2015-02-26] ()
ProxyServer: [{usersid}] => http=127.0.0.1:8887;https=127.0.0.1:8887
ProxyServer: [{usersid}] => http=127.0.0.1:8800;https=127.0.0.1:8887
R2 SushiLeadsUpdaterService; C:\Program Files (x86)\sushileads\NpUpdaterService.exe [10240 2015-02-26] () [File not signed]
C:\Windows\System32\Tasks\SushiLeads
C:\ProgramData\sushileads
SushiLeads (HKLM-x32\...\sushileads) (Version: 2.4.0.5 - SushiLeads)
Task: {2C3E443B-D4B9-4BF0-A513-041737329E29} - System32\Tasks\SushiLeads => C:\Program Files (x86)\sushileads\ScheduledTask.exe [2015-02-26] ()

Alterations made by the installer:

File system details
---------------------------------------------
   Adds the folder C:\Program Files (x86)\sushileads
      Adds the file AppResources.dll"="2/26/2015 11:07 AM, 6144 bytes, A
      Adds the file Captcha.exe"="2/26/2015 11:07 AM, 9728 bytes, A
      Adds the file Common.Logging.dll"="2/17/2015 2:49 PM, 44544 bytes, A
      Adds the file HtmlAgilityPack.dll"="2/17/2015 2:49 PM, 134656 bytes, A
      Adds the file Microsoft.Win32.TaskScheduler.dll"="2/17/2015 2:49 PM, 290816 bytes, A
      Adds the file Newtonsoft.Json.dll"="2/17/2015 2:49 PM, 433664 bytes, A
      Adds the file NpUpdaterService.exe"="2/26/2015 11:07 AM, 10240 bytes, A
      Adds the file Quartz.dll"="2/17/2015 2:49 PM, 885760 bytes, A
      Adds the file RestSharp.dll"="2/17/2015 2:49 PM, 160256 bytes, A
      Adds the file ScheduledTask.exe"="2/26/2015 11:07 AM, 5632 bytes, A
      Adds the file sushileads_icon.ico"="6/1/2015 11:29 AM, 19122 bytes, A
      Adds the file SushiLeadsApplication.exe"="2/26/2015 11:07 AM, 378880 bytes, A
      Adds the file uninstall.exe"="6/11/2015 8:51 AM, 124060 bytes, A
   Adds the folder C:\ProgramData\sushileads
      Adds the file instlgsent.config"="6/11/2015 8:53 AM, 0 bytes, A
      Adds the file ServiceConfig2.json"="6/11/2015 8:52 AM, 1632 bytes, A
   In the existing folder C:\Windows\System32\Tasks
      Adds the file SushiLeads"="6/11/2015 8:52 AM, 3532 bytes, A

Registry details
------------------------------------------
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SushiLeadsApplication_RASAPI32]
      "ConsoleTracingMask"="REG_DWORD", -65536
      "EnableConsoleTracing"="REG_DWORD", 0
      "EnableFileTracing"="REG_DWORD", 0
      "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
      "FileTracingMask"="REG_DWORD", -65536
      "MaxFileSize"="REG_DWORD", 1048576
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SushiLeadsApplication_RASMANCS]
      "ConsoleTracingMask"="REG_DWORD", -65536
      "EnableConsoleTracing"="REG_DWORD", 0
      "EnableFileTracing"="REG_DWORD", 0
      "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
      "FileTracingMask"="REG_DWORD", -65536
      "MaxFileSize"="REG_DWORD", 1048576
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\sushileads]
      "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\sushileads\sushileads_icon.ico,0"
      "DisplayName"="REG_SZ", "SushiLeads"
      "DisplayVersion"="REG_SZ", "2.4.0.5"
      "Publisher"="REG_SZ", "SushiLeads"
      "UninstallString"="REG_SZ", "C:\Program Files (x86)\sushileads\uninstall.exe"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NpApp\installed]
      "dt"="REG_SZ", "11.06.2015 06:51:59"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NpApp\nstlls\11.06.2015 06:51:59]
      "branding"="REG_SZ", "sushileads"
      "dplct"="REG_SZ", "false"
      "dt"="REG_SZ", "11.06.2015 06:51:59"
      "origin_id"="REG_SZ", "aa775249-ea2d-489f-8638-98e131ea5ca7"
      "subid"="REG_SZ", "NOT_PROVIDED"
      "uid"="REG_SZ", "{28501199-5E57-49D5-BBAB-0A3026FE0A86}"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NpApp\settings]
      "displayname"="REG_SZ", "SushiLeads"
      "dt"="REG_SZ", "11.06.2015 06:51:59"
      "inj"="REG_DWORD", 1
      "origin_id"="REG_SZ", "aa775249-ea2d-489f-8638-98e131ea5ca7"
      "siteid"="REG_SZ", "Sales"
      "sitename"="REG_SZ", "sushileads"
      "stdwn"="REG_SZ", "0"
      "subid"="REG_SZ", "NOT_PROVIDED"
      "uid"="REG_SZ", "{28501199-5E57-49D5-BBAB-0A3026FE0A86}"
      "version"="REG_SZ", "2.4.0.5"
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\SushiLeadsUpdaterService]
      "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\EventLogMessages.dll"
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SushiLeadsUpdaterService]
      "Description"="REG_SZ", "SushiLeads Updater."
      "DisplayName"="REG_SZ", "SushiLeadsUpdaterService"
      "ErrorControl"="REG_DWORD", 1
      "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\sushileads\NpUpdaterService.exe"
      "ObjectName"="REG_SZ", "LocalSystem"
      "Start"="REG_DWORD", 2
      "Type"="REG_DWORD", 16
      "WOW64"="REG_DWORD", 1
   [HKEY_CURRENT_USER\Software\Microsoft\KanarCore\Dynamic]
      "Attached"="REG_DWORD", 1
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "ProxyServer"="REG_SZ", "http=127.0.0.1:8800;https=127.0.0.1:8887"
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "SushiLeadsApplication"="REG_SZ", "C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe"

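For readers who want to confirm the signs from the HijackThis and FRST logs and the installer alterations above on their own machine, here is an added, read-only PowerShell check. It is not part of the original post or a Malwarebytes tool; it only looks for the proxy setting, Run key, service, scheduled task, folders and registry keys listed in this section and reports what it finds, removing nothing.

```powershell
# Added example (not part of the original post): a read-only check for the
# SushiLeads indicators listed in the technical details above. Run from an
# elevated PowerShell prompt; it reports and changes nothing.
$findings = @()

# 1. Proxy hijack (the PUM.Bad.Proxy entry): WinINet pointed at a loopback proxy
#    on the ports seen in the logs. Any unexpected 127.0.0.1 proxy deserves a look.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = (Get-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue).ProxyServer
if ($proxy -and $proxy -match '127\.0\.0\.1:(8800|8887)') {
    $findings += "ProxyServer points at a local proxy: $proxy"
}

# 2. Autostart entry in the per-user Run key
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $run -Name SushiLeadsApplication -ErrorAction SilentlyContinue).SushiLeadsApplication
if ($runVal) { $findings += "Run key SushiLeadsApplication => $runVal" }

# 3. The updater service (runs as LocalSystem; FRST reports the binary as unsigned)
$svc = Get-Service -Name SushiLeadsUpdaterService -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service SushiLeadsUpdaterService present, status $($svc.Status)" }

# 4. The scheduled task. Get-ScheduledTask exists on Windows 8 / Server 2012 and later;
#    on Windows 7 the task file under System32\Tasks (checked in step 5) covers it.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $task = Get-ScheduledTask -TaskName SushiLeads -ErrorAction SilentlyContinue
    if ($task) { $findings += "Scheduled task SushiLeads => $($task.Actions.Execute)" }
}

# 5. Folders, the task file and the registry keys the installer creates
$paths = @(
    "${env:ProgramFiles(x86)}\sushileads",
    "$env:ProgramData\sushileads",
    "$env:SystemRoot\System32\Tasks\SushiLeads",
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\sushileads',
    'HKLM:\SOFTWARE\Wow6432Node\NpApp'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Present: $p" }
}

if ($findings.Count -eq 0) {
    'No SushiLeads indicators found.'
} else {
    'SushiLeads indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

If anything is reported, run the Malwarebytes Anti-Malware scan described above rather than deleting items by hand, so the proxy value and the Delete-on-Reboot files are handled together.
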
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/11/2015
Scan Time: 9:11:19 AM
Logfile: mbamSuchiLeads.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.11.01
Rootkit Database: v2015.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 328548
Time Elapsed: 3 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\NpUpdaterService.exe, 3216, Delete-on-Reboot, [3c318c2d3b4fbe78ea83cc1f55aee020]
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe, 3224, Delete-on-Reboot, [6904eccd5b2fe74f34345b9038cb867a]

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.SushiLeads.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\sushileads, Quarantined, [55182a8f256559ddd944483183838b75],
PUP.Optional.SushiLeads.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SushiLeadsUpdaterService, Quarantined, [3c318c2d3b4fbe78ea83cc1f55aee020],
PUP.Optional.SushiLeads.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\SushiLeadsUpdaterService, Quarantined, [e18c4e6bdeacc0769ad24e9d1ce77b85],

Registry Values: 2
PUM.Bad.Proxy, HKU\S-1-5-21-1707720958-3452775987-2250322232-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:8800;https=127.0.0.1:8887, Quarantined, [80ed2c8d137789adbd62482cfc09c040]
PUP.Optional.SushiLeads.A, HKU\S-1-5-21-1707720958-3452775987-2250322232-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SushiLeadsApplication, C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe, Quarantined, [6904eccd5b2fe74f34345b9038cb867a]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.SushiLeads.A, C:\ProgramData\sushileads, Quarantined, [a4c9bafff09a3cfad83dfdeefe0544bc],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],

Files: 17
PUP.Optional.SushiLeads.A, C:\Users\{username}\Desktop\SuchiLeads.exe, Quarantined, [e489bbfe5d2df04689b5d4a7cb35fb05],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\uninstall.exe, Quarantined, [55182a8f256559ddd944483183838b75],
PUP.Optional.SushiLeads.A, C:\Windows\System32\Tasks\SushiLeads, Quarantined, [e6870dac543667cffb6b8c5fdb286e92],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\NpUpdaterService.exe, Delete-on-Reboot, [3c318c2d3b4fbe78ea83cc1f55aee020],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\SushiLeadsApplication.exe, Delete-on-Reboot, [6904eccd5b2fe74f34345b9038cb867a],
PUP.Optional.SushiLeads.A, C:\ProgramData\sushileads\instlgsent.config, Quarantined, [a4c9bafff09a3cfad83dfdeefe0544bc],
PUP.Optional.SushiLeads.A, C:\ProgramData\sushileads\ServiceConfig2.json, Quarantined, [a4c9bafff09a3cfad83dfdeefe0544bc],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\AppResources.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\Captcha.exe, Quarantined, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\Common.Logging.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\HtmlAgilityPack.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\Microsoft.Win32.TaskScheduler.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\Newtonsoft.Json.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\Quartz.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\RestSharp.dll, Delete-on-Reboot, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\ScheduledTask.exe, Quarantined, [8edf13a62862da5c0e09bc2f32d1916f],
PUP.Optional.SushiLeads.A, C:\Program Files (x86)\sushileads\sushileads_icon.ico, Quarantined, [8edf13a62862da5c0e09bc2f32d1916f],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.