How to remove the dangerous Superfish adware preinstalled on Lenovo PCs

19.02.2015
Lenovo's been caught going a bit too far in its quest for bloatware money, and the results have put its users at risk. The company has been preloading Superfish, a "visual search" tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake.

You can read all the sordid details here. This article is dedicated to helping you discover whether your Lenovo PC is infected with Superfish, and how to eradicate it if you are.

Which Lenovo PCs have Superfish preinstalled

Lenovo isn't saying specifically. A representative would only say that the adware was loaded on select consumer-grade machines.

Lenovo forum posts indicate that Superfish has been preinstalled on PCs since at least mid-2014. A report by Myce in January claims that at least the Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro laptops are affected. For safety's sake, if you've bought a new Lenovo PC any time in the past year, you should assume your PC may have Superfish preinstalled.

How do I know if my Lenovo PC has Superfish preinstalled

It should be easy to discover if your PC came with Superfish preloaded. The adware intrinsic to Superfish is designed to inject visual price-comparison ads into the web pages you visit, in a "Visual Search results" section "powered by VisualDiscovery." If you see that, you're affected (though maybe "infected" is the better word to use).

Update: Browsing to this website will quickly let you know if you have Superfish installed. Thanks, Filippo Valsorda!

Even if you haven't seen that pop up in your browsing, you should check and see if Superfish is installed on your Lenovo PC. Doing so is easy: Just head to Control Panel > Programs > Uninstall a Program and look for VisualDiscovery. If you see it, uninstall it!

Once that's done, run a virus scan. Apparently, many antivirus engines flag Superfish as adware--since it is--or a potentially unwanted program. Conducting a scan can help ensure that the Superfish software is truly gone.

But...

Ditch that troublesome root certificate

The biggest problem with Superfish isn't the adware itself so much as the way it hijacks legitimate SSL traffic. It does so by installing a self-generated root certificate in the Windows certificate store--a hallowed area usually reserved for trusted certificates from major companies like Microsoft and VeriSign--and then resigns all SSL certificates presented by HTTPS sites with its own certificate.

In other words, Superfish conducts a man-in-the-middle attack and breaks the sanctity of HTTPS encryption. And simply removing the adware itself doesn't remove the rogue root certificate.

You can revoke that certificate manually, however. Here's how, as told to PCWorld by Chris Boyd, a malware intelligence analyst at Malwarebytes.

First, press Windows key + R on your keyboard to bring up the Run tool, then search for certmgr.msc to open your PC's certificate manager.

Once that opens, click on "Trusted root certificate authorities" in the left-hand navigation pane, then double-click "Certificates" in the main pane. A list of all trusted root certificates will appear. Find the Superfish entry, then right-click on it and select "Delete."

That should do it. This Microsoft support article outlines a different way of deleting trusted root certificates, though it hasn't been updated in years.

With that, your new PC should be free of all of Superfish's nasty tentacles. Shame on Lenovo for letting this happen to begin with.

IDG News Service's Lucian Constantin provided additional reporting for this article.

(www.pcworld.com)

Brad Chacos