How to remove the dangerous Superfish adware preinstalled on Lenovo PCs

Lenovo has been preloading new consumer PCs with Superfish adware that hijacks the secure HTTPS encryption of every site you visit.

Lenovo's been caught going a bit too far in its quest for bloatware money, and the results have put its users at risk. The company has been preloading Superfish, a "visual search" tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake.

You can read all the sordid details here. This article is dedicated to helping you discover whether your Lenovo PC is infected with Superfish, and how to eradicate it if you are.

Which Lenovo PCs have Superfish preinstalled?

Lenovo isn't saying specifically. A representative would only say that the adware was loaded on select consumer-grade machines.

Lenovo forum posts indicate that Superfish has been preinstalled on PCs since at least mid-2014. A report by Myce in January claims that at least the Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro laptops are affected. For safety's sake, if you've bought a new Lenovo PC any time in the past year, you should assume your PC may have Superfish preinstalled.

How do I know if my Lenovo PC has Superfish preinstalled?

It should be easy to discover if your PC came with Superfish preloaded. The adware intrinsic to Superfish is designed to inject visual price-comparison ads into the web pages you visit, in a "Visual Search results" section "powered by VisualDiscovery." If you see that, you're affected (though maybe "infected" is the better word to use).

Update: Browsing to this website will quickly let you know if you have Superfish installed. Thanks, Filippo Valsorda!

Even if you haven't seen that pop up in your browsing, you should check and see if Superfish is installed on your Lenovo PC. Doing so is easy: Just head to Control Panel > Programs > Uninstall a Program and look for VisualDiscovery. If you see it, uninstall it!

Once that's done, run a virus scan. Apparently, many antivirus engines flag Superfish as adware--since it is--or a potentially unwanted program. Conducting a scan can help ensure that the Superfish software is truly gone.

But...

Ditch that troublesome root certificate

The biggest problem with Superfish isn't the adware itself so much as the way it hijacks legitimate SSL traffic. It does so by installing a self-generated root certificate in the Windows certificate store--a hallowed area usually reserved for trusted certificates from major companies like Microsoft and VeriSign--and then resigns all SSL certificates presented by HTTPS sites with its own certificate.

In other words, Superfish conducts a man-in-the-middle attack and breaks the sanctity of HTTPS encryption. And simply removing the adware itself doesn't remove the rogue root certificate.

You can revoke that certificate manually, however. Here's how, as told to PCWorld by Chris Boyd, a malware intelligence analyst at Malwarebytes.

First, press Windows key + R on your keyboard to bring up the Run tool, then search for certmgr.msc to open your PC's certificate manager.

Once that opens, click on "Trusted root certificate authorities" in the left-hand navigation pane, then double-click "Certificates" in the main pane. A list of all trusted root certificates will appear. Find the Superfish entry, then right-click on it and select "Delete."

That should do it. This Microsoft support article outlines a different way of deleting trusted root certificates, though it hasn't been updated in years.

With that, your new PC should be free of all of Superfish's nasty tentacles. Shame on Lenovo for letting this happen to begin with.

IDG News Service's Lucian Constantin provided additional reporting for this article.

Join the CSO newsletter!

Error: Please check your email address.

Tags iscosecurityLenovomalware

More about IDGLenovoMalwarebytesMicrosoftNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Brad Chacos

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place