How to remove the dangerous Superfish adware preinstalled on Lenovo PCs

lenovoyoga2

Lenovo’s been caught going a bit too far in its quest for bloatware money, and the results have put its users at risk. The company has been preloading Superfish, a "visual search" tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake.

You can read all the sordid details here. This article is dedicated to helping you discover whether your Lenovo PC is infected with Superfish, and how to eradicate it if you are. 

Which Lenovo PCs have Superfish preinstalled?

Lenovo isn’t saying specifically. A representative would only say that the adware was loaded on select consumer-grade machines.

Lenovo forum posts indicate that Superfish has been preinstalled on PCs since at least mid-2014. A Lenovo press release says the following laptop models may be affected:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

How do I know if my Lenovo PC has Superfish preinstalled?

It should be easy to discover if your PC came with Superfish preloaded. The adware intrinsic to Superfish is designed to inject visual price-comparison ads into the web pages you visit, in a “Visual Search results” section “powered by VisualDiscovery.” If you see that, you’re affected (though maybe “infected” is the better word to use).

superfish in action on apple Mills Baker

Superfish injected ads in action on the Apple website.

Update: Browsing to this website will quickly let you know if you have Superfish installed. Thanks, Filippo Valsorda! Lastpass also tossed up a website that can check for Superfish.

Even if you haven’t seen weird ads pop up in your browsing, you should check and see if Superfish is installed on your Lenovo PC. Doing so is easy: Just head to Control Panel > Programs > Uninstall a Program and look for VisualDiscovery. If you see it, uninstall it! (Edit Feb. 20: Lenovo has now published its Superfish automated removal tool, though I'd still recommend running through these steps after using it to confirm that Superfish is indeed eradicated.)

Once that’s done, run a virus scan. Apparently, many antivirus engines flag Superfish as adware—since it is—or a potentially unwanted program. Conducting a scan can help ensure that the Superfish software is truly gone. 

But…

Ditch that troublesome root certificate

The biggest problem with Superfish isn’t the adware itself so much as the way it hijacks legitimate SSL traffic. It does so by installing a self-generated root certificate in the Windows certificate store—a hallowed area usually reserved for trusted certificates from major companies like Microsoft and VeriSign—and then resigns all SSL certificates presented by HTTPS sites with its own certificate.

In other words, Superfish conducts a man-in-the-middle attack and breaks the sanctity of HTTPS encryption. And simply removing the adware itself doesn’t remove the rogue root certificate. (Update: Microsoft quickly pushed out a Windows Defender update on Friday that removes the adware and the rogue certificate from the Windows certificate manager, but not Firefox's certificate manager.)

You can revoke that certificate manually, however. Here’s how, as told to PCWorld by Chris Boyd, a malware intelligence analyst at Malwarebytes.

First, press Windows key + R on your keyboard to bring up the Run tool, then search for certmgr.msc to open your PC’s certificate manager.

superfish in root store Chris Palmer

The rogue Superfish certificate preinstalled in the trusted root store on some new Lenovo PCs.

Once that opens, click on “Trusted root certificate authorities” in the left-hand navigation pane, then double-click “Certificates” in the main pane. A list of all trusted root certificates will appear. Find the Superfish entry, then right-click on it and select “Delete.”

That should do it. This Microsoft support article outlines a different way of deleting trusted root certificates, though it hasn’t been updated in years.

Superfish is also capable of worming into Firefox's separate certificate manager, as well. If you use Firefox, open the browser, then head to Options > Advanced > Certificates > View Certificates. If you see a listing for Superfish, click on it and select "Delete or Distrust."

With that, your new PC should be free of all of Superfish’s nasty tentacles. Shame on Lenovo for letting this happen to begin with.

IDG News Service's Lucian Constantin provided additional reporting for this article. This article has been updated several times with additional information.

Related:

Subscribe to the Best of PCWorld Newsletter

Comments