I started seeing reports of adware/malware being installed on Lenovo laptops yesterday. The story is picking up steam today (Wired covered it here), and that’s a good thing because this little bit of adware poses some significant risks. The program causing the problem, Visual Discovery, was pre-installed by Lenovo on some laptop models since August 2014. Visual Discovery causes pop-up ads and inserts ads into web pages that direct traffic to suspicious or even harmful third-party websites. The ads it serves are craftily injected into Google search results and other pages that you expect to be clean, making it easy for the unsuspecting to click and get more adware, viruses and scams. I have one of the impacted models – a Lenovo Y50-70 – and saw this garbage as soon as I powered it up the first time. I removed it, but many won’t notice it until it’s too late. (For what it’s worth, I really like this laptop – malware aside. Powerful, good graphics and sound, well built and cheaper than many competing models – probably because Lenovo offset costs by installing Visual Discovery.)
The biggest issue with this bit of nastyware is that it intercepts all your web traffic – including encrypted traffic – to analyze it and use it to offer you targeted ads. To do this, it needs to break the encryption (that Google, your bank or your email provider uses) and then use its own encryption certificate to send traffic on to its original destination. There are many problems with this approach, but perhaps the biggest issue is that the encryption certificates that Visual Discovery uses (issued by Superfish, Inc.) all share the same private encryption key, and that key is easy to crack. This makes it easy for the bad guys to create websites that impersonate valid websites (like your bank), including an encryption certificate that appears to be valid for your bank (but is really using the Superfish certificate). Any data you send to the fake sites can be intercepted and read in plain text – your user name, password, mother’s maiden name, first born and the university major of your best friend’s cousin’s nephew’s neighbor’s college roommate during the second half of her freshman year, before she decided to become a gym teacher. But I digress….
Several sites offer removal instructions for Visual Discovery and Superfish, but many are incomplete (including Lenovo’s). To completely remove Visual Discovery and Superfish, you need to follow a few steps:
First, open the Windows Control Panel, click ‘Uninstall Programs’ and find ‘Superfish, Inc. Visual Discovery’, and click Uninstall.
Next, you need to remove the Superfish encryption certificate from your PC. To do this, use Windows Search to look for ‘mmc.exe’.
Execute the program and an empty Microsoft Management Console (MMC) opens. (Lenovo’s removal instructions tell you to use the ‘Manage Computer Certificates’ link in the Control Panel, but this won’t expose everything you’ll need to remove. The same goes for the certmgr.msc instructions on other sites.)
Now we need to add a couple of snap-ins to the MMC. From the File menu, choose ‘Add/Remove Snap-in…’. Select the ‘Certificates’ snap-in and click the ‘Add >’ button.
You’ll be prompted to choose a certificate store to open. Choose ‘My user account’, then click Finish.
Now repeat the Add/Remove snap-in steps, this time choosing ‘Computer account’ in the final step.
Choose ‘Local Computer’ when prompted.
Expand the ‘Certificates – Current User’ node. Then expand ‘Trusted Root Certification Authorities’ and look for the ‘Superfish, Inc.’ certificate. Right-click the certificate and choose Delete.
Acknowledge the warning about deleting certificates by clicking Yes.
Now repeat the previous steps under the ‘Certificates – Local Computer’ node.
If you’re a Firefox user, verify that the Superfish certificate isn’t trusted by the browser. Open the Firefox menu and click ‘Options’.
Switch to the ‘Advanced’ tab, then select the ‘Certificates’ tab and finally click the ‘View Certificates’ button.
Switch to the ‘Authorities’ tab. Scroll through the list of certificates and look for Superfish. If you find it, delete it.
At this point, Superfish Visual Discovery should be gone, but it’s still a good idea to run a scan for traces of the junkware (note that most antivirus programs don’t check for malicious certificates – that’s why we manually removed them). Use your antivirus program first. If you don’t have a third-party scanner (Norton, McAfee, etc.), search for ‘Windows Defender’ on your computer and run this built-in virus scanner from Microsoft.
Next, use Malwarebytes to scan for Superfish Visual Discovery and any of its friends. A basic version of Malwarebytes is free, or you can buy a full featured version from Amazon here: https://amzn.to/1Exp7gb. Quarantine and remove anything that Malwarebytes discovers.
Final step – visit this site to verify that Superfish can’t intercept your web traffic: https://filippo.io/Badfish/. If this site shows that Superfish isn’t intercepting your connections, you should be good to go. Now run antivirus and Malwarebytes on a regular basis, don’t let toolbars and other unknown apps get installed, and choose unique and complex passwords for any website logins that you value!
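For readers who would rather script the certificate part of the clean-up, here is an added PowerShell example (my own code, not something from the original post, from Lenovo or from Superfish). It walks the same two Trusted Root stores the MMC steps above open (current user and local computer), lists anything whose subject or issuer mentions Superfish, optionally deletes it, and then opens a TLS connection to a site of your choice and reports who actually issued the certificate your PC received, which is a local version of the check the Badfish page performs. The function names, the ‘Superfish’ subject match and the assumption that the interception also applies to a .NET TLS client are mine; run it from an elevated PowerShell window so the Local Computer store can be changed.

```powershell
# Added example (not from the original post): find and remove a Superfish root
# certificate from the Windows trusted root stores, then inspect who issued the
# certificate a live HTTPS connection actually presents.
# Assumption: the rogue root's subject/issuer contains "Superfish" (the post
# names the issuer as Superfish, Inc.). Run from an elevated PowerShell session.

function Find-SuperfishCertificate {
    # Returns any certificate mentioning Superfish in the user and machine
    # Trusted Root stores (the two MMC nodes walked through in the steps above).
    param([string[]]$Stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    PSPath     = $_.PSPath
                }
            }
    }
}

function Remove-SuperfishCertificate {
    # Deletes whatever Find-SuperfishCertificate reports; -WhatIf only previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($c in Find-SuperfishCertificate) {
        if ($PSCmdlet.ShouldProcess("$($c.Store) $($c.Thumbprint)", 'Remove certificate')) {
            Remove-Item -Path $c.PSPath
        }
    }
}

function Test-TlsIssuer {
    # Opens a TLS connection and reports who issued the certificate the client
    # received. Chain validation is bypassed on purpose so an intercepting
    # certificate can be inspected instead of rejected; nothing is sent after
    # the handshake. Under Superfish interception the issuer is Superfish, Inc.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName    = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Intercepted = [bool]($cert.Issuer -match 'Superfish')
        }
    } finally {
        $client.Close()
    }
}

# Usage (constructed host name; pick any HTTPS site you trust):
Find-SuperfishCertificate | Format-Table Store, Subject, Thumbprint, NotAfter
Remove-SuperfishCertificate -WhatIf          # drop -WhatIf to actually delete
Test-TlsIssuer -HostName 'www.google.com'    # Intercepted should read False
```

Two caveats: the script only touches the Windows certificate stores, so the Firefox step above (Firefox keeps its own certificate database) still has to be done by hand, and a result of Intercepted = False only tells you the connection you just made wasn’t re-signed; it doesn’t replace running the antivirus and Malwarebytes scans for the rest of the junkware.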