
Removal Instructions for VisualDiscovery Superfish application


by ‎02-19-2015 06:45 AM - edited ‎02-23-2015 02:19 PM (110,036 Views)

LENOVO STATEMENT ON SUPERFISH

 

At Lenovo, we make every effort to provide a great user experience for our customers.  We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer.  In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.  The goal was to improve the shopping experience using their visual discovery techniques. 
 
In reality, we had customer complaints about the software.   We acted swiftly and decisively once these concerns began to be raised.  We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
 
We stopped the preloads beginning in January.  We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software.   Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future.  Detailed information on these activities and tools for software removal are available here:
 
http://support.lenovo.com/us/en/product_security/superfish
http://support.lenovo.com/us/en/product_security/superfish_uninstall


To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device.  In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better.  We will talk with partners, industry experts and our users.  We will get their feedback.  By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security.  We are confident in our products, committed to this effort and determined to keep improving the experience for our users around the world.

Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch 
Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
E Series: E10-30

Lenovo Edge 15 

 

Please see related Lenovo News Release on Superfish

 

 

 Please use the following link for uninstall details - these are being updated frequently

 

UPDATE from 2/20 - an automated tool is now available to uninstall.  The tool, license, source code, and alternate manual uninstall instructions are available on the link below.

 


http://support.lenovo.com/us/en/product_security/superfish_uninstall

Comments
cenc
Paper Tape

that does not remove the fake SSL root certificate that is used for a man in the middle attack to intercept all encrypted connections.

 

 

Flepi
Ctrl-Alt-Del

It's not enough...

 

Didn't remove al...

 

I want a clean win8.1 and clean drivers for my computer bought last week !!

 

I'm in France so do what  you have to do to protect my connection and my laptop !!

adam_at_bt
Paper Tape

This is totally unacceptable.

 

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

 

Are you kidding me? I've heard some whoppers in my time and this almost tops it. The gall. Which "marketing manager" thought this idea would actually fly?

 

-- Former Lenovo Customer

techkitsune
Fanfold Paper
"Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. " Awesome! That means I can compromise any computer that still has this cruft left over! Good job FAILING AT SECURITY, LENOVO. Even better job at hiring someone incompetent like Mark to highlight that. Oh, and since Lenovo deliberately and knowingly distributed this software, which illegally assumes the identities of individuals and companies (including my own) that also means Lenovo is guilty of identity theft. Since it bypasses security measures and defeats encryption before it can happen, it's also a violation of the CFAA - federal charges need to be brought against Lenovo for this.
techkitsune
Fanfold Paper
"Our goal is to find technologies that best serve users."

A laptop without bloatware best serves users. A laptop with bloatware best serves other people.

You are very obviously NOT looking out for your users.
tMettam
Paper Tape

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

This statement pretty much disintegrates any bit of respect left for Lenovo. Either you didn't look very hard, or the people doing this were completely incompetent.

m0nst3r44
Ctrl-Alt-Del

The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.

Even worse, there's no clear fix for the issue. The software can be uninstalled (instructions are here), but that won't entirely solve the issue. Superfish sets all infected computers to run web encryption through Superfish's certificate authority, which is now easily unlocked by the published password — but simply uninstalling the software won't undo those settings. Researchers are still exploring the bug and more fixes can be expected in the days to come — but in the meantime, anyone affected by the bug should avoid public Wi-Fi networks (if possible, Wi-Fi in general) whenever possible. This test will show if your computer is affected, courtesy of researcher Filippo Valsorda.

 

 

 

but there's no cause for alarm right?

this is mind blowing.

come on mark tell us all how it's nothing to worry about again, this is shameful

BE CAREFUL THEY ARE EDITING POSTS TO SUIT THE NEEDS OF THE COMPANY

techkitsune
Fanfold Paper
Just checked using a customer's new Yoga and a fake bank account I have set up for security checking just like this. Superfish transmits IN THE CLEAR username and password. Taking the laptop to the bank right now - odds are Lenovo won't be welcome in any IT sector once the banks get wind of this.
DragonPurr
Punch Card

Not only was this an immensely terrible idea from the very start, but the people who developed this crappy software misspelled its name. Its real name is DUPERPHISH !  This is more like MALWARE, and not just adware, as it secretly, without the user's knowledge, hijacks HTTPS SSL/TLS connections where you thought that you were connecting to a secure Web site such as a bank, financial institution, or online store.

 

Considering that Lenovo's officials in Beijing have strong ties to the Chinese government, and in light of the NSA's own hardware-based spying, I *NEVER* use a Lenovo computer for any kind of financial transaction. Nor do I store any really personal or sensitive information on a Lenovo computer.  They are only good for gaming and some casual Web surfing, and that's it.   I am not sure that I entirely trust the NSA's motives either... but I trust them more than having China or Russia siphoning data from me.

ChristineB
Ctrl-Alt-Del

I'm floored -- just read the ZD Net article.

 

Since early January I've been looking for a new Lenovo notebook.  Every few days I spent an hour or two reading reviews and scanning Ebay and Amazon for the right model in my price range.  Been buying a new Lenovo every couple years for at least 7 or 8 years.  I greatly appreciated the help I've received in this forum and had no intention of ever buying another brand.

 

And now I have to find another brand.   There's no way that I will EVER buy another product from a company like Lenovo that sinks so low and DELIBERATELY installs malware.

 

I could spit nails .....

 

 

 

 

 

 

Altoid666
Token Ring

Now I have to look over my shoulder on every Lenovo Update/Download.  Shame on you.  What a way to breach our trust.  The article describes how to "remove" Superfish.  How lame.  The residual files and registry entries still reside on one's computer and can be used as a back door to "fish" passwords and account information.  

This should have NEVER happened in the first place.  Placing Malware/Spyware/Adware on one's private property is unforgivable.  This is not the American way.  Maybe in China it's OK to sneak and spy but not here in the USA.

Now I am mad!  The "Explanation" in the above article is so weak it's a joke.  There is NO justification for sneaking Superfish on anyone's computer, EVER.

 

 

Former Administrator

 

All,

 

Thanks for the ongoing feedback even though it has proven to be a difficult topic.

As Lenovo teams have continued work on this today, I have updated the KB, and would also point to a security advisory we just published to our support site.

 

http://support.lenovo.com/us/en/product_security/superfish

 

There are additional actions underway, and I anticipate some additional updates on this subject.

 

Best regards,

 

Mark

m0nst3r44
Ctrl-Alt-Del

you don't care to retract your statements now mark??? you sat and assured everyone there was no prob.

how do we know you're not in on this too? shameful, disrespectful and downright pitiful, you're supposed to be a social media manager? you're a farce and an uneducated admin that should be removed from your current position.

techkitsune
Fanfold Paper
Here's a suggestion: Fire your entire IT staff, who have proven themselves totally incompetent at basic code auditing and review. Some random joe with a few hours ripped that malware apart and had the private key. That YOUR supposedly better 'professionals' couldn't do this speaks volumes about how competent they are. Next step: Fire yourself - caught in a lie, check it out; http://imgur.com/H8459Z3,87zOroU
m0nst3r44
Ctrl-Alt-Del

that's all it comes down to, damage control at all costs. lie cheat and steal they don't care it's about the bottom line$$

my firm has 18 of these infected laptops sitting on my shop bench all recalled cause of you, so now I'll wipe them all fresh with fresh keys from MSDN and then bill Lenovo for my time for the work they caused.

cenc
Paper Tape

so Lenovo will not provide any practical steps for protecting users beyond PR spin.

Here are a few options, while Lenovo figures out how to run and hide from this:

1. completely remove windows and install linux or BSD operating systems. Honestly, kept a copy of windows and the driver partitions that came with my Lenovo computer, even though I use linux. Now I am going to completely remove even those partitions.

2. get a fresh copy of windows direct from microsoft. Do not use the OEM copy or backups from Lenovo. We seem to not be able to trust them.

3. buy a different computer, from a company that does not back door you.

4. install a firewall, that blocks all outbound traffic. We can't trust what is being sent out from the software that comes pre-installed on these computers. Only allow, known, and required traffic out.

Will be having a close look at the bios and other microcode on my Lenovo computers for any signs of other "features" sending data for no good reason.

m0nst3r44
Ctrl-Alt-Del

firewall is null and void, it's a root cert that pins to browsers and also infects some browsers stores

http://i.imgur.com/wQaG3sg.jpg

thus because it's a root pinnable cert it can alter settings for anything to do what it wants with no interaction from the user.

techkitsune
Fanfold Paper
"4. install a firewall, that blocks all outbound traffic. We can't trust what is being sent out from the software that comes pre-installed on these computers. Only allow, known, and required traffic out."

Won't work. If you open SSL for web-surfing, it's getting out.
dvonderburg
Paper Tape

I have been fighting malware that has been invited by this POS application, and I don't mean Point Of Sale. I have spent countless hours with refresh installs from the onboard Windows 8.1. install partition and I am pissed! 3 times I refreshed Windows and 3 times some sort of malware was installed by this bloatware. I want a new refresh of the partition with a clean Windows 8.1 and 0 bloatware! I used to support and love Lenovo. Now I want a divorce!

techkitsune
Fanfold Paper
If you want a 'divorce' just like a real divorce you're gonna have to walk into the courtroom.
m0nst3r44
Ctrl-Alt-Del

Lenovo's dishonest response is compounding the impact of this already-severe problem by obfuscating its impact in a lame attempt to downplay what they've done. They're not only injecting ads in their customers' browsing sessions, but their clownish hijacking broke SSL and handed a powerful hijacking tool to any cracker out there who's not a moron.

This is a bad decision that will go down in history, even with the stiff competition we've seen lately from the Sony hack and heartbleed. The prudent consumer would be wise to treat them extremely warily.

Drewbot
Fanfold Paper

Lenovo should know every customer who purchased the impacted machines directly via the web - how come I haven't received an urgent email from them detailing the problem with the steps to correct?  If I hadn't happened to read tomshardware.com today, I'd have never known about this issue and would be happily working away on a compromised machine.  

 

I still haven't read any words accepting responsibility or an APOLOGY from Lenovo for this crapware.

cenc
Paper Tape

Point taken regarding the firewall and ssl. Someone needs to look and see if these fake certs are viewable in packet captures, and what they are doing. they inject advertising at least, so they got to send data somewhere.

What I was pointing out was that if they installed this, what else did they install?

We are left needing to monitor all outbound traffic on Lenovo computers (good idea anyway), but we should not need to do it with the assumption that the hardware seller is also the adversary undermining our security and leaking private data.

All of the above is a conversation we should not even need to have. Lenovo should be telling us exactly what it does, provide the source code, and provide access to all the information related with this exploit (it is an exploit now).

 

techkitsune
Fanfold Paper
It's gone past exploit. This is wide-open access. It hijacks everything. VPN traffic. SMTP, POP, you name it it's hijacking it. Don't bother monitoring outbound traffic. Every avenue is compromised (this is the same software used in several 'Parental Control' programs) and thus there is no point. The entire system might as well be wide open. This has the potential to be worse than BLASTER, for those that remember that Win2K/XP disaster.
vaswa5uy
What's DOS?
Found on Pastebin:
jfgunter
What's DOS?

I see instructions only for windows 8. How can I remove this from windows7? 

swaroop86
Paper Tape

I am from India. I recently purchased z50-70 laptop and was facing issues with some websites. after some research found out about superfish about a week ago. For example superfish interferes with the web interface of whatsapp in chrome. It does not allow the QR code to load. As soon as I uninstalled superfish whatsapp and all other website loading issues were resolved.

Now I am worried about the recovery partition which I think includes all the pre installed crap from Lenovo. What if I have to format my laptop and reinstall windows superfish will be back and again I have to remove it and the certificates etc? Kindly give a solution for the same too.

dvonderburg
Paper Tape

Mark_Lenovo - I have had a cooling off period sleeping on this matter and decided I still like the Lenovo Yoga 2 13 computer design I recently purchased. It’s the bloatware that Lenovo added to the equipment that makes it a terrible decision. I believe Lenovo owes everyone a recall and to send all involved a Downloadable File Link, DVD, or USB Memory Stick with software to replace the recovery partition with a generic flavor of the Windows 8.1 OS. My Yoga has crashed 3 times since Nov 2014 by fault of virus infection invited by the superfish certificate, and each time forced me to the recovery refresh. Each time the recovery was used the bloatware was present, including the superfish application I had to uninstall each time. Superfish vulnerable back door caused my computer recently to obtain “epicunitscan.info” virus which was difficult and time consuming to remove. Please rectify this with a replacement to our recovery partition.

Former Administrator

 

All,

 

The content of this article is being updated with new information from Lenovo.   I expect further updates throughout today including instructions to address other OS and browsers.  Work is underway to provide automated solutions for removal of Superfish as well.

 

We are also compiling questions and will have a Q & A page to address many additional concerns being raised shortly.

 

I appreciate the additional feedback - thanks, dvonderburg.  We will pass these along to our product teams as well.

 

Thanks for your patience and continued feedback.

 

Best regards,


Mark

tompkinsmark
Paper Tape

Agree with dvonderburg...

Lenovo owes its customers a certified clean reinstall -- with no extraneous software at all...   

There should be no question about this -- the temporizing reflected above is further evidence of Lenovo's responsibility for this.     ... and the fact that they are posting as a solution uninstalling the program and the certificate (when other contamination is evident) provides even more evidence of the company's culpability and failure to take responsibility.

adriancorella
Paper Tape
I ordered a Lenovo Y40-80 on January 30th and it was infected with Superfish. So please update your list of infected systems, assuming of course you actually know where you installed the software and the true extent of the problem.
drMetro
Blue Screen Again

OK Mark and all here is a NEW ZD net article posted today MSFT has added removal to Defender

MSFT adds Superfish Removal to Defender

Former Administrator

 drmetro,

 

Thanks.  That should help automate this.

 

For those that have Firefox you may want to  check the latest updates here as we now have instructions for Firefox.    http://support.lenovo.com/us/en/product_security/superfish_uninstall

 

Adrian,

 

Please see my PM to you.  If you could send your system serial number by PM it will help us check the build date and see if updates need to be made to our list of systems.   I appreciate the feedback!

 

Mark

Tipiak
Token Ring

I understand now why my z50 never functioned normally.

 

This makes effective 30 days I observe various problems like :

- Mouse starts to click around

- Downloaded pdf documents run Hightail without valid reason

- Favicons modified on some https session and Font degraded on display ... with this, no need to invest in an HD model !

- Unknown registered IP addresses in McAfee firewall, settings changed

- Integrity violation detected with SFC command three days after a windows repair...

 

Then,

If lenovo do not personally contact me and quickly replace my machine, I'll see what action I could take to be compensated or, failing that, to protect the new consumers.


I understand better now why some companies are skeptical even with Thinkpad. We are not yet out of the **bleep** with these new powerful machines! No wonder the economy could slow sometimes, we are all private and business users.

tompkinsmark
Paper Tape

Three issues remain open...

(1)   Lenovo needs to acknowledge their responsibility for this broken product and for resolving the problem (and not by imposing new costs on their customers) -- this has still not happened.  The growing indications that the folks involved in the Superfish item should not have been allowed access to product installation, do not seem to fully understand the mechanism that they imposed, and cannot be trusted to respond appropriately now all exacerbate Lenovo's responsibility and liability for this sequence of events.

(2)   Lenovo has failed to provide a mechanism (either CD's mailed, or a robust and targeted download) for a re-install of a clean OS...    under the circumstances, an "erase" of some elements of this sort of malware is hardly sufficient.   The assertion that the problem has been "turned off" is far less satisfactory than the situation requires.

(3)   The various fixes that were posted yesterday do not include a fix of the registry -- leaving at least one trace of vulnerability extant on the computers that they have sold.  Absent independently verified assurance that the problem has been eliminated, these fixes are partial and inadequate.

 

We're now at least two days out -- time to fix  this!

JLieutenis
Paper Tape

I encouraged a friend to buy 2 Lenovo  Z50-70 laptops which he purchased Feb 9th and which were built on Feb.11, 2015.

They arrived at his home last Wednesday and by Thursday I had heard about the Superfish debacle.  I was somewhat hopeful he had escaped the worst since Lenovo's press releases and statements, prior to this morning were that contact with the Superfish servers were shut down in December and no computers with Superfish were shipped after the beginning of January, 2015. Quote:

  • Lenovo stopped preloading the software in January.
  • We will not preload this software in the future.

Imagine my disgust and dismay when we went to set up the computers last night and found Superfish alive and well on computers built, as I mentioned, on Feb 11, 2015. "Final Assembly" is what I take the build date to mean and I understand that software bundles may have been added earlier in the assembly process; but of course that is not what the Lenovo statement said. The original "solution" did not include removal of the Superfish certificate.   So, I spent all last night removing Superfish from both computers. When I ran the registry component of CCleaner, 59 registry entries for VisualDiscovery showed up as Active X issues. I cannot believe Lenovo expects customers to continue using devices that have been infected and possibly altered as a result of using Superfish.

The recovery partition contains a version of Windows 8.1 that is most likely infected with Superfish so should it be necessary to Refresh or Restore the computer, my friend and his  children will be doing the same disinfecting process again. I feel very badly for those people who have had this malware on their devices all this time.  That "narrow" window during which Lenovo claims to have installed Superfish on a limited number of notebooks seems to be a window that is opening wider and wider with each passing hour. Indeed, the "new and refreshed" Lenovo statement about this problem states that Lenovo stopped shipping notebooks with Superfish in February. I honestly do not think Lenovo knows how many devices were infected and whether or not they are still assembling, let alone shipping, contaminated computers.

I, like most of you, cannot believe that Lenovo found no security issues involved with the Superfish program's hijacking of legitimate connections and cracking secure connections. I would call their investigation "Superfish-al", at best.

If you, like I, believe your computer's security may have been compromised, use the steps on this site:

https://filippo.io/Badfish/

Follow the instructions to see if Superfish or its creator, the CA company, Komodia is at all present on your machines. Good luck. I hope Lenovo can see that it stands to lose even more of a once loyal client base, not only for inflicting Superfish upon us, but by its "tone deaf" responses to customer concerns.
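
Several posts in this thread report that the uninstall leaves the root certificate, registry entries and files behind, and that a factory restore brings them back. The read-only PowerShell audit below is an added example, not part of any post and not Lenovo's removal tool; the match strings are simply the names used in this thread (an assumption about how the residue is labelled), and the Firefox check is a byte-search heuristic.

```powershell
# Added example (not Lenovo's removal tool): read-only audit for Superfish residue.
# Requires PowerShell 3.0 or later. Nothing is modified or deleted.
# ASSUMPTION: the match strings are just the names used in this thread.
$Pattern = 'Superfish|VisualDiscovery|Komodia'

function New-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
}

function Find-SuspectCertificate([string]$Pattern) {
    # Windows trust stores: trusted roots and intermediates, machine-wide and per-user.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
                       'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                $detail = '{0} | thumbprint {1} | expires {2:yyyy-MM-dd}' -f `
                          $_.Subject, $_.Thumbprint, $_.NotAfter
                New-Finding 'Certificate' $store $detail
            }
    }
}

function Find-SuspectFirefoxStore([string]$Pattern) {
    # Firefox keeps its own trust store in each profile (cert8.db / cert9.db), so
    # cleaning the Windows store does not clean it. Heuristic: certificate names
    # are stored as plain bytes, so search the raw file. A hit can also come from
    # a deleted record that has not been overwritten yet.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $glob   = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\cert*.db'
    foreach ($db in @(Get-Item -Path $glob -ErrorAction SilentlyContinue)) {
        try {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($db.FullName))
            if ($text -match $Pattern) {
                New-Finding 'FirefoxCertDb' $db.FullName "contains '$($Matches[0])'"
            }
        } catch {
            New-Finding 'FirefoxCertDb' $db.FullName `
                "unreadable (close Firefox and rerun): $($_.Exception.Message)"
        }
    }
}

function Find-SuspectUninstallEntry([string]$Pattern) {
    # Installed-program registrations, 64-bit, 32-bit and per-user.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall') {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $Pattern } |
            ForEach-Object { New-Finding 'InstalledProgram' $_.PSPath "$($_.DisplayName)" }
    }
}

function Find-SuspectDirectory([string]$Pattern) {
    # Program Files / ProgramData, top level and one level below (vendor\product).
    $bases = $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData |
             Where-Object { $_ }
    foreach ($base in $bases) {
        Get-Item -Path (Join-Path $base '*'), (Join-Path $base '*\*') `
                 -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $Pattern } |
            ForEach-Object { New-Finding 'Directory' $_.FullName 'leftover program directory' }
    }
}

$findings = @(Find-SuspectCertificate $Pattern) +
            @(Find-SuspectFirefoxStore $Pattern) +
            @(Find-SuspectUninstallEntry $Pattern) +
            @(Find-SuspectDirectory $Pattern)

if ($findings.Count -eq 0) {
    'No Superfish/VisualDiscovery/Komodia residue found in the locations checked.'
} else {
    $findings | Format-List
}
```

The per-user stores and Firefox profiles belong to whoever runs the script, so run it once per Windows account, and again after any refresh from the recovery partition.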

 

ChristineB
Ctrl-Alt-Del

JLieutenis, thanks so much for your post.   I can't believe the people who are perfectly content with Lenovo helping them with the removal.  

 

"I would call their investigation "Superfish-al", at best."

 

And you made me laugh, thanks!  Don't have much to laugh about lately, having to start my search for a new notebook from scratch.

pelicanpete
Paper Tape
Easy question for Mark: When are you going to send out full vanilla versions of Windows so we can permanently get rid of Superfish and its very dangerous certificates - it is still on the restore partition isn't it - even after using your tool? If you can't answer this soon I'm going to have to try and get a refund which is a shame as otherwise it's a great laptop.
Tipiak
Token Ring

I'm not an expert, but the removal tool provided by Mark seems to have done the job, even though there are still some traces in the registry. About the hidden factory partition and waiting for the DVD to replace it, it is still possible to achieve with OKR personal backup after cleaning the pc.

 

Now we can ask the legitimate question of what other programs on Lenovo products, could be problematic for the security of our personal data?

 

Two weeks earlier I asked the Lenovo Support for Realtek RTFTrack and RtCamU64 programs which are integrated with Windows, or Realtek Bluetooth BtServer Application, to know their functions, they advised me to uninstall VisualDiscovery, but said nothing about the three programs.

 

Are we photographed each logon? Why these programs remain active, while the bluetooth and VeriFace was deactivated?

 

It is time the PC world shows a bit more pedagogy, transparency, and respect for the consumer.


I have no fears about the quality of Lenovo products, but for the rest ...


I swore that the next warning I change my OS to say the least.

tompkinsmark
Paper Tape

So the challenge is getting clearer...

As JLieutenis notes above, there is more damage than is fixed by the Superfish program uninstall and the certificate uninstalls (including the Mozilla applications)...    e.g. residual pieces in the registry -- and we have the continuing issue of the recovery partition probably also being contaminated.    (Any chance of spawn lurking in the BIOS too?)

Accordingly, there only seem to be two solutions:

(1)   Return the machine for a refund (which would need to include shipping costs and opportunity costs for the time consumed by all this);

(2)   Obtain a new OS license key (as several sites note, your license key may be a generic key employed by Lenovo, so you need to obtain a key that will allow you to reinstall a licensed copy of the OS), then

(a)  Wipe the hard drive and recovery partition clean (I've had the DBAN utility recommended) -- then

(b)  Reinstall the OS (presumably a clean copy of the OS, so that no other bloatware would be installed -- a download is possible from Microsoft) and enter the license key and

(c)  Reinstall all of the drivers.

 

We still have some loose ends which Lenovo has not addressed:

Is this malware only on the hard disk -- or are there other elements in the BIOS?

When will we get more reassurance that Visual Discovery/Superfish and their partners in slime at Komodia will be blocked from any further mischief -- at this point, "turned off" (for now) is hardly adequate reassurance?

How soon will they make OS license keys available to those who are willing to do the wipe and reinstall?

and, how will they compensate those involved for their time and efforts (and support them to make sure that residual problems do not arise)?

 

Even if we start counting from Friday (which would only be reasonable if we believed the fanciful notion that Lenovo bears no responsibility for software installed at the build -- but, of course, they were doubtless getting paid to do this so somewhere in the organization there was an affirmative decision to let Visual Discovery/Superfish and their partners at Komodia install on these machines), we're now at least three days out without a complete solution...   

Former Administrator

Adrian,

 

We've updated the list of systems that could have contained superfish and now reflect the Y40-80.

 

tompkinsmark, JLieutenis,

 

Thanks - good feedback on registry bits left over.  These may be benign, but we will investigate.

Also, good questions on implications for OKR and recovery media - looking into that as well.

 

Best regards,

 

Mark

CaptCos
Fanfold Paper

Mark_Lenovo

 

The superfish is NOT removed by the Lenovo removal method. It remains on the recovery disk and it is automatically loaded into memory when the system is recovered.

 

I give more information in my post:

https://forums.lenovo.com/t5/Security-Malware/Potentially-Unwanted-Program-Superfish-VisualDiscovery...

 

Like I say in my other post - Stop this nonsense of "discussions with the Lenovo team" and issue us a clean install disk!

 

Why would you even consider not giving us clean disks?

 

I know that Lenovo wants this problem GONE. As long as it stays on our recovery partitions, it will be coming back to haunt you until the last infected computer finally dies. By immediately wiping it off all your infected machines - with IMMEDIATE effect - Lenovo will show its commitment to its customers and to computer security in general.

 

I want this crap OFF MY BRAND NEW MACHINE! I am excited to use my new machine and do not want to return it. Unfortunately, I cannot use my new machine until I get this security breach off of it.

 

--Steve

Former Administrator

Captcos,

 

I've replied in your thread - we are currently checking recovery media now and I will advise as additional information becomes available.   For now, using the OKR function is not a way to remove SuperFish.  Instead, please use the Lenovo provided removal tool here -> http://support.lenovo.com/us/en/product_security/superfish_uninstall

 

By using the tool, you should be able to immediately remove SuperFish and start using your new machine.

 

Thanks

 

Mark

CaptCos
Fanfold Paper

Mark,
Again, thanks for the heads-up. I replied to your reply to my other post ;-)

I was not trying to remove the fish using the OKR. I needed to reload my system and the OKR brought the infection back. That is why we need the new disks.

I got the following message from your email support: "Unfortunately we cannot send you an installation disc, but if you click on this link:
http://support.lenovo.com/us/en/product_security/superfish_uninstall
You will find information on how to uninstall and remove superfish."

I was told the same thing by LENOVO phone support. They are refusing to understand that the infection is embedded in our recovery disks.

It is like Lenovo is saying, 'We did our part to remove the infection and there is nothing else we are going to do to help you.'

Mark, If indeed we will soon have recovery disks to wipe the infection from our machines - YOU NEED TO GET THIS INFORMATION OUT TO YOUR SUPPORT CENTERS so they can tell us.

I had just about given up dealing with Lenovo, when you wrote to me. I really did not want to take this problem to the next level.

-------
Mark,
It turns out that of the over 7 billion people on this planet, I am the leading expert in an extremely important field of aviation (PM me if you want to know more).

I had no idea that I was an expert, until I wrote a paper on the subject, and found out that nobody else even comes close to the knowledge that I have (me, a nobody).

My friends and family bought me my Lenovo computer so that I could continue my communications with the DLR and NASA. I want to be able to run simulations as well.

I really need to get back to working on this subject BUT I can do NOTHING until I get rid of this infection.  I cannot afford to play the "it might be gone from my computer" game when dealing with these agencies and with this subject.

What about just sending us out a Microsoft install disk?
(Did I mention I am broke and have NO money, so buying solutions to this problem doesn't work.)

--Steve

tompkinsmark
Paper Tape

So we find ourselves, a week later, still listening to (quoting "M_L", "... we are currently checking recovery media now and I will advise as additional information becomes available.")

Further, we are treated to "In an interview on Tuesday, [by] Peter Hortensius, Lenovo’s chief technology officer" who asserts that this was all an "opt-in" addition to the OS... (NY Times, Feb. 24) -- an astonishingly egregious claim... the interview concludes with "All we can say is we made a mistake and we apologize. That’s not nearly enough. So our plan is to release, by the end of this week, the beginning of our plan to rebuild that trust." We are now "at the end of this week" and this plan remains elusive.

So -- once again -- a mechanism for installing a clean OS consistent with our purchase, with no vestiges of the Superfish and Komodia hijackings. It's well overdue.

 

Lenovo deserves the reporting that is now building (see Computerworld).

 

Let's get this done!

 

absinthefiend
Paper Tape

Removing the Superfish adware with the Lenovo tool (or any of the other antivirus software tools which address this issue) is not a permanent solution, since it will come back each and every time a factory settings restore is performed.

 

Please send us all a clean Microsoft OS install disk or USB stick (for those of us without optical drives) so that we can bypass the tainted restore partition and get on with actually using the computers which we paid for.

Fuzzilla
Fanfold Paper

I would respectfully ask if and when Lenovo will issue clean System Restore Media and/or Microsoft Windows OS Installation media, in optical or USB format, as the user sees fit, for all affected systems.

This is an official request.

Flepi
Ctrl-Alt-Del

Hello,

I have been asking for a clean install since the 11th of February and nothing... "On attend que la poussière retombe", "we're waiting for the dust to clean up" (approximately, sorry for my bad English)...

So we stay with our bad Lenovos, and with an unsafe recovery, nothing for the inconvenience... and for the time lost and everything that Superfish includes (insecure private life and accounts etc...)

Not commercial... disappointed, really.

Fuzzilla
Fanfold Paper

Disappointed doesn't even begin to describe it. That I am aware of, this violates Microsoft policies as well as United States Federal Laws. Lenovo should be held responsible for issuance of a corrected media format Installation Recovery Routine that wipes the storage drive and reinstalls the system to an "As Shipped" state without any adware installed. Since not every owner has the option of downloading such a large file, nor should they have to use a compromised system to create an Installation or Recovery media such as USB/CD/DVD/Blu-Ray, I feel the responsibility falls back to Lenovo to provide a clean solution, not a removal tool. IMO Windows 8.x is simply too complex to reliably remove all traces of any software in question from the entire storage device's file system, Registry and Program Files.

I don't know about you but I don't buy Lenovo computers to save a buck, I buy them based on past experience and quality of hardware, software and support. Since my SL510 I have noticed a disappointing downward trend in these areas as the SL510 power input connector is prone to failure. Also noticed is a downward trend in quality of support. Even more concerning is this trend of ballooning concerns regarding this issue for the compromised Trusted Root Certs of browsers.

I would expect Lenovo to quickly respond by offering a clean Install/Recovery solution as a download followed by the option to request preloaded media post haste. Since the entire Install/Recovery software came preloaded with the machine I see no reason why the end-user or corporation/business should be responsible for any costs incurred in offering clean install media.

 

I am still waiting on a response from Lenovo to my request please.

tompkinsmark
Paper Tape

Another week has gone by and Lenovo has still not made recovery media available.

As others have noted, this delay adds to the grievances created by these problems.
