Lenovo's SuperFish Removal Tool on GitHub

github.com

102 points by akoeplinger 11 years ago · 50 comments

rsync 11 years ago

I hate to collapse the high level of discussion on HN all the way down to the least common denominator "my computer doesn't work" discussion, but ...

There is no such thing as cleaning your PC or removing the malware or removing the virus(es).

You reload the OS, from scratch, with non-OEM (that is, generic) OS media. Otherwise you will lose.

This has been true for 20 years and it only gets more true as OS software becomes more abstracted and tightly coupled to hardware.

Do not remove superfish. Do not "clean" your PC. In fact, don't even upgrade your OS from one major revision to the next. Wipe your system, install from generic media.

Tell everyone you know.

  • elithrar 11 years ago

    I can see this NOT being an option for a lot of users—"Mom and Dad" types, people who travel, etc. Many would prefer nothing is done if it's an option between "full reinstall" and "live with the cert".

    In this case Windows Defender and Lenovo's own tool remove the app + certificate. I think that's certainly "enough" as we're not dealing with malware which has trashed the system in other ways. Heck, they have to pay for a fresh copy of Windows first too.

    TL;DR: "Clean install from a standard image" sounds like great advice on paper but it's not practicable for normal users.

    • DanBC 11 years ago

      > TL;DR: "Clean install from a standard image" sounds like great advice on paper but it's not practicable for normal users.

      Ignoring sailfish for the moment: mom and dad types take their infected machines to other people.

      Those people should know enough to know that malware removal is a con and that the quickest, most effective, way of cleaning the machine is a clean install of the OS.

      This has been true for a very long time. It's weird to see malware tools recommended so often on HN.

    • toothbrush 11 years ago

      > In this case Windows Defender and Lenovo's own tool remove the app + certificate. I think that's certainly "enough" as we're not dealing with malware which has trashed the system in other ways.

      You don't know that for sure. Hence, reinstall. Also, why not use a Libre operating system? I've never had my GNU activation fail.

  • armada651 11 years ago

    That's ridiculous for a couple of reasons:

    1. This is adware: sure it might not remove itself cleanly, but it doesn't have any mechanism to re-apply itself after being removed properly.

    2. Malware can't magically re-apply itself when all its traces have been safely removed.

    3. Reinstalling your OS is not a magic bullet, the image you're installing may also contain the same malware and there are even some viruses that will hide in your BIOS or storage firmware.

    Reinstalling your OS is a "just-to-be-safe" measure when you are not sure whether you've removed all traces. But when there are proper tools available such as this one that removes all traces you are safe.

    It is much more important to know what you're infected with and how to properly, than to have blind faith that reinstalling your OS will fix everything.

    • DanBC 11 years ago

      2: once they've run software on your machine it's not your machine anymore and you cannot know that you have removed all traces of the malware.

      Re-installing your OS is not a "just to be safe" measure: it is quicker and more effective than using some malware removal tool.

      Using malware removal tools and not reinstalling the OS is sleazy, especially if you charge money for it.

    • chatmasta 11 years ago

      The issue is not necessarily superfish, but also any malware that could have infected your system by exploiting the bogus CA in the past few days. You don't know if you were infected, so to be 100% safe, a fresh install is the best option.

  • wmt 11 years ago

    If you remove all the infection points of the malware, it's gone. Computers are not magic, and you rarely win by being superstitious with them. Most malware are as good as gone once they've been detected and removed by a decent antivirus.

    I'm not saying this due to some marketing claims, but just by looking at the results from independent testing organisations like AV-Test (http://www.av-test.org/en/news/news-single-view/17-software-...) or av-comparatives (http://www.av-comparatives.org/removal-tests/).

  • raverbashing 11 years ago

    Sure, where's the clean media and the license for that?

    You usually can't install (non-OEM) Windows with the serial present on the sticker attached to the computer

  • davidgerard 11 years ago

    >You reload the OS, from scratch, with non-OEM (that is, generic) OS media. Otherwise you will lose.

    Good luck getting that from Lenovo.

pilif 11 years ago

> return ( (Issuer.ToLower().Contains("superfish, inc")) || (IssuerName.ToLower().Contains("superfish, inc")) );

While in this case, it might be ok, please never do this in your own programs. Before deciding to act on something, make sure that you are as precise as possible before taking action.

In this case, as all machines had the same certificate, use the key fingerprint or the whole certificate for comparison. And failing that, do an equality match on the name. A case insensitive substring match is way too wide and you might be accidentally removing things you didn't want to remove ("pilif's Superfish, Including production" is an issuer name of a certificate that would be removed by Lenovo's code).

It's easy to be accurate when checking. It's hard to undo accidental damage. And no matter how much time it takes you right now to go the extra length, it will pale in comparison to the hell you will have to go through once the accident happens.
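The point above as an added example (not code from Lenovo's tool): the quoted substring check beside the exact-name and fingerprint checks pilif suggests, run over a constructed root store whose issuer strings and "DER" bytes are made up; `SUPERFISH`, `LOOKALIKE`, `KNOWN_FINGERPRINT` and the helper names are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a root-store entry: issuer string plus DER bytes."""
    issuer: str
    der: bytes  # placeholder bytes, not a real certificate encoding

    def fingerprint(self) -> str:
        # SHA-256 over the DER encoding, the value browsers and certutil display
        return hashlib.sha256(self.der).hexdigest()

def matches_loose(cert: Cert) -> bool:
    # The quoted check: case-insensitive substring on the issuer name
    return "superfish, inc" in cert.issuer.lower()

def matches_exact_name(cert: Cert, expected_issuer: str) -> bool:
    # Fallback from the comment: equality on the full issuer string, no substring logic
    return cert.issuer == expected_issuer

def matches_strict(cert: Cert, known_fingerprint: str) -> bool:
    # Preferred check: only the one certificate that actually shipped on every machine
    return cert.fingerprint() == known_fingerprint.lower()

# Constructed sample root store (issuer strings and bytes are made up for this example).
SUPERFISH = Cert("CN=Superfish, Inc., O=Superfish, Inc.", b"constructed-der-superfish")
LOOKALIKE = Cert("CN=pilif's Superfish, Including production", b"constructed-der-lookalike")
VENDOR = Cert("CN=Example Corporate Root CA", b"constructed-der-vendor")
SAMPLE_STORE = [SUPERFISH, LOOKALIKE, VENDOR]
KNOWN_FINGERPRINT = SUPERFISH.fingerprint()  # in practice: the published fingerprint

def removals(store, check):
    """Issuer names the given predicate would select for deletion."""
    return [c.issuer for c in store if check(c)]

def loose_removals(store):
    return removals(store, matches_loose)

def strict_removals(store, known_fingerprint):
    return removals(store, lambda c: matches_strict(c, known_fingerprint))

if __name__ == "__main__":
    print("loose :", loose_removals(SAMPLE_STORE))   # also deletes the look-alike
    print("strict:", strict_removals(SAMPLE_STORE, KNOWN_FINGERPRINT))
```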

  • len_shame 11 years ago

    Let's also not forget the multiple 100+ line methods and try-catches which don't even bother to log or handle the error they catch.

    There also doesn't appear to be tests, at least at first glance.

    Edit... Taking a closer look there is clear copy-pasta and several potential bugs

fpgeek 11 years ago

Wow. Releasing the source to the removal tool might be the first right (rather than actively wrong and then merely a little less wrong) thing Lenovo has done in this entire disaster.

It feels like I can almost hear the screams of the engineers explaining why a black-box removal tool is nowhere near enough.

  • logn 11 years ago

    There's a directory with maybe 30+ exe's in this repo. So it's a black box to some extent but it looks like they're known browser utilities so presumably someone could verify them.

    https://github.com/lenovo-inc/superfishremoval/tree/master/S...

    • UnoriginalGuy 11 years ago

      While the NSS suite is fairly standard, I downloaded both pre-built Windows binaries from here:

      ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/msvc9/

      However the SHA256 hashes do not match those of the provided Lenovo binaries. The Lenovo binaries are also bigger than either build provided by Mozilla.

      However this does NOT mean there is something wrong, Lenovo may have just compiled them using a different compiler/compiler options/library versions. It is actually common for two people compiling the same source to get different binaries (see, for example, the TrueCrypt issue where TrueCrypt's pre-built binaries were hard to reproduce because the library versions were so specific).

      Lenovo may also have supplied the wrong Readme file (that's where I get the version number from).

      If you're paranoid, delete them from the Lenovo package, and download them from Mozilla.

  • nkozyra 11 years ago

    Their hand was forced. I'm sure this is going to cost some money, possibly by both sides.

    The notion they were unaware of what Superfish was and did is simply implausible. This is damage control, full force.

    • Ded7xSEoPKYNsDd 11 years ago

      > The notion they were unaware of what Superfish was and did is simply implausible.

      They certainly knew they were installing creepy adware for money, there is no doubt about that.

      I don't think we know whether they looked close enough to see that they were MITM-ing SSL connections. I don't think they'd have objected either way, but I'm not certain.

      I'm sure they didn't know about the security issues. (Mostly because they wouldn't have thought to look for them, but still.) Even after that disastrous CEO statement that called the security issues 'theoretical' I don't think they'd knowingly ship software as broken as that. (It might be different for government backdoors, but those are more likely in the hardware, firmware or hardware drivers just because the interesting enterprise and government customers would never use a Lenovo-provided image with Superfish anyway. And most likely Lenovo the company doesn't know about the backdoor either, only the single engineer that built it.)

      • CountSessine 11 years ago

        > Even after that disastrous CEO statement that called the security issues 'theoretical'

        I think this is the real outrage here - that the company is run by an asshat who thinks that little of his customers. I refuse to recommend Lenovo or any of their products until this guy either demonstrates unreserved contrition (and by contrition, I mean a clear apology that acknowledges that the very concept of installing such an intrusive and obnoxious program on their customers' computers is wrong), or is sacked. Buying or recommending anything from Lenovo under the current circumstances is unacceptable.

    • tracker1 11 years ago

      By the same note... I haven't bought a Sony piece of hardware in years (from what they did with CDs over a decade ago, and how they handled it)... this is a lot better in terms of a technical response, despite stupid upper management and PR response.

      Even though the code isn't up to the standards of some.. (with full test coverage, etc)... having a relatively small utility that works is better than nothing.. and anyone here can fork and flush out the project.

      I'm not quite sure why they are using other software checked into the repo as opposed to using nuget with restore/pull on build setup... Just the same, it's a decent move.

      Putting Superfish and the software in question on the computer in the first place, far more of a bonehead move, but I doubt the people who released this patch are the same ones who decided to include it in the first place. This is how bad our personal privacy has been invaded...

reirob 11 years ago

I just followed Lenovo’s instructions [0] to uninstall SuperFish on a friend’s computer (Lenovo Yoga 2, Win 8.1). These instructions are NOT sufficient. After uninstalling SuperFish through the normal windows uninstallation program, and the Root CA certs for IE and Firefox, suddenly none of the HTTPS sites worked! The browser complained (rightly), that the certificate is wrong because it is signed by SuperFish.

I had to do some research to detect, that there is still a service called VisualDiscovery, which is activated on startup. Looking in the properties I can see that it starts “C:\Program Files (x86)\Lenovo\VisualDiscovery\VisualDiscovery.exe”. I stopped it and now it works as supposed. But I still have to find a way how to uninstall this stuff.

I’m a Linux guy, but I find it crazy, that after uninstalling VisualDiscovery/SuperFish there are still executables and a service remaining on the disk. This is crazy.

[0] http://support.lenovo.com/us/en/product_security/superfish_u...

  • DAllison 11 years ago

    (Apologies if the formatting is problematic, my first post).

    1. Stop the service:

        sc stop VisualDiscovery
    
    2. Open up your favourite process manager and remove any superfish processes (containing the word superfish).

    3. Perform the uninstall via Add/Remove Programs (under superfish)

    4. Confirm %ProgramFiles%/Lenovo/VisualDiscovery is deleted.

    5. Open System32 and confirm there are no files beginning with VisualDiscovery

    6. Open AppData and confirm that no files start with VisualDiscovery

    7. Remove certificates (Firefox and Global).

    8. Remove from Registry: HKLM\SOFTWARE\Wow6432Node\VisualDiscovery.

    After that, VisualDiscovery should be fully removed.

    • reirob 11 years ago

      Thank you, I'll try this.

      But why is it not in Lenovo's instructions? After following only their instructions, you are in a worse state than before, i.e. SuperFish still working, but without root CAs, browsers shouting (good so), and users panicking.

  • maxerickson 11 years ago

    Did you do "Step 7. Restart your device"?

    I don't have a real clear idea of it, but I think many uninstallers are lazy about removing running services. So it might have been necessary there to complete the removal.

vvpan 11 years ago

They should have also registered rmvr.io and added "Fork me on github" and all that. Then they'd be hip.

kentonv 11 years ago

Well, that's nice, but apparently Microsoft already pushed a Windows Update that deletes Superfish and its stupid cert, so...

Go Microsoft!

... That was weird.

chmod775 11 years ago

As I see many people complaining about the code quality and the lack of tests et cetera:

You have to cut the developers some slack considering the time they had to develop this.

They clearly intended to finish it while the issue was still hot and in 2-3 days you can't easily build good software with a plethora of tests.

  • chris_wot 11 years ago

    My sympathy is limited given this malware was bundled by Lenovo.

    When are laptop vendors going to stop shovelling crapware on laptops?

w-ll 11 years ago

Is this project really from Lenovo? The github profile has just this 1 project?

gulbrandr 11 years ago

From [1]:

  Joined on 20 Feb 2015
Welcome to Github Lenovo!

[1] https://github.com/lenovo-inc

jmount 11 years ago

Why would you trust Lenovo on this?

dengnan 11 years ago

So this is Lenovo's first github repo. Please don't tell me that it is their first free/open source project developed by their own.

sslnx 11 years ago

Better install Linux.

codezero 11 years ago

The last thing I would advise any non-technical (and even technical!) person to do is to go to github and download a bunch of executables and see what happens.

Zero kudos Lenovo.
