Biz & IT —

How to remove the Superfish malware: What Lenovo doesn’t tell you

Uninstalling the software doesn't undo the damage it does to your system.

If you have a Lenovo system that includes the Superfish malware, you'll want to remove it. Blowing away your system and reinstalling Windows is one way to do this, but while it's a relatively straightforward process, it's a time-consuming one. Using Lenovo's own restore image won't work, because that will probably reinstate Superfish anyway. Performing a clean install from Windows media will work, but you'll have to reinstall all your software and restore all your data from backup to do the job fully.

An alternative is to remove the malware itself. Lenovo has published instructions, but at the time of writing, they're woefully inadequate. Lenovo's instructions describe how to remove the advertising software, but unfortunately, it doesn't address the important bit: the gaping security vulnerability. Update: Lenovo's instructions are now much better, including all the steps we listed here, describing clean-up of both the Superfish software and the security flaw it creates. The company is going to be releasing an automated clean-up tool, too, for those uncomfortable with making the changes manually.

The Superfish root certificate can be used to create certificates for any domain, and those certificates will be implicitly trusted by the browser on any Superfish-infected system, leaving victims vulnerable to man-in-the-middle attacks. To fix this, the certificate itself needs to be removed.

There are several places that the Superfish certificate can be installed. Windows has its own certificate store that includes, among other things, the root certificates that it trusts. Superfish installs its certificate to the Windows store. Some third-party software, including Mozilla Firefox and Mozilla Thunderbird, doesn't use the Windows store; instead, those apps have their own private certificate stores. Superfish can insert its root certificate into those stores, too, though this isn't guaranteed. To make a Superfish system secure, all of these stores must be cleaned.

The first step to cleaning a system is to uninstall the Superfish software. This is done in the conventional way: open Windows' Programs and Features applet (our preferred way: right-click the Start button on the taskbar and pick Programs and Features from the menu). Find an entry called something along the lines of "Superfish Inc. VisualDiscovery" (the exact name may vary; Lenovo's instructions call it simply "Visual Discovery") and double-click it. There won't be any on-screen indication, but after a few seconds, the software is removed.

Getting rid of the software is only part of the battle.
Enlarge / Getting rid of the software is only part of the battle.

Lenovo says you should then reboot. It can't hurt.

Next up, it's time to clean out the Windows certificate store. Open up a command prompt (again, we prefer to do this by right-clicking the Start button and choosing Command Prompt), enter the command certmgr.msc, and hit return.

This opens the Windows certificate manager app. On the left-hand side, navigate to Trusted Root Certification Authorities and then, within that folder, to Certificates. You should see the fairly short list of certificate authorities that Windows trusts. One of these will be named "Superfish, Inc." and that's the one we want to get rid of. Select it, then press delete.

There's our culprit.
Enlarge / There's our culprit.

Windows will warn you about this action. Deleting root certificates can have grave consequences; get rid of the wrong ones and your browser may stop trusting any secure content or Windows Update might stop believing that patches are authentic, and that's what this warning is here to warn you about. After making sure you have the Superfish certificate (and only the Superfish certificate) selected, hit yes.

If you only use Internet Explorer, Chrome, or Opera and do not have Firefox or Thunderbird installed, you should be good at this point. Internet Explorer, Chrome, and Opera all use the system certificate store, so they are now protected. Firefox and Thunderbird users need to read on.

From within Firefox, open the menu in the top right and choose options. From there, go to the Advanced tab, and within that, the Certificates subtab.

Click View Certificates to see Firefox's list of trusted certificates, and scroll through the list until you see the Superfish entry. Click the entry—in our experience, you'll need to select the second line (the one that includes the "Software Security Device" part)—and then press the Delete or Distrust... button.

Firefox will show you a confirmation. After double-checking that it is indeed Superfish that you're deleting, press OK.

The process for Thunderbird is very similar, but the menus and dialog boxes look slightly different for some reason. First, go to the options box.

Then to the Certificates subtab of the Advanced tab.

Click View Certificates and scroll the list until you see the Superfish entry.

Select Superfish and press the Delete or Distrust... button.

Verify that the warning message shows the right information, then click OK.

With that, the task should be complete, and your system will no longer trust the bogus Superfish certificate, nor any sites or software abusing the certificate.

Channel Ars Technica