Threat Explorer

Adware.SuperFish

Updated:
March 02, 2015
Infection Length:
852,328 bytes
Risk Impact:
Low
Systems Affected:
Windows

Behavior

Adware.SuperFish is an adware program that inserts advertisements into web pages.

Antivirus Protection Dates

  • Initial Rapid Release version February 19, 2015 revision 023
  • Latest Rapid Release version November 04, 2017 revision 040
  • Initial Daily Certified version February 20, 2015 revision 001
  • Latest Daily Certified version November 05, 2017 revision 002
  • Initial Weekly Certified release date February 25, 2015
Once executed, the program creates the following files:
  • %ProgramFiles%\WindowShopper\Settings.xml
  • %ProgramFiles%\WindowShopper\Superfish.dll
  • %ProgramFiles%\WindowShopper\Uninstall.exe
  • %ProgramFiles%\WindowShopper\WSHelper.dll
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\background.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\background.js~
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_128.png
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_16.png
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_48.png
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\manifest.json
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\one-time-run.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\sfcode.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\sfcode.js~
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js.old
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js~
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\zepto.min.js
  • %UserProfile%\Application Data\Local\Microsoft\Internet Explorer\DOMStore\[VARIABLE]\www.superfish[1].xml
  • %UserProfile%\Application Data\Roaming\Microsoft\Windows\Start Menu\Programs\WindowShopper\Uninstall.lnk
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\about-showme.xul
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\status-bar-superfish.js
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\status-bar-superfish.xul
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\specialsavings_logo.png
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\superfish_logo.png
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\Thumbs.db
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome.manifest
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\components\nsSuperfishComponent.js
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\components\nsSuperfishComponent.js.old
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\defaults\preferences\pref.js
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\install.rdf
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\Settings.xml
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\sfStatistics.xml
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\user.js
  • %System%\VisualDiscovery.ini
  • %System%\VisualDiscoveryOff.ini
  • %ProgramFiles%\Lenovo\VisualDiscovery
  • %Windir%\Temp\VisualDiscovery.log
  • %Windir%\Temp\VisualDiscoveryr.log
  • %System%\Drivers\VDWFP64.sys
  • %System%\Drivers\VDWFP.sys
  • %UserProfile%\Local Settings\Temp\VisualDiscoveryr.log

The program also creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SuperfishIEAddon.DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{51B4D471-086A-4137-AD28-84EED05088AE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4CCDB009-EC10-4696-9991-419D39D3D1DD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E1EF512D-604D-4776-AF11-410704DA1911}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.BHObject
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.BHObject.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.ExtentionUI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.ExtentionUI.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowShopper
  • HKEY_CURRENT_USER\Software\AppDataLow\Software\WindowShopper
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\superfish.com
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
  • HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\VisualDiscovery
  • HKEY_LOCAL_MACHINE\SOFTWARE\VisualDiscovery
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataController
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.WFPController
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\VisualDiscovery.exe

The program adds browser extensions to Internet Explorer, Firefox, and Chrome. The browser extensions insert advertisements into web pages.

Symantec detects SuperFish as Adware.SuperFish and remediates it by removing the application and its associated files. It also removes the SuperFish root certificate from the Windows certificate store. For Firefox and Thunderbird users, it is necessary to manually remove the root certificate or to use the removal tool provided by Lenovo.

Lenovo has reached out to SuperFish to disable all server activity associated with their product. Lenovo has updated their website with instructions for how to remove SuperFish and recommends that customers follow the instructions to remove SuperFish and all related files from their computers. Symantec recommends that users utilize the following manual removal steps to remove SuperFish from the computer.

Manual removal instructions:
Uninstall the SuperFish application using “Add or remove programs” from the Windows Control Panel.

On Windows 8, from the Start menu, search for "certmgr.msc" and press Enter. Delete the SuperFish root certificate using “Manage computer certificates” if you are using any of the following web browsers, or any other browser that uses the Windows certificate store:
  • Internet Explorer
  • Google Chrome
  • Opera
  • Safari
  • Maxthon
On the left-hand panel, select Trusted Root Certification Authorities and then navigate to the sub-folder Certificates.

On the right panel, find “Superfish, Inc.”.

Right-click on “Superfish, Inc.” and select Delete.

Note: To remove SuperFish from Firefox, please see the “Firefox removal instructions” section.

After the certificate for SuperFish has been deleted, restart your computer.

Firefox browser and Thunderbird email client removal instructions
Open the Firefox browser and select Options from the menu.

Select Advanced from the Options window.

Next, select the Certificates tab and then click View Certificates.

In the "Certificate Manager" window, select the Authorities tab and then scroll through the list to find and select the “Superfish, Inc.” certificate. Click the Delete or Distrust button.

In the Delete or Distrust CA Certificates window, select the “Superfish, Inc.” entry. Click OK in all open windows to accept the changes.

After the certificate for SuperFish has been deleted, restart your computer.

Repeat this process for the Thunderbird email client.

Note: If the computer has multiple users, the manual removal steps only remove the root certificate for the currently logged-in user. To completely remove Adware.SuperFish from the computer, repeat the manual removal steps for each user.
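The following PowerShell script is an added example, not part of the Symantec writeup and not a Lenovo or Symantec tool. It audits a Windows host for the indicators listed on this page (the root certificate, the registry subkeys, the files and the Chrome extension directory) and optionally performs the same step as the certmgr.msc instructions above by deleting the root certificate from the Windows certificate store by thumbprint. The thumbprint C864484869D41D2B0D32319C5A62F9315AAF2CBD, the paths and the registry keys are taken from the lists on this page; the function and variable names are this example's own. It matches the certificate by thumbprint rather than by the "Superfish, Inc." display name so that a renamed subject cannot hide it, and it checks both the machine store and the current user's store, which is why the multi-user note above still applies.

```powershell
# Added example (not from the Symantec writeup): audit a host for the
# Adware.SuperFish indicators listed on this page. Run from an elevated
# PowerShell prompt so the LocalMachine certificate store can be read and changed.

# Thumbprint taken from the ROOT\Certificates registry key in the writeup.
$SuperfishThumbprint = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'

# A selection of the registry subkeys from the writeup, as PowerShell provider paths.
$RegistryIndicators = @(
    'HKLM:\SOFTWARE\Classes\AppID\SuperfishIEAddon.DLL',
    'HKLM:\SOFTWARE\Classes\CLSID\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowShopper',
    'HKLM:\SOFTWARE\Lenovo\VisualDiscovery',
    'HKLM:\SOFTWARE\VisualDiscovery',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery',
    'HKLM:\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic',
    'HKLM:\SOFTWARE\Classes\AppID\VisualDiscovery.exe',
    'HKCU:\Software\AppDataLow\Software\WindowShopper'   # current user only
)

# File-system indicators from the writeup; %ProgramFiles%, %System% and %Windir%
# are expressed through the corresponding environment variables.
$FileIndicators = @(
    "$env:ProgramFiles\WindowShopper\Superfish.dll",
    "$env:ProgramFiles\WindowShopper\WSHelper.dll",
    "$env:ProgramFiles\Lenovo\VisualDiscovery",
    "$env:SystemRoot\System32\VisualDiscovery.ini",
    "$env:SystemRoot\System32\VisualDiscoveryOff.ini",
    "$env:SystemRoot\System32\Drivers\VDWFP.sys",
    "$env:SystemRoot\System32\Drivers\VDWFP64.sys",
    "$env:SystemRoot\Temp\VisualDiscovery.log",
    "$env:SystemRoot\Temp\VisualDiscoveryr.log"
)

function Find-SuperfishRootCertificate {
    # Look for the root certificate by thumbprint in the machine store and in the
    # current user's store (other users' stores are not visible from here).
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($cert.Thumbprint -eq $SuperfishThumbprint) {
                [PSCustomObject]@{ Store = $store; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
            }
        }
    }
}

function Find-SuperfishArtifacts {
    # Return every registry key and file from the indicator lists that exists.
    $found = @()
    foreach ($key in $RegistryIndicators) {
        if (Test-Path -LiteralPath $key) { $found += [PSCustomObject]@{ Type = 'Registry'; Path = $key } }
    }
    foreach ($file in $FileIndicators) {
        if (Test-Path -LiteralPath $file) { $found += [PSCustomObject]@{ Type = 'File'; Path = $file } }
    }
    # The writeup gives the Chrome extension id only as [VARIABLE], so match on the
    # fixed version directory 1.2.0.15_0 and the sfcode.js file inside each extension.
    $chromeExt = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (Test-Path -LiteralPath $chromeExt) {
        foreach ($dir in Get-ChildItem -Path $chromeExt -Directory) {
            $candidate = Join-Path $dir.FullName '1.2.0.15_0\sfcode.js'
            if (Test-Path -LiteralPath $candidate) {
                $found += [PSCustomObject]@{ Type = 'ChromeExtension'; Path = $candidate }
            }
        }
    }
    $found
}

function Remove-SuperfishRootCertificate {
    # Same effect as deleting "Superfish, Inc." in certmgr.msc: remove the root
    # certificate from the Windows certificate store. Firefox and Thunderbird keep
    # their own trust stores, so they still need the steps in the Firefox section.
    foreach ($cert in Find-SuperfishRootCertificate) {
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        Remove-Item -Path $path
        Write-Output "Removed $($cert.Subject) from $($cert.Store)"
    }
}

# Usage: audit first; uncomment the last line to delete the certificate.
Find-SuperfishRootCertificate | Format-Table -AutoSize
Find-SuperfishArtifacts | Format-Table -AutoSize
# Remove-SuperfishRootCertificate
```

Run the audit on each user account of a shared machine, since the CurrentUser store and the HKCU key are only visible for the logged-in user. Removing the certificate does not uninstall the program; the "Add or remove programs" step above is still required, and a restart afterwards is still needed so that processes with the old trust settings are gone.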