Threat Explorer

Adware.SuperFishRemove

Updated: March 02, 2015
Infection Length: 852,328 bytes
Risk Impact: Low
Systems Affected: Windows

Behavior

Adware.SuperFishRemove provides instructions on how to remove Adware.SuperFish for Firefox and Thunderbird users. Symantec products remove the adware and its Windows root certificate automatically; Firefox and Thunderbird keep their own certificate stores, so the root certificate must be removed from them by hand, which is what these instructions cover.

Note: These steps are designed solely to be used in conjunction with Symantec products and can be used to remove Adware.SuperFish from the Firefox and Thunderbird platforms.

For full SuperFish removal instructions, please see Adware.SuperFish.

Antivirus Protection Dates

  • Initial Rapid Release version February 26, 2015 revision 022
  • Latest Rapid Release version February 26, 2015 revision 022
  • Initial Daily Certified version February 26, 2015 revision 064
  • Latest Daily Certified version February 26, 2015 revision 064
  • Initial Weekly Certified release date March 04, 2015

Once executed, Adware.SuperFish (the adware itself, not this removal guide) creates the following files:
  • %ProgramFiles%\WindowShopper\Settings.xml
  • %ProgramFiles%\WindowShopper\Superfish.dll
  • %ProgramFiles%\WindowShopper\Uninstall.exe
  • %ProgramFiles%\WindowShopper\WSHelper.dll
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\background.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\background.js~
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_128.png
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_16.png
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_48.png
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\manifest.json
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\one-time-run.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\sfcode.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\sfcode.js~
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js.old
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js~
  • %UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\zepto.min.js
  • %UserProfile%\Application Data\Local\Microsoft\Internet Explorer\DOMStore\[VARIABLE]\www.superfish[1].xml
  • %UserProfile%\Application Data\Roaming\Microsoft\Windows\Start Menu\Programs\WindowShopper\Uninstall.lnk
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\about-showme.xul
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\status-bar-superfish.js
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\status-bar-superfish.xul
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\specialsavings_logo.png
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\superfish_logo.png
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\Thumbs.db
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome.manifest
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\components\nsSuperfishComponent.js
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\components\nsSuperfishComponent.js.old
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\defaults\preferences\pref.js
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\install.rdf
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\Settings.xml
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\sfStatistics.xml
  • %UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\user.js
  • %System%\VisualDiscovery.ini
  • %System%\VisualDiscoveryOff.ini
  • %ProgramFiles%\Lenovo\VisualDiscovery
  • %Windir%\Temp\VisualDiscovery.log
  • %Windir%\Temp\VisualDiscoveryr.log
  • %System%\Drivers\VDWFP64.sys
  • %System%\Drivers\VDWFP.sys
  • %UserProfile%\Local Settings\Temp\VisualDiscoveryr.log

Adware.SuperFish also creates the following registry subkeys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SuperfishIEAddon.DLL
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{51B4D471-086A-4137-AD28-84EED05088AE}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4CCDB009-EC10-4696-9991-419D39D3D1DD}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E1EF512D-604D-4776-AF11-410704DA1911}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.BHObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.BHObject.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.ExtentionUI
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.ExtentionUI.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowShopper
    • HKEY_CURRENT_USER\Software\AppDataLow\Software\WindowShopper
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\superfish.com
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
    • HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\VisualDiscovery
    • HKEY_LOCAL_MACHINE\SOFTWARE\VisualDiscovery
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataController
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.WFPController
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\VisualDiscovery.exe

Adware.SuperFish adds browser extensions to Internet Explorer, Firefox, and Chrome. The browser extensions insert advertisements into web pages.

Symantec detects SuperFish as Adware.SuperFish and remediates the application by removing the application and its associated files. It also removes the SuperFish root certificate from the Windows Certificate Store. Firefox and Thunderbird do not use the Windows Certificate Store, so for those applications it is necessary to manually remove the root certificate or use the removal tool provided by Lenovo. The root certificate is the security-relevant component: any application that still trusts it will accept certificates issued under it for any site, so verifying that the certificate is gone from every trust store matters more than deleting the remaining adware files.

Lenovo has reached out to SuperFish to disable all server activity associated with their product. Lenovo has updated their website with instructions on how to remove SuperFish and recommends that customers follow them to remove SuperFish and all related files from their computers. Symantec recommends the following manual removal steps to remove SuperFish from the computer.

Firefox browser and Thunderbird email client removal instructions

1. Uninstall the SuperFish application using "Add or remove programs" from the Windows Control Panel.
2. Open the Firefox browser and select Options from the menu.
3. Select Advanced from the Options window.
4. Select the Certificates tab and then click View Certificates.
5. In the "Certificate Manager" window, select the Authorities tab, scroll through the list to find and select the "Superfish, Inc." certificate, and click the Delete or Distrust button.
6. In the "Delete or Distrust CA Certificates" window, confirm that the "Superfish, Inc." entry is selected. Click OK in all open windows to accept the changes.
7. After the SuperFish certificate has been deleted, restart the computer.
8. Repeat this process for the Thunderbird email client.

Note: If the computer has multiple users, the manual removal steps only remove the root certificate for the currently logged-in user, because Firefox and Thunderbird store trusted certificates per profile rather than in the Windows Certificate Store. To completely remove Adware.SuperFish from the computer, repeat the manual removal steps for each user and each Firefox or Thunderbird profile.
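The following PowerShell script is an added example, not Symantec's or Lenovo's removal tool. It audits a host for the artifacts listed on this page: the root certificate thumbprint taken from the SystemCertificates registry path above, a subset of the registry keys and file paths, and the superfish@superfish.com extension directory in every user's Firefox and Thunderbird profiles, which tells you which profiles still need the manual steps. The subset of paths chosen, the %SystemDrive%\Users profile layout, and the expansion of %System% to System32 are assumptions. It cannot read the Firefox or Thunderbird certificate databases themselves, so the certificate check in those applications remains manual. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Symantec's or Lenovo's code): audit a Windows host for the
# Adware.SuperFish artifacts listed on this page. Assumptions: %System% = System32,
# user profiles live under %SystemDrive%\Users, and the path subset below is enough
# to tell whether the adware is still present.

$SuperfishThumbprint = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'  # from the registry list above

$RegistryKeys = @(
    'HKLM:\SOFTWARE\Classes\AppID\SuperfishIEAddon.DLL',
    'HKLM:\SOFTWARE\Classes\CLSID\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowShopper',
    'HKLM:\SOFTWARE\Lenovo\VisualDiscovery',
    'HKLM:\SOFTWARE\VisualDiscovery',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery',
    "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$SuperfishThumbprint"
)

$FilePaths = @(
    "$env:ProgramFiles\WindowShopper\Superfish.dll",
    "$env:ProgramFiles\Lenovo\VisualDiscovery",
    "$env:SystemRoot\System32\VisualDiscovery.ini",
    "$env:SystemRoot\System32\drivers\VDWFP.sys",
    "$env:SystemRoot\System32\drivers\VDWFP64.sys"
)

$findings = @()

# 1. Windows certificate stores. The trusted root CA is the part that matters:
#    while it is trusted, certificates issued under it are accepted for any site.
#    Cert:\CurrentUser\Root only covers the account running this script.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $cert = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $SuperfishThumbprint }
    if ($cert) { $findings += "Root certificate still trusted in $store ($($cert.Subject))" }
}

# 2. Registry and file artifacts taken from the lists above.
foreach ($key in $RegistryKeys) { if (Test-Path $key) { $findings += "Registry key present: $key" } }
foreach ($path in $FilePaths)  { if (Test-Path $path) { $findings += "File present: $path" } }

# 3. Firefox and Thunderbird keep a trust store per profile, so a clean Windows
#    store says nothing about them. Walk every user's profiles (not just the
#    current user's, which is the multi-user caveat in the note above) and report
#    each profile that still carries the extension; each one needs the manual steps.
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($user in Get-ChildItem $usersRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($app in 'Mozilla\Firefox\Profiles', 'Thunderbird\Profiles') {
        $profileRoot = Join-Path $user.FullName "AppData\Roaming\$app"
        if (-not (Test-Path $profileRoot)) { continue }
        foreach ($profile in Get-ChildItem $profileRoot -Directory) {
            $ext = Join-Path $profile.FullName 'extensions\superfish@superfish.com'
            if (Test-Path $ext) { $findings += "Mozilla extension present in $($user.Name): $ext" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Superfish artifacts found in the machine-wide stores or any user profile.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}

# Optional cleanup of the Windows root store only. The Mozilla per-profile stores
# still have to be cleaned by hand as described in the steps above.
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $SuperfishThumbprint } | Remove-Item
```

A clean run is not proof that Firefox or Thunderbird no longer trust the certificate: the extension directory can be deleted while the CA entry survives in the profile's certificate database, which is why step 5 above has to be repeated per profile even after the script reports nothing.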