Now It’s THREE Pre-Installed Malwares on Lenovo Laptops

Matthew Hughes 24-09-2015

Not again, Lenovo. Seriously?


You guessed it. They’ve been caught shipping their customers computers laden with privacy-unfriendly malware, showing that they haven’t learned the lessons from the public outcry over Superfish.

This particular piece of malware runs daily, and collects personal usage data, which is then surreptitiously forwarded to Omniture – an online marketing and web analytics firm that was acquired by Adobe in 2009.

Bizarrely, this particular piece of malware found its way to Lenovo’s ThinkPad, ThinkCentre and ThinkStation PCs. These are the higher-end machines in Lenovo’s lineup, costing as much as an equivalent Apple Computer, and are aimed at power and business users.

So, what happened?

Lenovo Is Spying On You

The first person to discover this particular piece of malware was Michael Horowitz – a columnist for ComputerWorld who pens the Defensive Computing column.


Horowitz recently purchased two laptops from IBM. The first was a ThinkPad T520, the second was a ThinkPad T420. Both were refurbished, and shipped with fresh installations of Windows 7 Professional.


Shortly after acquiring them, he installed TaskSchedulerView. This is a freeware application from NirSoft that makes it simple to see what tasks are scheduled in Windows. On both laptops, he found an entry that concerned him. Each day, his computers were running a program called the “Lenovo Customer Feedback Program 64”.

The identity of the makers of this program is obvious. Its author was “Lenovo”, and the accompanying description said: “This task uploads Customer Feedback Program data to Lenovo”. Actually, it was going to Omniture, the marketing company we mentioned earlier. It’s not totally clear what data they were collecting.


But it is clear they were able to get away with it by burying it in a pages-deep EULA that you almost certainly won’t read. Nobody reads EULAs.

Later in this post, we’re going to talk about how you can remove the Lenovo Customer Feedback Program if you’ve got an affected machine. But first, it’s probably a good idea to start talking about the multiple crimes against privacy Lenovo have committed in the past few months.


Of all of Lenovo’s own-goals over the past month, few were as public and disastrous as the SuperFish debacle of February this year. If you want to read about it in more detail, I suggest you check out Christian Cawley’s reporting of the incident, which was excellent.

In short, last year Lenovo shipped a bunch of low-to-mid-end laptops with a piece of software called SuperFish. In Lenovo’s own words, this was to empower consumers to “find and discover products visually”. But really, it was a nasty piece of malware that hijacked users’ web browsers, and inserted their own adverts.


But it did more than that. It injected a self-signed root HTTPS certificate, which allowed them to hijack any and all encrypted traffic. HTTPS is what makes online banking and online shopping secure, and SuperFish effectively broke that.


Breaking HTTPS also allowed them to inject adverts into secure websites, like Amazon. My colleague Dann Albright wrote an explainer of SSL Hijacking earlier this year. But it also fundamentally undermines your own personal security. What’s worse, it used the same encryption key on each infected machine.

Terrible practice. Terrible security. But believe me, it gets much, much worse.


Unbeatable, BIOS-Based Malware

In August this year, it transpired that Lenovo had loaded laptops with unwanted malware that couldn’t be removed by wiping your computer.

Let that set in for a second. If you replaced your hard drive and re-installed Windows, you’d still be stuck with it. Your only option would be to either return the laptop to the manufacturer, or install an alternative OS like Linux or BSD.

This malware was hidden in the laptop’s firmware, and abused the anti-theft feature in Windows 8 and 10. Whenever the laptop booted up, the executable would be extracted from the firmware at boot-up and installed. Because it was in the firmware, it was persistent.


Lenovo used this to force the OneKey Optimizer on consumers. This, as Ars Technica pointed out, does some useful system maintenance, like updating system drivers. But it also does some tasks of questionable value, like performance “optimizations” and cleaning “system junk files”.

It didn’t help that the OneKey Optimizer is filled with security issues. There are buffer overflows and insecure network connections galore. It’s certainly not something you’d install of your own volition.

Lenovo have stopped shipping laptops with the dodgy firmware, and have issued replacement firmware for affected laptops.

As you can see, Lenovo is a bit of a recidivist when it comes to disrespecting their customers’ privacy. But how do you deal with the current Lenovo screw-up-du-jour?

How To Fix It

Knowing is the first battle. If your laptop is a ThinkStation, ThinkCentre, or a ThinkPad, you’re potentially infected. First, grab a copy of TaskSchedulerView, and have a look to see if there’s a “Lenovo Customer Feedback Program 64” task running.
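The same check can be done without extra software. This is an added example, not part of the original article: it uses Windows' built-in schtasks.exe from PowerShell to list any task whose name or description mentions the Customer Feedback Program. It assumes an English-language Windows (schtasks localizes its CSV column names), and the function name Find-FeedbackTask is made up for this example.

```powershell
# Added example (not from the article). Find-FeedbackTask is a made-up name.
# Assumption: English-language Windows; schtasks localizes its CSV column names.
function Find-FeedbackTask {
    param(
        # Default comes from the task name and description quoted in the article
        [string]$Pattern = 'Customer Feedback Program',
        [switch]$Disable
    )

    # /V adds Author, Task To Run and Comment (the task description); /FO CSV is parseable
    $rows = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv

    $hits = $rows | Where-Object {
        # schtasks can repeat the header line per task folder; drop those rows
        $_.TaskName -ne 'TaskName' -and
        ($_.TaskName -like "*$Pattern*" -or $_.Comment -like "*$Pattern*")
    } | Sort-Object -Property TaskName -Unique   # one row per task, not per trigger

    foreach ($task in $hits) {
        # Show what runs, who registered it and when it last ran
        $task | Select-Object TaskName, Author, 'Task To Run', 'Last Run Time',
                              'Scheduled Task State', Comment | Format-List

        if ($Disable) {
            # Needs an elevated prompt; the task stays registered but no longer runs
            schtasks.exe /Change /TN $task.TaskName /Disable
        }
    }

    if (-not $hits) { Write-Output "No scheduled task matching '$Pattern' found." }
}

Find-FeedbackTask            # report only
# Find-FeedbackTask -Disable # report, then disable each match
```

The "Task To Run" field shows the executable behind the task, which is what you would look at to decide whether to uninstall the software that registered it.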

If it’s there, bad luck. Lenovo has been spying on you. That said, you’ve got a few options:

Please Stop Buying Lenovo Products

Lenovo haven’t learned their lessons. They don’t respect their customers. They don’t respect your privacy or security. You shouldn’t buy their products.

Moreover, it shows a blatant lack of respect for their users. If you buy a laptop (and remember, ThinkPads are expensive), you should expect the business relationship to end once you’ve taken ownership of it, except for when it comes to warranties and support. You certainly shouldn’t expect your laptop manufacturer to actively surveil you for their own benefit.

So, please. Once again. Stop buying Lenovo products. It’s the only way they’ll learn.

If you’ve got this piece of badware installed on your computer, or you’d like to recommend an alternative PC manufacturer to Lenovo, I want to hear about it. Leave me a comment below and we’ll chat.

Photo Credit: Chip on Motherboard by VedMe85 (Via Shutterstock)


  1. Lucyrad
    July 27, 2016 at 12:34 am

    I know this post is old, at least 1 year. First I have to say sorry for not having a good control of English. I purchased a Lenovo laptop in 2014, wonderful, it worked like a charm, but then in 2015 I installed the Windows 10 update to Windows 7 SP1 and hell broke loose. With the automatic updates I got all Lenovo's curses: Customer feedback, Lenovo driver, Platform service, PM service. My computer started to have a mind of its own: restarting randomly, freezing, crashing, the mouse won't work, I had to unplug to restart. And to make the story shorter, I reinstalled Windows at least 3 times. But Lenovo came back at me with Windows 10 automatic updates from Microsoft. I uninstalled everything from Lenovo and what do you know, in one hour everything was back. And so on every day. After uninstalling all crap Lenovo, computer works fine, until they appear again. I got rid of Automatic updates, Cortana and One drive but Lenovo still install all crap back. So is not Lenovo had me killed is Microsoft allowing all. What do they care my computer is Lenovo?
    I just think they are together in this. Microsoft have to update Windows 10, not computers and drivers. Worst of all, there is no fix for such a fraud. They got my money when I purchased the laptop, now they want my life. Thanks Microsoft and Lenovo. Shame on you.

  2. lucio lardi
    June 19, 2016 at 9:07 am

    I have conflicted since last November with a PUP brought by UltraUnzip. I never suspected such a software as I thought it was preinstalled and when I realised that UltraUnzip was the problem I thought that maybe I installed it by mistake when preparing my new PC for use. Now your article has spurred a second thought - maybe I was right and it came to me preinstalled.

  3. Anonymous
    September 30, 2015 at 10:53 pm

    There are two types of data collection spelled out by Lenovo in their document on the subject.

    One type of data collection stops after 90 days, they say, the other does not. The other also does not appear in the list of installed software which is why you have to hack the task scheduler to stop it from running. Or, you can find and modify the dozen programs that feed it data and turn off the data collection in each of them.

  4. Anonymous
    September 26, 2015 at 8:49 pm

    Anyone who uses Windows 10, Android, or web browsers without clearing their entire cache every day and using a proxy is in the same boat as Lenovo users. People seem to pick and choose the privacy invasions they're going to be offended by nowadays. If you really want privacy, then you can start by using a Linux distribution and a VPN and even then it's not going to protect you from the government.

  5. Anonymous
    September 25, 2015 at 10:30 pm

    It looks like I've got it installed too, but I can't find it in my control panel. Is it listed as something else, like Lenovo Dependency Package or something? That sounds pretty suspicious...

  6. Anonymous
    September 25, 2015 at 3:26 pm

    This is ridiculous. I heard about it before but this is too much. I was going to buy my next Lenovo Laptop. Now I'll have to think about it...

  7. Anonymous
    September 24, 2015 at 9:08 pm

    There simply aren't many companies making enterprise-grade client computer product lines. For portable computers, Dell has Latitude and Precision. Toshiba has Tecra and HP has Elitebook... and Lenovo has Thinkpad. That's it. That's the list. Maybe throw in Surface devices from Microsoft and/or Macbook Pros if you're feeling charitable.

    Of those, Lenovo is the only company that offers a global warranty. It also has a long history of shipping extremely rugged, modular hardware that's easily serviced. There's a reason Thinkpad hardware is highly regarded by techies and businesspeople alike.

    I don't have any machines impacted by the current issue, though I do have Tx20 and Tx30 machines (I'm actually typing on a T420 right now). I spot-checked a couple machines and can't find the indicated software on any of them. I'm not sure what OS media or Windows licensing model was used to load Windows on the computers in the article, it is at the very least something optional and probably tied to either OEM media or optional Lenovo-branded software that a technician would have to add after the fact. I checked machines running Windows 7 Enterprise, a Lenovo Windows 7 Pro (Lenovo OEM license) and retail Windows 10 Pro.

    I'm not going to install OneKey Optimizer, but on the surface, it looks very similar to the PC Doctor software that used to ship with most Windows-based laptops. "Optimizers" of any provenance are dubious at best, but software of similar function (less the apparent reporting to a third party) has shipped with branded OEM PCs for at least the last decade.

    Is OneKey actually Malware? Maybe. I think I might break out a Network traffic monitor and see what it's actually sending out. It might be the same sort of BS telemetry that Windows 10 sends to Microsoft (or, hey, that OSX sends to Apple and Android sends to Google) or other fairly innocuous information.

    In any case, it's not forced on you by your system firmware. It does seem to be something that can be removed and it also appears to be an optional install in the first place.

    I'm not saying that there's nothing to worry about or that there isn't an ongoing breach of trust between Lenovo and people using its products, but this does not appear to be an issue on the same level as Superfish and there's really no reason to scream fire in a crowded theater. I especially don't think that the issue as it presently stands is a good reason to boycott Lenovo.