Why does my antivirus software detect XiaoU/LenovoService uninstaller, Lenovo software, as malware?
I recently purchased a Lenovo H50-55 computer with Windows 10 Home x64 on it. I uninstalled some of the Lenovo software that shipped with the computer, but not all of it.
I ran a full malware scan of the computer using Avast Free Antivirus and it detected C:\Program Files (x86)\Lenovo\XiaoU\UnInstall\LenovoService\setup.exe (which is a Lenovo file) as malicious and told me it was 'Win32:Malware-gen'.
This prompted further investigation and so I uploaded the file to VirusTotal, the results of which can be seen here (12 out of 53 antivirus programs detected it as malicious).
- Two of the antivirus programs on VirusTotal detected the setup.exe file as 'W32/OnlineGames.HI.gen!Eldorado', which according to this Microsoft page here may steal some pretty serious data.
- This is however a generic article for the family of malware (although this Microsoft page is more specific and about a very similarly named piece of malware that steals credentials).
I uploaded the file to Comodo Valkyrie, the results of which can be seen here. The service deemed it malware. UPDATE: Manual analysis of the file on Comodo Valkyrie deemed it clean.
I told Avast to fix the file but I'm concerned that further malware could still remain or that data could have already been stolen.
- Is this a real threat or not?
- What should I do next?
I'm considering wiping the entire PC and reinstalling Windows 10 from scratch but that won't help if data theft has already occurred.
I don't know if this is related, but I found a task in Windows Task Scheduler called 'Lenovo Customer Feedback Program 64 35' which I disabled but was previously running an exe called C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe every day. There seems to be only a little bit of information about the Customer Feedback Program on the Internet. I believe that the Customer Feedback task is separate to the potentially malicious file. The customer feedback exe is deemed safe by VirusTotal and Lenovo themselves have an article about it here, which says that it sends non-personal data.
My network connection seems to be dropping out for brief periods of time every so often. I do not know whether this is a related issue.
Solution 1:
If you click on the "Static Analysis" link for the file on the Comodo Valkyrie page, you will see that one of the reasons for flagging the file was because "TLS callback functions array detected". There may be a legitimate reason for the inclusion of that code within the executable you uploaded to the site, but TLS callback code can be used by malware developers to thwart the analysis of their code by antivirus researchers by making the process of debugging the code more difficult. E.g., from Detect debugger with TLS callback:
TLS callback is a function that is called before the process entry point executes. If you run the executable with a debugger, the TLS callback will be executed before the debugger breaks. This means you can perform anti-debugging checks before the debugger can do anything. Therefore, TLS callback is a very powerful anti-debugging technique.
TLS Callbacks in the Wild discusses an example of malware using this technique.
Lenovo has a bad reputation in regards to the software it has distributed with its systems. E.g., from the February 15, 2015 Ars Technica article Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections:
Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.
The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
A man-in-the-middle attack defeats the protection you would otherwise have by visiting a site using HTTPS rather than HTTP, allowing the software to snoop on all web traffic, even traffic between the user and financial institutions such as banks.
When researchers found the Superfish software on Lenovo machines, Lenovo initially claimed "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns." But the company had to retract that statement when security researchers revealed how the Superfish software made Lenovo systems open to compromise by malefactors.
In response to that debacle, Lenovo's Chief Technical Officer (CTO), Peter Hortensius, then stated "What I can say about this today is that we are exploring a wide range of options that include: creating a cleaner PC image (the operating system and software that is on your device right out of the box)..." Perhaps that option was discarded. E.g., see the September 2015 article Lenovo Caught Red-handed (3rd Time): Pre-Installed Spyware found in Lenovo Laptops by Swati Khandelwal, a security analyst at The Hacker News, that discusses the "Lenovo Customer Feedback Program 64" software you found on your system.
Update:
In regards to legitimate uses for Thread Local Storage (TLS) callbacks, there is a discussion TLS in the Wikipedia Thread Local Storage article. I don't know how often programmers use it for legitimate uses. I've only found one person mentioning his legitimate use for the capability; all the other references to it I've found have been to its usage by malware. But that may simply be because the usage by malware developers is more likely to be written about than programmers writing about their legitimate usage. I don't think its usage alone is conclusive evidence Lenovo is trying to hide functions in the software that its users would likely find alarming if they knew everything the software did. But, given Lenovo's known practices, not just with Superfish, but subsequently with its use of the Windows Platform Binary Table (WPBT) for the "Lenovo System Engine" to ensure the OneKey Optimizer (OKO) software would be installed on a system even if a user attempted to create a "clean" installation of Windows, as described in Lenovo used Windows anti-theft feature to install persistent crapware, I think there is reason to be somewhat wary and am far less likely to give Lenovo the benefit of the doubt than I might other companies.
Unfortunately, there are a lot of companies which try to make more money off their customers by selling customer information or "access" to their customers to other "partners". And sometimes that is done through adware, which doesn't necessarily mean the company is providing personally identifiable information to those "partners". At times a company may want to collect information on its customers' behavior just so it can provide more information to marketers on the type of customer the company is likely to attract rather than information identifying an individual.
If I upload a file to VirusTotal and find just one or two of the many antivirus programs it uses to scan uploaded files flagging the file as containing malware, I often regard those as false positive reports, if the code has obviously been around for quite some time, e.g., if VirusTotal reports it previously scanned the file a year ago, and I otherwise have no reason to distrust the software developer and, to the contrary, some reason to trust the developer, e.g., because of a longstanding good reputation. But Lenovo has already tarnished its reputation and 12 out of 53 antivirus programs flagging the file you uploaded is about 23%, which I regard as a worryingly high percentage.
Though, since most antivirus vendors usually provide little, if any, specific information on what leads to a file being flagged as a particular type of malware and exactly what a particular malware description means in terms of its operation, it's often hard to ascertain exactly what you need to worry about when you see a particular description. In this case it could even be that most of them are seeing a TLS callback and flagging the file on that basis alone. I.e., it is possible that all 12 are making a false positive claim on the same mistaken basis. And sometimes different products share the same signatures for identifying malware and that signature may also occur in a legitimate program.
As for the "W32/OnlineGames.HI.gen!Eldorado" result reported by a couple of the programs on VirusTotal being a name similar to PWS:Win32/OnLineGames.gen!B without specific information on what led to the conclusion that the file is associated with W32/OnlineGames.HI.gen!Eldorado and what behavior is associated with W32/OnlineGames.HI.gen!Eldorado, i.e., what registry keys and files should one expect to find and how software with that particular description behaves, I wouldn't conclude that the software steals gaming credentials. Without any other evidence, I think that is unlikely. Unfortunately, a lot of the malware descriptions you will see are just similarly named generic descriptions that are of little value in determining how worried you should be when seeing that description attached to a file. "W32" is often attached to the beginning of a lot of names by some antivirus vendors. The fact that they share that and "OnlineGames" and "gen" for "generic" in the names wouldn't lead me to conclude that files given those names operate in the same manner.
I'd remove the software, since I'd judge it to use system resources with no benefit to me, and, if you play online games you could reset your passwords as a precaution, though I doubt the Lenovo software has stolen online gaming credentials or is doing keystroke logging. Lenovo doesn't have a stellar reputation for the software they include on their systems, but I've seen no reports that they've distributed any software that would operate in such a manner. And the periodic loss of network connectivity could even be outside of your PC. E.g., if other systems at the same location also periodically experience a loss of connectivity, I'd think there is more likely an issue at a router.
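The "TLS callback functions array detected" finding the answer discusses is a structural fact about the PE file: its optional header declares a non-empty TLS data directory. The following added example (not from the original post or from Comodo) reproduces that check with the Python standard library, so you can see which header fields a static analyzer looks at before deciding whether a flag deserves a closer look; the sample PE headers it feeds itself are constructed inline, and the builder function is hypothetical.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry among the optional header's data directories

def tls_directory(data: bytes):
    """Return (rva, size) of the TLS data directory, or None if the bytes are not a
    PE image or the optional header declares no such entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at offset 96
        dir_off = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        dir_off = opt + 112
    else:
        return None
    num_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]   # NumberOfRvaAndSizes
    entry = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS or entry + 8 > opt + size_of_optional:
        return None
    return struct.unpack_from("<II", data, entry)               # (VirtualAddress, Size)

def has_tls_directory(data: bytes) -> bool:
    """True when the PE declares a non-empty TLS directory: the cue a static analyzer
    reports as 'TLS callback functions array detected'. It is a reason to look closer,
    not proof of malice, since compilers emit it for ordinary thread-local variables."""
    d = tls_directory(data)
    return d is not None and d[0] != 0 and d[1] != 0

def build_header_only_pe(tls_rva: int, tls_size: int, pe32plus: bool = False) -> bytes:
    """Constructed sample (hypothetical helper): DOS header + PE headers with 16 data
    directories and no sections. Only the fields the parser above reads are meaningful."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_fixed = 112 if pe32plus else 96
    opt_size = opt_fixed + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    opt += b"\0" * (opt_fixed - 6) + struct.pack("<I", 16)      # NumberOfRvaAndSizes = 16
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, tls_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)

if __name__ == "__main__":
    for label, sample in (("no TLS", build_header_only_pe(0, 0)),
                          ("PE32 with TLS", build_header_only_pe(0x3000, 0x18)),
                          ("PE32+ with TLS", build_header_only_pe(0x5000, 0x28, True))):
        print(f"{label}: TLS directory present = {has_tls_directory(sample)}")
```

To inspect a real file, pass `open(path, "rb").read()` to `has_tls_directory`; reading the actual AddressOfCallBacks array would additionally require mapping the TLS RVA through the section table, which this example does not do.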