Makerere University

Not so Superfish-al: Lenovo still shipping infected systems as customers grapple with removal

One of the most daunting challenges of any security problem in consumer software is the difficulty of distributing a patch to everyone affected. Unless the software is tightly locked down and updates are mandatory, there are inevitably users who slip through the cracks, fail to apply an update when told to do so, or rarely connect online. It was inevitable that Lenovo would run into some of these problems with Superfish, but the company appears to have done only the minimum required to actually pull the software off the shelves.

For example, while Lenovo may have stopped shipping Superfish in January, it didn’t actually do any recalls to prevent previously built systems from including the malware — which means, yes, it’s still perfectly possible to buy a laptop with Superfish, assuming it shipped out before Lenovo’s change of heart. The Lenovo removal toolkit also doesn’t quite work as advertised — while it does remove the Superfish certificate and close the man-in-the-middle attack, it leaves behind the Superfish executable, SuperfishCert.dll, and at least one registry setting related to VisualDiscovery.

See link below
[source] http://www.extremetech.com/computing/200731-not-so-superfish-al-lenovo-still-shipping-infected-systems-as-customers-grapple-with-removal
