The discovery of the secret UEFI-level spyware installer kit was made by a user, willSmith1701, on the Ars Technica forum. He had purchased a Lenovo G50-80 and did a clean install using a retail disc. However, when he tried to reboot the system he got a pop-up message saying The popup has an option to either cancel, or to agree and install. However, that is not the issue here. Since the user tried a clean install, he shouldn't be getting such a message in the first place. This message may be an indication of UEFI/BIOS-level spyware in the Lenovo PCs.

Another user, Chuck11, found many entries in the Windows system which contain files like LenovoCheck.exe and LenovoUpdate.exe. These entries appear again on reboot, even if the user deletes them.

Another user, ge814, gave a detailed reply about how the files LenovoCheck.exe and LenovoUpdate.exe are being created by Lenovo PCs and laptops. “If you delete those files, or just overwrite them with junk, they reappear when you reboot. If you Disable the service, it is Running when you reboot! See this thread for someone else who noticed this, with more details – nobody believes him! He thinks it’s UEFI”

He says that before booting Windows 7 or 8, the BIOS checks if C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the Lenovo one, it moves it to C:\Windows\system32\0409\zz_sec\autobin.exe, and then writes its own autochk.exe. During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, something it should not be doing. Then it sets up a service to run one of them when an internet connection is established. Once it is connected to the Internet, it visits the site https://download.lenovo.com/ideapad/wind … 2_oko.json.
That in itself is a very serious issue for Lenovo PC users, because the combination of the “ForceUpdate” parameter and the lack of SSL makes it vulnerable to a man-in-the-middle attack and remote code execution by anyone who can intercept the user's traffic. The only way to escape these two backdoors created by Lenovo PCs and laptops is to flash your BIOS. Having said that, only users who are fairly conversant with flashing BIOS/firmware should proceed, or else you may brick your PC/laptop.

First you’ll need a USB flash ROM reader/writer (a cheap CH341A one works fine) and SOIC-8 test clips. Take the back cover off the laptop, disconnect the battery, and locate the BIOS chip on the motherboard. Connect the test clips to the BIOS chip and connect the other end of the test clips to the USB writer you have bought. Now connect the USB writer to another computer.

On the other computer, use the USB reader/writer to dump a copy of the BIOS. The BIOS dump will be an 8MB file. You need to split it into 2 files: the first 2MB and the last 6MB. Download UEFITool from GitHub (https://github.com/LongSoft/UEFITool) and open the 6MB file. Look through the modules, find the one called “NovoSecEngine2” and mark it for deletion. Save a new copy of the 6MB file. Now make a new 8MB file by taking the 2MB beginning from earlier and appending the new 6MB file on to the end. Use the USB reader/writer to flash that new 8MB file to your PC/laptop’s BIOS.

Once you are done, disconnect the wires and put the laptop back together. Reinstall a fresh copy of Windows again, and check your C:\Windows\system32\autochk.exe file to make sure it’s signed by Microsoft, not Lenovo. If you have the original Microsoft one there, congratulations, your laptop is now clean.
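The split and rejoin steps of this procedure can be scripted with size checks, so that a short read or a tail of the wrong length is caught before anything is written back to the chip. This is an added example, not part of the original article; the file names (head_2mb.bin, tail_6mb.bin, image_new.bin) are hypothetical, and it assumes the file saved from UEFITool is still exactly 6MB, as the procedure requires for the result to be an 8MB image.

```python
import hashlib
import sys
from pathlib import Path

MIB = 1024 * 1024
DUMP_SIZE = 8 * MIB                # full dump read from the BIOS chip
HEAD_SIZE = 2 * MIB                # first 2MB: kept byte-for-byte
TAIL_SIZE = DUMP_SIZE - HEAD_SIZE  # last 6MB: the file edited in UEFITool


def split_dump(dump, head_out, tail_out):
    """Split the 8MB dump into its first 2MB and last 6MB; return its SHA-256."""
    data = Path(dump).read_bytes()
    if len(data) != DUMP_SIZE:
        raise ValueError(f"{dump}: expected {DUMP_SIZE} bytes, got {len(data)}")
    Path(head_out).write_bytes(data[:HEAD_SIZE])
    Path(tail_out).write_bytes(data[HEAD_SIZE:])
    return hashlib.sha256(data).hexdigest()


def join_image(dump, head, new_tail, image_out):
    """Rebuild the 8MB image from the untouched head and the edited tail."""
    original = Path(dump).read_bytes()
    head_bytes = Path(head).read_bytes()
    tail_bytes = Path(new_tail).read_bytes()
    if head_bytes != original[:HEAD_SIZE]:
        raise ValueError("head differs from the first 2MB of the original dump")
    if len(tail_bytes) != TAIL_SIZE:
        raise ValueError(f"edited tail is {len(tail_bytes)} bytes, not {TAIL_SIZE}")
    if tail_bytes == original[HEAD_SIZE:]:
        raise ValueError("edited tail is identical to the original; nothing was removed")
    image = head_bytes + tail_bytes
    Path(image_out).write_bytes(image)
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    # split <dump>                 -> writes head_2mb.bin and tail_6mb.bin
    # join  <dump> <edited_tail>   -> writes image_new.bin (after the UEFITool edit)
    if len(sys.argv) == 3 and sys.argv[1] == "split":
        print("dump sha256:", split_dump(sys.argv[2], "head_2mb.bin", "tail_6mb.bin"))
    elif len(sys.argv) == 4 and sys.argv[1] == "join":
        print("image sha256:", join_image(sys.argv[2], "head_2mb.bin",
                                          sys.argv[3], "image_new.bin"))
    else:
        sys.exit("usage: split <dump> | join <dump> <edited_tail>")
```

Keep the original dump and its printed hash somewhere safe; it is the only way back if the modified image does not boot.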

It is clear that Lenovo is shipping their PCs/laptops with a boot-level rootkit that force-installs unwanted spyware and bloatware. The files created by the rootkit are further connecting

Update: Lenovo has issued a statement about its LSE rootkit saying that LSE is no longer being installed on Lenovo PCs. It has also added that its popular ThinkPad and other Think-branded PCs/laptops are not affected by this vulnerability. It has also requested its customers to immediately update their firmware with the recent release so that the LSE can be disabled.

The Lenovo products affected by the LSE rootkit are listed below:

Lenovo Notebook

- Flex 2 Pro 15 (Broadwell)
- Flex 2 Pro 15 (Haswell)
- Flex 3 1120
- Flex 3 1470/1570
- G40-80/G50-80/G50-80 Touch
- S41-70/U41-70
- S435/M40-35
- V3000
- Y40-80
- Yoga 3 11
- Yoga 3 14
- Z41-70/Z51-70
- Z70-80/G70-80

Lenovo Desktop World Wide

- A540/A740
- B4030
- B5030
- B5035
- B750
- H3000
- H3050
- H5000
- H5050
- H5055
- Horizon 2 27
- Horizon 2e (Yoga Home 500)
- Horizon 2S
- C260
- C2005
- C2030
- C4005
- C4030
- C5030
- X310 (A78)
- X315 (B85)

Lenovo Desktop China Only

- D3000
- D5050
- D5055
- F5000
- F5050
- F5055
- G5000
- G5050
- G5055
- YT A5700k
- YT A7700k
- YT M2620n
- YT M5310n
- YT M5790n
- YT M7100n
- YT S4005
- YT S4030
- YT S4040
- YT S5030