This alert has been my first encounter with spyware problems on Windows Vista, which has otherwise been very resistant to invasions from annoying marketers, hackers, and spies. It appears to be rather new, and neither AdAware nor McAfee Antivirus detects it as a problem. Furthermore, a simple file search for the apparent offending program returned no results, although I was able to browse to the location and see the file there.
Hopefully this will be an easy fix, so these results will most likely allow you to remove the bothersome application yourself.
I tracked down the little bugger by trial and error. I waited for the window to pop up, and I left it open while going to task manager [ctrl-alt-delete and select Task Manager]. On the processes tab of task manager, I started ending processes on items until I ended the process which shut down the window. At that point, I knew I had found the beginning of the problem.
When I ended the process visfdw.exe the alert window closed, leading me to believe that this was my offending item. A quick Google for 'visfdw.exe' led me to a new posting on BleepingComputer.com from a user experiencing exactly the same problem. That user's convenient posting of a HijackThis log listed the process in exactly the same location where I was able to find it on my computer:
- an HKEY_CURRENT_USER run key (in the registry editor at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)
- which started the process "C:\Users\School\AppData\Roaming\Google\visfdw.exe"
As the run key is labeled winlogone (clearly a fake reference to the winlogon process), I should have caught this when I first looked through the registry as soon as the problem started. Oh, well.
This is a very tried and true way of starting up spyware and adware programs. Back when I was doing telephone support for Microsoft on Windows XP, we encountered this technique regularly. In the beginning, simply removing the registry entry would solve the problem, and I hope that to be the case here. More advanced problems will have a second process running which is time-bombed to cause more severe problems if the item being watched is removed, but that remains to be seen. As I am working on the machine in question to write this, if it goes down I will switch to Linux and give you folks another update. For now though, I plan to post this and then remove the registry entry and delete the entire Google folder at C:\Users\School\AppData\Roaming\Google (I'm sure if I need something Googleish in there, I can reinstall it). I'm not suggesting that you do the same, but I will let you know if it solves the problem on my computer and you can make a decision for yourself.
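The two tells described above (a Run value named to imitate a Windows component, and a target executable living under the user's roaming profile instead of Program Files or Windows) can be checked without hunting through Task Manager. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 or later is installed (Vista did not ship with it), and the lookalike-name list and the function name Get-RunKeyFindings are my own choices. It is read-only and removes nothing.

```powershell
# Added example: audit the per-user Run key for the pattern described above.
# Read-only -- it reports suspicious entries and changes nothing.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Names that autostart malware likes to imitate (illustrative list, not exhaustive;
# "winlogone" from the post would match "winlogon")
$lookalikes = @('winlogon', 'svchost', 'explorer', 'lsass', 'csrss', 'services')

# Directories a legitimate autostart entry rarely runs from
$suspectRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),       # C:\Users\<you>\AppData\Roaming
    [Environment]::GetFolderPath('LocalApplicationData'),  # C:\Users\<you>\AppData\Local
    $env:TEMP
)

function Get-RunKeyFindings {
    param([string]$Path = $runKey)

    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)

        # Reduce the command line to the executable path: a quoted path, or the first token
        if ($command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($command -split ' ')[0] }

        $reasons = @()
        foreach ($l in $lookalikes) {
            # -like is case-insensitive in PowerShell, so "WinLogone" is caught too
            if ($name -like "*$l*") { $reasons += "value name resembles '$l'" }
        }
        foreach ($root in $suspectRoots) {
            if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "target runs from $root"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $name; Command = $command; Reasons = ($reasons -join '; ') }
        }
    }
}

# Usage: list anything that trips either check
Get-RunKeyFindings | Format-Table -AutoSize
```

Anything the script lists still needs a human look (some legitimate updaters do install under AppData), but an entry that trips both checks, as the one in this post does, is the kind of thing worth investigating before it pops another window. Once you are satisfied an entry is bogus, `Remove-ItemProperty -Path $runKey -Name 'winlogone'` deletes that single value, which is the same step as removing it in the registry editor.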
All the best, Greg
Although I had to go into safe mode to delete the Google folder in C:\Users\School\AppData\Roaming\ the process seems to have worked.
A few notes:
- The location of the folder on your machine will be C:\Users\YOUR USER ACCOUNT\AppData\Roaming\, where YOUR USER ACCOUNT is the name of the account you log onto the computer with.
- To enter safe mode, restart the computer and tap the F8 key while it boots up. Choose Safe Mode from the list and proceed normally after the computer starts to browse down to the folder and delete it.
- Once the folder and the registry key are deleted, restart the computer normally - your display may come up in Windows Classic. To change back to Windows Aero - the way Vista normally looks, right click an empty area on your desktop, choose color and appearance and select Windows Aero from the selection box.
This worked for me -- at least so far -- so you may find it helpful. As always, your mileage may vary, so make your own decisions and/or consult a professional. G.