What the hell is Sysfader.exe?

Discussion in 'other security issues & news' started by tempnexus, Mar 12, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    OK, I get a crash once in a while, and many times it is just a window that takes a second, but right now I actually did a window capture and got this.

    Sysfader:Explorer.exe
    Instruction at 0x77f57e4f reference memory at 0x00000067 the memory was unable to be written.

    I've run SpySweeper, AdAware, TD-3, BoClean, Nod32 and Bitdefender. It comes up with nothing... but the PC is sometimes unstable... so what the hell is sysfader?

    Thanks so much
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi tempnexus,

    Have you checked your computer for spyware?
    Stupid question. I now see you ran SpySweeper.
    Try this anyway http://www.wilderssecurity.com/showthread.php?t=15913

    I found this:
    http://www.hardwareanalysis.com/content/topic/15565/

    Regards,

    Pieter
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  4. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    This is weird, no one knows for sure. Some say it's a file that places Win into hibernation mode, others say: "sysfader is used to effect fade in/out of menus and tooltip balloons. If it's persistently hanging-up, it can be disabled in Display Properties -> Effects -> uncheck "Use Transition Effects for menus and tooltips" (note: this is how it's disabled in Win2K; it might be done differently in XP)."
     
  5. finewings

    finewings Guest

    I don't know what it is either. BUT I solved it just now. Try to boot in safe mode. Run msconfig in Start->Run. There seem to be some doubtful services there, stop them. Restart the computer... Good luck!
     
  6. Sgt Bilko

    Sgt Bilko Guest

    I have exactly the same problem. Unfortunately I can't offer any help as to what it is :(
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Could you check with SFC (?) if the explorer.exe is still ok?
     
  8. freedom1

    freedom1 Guest

    I am having a similar problem with SysFader.

    I have run Ad Aware, Spy Bot and Norton and can't find anything.

    Every time I go to an FTP site my browser hangs. When I go to my task manager it always has SysFader as not responding. Normal surfing seems OK, it's only when I go to an FTP site.

    Any advice would be appreciated, Thanks in advance!
     
  9. freedom1

    freedom1 Guest

    I thought that I would also post my HJT log as it may help in working out what the problem is:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:59:54 PM, on 10/07/2004
    Platform: Windows XP SP1
    MSIE: Internet Explorer v6.00

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page
    O2 - BHO: (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - C:\Program Files\MSN Toolbar\en-us\msntb.dll
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O16 - DPF: (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Found a Dutch page in the MS Knowledge Base saying the problem is known in Internet Explorer 6.0 and that it would have been fixed in a later hotfix.

    Somewhere I saw this description:
    Based on Google it seems to be part of the Windows system and is used when you enable the "Fade effect" in Windows Display properties (Display properties -> Appearance -> Effects).

    So not sure if the one combines the other?
     
  11. Taze

    Taze Guest

    Found in another thread... Hope it helps!
    _________________________________
    Well ultimately I've found the answer, and lo and behold it was a virus. It didn't have anything to do with the installation I did, however - it had seemingly been on my PC for almost a month without doing anything.

    The virus is a Trojan called 'Winshow'.

    Here is the fix...
    This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers to it)
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINSHOW.A&VSect=T

    or adware, as Symantec refers to it.

    http://securityresponse.symantec.com/avcenter/venc/data/adware.winshow.html

    This past weekend happens to be about the one month anniversary of its initial appearance; perhaps this is the reason why the 'copy' error started showing up. On my machine, it looks like it first deposited itself on 10/30/03. Its main impact for me was it would not allow multiple launches of IE from the desktop icon, and it became impossible over the weekend to synch my PDA, HD MP3 player or use my multi-card reader, and impacted anything else that was hooked up through my USB 2.0 card. IE sessions since the beginning of November have seemed somewhat buggy; anything depending upon a plug-in applet (like Java) took FOREVER to load. The 'copy' boot error does not show up with every bootup or login, making it seem like the problem goes away.

    In 2000/XP, you need to search for the folders Winshow and Winlink, usually deposited in C:\ Documents and Settings \ (user) \ Local Settings \ Application Data, where (user) is whatever name you log into or use XP/2000 with. If you have them, you will need to delete them eventually, but you'll first have to delete the registry entries (if you don't, the trojan will simply recreate the folders with the next bootup). There probably is the file 'msupdater.exe' on your machine as well; this and the two folders have been associated as an IE hijacker routine a number of people have reported on the internet.

    Norton's WinDoctor can delete some of the registry entries (it did for me, but it didn't get everything), but you really need to use it or better yet, use Hijack This, booted into Safe Mode (where the trojan isn't allowed to start before attempting to delete its components).

    For those who don't know, Hijack This is an anti-hijacking app that is easy to find (and best of all, is free). You can find it on CNET and other places to download. In my case, it came in a .zip file; within it was a .exe file that launches Hijack This when clicked. It doesn't appear to install itself to Windows. Upon starting in Safe Mode, you should get a window; select Scan, and in a second or two you will get a listing of the processes that launch on startup with your specific computer. Look for the Winlink and Winshow entries (under BHO on my computer), click the tick boxes, and click Fix Check.

    Once done, you can reboot normally, go and find the msupdater.exe file, Winshow and Winlink folders and delete them w/o them showing up again.

    To further clean up, you can go into the registry (with regedit, but only if you know what you're doing in there), and search for both winlink and winshow; there may be remnants still lurking as there were on my computer. If you find them, delete them; the trojan shouldn't be active at this point so it shouldn't recreate them. NOTE: if you have multiple login user identities on your machine, you may have to do this exercise for EACH one. If you're knowledgeable and brave enough, you can delete the registry entries in Safe Mode also, without using Hijack This or any other app.
     
  12. Rockersuke

    Rockersuke Guest

    Looks like it's not Winshow

    Nope, I also have the same "Sysfader" symptoms but none of the Winshow files/keys. I think "Winshow" is not related to this.

    Damn! ^_^''
     
  13. Whynot

    Whynot Registered Member

    Joined:
    Feb 8, 2004
    Posts:
    50
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I wonder if people who updated IE 6.0 with all patches still have the problem?
     
  15. granduke

    granduke Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    4
    Location:
    Germany,EU near Jooske
    I have Win XP and update my IE 6.0 almost like every day (although there's none atm).

    And guess what, I don't even have sysfader.exe in my comp. I've searched and couldn't find one. :)
     
  16. ipje

    ipje Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    50
    Location:
    the netherlands
    You have Spysweeper on your computer; if this is version 3.0 then this could be your problem. The last month I had problems with the "right click" of my mouse and crashes of explorer.exe. But things were getting worse: today I was not able to access files/maps with right-click or using the keyboard. In a Dutch forum I read about the same problems for other OSes and Spysweeper 3.0 (I use XP). Give it a try when you have version 3.0: uninstall it and see if your problem is solved.
     
  17. Rockersuke

    Rockersuke Guest

    I've never installed Spysweeper and I always install Microsoft updates, including the ones that they have released right today on my WinXP SP1 system...

    ...but the ###### explorer crash with sysfader message is still there! Sometimes when I right-click something, sometimes when I try to open anything... as random as usual...

    sigh!
     
  18. Squib

    Squib Guest

    I experienced it for the first time today - it froze the taskbar, but after several minutes (and pressing Alt-Ctrl-Del) the taskmanager came up and I could exit the hung "Sysfader.exe"

    Everything returned to normal. No restart needed.

    I have no idea what it is, but I was trying to open the start menu at the time it struck... background task was initialising a really old HDD from a 386.

    Recent changes to my system: Disabled hardware acceleration because alpha blending caused display drivers (3dfx) to crash when I was in the middle of writing an application :(

    Maybe having little or no hardware acceleration increases the chances of suffering the dreaded sysfader attack?
     
  19. Jamesyb

    Jamesyb Guest

    Can anyone give more help to this issue?

    What services did you delete/stop?

    How do I get to display settings in XP? o_O
     
  20. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    When you talk about the devil...
    Today I was watching film trailers using IE & QuickTime 6.5.1, when suddenly I also got, & for the first time(!), this Sysfader error:
    "Instruction at 0x10023b12 reference memory at 0x000000b8 the memory was unable to be written"
    When I used Mozilla 1.7 & QuickTime I don't have the error.

    I think it is not a virus because I checked my PC with Kaspersky, Norton online, Housecall, e-Trust and they didn't find anything.
    I also scanned using Adaware, Spybot S&D, Spysweeper, Bazooka, a² and Pestpatrol.
    Only Pestpatrol found 593 pests. But they were almost all from GameSpyArcade and the other 4 must be false positives, because they were Microsoft DLLs.

    And yes, my IE & XP are updated with the last patches.

    edit: :eek: problem seems to have disappeared, everything works fine now. And strangely, I can't find any sysfader file on my computer. So I am sorry, my post doesn't seem to be very useful anymore. But I leave it here because I did have the same mistake at one point.
     
    Last edited: Jul 25, 2004
  21. Qwack

    Qwack Guest

    You aren't nuts.

    I have the same problem.

    Sysfader not responding and can't be stopped with Windows Task Manager.
    Have to shut down the System with the Power Button.

    Looked for Sysfader. Couldn't find it.

    I also have another symptom. When I shut down Zone Alarm it comes back
    with a message about "True Vector Internet Monitor not responding".

    I'm looking for a way to solve the problem.....
     
  22. Griffman1

    Griffman1 Guest

    Hi, I've been having a problem with my computer for about a week now and today when I was playing around with it trying to fix it sysfader.exe popped up in the task manager. It was only for about a half second and I'm not exactly sure that it was spelled correctly..when I saw it though I typed it in google and it brought me here.

    The problem I've been having with my computer is whenever I load it up the icons on the desktop and the start menu all disappear..I went into the task manager at first when it happened and there was no explorer.exe so I ran a new task through the manager "explorer.exe". The icons came back and so did the start menu..but it was for about 2 seconds and then reclosed. I don't know if this is tied in with the sysfader.exe thing but if anyone could help me it would be greatly appreciated. :)
     
  23. Griffman1

    Griffman1 Guest

    me again..I don't know what you might need to know but I'm running windows XP
     
  24. hmmm

    hmmm Guest

    Hi there, I was just having the same error, sysfader blah, and I know where it comes from, at least in my case....


    It's the Machine Debug Manager service, which gets installed with Visual Studio .NET and similar such as .NET Framework etc. Just check it and disable it in Services.... but you need to enable it if you are programming with Studio again.


    Test it, for me it helped.
     
  25. hmmmm

    hmmmm Guest

    And I forgot, it's mdm.exe
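
Added example, not part of any post in this thread: a small Python triage of a HijackThis log like the one in post 9. It flags entries that mention the Winshow/Winlink folders or msupdater.exe named in post 11, and notes a running mdm.exe, the lead from posts 24 and 25. The sample log, its paths, the Run value name and the placeholder DLL name are constructed for illustration.

```python
import re

# Names taken from the posts above: the Winshow/Winlink folders and
# msupdater.exe (post 11), and mdm.exe (posts 24-25: a lead, not malware).
REMOVE = ("winshow", "winlink", "msupdater.exe")
LEAD = ("mdm.exe",)

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."

# Constructed sample in HijackThis layout; paths and names are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

O2 - BHO: (no name) - C:\Documents and Settings\user\Local Settings\Application Data\Winshow\placeholder.dll
O2 - BHO: (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKCU\..\Run: [updater] C:\WINDOWS\msupdater.exe
"""

def parse_hjt(text):
    """Split a log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False          # numbered entries end the process list
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (entries to review for removal, processes worth a look)."""
    processes, entries = parse_hjt(text)
    hits = [(c, d) for c, d in entries if any(n in d.lower() for n in REMOVE)]
    leads = [p for p in processes if p.lower().endswith(LEAD)]
    return hits, leads

if __name__ == "__main__":
    hits, leads = triage(SAMPLE_LOG)
    for code, detail in hits:
        print("review:", code, detail)
    for proc in leads:
        print("lead:  ", proc)
```

A match only marks an entry for manual review in HijackThis; as post 12 shows, the same Sysfader symptom can occur with none of the Winshow names present.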
     