What the hell is Sysfader.exe ?

[tempnexus]

Ok I get a crash once in a while and many times is just a window that takes a second but right now I actually did a window capture and got this.

Sysfader:Explorer.exe
Instruction at 0x77f57e4f reference memory at 0x00000067 the memory was unable to be written.

I've ran SpySweeper, AdAware, TD-3, BoClean, Nod32 and Bitdefender. IT comes up with nothing...but the pc is sometimes unstable...so what the hell is sysfader?

Thanks so much

[Pieter_Arntz]

Hi tempnexus,

Have you checked your computer for spyware?
Stupid question. I now see you ran SpySweeper.
Try this anyway http://www.wilderssecurity.com/showthread.php?t=15913

I found this:
http://www.hardwareanalysis.com/content/topic/15565/

Regards,

Pieter

[Pilli]

Hi Tempnexus, I can only find one possible useful link:
http://www.opentechsupport.net/forum...c/19441-1.html

Hope it helps Pilli

[tempnexus]

This is weird no one knows for sure some say it's a file that places win into hybernation mode others say: "sysfader is used to effect fade in/out of menus and tooltip balloons. If it's persistently hanging-up, it can be disabled in Display Properties -> Effects -> uncheck "Use Transition Effects for menus and tooltips" (note: this is how it's disabled in Win2K; it might be done differently in XP)."

I don't kown what it is either. BUT i solove it just now. Try to boot in the safe mode. Run msconfig in start->run. There seems to be some doubtable services there, stop them. Restart the computer... Good luck!

I have exactly the same problem. Unfortunatly I can't offer any help as to what it is

[Jooske]

Could you check with SFC (?) if the explorer.exe is still ok?

I am having a similar problem with SysFader

I have run Ad Aware, Spy Bot and Notons and cant find anything

Everytime I go to a ftp site my browser hangs. When I go to my task manager I always has SysFader as not responding. Normal surfing seems OK its only when I go to a ftp site

Any advice would be appreciated, Thanks in advance!

I thought that I would also post my HJT log as it may help in working out what the problem is

Logfile of HijackThis v1.97.7
Scan saved at 5:59:54 PM, on 10/07/2004
Platform: Windows XP SP1
MSIE: Internet Explorer v6.00

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\BIPAC-7000 ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page
O2 - BHO: (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - C:\Program Files\MSN Toolbar\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..

[Jooske]

Found a dutch page in the MS knowledge base telling the problem is known in Internet Explorer 6.0 and in a later hotfix it would have been fixed.

Somewhere i saw this description:
Based on Google it seems to be part of the Windows system and is used when you enable the "Fade effect" in Windows Display properties (Display properties -> Appearance -> Effects).

So not sure if the one combines the other?

Found in another thread... Hope it helps!
_________________________________
Well ultimately I've found the answer, and lo and behold it was a virus. It didn't have anything to do with the installation I did, however - it had seemingly been on my PC for almost a month without doing anything.

The virus is a Trojan called 'Winshow'.

Here is the fix...
This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers to it as)
http://www.trendmicro.com/vinfo/viru...SHOW.A&VSect=T

or adware as Symantec refers to it as.

http://securityresponse.symantec.com...e.winshow.html

This past weekend happens to be about the one month anniversary of its initial appearance; perhaps this is the reason why it the 'copy' error started showing up. On my machine, it looks like it first deposited itself on 10/30/03. Its main impact for me was it would not allow multiple launches of IE from the desktop icon, and it became impossible over the weekend to synch my pda, HD MP3 player or use my multi-card reader, and impacted anything else that was hooked up through my USB 2.0 card. IE session since the beginning of November have seemed somewhat buggy; anything depending upon a plug-in applet (like Java) took FOREVER to load. The 'copy' boot error does not show up with every bootup or login, making it seem like the problem goes away.

In 2000/XP, you need to search for the folders Winshow and Winlink, usually deposited in C:\ Documents and Settings \ (user) \ Local Settings \ Application Data, where (user) is whatever name you log into or use XP/2000 with. If you have them, you will need to delete eventually, but you'll first have to delete the registry entries (if you don't, the trojan will simply recreate the folders with the next bootup). There probably is the file 'msupdater.exe' on your machine as well, this and the two folders have been associated as a IE hijacker routine a number of people have reported on the internet.

Norton's WinDoctor can delete some of the registry entries (it did for me, but it didn't get everything), but you really need to use it or better yet, use Hijack This, booted into Safe Mode (where the trojan isn't allowed to start before attempting to delete its components).

For those who don't know, Hijack This is an anti-hijacking app is easy to find (and best of all, is free). You can find it on CNET and other places to download. In my case, it came in a .zip file; within it was a .exe file that launches Hijack This when clicked. It doesn't appear to install itself to Windows. Upon starting in Safe Mode, you should get a window; select Scan, and in a second or two you will get a listing of the processes that launch on startup with your specific computer. Look for the Winlink and Winshow entries (under BHO on my computer), click the tick boxes, and click Fix Check.

Once done, you can reboot normally, go and find the the msupdater.exe file, Winshow and Winlink folders and delete w/o them showing up again.

To further clean up, you can go into the registry (with regedit, but only if you know what you're doing in there), and search for both winlink and winshow; there may be remnants still lurking as there were on my computer. If you find them, delete them; the trojan shouldn't be active at this point so it shouldn't recreate them. NOTE: if you have multiple login user identities on your machine, you may have to do this exercise for EACH one. If you're knowledgeable and brave enough, you can delete the registry entries in Safe Mode also, without using Hijack This or any other app.

Nops, I have also the same "Sysfader" symptoms but none of the Winshow files/keys. I think "Winshow" is not related to this.

Damn! ^_^''

[Whynot]

Have a read of this - it may throw some light on the subject
http://support.microsoft.com/default...b;en-us;828133
HTH

[Jooske]

I wonder if people who updated IE 6.0 with all patches still have the problem?

[granduke]

I have win XP and update my IE 6.0 almost like everyday (although there's none atm).

And guess what,i dont even have sysfader.exe in my comp.I've searched and couldn't find one.

[ipje]

You have spysweeper on you're computer if this is version 3.0 then this could be you're problem. The last month I had problems with the "right click" of my mouse and crash of explorer.exe. But things were getting worse today I was not able to access files/maps with rightclick/using keyboard. In a dutch forum I read the same problems for other OS and spysweeper 3.0 (I use XP). Give it a try when you have version 3.0, uninstall it and see if you're problem is solved.

I've never installed Spysweeper and I always install Micorosoft updates, including the ones that they have released right today om my WinXP SP1 system...

...but the ###### explorer chrash with sysfader message is still there! Sometimes when I rightclick something, sometimes when I try to open anything... as random as usual...

sigh!

I experienced it for the first time today - it froze the taskbar, but after several minutes (and pressing Alt-Ctrl-Del) the taskmanager came up and I could exit the hung "Sysfader.exe"

Everything returned to normal. No restart needed.

I have no idea what it is, but I was trying to open the start menu at the time it struck... background task was initialising a really old HDD from a 386.

Recent changes to my system: Disabled hardware acceleration because alpha blending caused display drivers (3dfx) to crash when I was in the middle of writing an application

Maybe having little or no hardware acceleration increases the chances of suffering the dreaded sysfader attack?

Can anyone give more help to this issue?

What services did you delete/stop?

How do I get to display settings in XP

[ronny]

When you talk about the devil...
Today i was watching filmtrailers using IE & Quicktime6.5.1 , when suddenly i got also & for the first time(! ) this Sysfader error:
"Instruction at 0x10023b12 reference memory at 0x000000b8 the memory was unable to be written"
When i used Mozilla1.7 & QuickTime i don't have the error.

I think it is not a virus because i checked my pc with Kaspersky, Norton online, Housecall, e-Trust and they didn't found anything.
I also scanned using Adaware, Spybot S&D, Spysweeper, Bazooka, a² and Pestpatrol.
Only Pestpatrol found 593 pests. But they were almost all from GameSpyArcade and the other 4 must be false positives, because they were Microsoft dll's.

And yes my IE & XP is updated with the last patches.

edit: problem seems to have dissapeared, everything works fine now. And strangely, i can't find any sysfaderfile on my computer. So i am sorry, my post doesn't seem to be very usefull anymore. But i leave it here cause I did had the same mistake at one point.

You aren't nuts.

I have the same problem.

Sysfader not responding and can't be stopped with Windows Task Manager.
Have to shut down thr Sytem with the Power Button.

Looked for Sysfader. Couldn't find it.

I also have another symptom. When I shut down Zone Alarm it comes back
with a message about "True Vector Internet Monitor not responding".

I'm looking for a way to solve the problem.....

Hi, I've been having a problem with my computer for about a week now and today when I was playing around with it trying to fix it sysfader.exe popped up in the task manager. It was only for about a half second and I'm not exactly sure that it was spelled correctly..when I saw it though I typed it in google and it brought me here.

The problem I've been having with my computer is whenever I load it up the icons on the desktop and the start menu all disappear..I went into the task manager at first when it happened and there was no explorer.exe so I ran a new task through the manager "explorer.exe". The icons came back and so did the start menu..but it was for about 2 seconds and then reclosed. I don't know if this is tied in with the sysfader.exe thing but if anyone could help me it would be greatly appreciated.

me again..I don't know what you might need to know but I'm running windows XP

hi there i was just having the same error sysfader blah and i know where it comes from at least in my case....


its the machine debug manager servive which gets installed with visual studio.net and similar such as .net framework etc just check it and disable it in services ....but u need to enable it if u r programming wih studio again


test it for meit helped

and i forgot its mdm.exe