sychost.ese app error


GMG

Jan 21, 2010, 9:57:11 AM
I have been seeing...

AXWIN Frame Window: sychost.exe app error

0x02b7f7ao referenced memory 0x02b7f7ao , could not be written

OK or cancel to debug

when I click cancel the computer reboots

I click OK and the computer freezes with a still active cursor


Elmo

Jan 21, 2010, 10:13:55 AM

Sychost.exe is either a typo (you named it "sychost.ese" in the
header) or malicious software intended to look like the common
Svchost.exe process. Open Task Manager (Ctrl/Alt-Del, or right-click
the Taskbar, click Task Manager), stop the process from running, then
run the following:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

--
Joe =o)
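
The check Elmo describes (is the process really Svchost.exe, or something named to resemble it?) can be automated. The following is an added example, not part of the original thread: it flags image names within a small edit distance of svchost.exe, and copies of svchost.exe running from outside the System32 directory. The function names, the distance threshold of 2 and the process list are assumptions made for illustration.

```python
# Added example: flag process images that imitate svchost.exe.
# Every path in SAMPLE is constructed sample data, not taken from the thread.
import ntpath

PROTECTED = "svchost.exe"
SYSTEM_DIR = r"c:\windows\system32"  # assumed system directory (XP default)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(image_path, max_distance=2):
    """Return 'ok', 'lookalike-name', 'wrong-location' or 'unrelated'."""
    directory, name = ntpath.split(image_path.lower())
    if name == PROTECTED:
        in_system_dir = ntpath.normpath(directory) == SYSTEM_DIR
        return "ok" if in_system_dir else "wrong-location"
    if 0 < edit_distance(name, PROTECTED) <= max_distance:
        return "lookalike-name"
    return "unrelated"


def triage(image_paths):
    """Keep only the entries that deserve a closer look."""
    return {p: v for p in image_paths
            if (v := classify(p)) in ("lookalike-name", "wrong-location")}


SAMPLE = [  # constructed process listing
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\sychost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {path}")
```

A name match alone proves nothing either way, so treat a hit as a reason to inspect the file, not as a verdict.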

GMG

Jan 21, 2010, 10:27:47 AM
Thank you...when it happens again I will check if it is sychost or svchost.
I have run the Malware program and it found nothing.


Jose

Jan 21, 2010, 10:36:50 AM
On Jan 21, 10:27 am, "GMG" <gmgr...@yahoo.com> wrote:
> Thank you...when it happens again  I will check if it is sychost or svchost.
> I have run the Malware program and it found nothing.

Does this happen randomly, when you shut down, or usually when you are
doing some specific thing - browsing (what browser?), reading a PDF
file maybe?

Please provide additional information about your system:

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste the information back here.

There will be some personal information (like System Name and User
Name), and whatever appears to be private information to you, just
delete it from the pasted information.

This will minimize back and forth Q&A and eliminate guesswork.

Look in the Event Viewer for clues around the time of the incident.

Here is a method to post the specific information about individual
events.

To see the Event Viewer logs, click Start, Settings, Control Panel,
Administrative Tools, Event Viewer.

A shortcut to Event Viewer is to click Start, Run and in the box
enter:

%SystemRoot%\system32\eventvwr.msc /s

Click OK to launch the Event Viewer.

The most interesting logs are usually the Application and System.
Some logs may be almost or completely empty.
Not every event is a problem, some are informational messages that
things are working okay and some are warnings.
No event should defy reasonable explanation.

Each event is sorted by Date and Time. Errors will have red Xs,
Warnings will have yellow !s. Information messages have white i's.
Not every Error or Warning event means there is a serious issue.
Some are excusable at startup time when Windows is booting. Try to
find just the events at the date and time around your problem.

If you double click an event, it will open a Properties window with
more information. On the right are black up and down arrow buttons to
scroll through the open events. The third button that looks like two
pages on top of each other is used to copy the event details to your
Windows clipboard.

When you find an interesting event that occurred around the time of
your issue, click the third button under the up and down arrows to
copy the details and then you can paste the detail text (right click,
Paste or CTRL-V) back here for analysis.

To get a fresh start on any Event Viewer log, you can choose to clear
the log (backing up the log is offered), then reproduce your issue,
then look at just the events around the time of your issue.

If you are planning on replacing your svchost.exe with that patch,
hopefully you will include a plan for putting the original one back if
you need to. svchost.exe is a pretty fundamental XP process, so if
you break it, you need to be able to fix it.
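
The filtering step in the procedure above (keep only the Error and Warning events around the time of the incident) is shown here as an added example that is not part of the original thread. It assumes the text layout produced by Event Viewer's copy button on Windows XP and parses the "Faulting application ..." description of an Application Error (Event ID 1000). The function names and every sample event are constructed for illustration.

```python
# Added example: triage event text copied from Event Viewer (constructed samples).
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"^(Event Type|Event ID|Date|Time):[ \t]*(.+?)[ \t]*$", re.M)
FAULT = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>[\d.]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)")


def parse_event(text):
    """Parse one pasted event; Event ID 1000 fault fields are added when present."""
    event = dict(FIELD.findall(text))
    event["when"] = datetime.strptime(
        event["Date"] + " " + event["Time"], "%m/%d/%Y %I:%M:%S %p")
    # Pasted descriptions are hard-wrapped, so collapse whitespace before matching.
    fault = FAULT.search(" ".join(text.split()))
    if fault:
        event.update(fault.groupdict())
    return event


def around(events, incident, minutes=10):
    """Errors and warnings within +/- `minutes` of the incident, oldest first."""
    window = timedelta(minutes=minutes)
    hits = [e for e in events if e["Event Type"] in ("Error", "Warning")
            and abs(e["when"] - incident) <= window]
    return sorted(hits, key=lambda e: e["when"])


def make(kind, event_id, time, description):  # builds constructed sample text
    return (f"Event Type: {kind}\nEvent ID: {event_id}\nDate: 1/21/2010\n"
            f"Time: {time}\nDescription:\n{description}\n")


SAMPLE = [parse_event(t) for t in (
    make("Information", 7036, "8:43:10 AM", "A service entered the running state."),
    make("Error", 1000, "8:44:54 AM",
         "Faulting application example.exe, version 1.0.0.0, faulting module\n"
         "unknown, version 0.0.0.0, fault address 0x00001000."),
    make("Error", 1000, "2:05:00 AM",
         "Faulting application other.exe, version 2.0.0.0, faulting module\n"
         "other.dll, version 2.0.0.0, fault address 0x00002000."),
)]

if __name__ == "__main__":
    for e in around(SAMPLE, datetime(2010, 1, 21, 8, 45)):
        print(e["when"], e["Event ID"], e.get("app"), e.get("module"), e.get("addr"))
```

A faulting module reported as "unknown" with version 0.0.0.0 means the fault address did not fall inside any module Windows could name, which is worth noting when the events are posted for analysis.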

GMG

Jan 21, 2010, 11:06:59 AM
OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name YOUR-F78BF48CE2
System Manufacturer Compaq Presario 061
System Model PY059AA-ABA SR1550NX NA530
System Type X86-based PC
Processor x86 Family 15 Model 12 Stepping 0 AuthenticAMD ~2411 Mhz
BIOS Version/Date Phoenix Technologies, LTD 3.12, 4/20/2005
SMBIOS Version 2.4
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name YOUR-F78BF48CE2\Compaq_Owner
Time Zone US Mountain Standard Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 1.36 GB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.95 GB
Page File Space 3.35 GB
Page File C:\pagefile.sys


This dvchost error appears with Slimbrowser and IE8 and it does happen when
I open a *.pdf file.

Thank you for your help


GMG

Jan 21, 2010, 11:34:29 AM
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 1/21/2010
Time: 8:44:54 AM
User: N/A
Computer: YOUR-F78BF48CE2
Description:
Faulting application svchost.exe, version 5.1.2600.5512, faulting module
unknown, version 0.0.0.0, fault address 0x0280f7a0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


GMG

Jan 21, 2010, 11:32:58 AM
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 1/21/2010
Time: 9:13:49 AM

User: N/A
Computer: YOUR-F78BF48CE2
Description:
Faulting application svchost.exe, version 5.1.2600.5512, faulting module
unknown, version 0.0.0.0, fault address 0x00e8f7a0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

PA Bear [MS MVP]

Jan 21, 2010, 12:51:24 PM
There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via...

Consumer Security Support home page
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware:
• http://mvps.org/winhelp2002/unwanted.htm
• http://inetexplorer.mvps.org/tshoot.html
• http://www.mvps.org/sramesh2k/Malware_Defence.htm
• http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

whwtow

Jan 21, 2010, 3:36:01 PM
This started with one of our computers yesterday. The McAfee total protection
was up to date, all MS updates current. At the time I began working on this
(yesterday afternoon), there was one related post on Google with no replies.
Malwarebytes does not find it. Now there are beginning to be many posts on
this identical problem, so obviously this virus is spreading. One post
mentioned "combofix", but I have not tried it yet as I am not familiar with
it. Any help is appreciated.

> • http://mvps.org/winhelp2002/unwanted.htm
> • http://inetexplorer.mvps.org/tshoot.html
> • http://www.mvps.org/sramesh2k/Malware_Defence.htm
> • http://www.elephantboycomputers.com/page2.html#Removing_Malware


>
> **Chances are you will need to seek expert assistance in
> http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
> http://www.spywarewarrior.com/viewforum.php?f=5,
> http://www.dslreports.com/forum/cleanup,
> http://www.bluetack.co.uk/forums/index.php,
> http://aumha.net/viewforum.php?f=30 or other appropriate forums.**
>
> If these procedures look too complex - and there is no shame in admitting
> this isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
>
> GMG wrote:
> > I have been seeing...
> >
> > AXWIN Frame Window: sychost.exe app error
> >
> > 0x02b7f7ao referenced memory 0x02b7f7ao , could not be written
> >
> > OK or cancel to debug
> >
> > when I click cancel the computer reboots
> >
> > I click OK and the computer freezes with a still active cursor
>

> .
>

PA Bear [MS MVP]

Jan 21, 2010, 8:07:09 PM
Do Steps #1 thru #3 in my previous reply.

GMG

Jan 23, 2010, 8:46:28 AM
Jose:

I have not had a response from you, since I sent all the info you asked
for.


Daave

Jan 23, 2010, 12:36:43 PM

This is a new problem. There is a thread here you might find useful:

http://social.answers.microsoft.com/Forums/fi-FI/xprepair/thread/4e71490e-55ae-4e39-b286-672ed940656b

Although there is not enough information yet, your problem may be fixed
by one of the following:

1. chkdsk

2. combofix


Jose

Jan 23, 2010, 3:16:36 PM

I have been busy claiming my 1.5 million British Pounds I won in a
lottery.

Your misinfo32 info is unremarkable and I cannot find anything about
this yet besides guesses and things to try.

Perhaps somebody else will have some intellectually stimulating ideas.

PA Bear [MS MVP]

Jan 23, 2010, 9:23:44 PM
Daave wrote:
> GMG wrote:
>> I have been seeing...
>>
>> AXWIN Frame Window: sychost.exe app error
>>
>> 0x02b7f7ao referenced memory 0x02b7f7ao , could not be written
>>
>> OK or cancel to debug
>>
>> when I click cancel the computer reboots
>>
>> I click OK and the computer freezes with a still active cursor
>
> This is a new problem. There is a thread here you might find useful:
>
> http://social.answers.microsoft.com/Forums/fi-FI/xprepair/thread/4e71490e-55ae-4e39-b286-672ed940656b
> ...

cf.
http://groups.google.com/group/microsoft.public.security/browse_frm/thread/85872f0442f45369

cf.
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/1174b4e449acdd04
