# fwdrv.sys - blue screens - autoReBoot



## shernoam (Sep 19, 2002)

Hi,
I have XP Pro, 2.6GHz P4, 512MB, 80GB HD, Kerio FW 2.1.5.
At first my PC auto-rebooted itself every now & then,
so I checked the Event Viewer & saw this event:

The computer has rebooted from a bugcheck. The bugcheck was: 0x1000008e (0xc0000005, 0xf6a77084, 0xb955d584, 0x00000000). A dump was saved in: D:\WINDOWS\Minidump\Mini061606-01.dmp.

In order to solve this problem,
I right-clicked & removed the V (check mark) at:
My Computer --> Properties --> Advanced --> Startup & Recovery --> Auto Restart

& what I saw on the blue screen was an error about fwdrv.sys...
...as I understand it, it's related to the Kerio FW... BUT I had this problem also when I had ZA installed(!)

thanks

PS.
I'm using this Kerio version because it's free & supports ICS... ZA no longer supports ICS... + it's resource intensive.


----------



## etaf (Oct 2, 2003)

As you say, FWDRV.SYS is a part of Kerio Personal Firewall,
but
some malware camouflages itself as fwdrv.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check whether the fwdrv.sys process on your PC is a pest.
The file fwdrv.sys is located in the folder C:\Windows\System32\drivers. The file size on Windows XP is 286720 bytes.


----------



## shernoam (Sep 19, 2002)

etaf said:

> As you say, FWDRV.SYS is a part of Kerio Personal Firewall,
> but
> some malware camouflages itself as fwdrv.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check whether the fwdrv.sys process on your PC is a pest.
> The file fwdrv.sys is located in the folder C:\Windows\System32\drivers. The file size on Windows XP is 286720 bytes.


The file only exists at this path:
D:\Windows\System32\drivers
& is named with capital letters: FWDRV.SYS
The exact size: 100 KB (102,912 bytes)


----------



## ozrom1e (May 16, 2006)

It shows the FWDRV.SYS in the correct directory in this article:

http://www.kerio.com/manual/kpf/en/ch04s01.html

Both low-level drivers are stored in the Windows system directory:

* as the fwdrv.sys file, typically in the C:\WINNT\system32\drivers directory under the Windows NT and Windows 2000 operating systems
* as the fwdrv.sys and khips.sys files, typically in the C:\WINDOWS\system32\drivers directory under the Windows XP operating system
* as the fwdrv.vxd and khips.sys files, typically in the C:\WINDOWS\system directory under the Windows 98 and Windows Me operating systems

I still do not know if it is an infection or not, but let us find out. If you run HijackThis we should find the answer.

1. To download HijackThis (HJTsetup.exe) go to the following: http://www.thespykiller.co.uk/html/downloads.html
2. Save the file to your desktop.
3. Double-click on the HJTsetup.exe icon on your desktop.
4. By default it will install to C:\Program Files\HijackThis.
5. Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
6. Put a check by Create a desktop icon, then click Next again.
7. Continue to follow the rest of the prompts from there.
8. At the final dialog box click Finish and it will launch HijackThis.
9. Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
10. Click Save to save the log file and then the log will open in Notepad.
11. At the top of the Notepad HJT log screen, hit Edit, then Select All, then click Edit and then click Copy. Doing that copies the text to the clipboard; you won't see it yet....
12. Open a TechSupportGuy forum Reply window for this thread, to have ready to paste the HijackThis log into. Click once to place the typing cursor in the reply window.
13. At the top of your TSG/browser window, hit Edit then Paste.
14. You should see your copied HijackThis log appear in the reply space.... then submit the reply.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


----------



## shernoam (Sep 19, 2002)

ok:

```
Logfile of HijackThis v1.99.1
Scan saved at 12:27:10, on 17/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\eMule\emule.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=222.97.26.220:8080;gopher=222.97.26.220:8080;http=222.97.26.220:8080;https=222.97.26.220:8080;socks=222.97.26.220:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - D:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Download All by Gigaget - D:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - D:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149934947574
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE49DDBE-2033-4D90-9A4F-850E5B47AB48}: NameServer = 192.116.202.222 213.8.172.83
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
```


----------
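An added triage helper, not code from this thread, from HijackThis or from Kerio: it parses a HijackThis log of the kind posted above into its process list and item entries, and lists the items a reviewer would look at first (a configured proxy server, entries whose file is missing, services without publisher information, anything loading from outside the Windows or Program Files directories). It also applies the location-and-size check etaf suggested to a user-reported driver file. The embedded log is a constructed subset of the log in the thread; the trusted-directory list is an assumption of this example, and the reference size is the figure quoted in the thread rather than vendor data, so a mismatch is a prompt to verify the file with the vendor (signature or hash), not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis log posted in this thread,
# embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Kerio\Personal Firewall\persfw.exe
D:\Program Files\eMule\emule.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=222.97.26.220:8080;http=222.97.26.220:8080
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - D:\WINDOWS\system32\gigagetbho_v10.dll
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
"""

# HJT item lines look like "O2 - BHO: name - {CLSID} - path".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows file path in an item body; spaces are allowed inside the path.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|htm))', re.IGNORECASE)
# Assumption of this example: locations a reviewer treats as ordinary.
TRUSTED_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")


@dataclass
class HjtEntry:
    code: str             # item class, e.g. "O2"
    body: str             # text after "O2 - "
    path: Optional[str]   # first file path found in the body, if any
    file_missing: bool    # HJT reported "(file missing)" for this item


def parse_hjt_log(text: str) -> dict:
    """Split a HijackThis log into its process list and its item entries."""
    processes: List[str] = []
    entries: List[HjtEntry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.groups()
            pm = PATH_RE.search(body)
            entries.append(HjtEntry(code, body, pm.group(1) if pm else None,
                                    "(file missing)" in body))
    return {"processes": processes, "entries": entries}


def under_trusted_dir(path: str) -> bool:
    return any(d in path.lower() for d in TRUSTED_DIRS)


def review(parsed: dict) -> List[str]:
    """Return the items a reviewer should look at first; prompts, not verdicts."""
    notes: List[str] = []
    for e in parsed["entries"]:
        if e.code in ("R0", "R1") and "ProxyServer" in e.body:
            notes.append(f"{e.code}: proxy configured, confirm it is intended: {e.body.split('=', 1)[1].strip()}")
        if e.file_missing:
            notes.append(f"{e.code}: references a file that is not on disk: {e.path}")
        if e.code == "O23" and "Unknown owner" in e.body:
            notes.append(f"O23: service without publisher information: {e.path}")
        if e.path and not under_trusted_dir(e.path):
            notes.append(f"{e.code}: loads from an unusual location: {e.path}")
    for p in parsed["processes"]:
        if not under_trusted_dir(p):
            notes.append(f"process: running from an unusual location: {p}")
    return notes


def check_driver_report(reported_path: str, reported_size: int,
                        reference_size: Optional[int] = None,
                        expected_suffix: str = r"\system32\drivers\fwdrv.sys") -> List[str]:
    """The location-and-size check from the thread, applied to a user-reported file."""
    problems: List[str] = []
    if not reported_path.lower().endswith(expected_suffix.lower()):
        problems.append("not in the expected drivers directory")
    if reference_size is not None and reported_size != reference_size:
        problems.append(f"size {reported_size} differs from reference {reference_size}; verify the file with the vendor before drawing a conclusion")
    return problems


if __name__ == "__main__":
    for note in review(parse_hjt_log(SAMPLE_LOG)):
        print(note)
    # Figures as reported in the thread: size measured by the original poster, reference size quoted by etaf.
    print(check_driver_report(r"D:\Windows\System32\drivers\FWDRV.SYS", 102912, reference_size=286720))
```

Run on the embedded sample it prints three notes (the proxy setting, the missing msgrapp.dll, and the service with no owner) and reports the size discrepancy between the two figures given in the thread; the path check passes because the reported location matches the drivers directory the Kerio manual describes for Windows XP.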



## shernoam (Sep 19, 2002)

anyone ???

thanks


----------



## ozrom1e (May 16, 2006)

Hi, the HJT logs are only diagnosed by a person on the HJT team, and they are the only ones to do this. They are also a little bit busy and might still be sacked out, but be assured they will get to doing your log as soon as they can.

Have a good one.


----------



## ozrom1e (May 16, 2006)

Have a read of this article:

Kerio Personal Firewall Multiple IP Options Denial of Service

http://www.eeye.com/html/research/advisories/AD20041109.html

In the article it gives the revision of Kerio and says something about updating to a newer version. If you have the latest version I would suggest uninstalling Kerio, rebooting and reinstalling Kerio.


----------



## etaf (Oct 2, 2003)

It's also worth a move to Security to get a HJT log checked, by clicking the red triangle and requesting a move, which I have done for you.


----------



## shernoam (Sep 19, 2002)

ozrom1e said:


> Have a read of this article:
> 
> Kerio Personal Firewall Multiple IP Options Denial of Service
> 
> ...


As I understand,
only this version supports ICS.
If you know any other FREE FW that supports ICS, let me know.
For now, I still have problems...

thanks


----------



## shernoam (Sep 19, 2002)

anyone ?


----------



## ozrom1e (May 16, 2006)

Here is a site that has 10 free firewalls; you can take your pick, and this is all of the free firewalls that I know of.

http://www.thefreecountry.com/security/firewalls.shtml


----------

