lbd.sys - BSOD


  • This topic is locked
14 replies to this topic

#1 Jaymzu

Jaymzu

    Newbie

  • Members
  • 4 posts

Posted 13 April 2009 - 04:56 PM

Hi. I couldn't find any technical contact for Ad-Aware so I'm writing here.

An application that we have written seems to cause systems running Ad-Aware to crash with BSOD because of lbd.sys. I googled a bit and it seems we're not the only ones (which leads me to believe that the problem is more on Ad-Aware's side rather than ours). For the moment, we're advising our users to temporarily disable Ad-Aware's Ad-Watch Live! while they run our application.

Is there a known bug in lbd.sys?
Who can we contact to talk about it?

Edited by Jaymzu, 13 April 2009 - 04:56 PM.


#2 GoddersUK

GoddersUK

    Valued Member/ Ad-Aware Beta Tester

  • Valued Member
  • 688 posts

Posted 13 April 2009 - 09:42 PM

Hi there,

I'll report this as a bug and try and point an LS staff member in your direction.

GoddersUK
If you are a paying user (Plus/Pro License) you should visit the Lavasoft Support Centre.

If you need help to remove an infection:

Read this first. Follow ALL the steps in it. If you do not then you will just be asked to go away and do so.
Then post your HJT log (copy and paste, don't attach) into a NEW topic in the HJT Log Forum
Await advice from either a Volunteer Security Advisor or a member of Lavasoft staff.


If you see anyone other than a VSA or Lavasoft staff member giving advice in the HijackThis forum please PM a mod.


DO NOT POST HJT LOGS IN ANY FORUM OTHER THAN THE OFFICIAL HJT LOG FORUM. We will be unable to deal with them there and will just tell you to go to the right place.


Please do NOT bump HijackThis log posts, it won't help you receive help any faster - the VSAs look for posts with zero replies. If after one week you have not received a response please repost your log file in a NEW thread.

#3 Raziel v. Nosgoth

Raziel v. Nosgoth

    Advanced Member

  • Guests
  • 3114 posts

Posted 14 April 2009 - 08:21 AM

Hello :D
As far as I know it was a glitch in AAW08.
Please run an update to AE.
Next: disable or uninstall NIS/ZoneAlarm/Symantec (formerly Norton).
If it doesn't solve the problem, post back with more detailed information about the afflicted machines.
Regards
Raziel ;)

Edited by Raziel v. Nosgoth, 14 April 2009 - 08:23 AM.

vae victis
( morituri te salutant )

#4 sysenter

sysenter

    Newbie

  • Members
  • 2 posts

Posted 14 April 2009 - 12:13 PM

Hello,

I can easily reproduce the bug on XP and Vista (both 32 bit).

LBD.SYS doesn't seem to be versioned (version info is 1.0.0.000).
File size: 64.160 bytes
PE Checksum: 0x13A60

The crash is always at offset base+0x2895:

base+0x2895: 8B 0E mov ecx, dword ptr [esi] ; C0000005, access violation, ESI points to invalid memory.
base+0x2897: FF 15 <...> call IofCallDriver

The bug appears when scanning with BitDefender QuickScan - http://qscan.bitdefender.com/
BitDefender QuickScan does not contain kernel mode code.

I'm assuming improper parameter validation in lbd.sys.

Please let me know if you need more info.

Cheers,
sysenter
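
The post above identifies the crash by a module-relative offset (base+0x2895) rather than an absolute address, which is what lets the same fault be recognised on XP and Vista even though the driver loads at different addresses. The following Python sketch is an added example, not part of the original thread or of any Lavasoft tooling; the load addresses, image sizes and record layout are constructed for illustration, and only the 0x2895 offset comes from the post.

```python
from collections import Counter

# Constructed sample data: load addresses and image sizes are invented for
# illustration; only the 0x2895 offset is taken from the forum post.
CRASHES = [
    {"os": "XP x86", "fault_addr": 0xF7A3E895,
     "modules": [("ntoskrnl.exe", 0x804D7000, 0x1F8000),
                 ("lbd.sys", 0xF7A3C000, 0x10000)]},
    {"os": "Vista x86", "fault_addr": 0x8C5A3895,
     "modules": [("ntoskrnl.exe", 0x81C00000, 0x3BA000),
                 ("LBD.SYS", 0x8C5A1000, 0x10000)]},
    {"os": "XP x86", "fault_addr": 0x00001234,  # not inside any listed module
     "modules": [("lbd.sys", 0xF7A3C000, 0x10000)]},
]


def module_offset(addr, modules):
    """Return (module_name, offset) for the module containing addr, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, addr - base
    return None


def bucket_key(crash):
    """Bucket id that does not depend on where the driver happened to load."""
    hit = module_offset(crash["fault_addr"], crash["modules"])
    if hit is None:
        return "unknown+0x%X" % crash["fault_addr"]
    name, off = hit
    # Module names are case-insensitive on Windows, so normalise them.
    return "%s+0x%X" % (name.lower(), off)


def bucket(crashes):
    """Count crashes per module-relative faulting location."""
    return Counter(bucket_key(c) for c in crashes)


if __name__ == "__main__":
    for key, count in bucket(CRASHES).most_common():
        print(count, key)
```
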

#5 Raziel v. Nosgoth

Raziel v. Nosgoth

    Advanced Member

  • Guests
  • 3114 posts

Posted 14 April 2009 - 12:42 PM

Just found entries in ...
docs. and settings .... driver 32 / 64
Windows 32 driver
Programs

All Boot drivers
will test Bitdefender -- nope won't.
Read about the Cleaning-Behaviour of it ;) :D

Is it a false positive?

Addendum:
just scanned all lbd.sys files with avast and MAM
no problem.

Edited by Raziel v. Nosgoth, 14 April 2009 - 12:54 PM.


#6 sysenter

sysenter

    Newbie

  • Members
  • 2 posts

Posted 14 April 2009 - 02:26 PM

Raziel,

The problem is a CRASH (BSOD) in lbd.sys, like I said, possibly because of improper parameter validation.
The easiest way to reproduce the BSOD would be to run BitDefender QuickScan - http://qscan.bitdefender.com/

Like I said, since BitDefender QuickScan does not use kernel mode code, the crash is 100% because of LBD.SYS

Cheers,
sysenter

#7 Raziel v. Nosgoth

Raziel v. Nosgoth

    Advanced Member

  • Guests
  • 3114 posts

Posted 15 April 2009 - 01:15 PM

It's reported to the IT guys.
I close here

#8 GoddersUK

GoddersUK

    Valued Member/ Ad-Aware Beta Tester

  • Valued Member
  • 688 posts

Posted 16 April 2009 - 02:23 PM

Hey guys,

Just heard from LS Staff that this should be fixed in the next update B)

#9 Jaymzu

Jaymzu

    Newbie

  • Members
  • 4 posts

Posted 16 April 2009 - 02:33 PM

Good to hear. Will LavaSoft customers receive it automatically or do they have to go through an extra step (manually downloading a patch or something similar)?

#10 GoddersUK

GoddersUK

    Valued Member/ Ad-Aware Beta Tester

  • Valued Member
  • 688 posts

Posted 16 April 2009 - 05:32 PM

So long as users have Ad-Aware set to automatically update they should not have to do anything to receive the update. If they do not have it set to auto-update they will manually need to press the "Web Update" button on the main screen of the program.

#11 Jaymzu

Jaymzu

    Newbie

  • Members
  • 4 posts

Posted 21 April 2009 - 11:45 AM

So long as users have Ad-Aware set to automatically update they should not have to do anything to receive the update. If they do not have it set to auto-update they will manually need to press the "Web Update" button on the main screen of the program.


Hey guys. Did 2 updates (one on the 17th and one today) and the problem is still there. Do you have an estimate on when the fix including lbd.sys will be up?

Thanks

#12 casey_boy

casey_boy

    Volunteer Helper/Moderator

  • Volunteer Security Advisor
  • 3565 posts

Posted 21 April 2009 - 12:16 PM

Those updates were for definition files only, not program updates. This is all we have...

This was fixed yesterday and will be available in the next software update... Sometime next week.


...so it should be put through in the next few days

Casey

Edited by casey_boy, 21 April 2009 - 12:17 PM.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Malware Removal Help * If you'd like to say thanks *Lavasoft Customer Support


#13 casey_boy

casey_boy

    Volunteer Helper/Moderator

  • Volunteer Security Advisor
  • 3565 posts

Posted 21 April 2009 - 01:51 PM

Fixed today. Update 8.0.4

http://www.lavasofts...showtopic=25141

Casey



#14 Jaymzu

Jaymzu

    Newbie

  • Members
  • 4 posts

Posted 21 April 2009 - 02:02 PM

Fixed today. Update 8.0.4

http://www.lavasofts...showtopic=25141

Casey


Can confirm it's fixed now. Great stuff, guys! Thanks! ;)

#15 casey_boy

casey_boy

    Volunteer Helper/Moderator

  • Volunteer Security Advisor
  • 3565 posts

Posted 21 April 2009 - 02:05 PM

Great news. Thanks for the confirmation. Will close this topic now then. If, for some reason, you need it reopening, then PM any moderator.

Casey





