Left 4 Dead 2

Left 4 Dead 2

Ver estatísticas:
Recent Game Update = Malware + Broken game.
I'll try and keep this short and concise as possible.

Basically, L4D2 worked fine for the last 2 years with no drama whatsoever. Yesterday when I tried to launch the game, it was broken.

Symptoms include :
- Process launching but terminating right away with no error prompt other than
- A crashdump file being genearted in the apps folder

A brief google let me to several dead end steam threads, one had an UN-VERIFIED fix that involved using the net command to add a local service?


Anyway, my Anti Virus guard fond this today :


Beginning disinfection:
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\server.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '51c6301c.qua'.
S:\Steam\steamapps\common\left 4 dead 2\bin\linux32\
S:\Steam\steamapps\common\left 4 dead 2\bin\linux32\mssmp3.asi
[DETECTION] Is the TR/Crypt.EPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '49521f8a.qua'.
S:\Steam\steamapps\common\left 4 dead 2\bin\
S:\Steam\steamapps\common\left 4 dead 2\bin\stdshader_dx9.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1b3c4563.qua'.




Steam, care to explain whats going on ? Is this yet another iteration of a steam url exploit gone bad? I understand that your unwilling to admit to your steam url breach but at least, can I get some answers about L4D2 ?

Thanks in advance.
< >
Exibindo comentários 17 de 7
MunkeyThrust 1/nov./2013 às 5:41 
Did you contact Steam support? They won't respond to this post.
Hell Diver 2.1 1/nov./2013 às 5:43 
those flags are for a GEN (generic) term, not specific, which is usually and mosrt probably a false positive.

look at the google result for "TR/Crypt.ZPACK.Gen2 Trojan" it is flagged as a false positive a fair amount, also if a file does have a virus whats to say it was that initial file that was infected, it could be a payload offloaded via a worm etc if it is indeed a virus at all.
Escrito originalmente por Dexter Morgan:
those flags are for a GEN (generic) term, not specific, which is usually and mosrt probably a false positive.

look at the google result for "TR/Crypt.ZPACK.Gen2 Trojan" it is flagged as a false positive a fair amount, also if a file does have a virus whats to say it was that initial file that was infected, it could be a payload offloaded via a worm etc if it is indeed a virus at all.

I am well aware of what a false positive is. Having multiple experiences with malware / keygens / cracks, its almost UNHEARD of for official legimite software to trip heuristics, if your well versed with false positives that is.

What strikes me as very odd is the fact that I had no such detection for the past 2, yes TWO YEARS running this game, those files were clean - until a very recent change it seems. Steam has yet to fess up about their steam url exploit debacle, let alone admit that they have a problem, I highly doubt that a false positive is involved here.


It really makes no sense whatsoever at how multiple, clean, 2 year old files got swapped out overnight and *coincidentally* my game stopped working at the exact same time, while tripping my AV guard, all at once.
Última edição por MrPEPE (NYR) ヽ(´ー`)ノ; 2/nov./2013 às 2:29
Rectus 2/nov./2013 às 2:29 
They changed the game quite a bit in the SteamPipe update, and several people have reported that same infection since then. The thing it detects is only a compression / code obfuscation tool, and not any actual malware.

To fix it you'll need to add an exeption to your virus scanner, and verify your game cache to restore the files.
Escrito originalmente por Rectus:
They changed the game quite a bit in the SteamPipe update, and several people have reported that same infection since then. The thing it detects is only a compression / code obfuscation tool, and not any actual malware.

To fix it you'll need to add an exeption to your virus scanner, and verify your game cache to restore the files.

Dully noted, thanks for the input. Unfortunately adding an exception is not my defintiion of a fix, until I get some transparency on the matter. I am wondering if I can submit my files to some sort of malware lab to run an extensive investigation on the decompiled / dissembled files.

Ideally, if someone could provide me with a previous clean version of these files, that would be much appreciated!
Última edição por MrPEPE (NYR) ヽ(´ー`)ノ; 2/nov./2013 às 2:34
They're packed binaries, that's all. Packers are known for causing false positives like that. Happens more than you think. Surprised you just ran into it now, maybe your AV updated their definitions and one of their heuristics went crazy.

The MD5 checksum for my server.dll is 4C59FE83C8D540E0195119D62A967C38 (on both my server and my client). If your MD5 checksum matches mine, then you do have 'clean' versions.

You might be waiting for a long time for a fix. Packers are a common feature in software. http://en.wikipedia.org/wiki/Executable_compression
Última edição por scintillating luminescence; 2/nov./2013 às 11:16
Escrito originalmente por AJ:
Happens more than you think. Surprised you just ran into it now, maybe your AV updated their definitions and one of their heuristics went crazy.

The MD5 checksum for my server.dll is 4C59FE83C8D540E0195119D62A967C38 (on both my server and my client). If your MD5 checksum matches mine, then you do have 'clean' versions.


Thanks for sharing your insight,


On that note regarding the occurence of false positives, I have run into numerous false positives on pirated software - but never once on legitimate software, for example out of my entire steam games library, L4D2 is the ONLY game that tripped heuristics and whats even stranger - It passed malware detection tests just fine for the past two years.

Regarding my AV definition updates - I have killed the update service / updates are disabled. To update, I have to re-enable my updater service and do it manually. Additonally I'm running an ancient build dated back from 2010 ; has the exact heuristics that passed the previous versions of L4D2.

What worries me most is that these files are currently residing on the steam servers and being propogated all around as a game update, steam update servers pushing these suspicious files out to clients.


By the way, could I bother you to upload your files to try? I have yet to run MD5 sums on my files as they are in quarantine though logic says that the files should be scanned prior to comparing MD5 sums as those might be MD5 sums of the infected dlls themselves.

The files are :
S:\Steam\steamapps\common\left 4 dead 2\bin\stdshader_dx9.dll
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\server.dll
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\server.dll
< >
Exibindo comentários 17 de 7
Por página: 1530 50

Publicado em: 1/nov./2013 às 4:55
Mensagens: 7