Left 4 Dead 2

Left 4 Dead 2

Visa statistik:
Recent Game Update = Malware + Broken game.
I'll try and keep this short and concise as possible.

Basically, L4D2 worked fine for the last 2 years with no drama whatsoever. Yesterday when I tried to launch the game, it was broken.

Symptoms include :
- Process launching but terminating right away with no error prompt other than
- A crashdump file being genearted in the apps folder

A brief google let me to several dead end steam threads, one had an UN-VERIFIED fix that involved using the net command to add a local service?


Anyway, my Anti Virus guard fond this today :


Beginning disinfection:
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\server.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '51c6301c.qua'.
S:\Steam\steamapps\common\left 4 dead 2\bin\linux32\
S:\Steam\steamapps\common\left 4 dead 2\bin\linux32\mssmp3.asi
[DETECTION] Is the TR/Crypt.EPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '49521f8a.qua'.
S:\Steam\steamapps\common\left 4 dead 2\bin\
S:\Steam\steamapps\common\left 4 dead 2\bin\stdshader_dx9.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1b3c4563.qua'.




Steam, care to explain whats going on ? Is this yet another iteration of a steam url exploit gone bad? I understand that your unwilling to admit to your steam url breach but at least, can I get some answers about L4D2 ?

Thanks in advance.
< >
Visar 1-7 av 7 kommentarer
MunkeyThrust 1 nov, 2013 @ 5:41 
Did you contact Steam support? They won't respond to this post.
those flags are for a GEN (generic) term, not specific, which is usually and mosrt probably a false positive.

look at the google result for "TR/Crypt.ZPACK.Gen2 Trojan" it is flagged as a false positive a fair amount, also if a file does have a virus whats to say it was that initial file that was infected, it could be a payload offloaded via a worm etc if it is indeed a virus at all.
Ursprungligen skrivet av Dexter Morgan:
those flags are for a GEN (generic) term, not specific, which is usually and mosrt probably a false positive.

look at the google result for "TR/Crypt.ZPACK.Gen2 Trojan" it is flagged as a false positive a fair amount, also if a file does have a virus whats to say it was that initial file that was infected, it could be a payload offloaded via a worm etc if it is indeed a virus at all.

I am well aware of what a false positive is. Having multiple experiences with malware / keygens / cracks, its almost UNHEARD of for official legimite software to trip heuristics, if your well versed with false positives that is.

What strikes me as very odd is the fact that I had no such detection for the past 2, yes TWO YEARS running this game, those files were clean - until a very recent change it seems. Steam has yet to fess up about their steam url exploit debacle, let alone admit that they have a problem, I highly doubt that a false positive is involved here.


It really makes no sense whatsoever at how multiple, clean, 2 year old files got swapped out overnight and *coincidentally* my game stopped working at the exact same time, while tripping my AV guard, all at once.
Senast ändrad av MrPEPE (NYR) ヽ(´ー`)ノ; 2 nov, 2013 @ 2:29
Rectus 2 nov, 2013 @ 2:29 
They changed the game quite a bit in the SteamPipe update, and several people have reported that same infection since then. The thing it detects is only a compression / code obfuscation tool, and not any actual malware.

To fix it you'll need to add an exeption to your virus scanner, and verify your game cache to restore the files.
Ursprungligen skrivet av Rectus:
They changed the game quite a bit in the SteamPipe update, and several people have reported that same infection since then. The thing it detects is only a compression / code obfuscation tool, and not any actual malware.

To fix it you'll need to add an exeption to your virus scanner, and verify your game cache to restore the files.

Dully noted, thanks for the input. Unfortunately adding an exception is not my defintiion of a fix, until I get some transparency on the matter. I am wondering if I can submit my files to some sort of malware lab to run an extensive investigation on the decompiled / dissembled files.

Ideally, if someone could provide me with a previous clean version of these files, that would be much appreciated!
Senast ändrad av MrPEPE (NYR) ヽ(´ー`)ノ; 2 nov, 2013 @ 2:34
They're packed binaries, that's all. Packers are known for causing false positives like that. Happens more than you think. Surprised you just ran into it now, maybe your AV updated their definitions and one of their heuristics went crazy.

The MD5 checksum for my server.dll is 4C59FE83C8D540E0195119D62A967C38 (on both my server and my client). If your MD5 checksum matches mine, then you do have 'clean' versions.

You might be waiting for a long time for a fix. Packers are a common feature in software. http://en.wikipedia.org/wiki/Executable_compression
Senast ändrad av scintillating luminescence; 2 nov, 2013 @ 11:16
Ursprungligen skrivet av AJ:
Happens more than you think. Surprised you just ran into it now, maybe your AV updated their definitions and one of their heuristics went crazy.

The MD5 checksum for my server.dll is 4C59FE83C8D540E0195119D62A967C38 (on both my server and my client). If your MD5 checksum matches mine, then you do have 'clean' versions.


Thanks for sharing your insight,


On that note regarding the occurence of false positives, I have run into numerous false positives on pirated software - but never once on legitimate software, for example out of my entire steam games library, L4D2 is the ONLY game that tripped heuristics and whats even stranger - It passed malware detection tests just fine for the past two years.

Regarding my AV definition updates - I have killed the update service / updates are disabled. To update, I have to re-enable my updater service and do it manually. Additonally I'm running an ancient build dated back from 2010 ; has the exact heuristics that passed the previous versions of L4D2.

What worries me most is that these files are currently residing on the steam servers and being propogated all around as a game update, steam update servers pushing these suspicious files out to clients.


By the way, could I bother you to upload your files to try? I have yet to run MD5 sums on my files as they are in quarantine though logic says that the files should be scanned prior to comparing MD5 sums as those might be MD5 sums of the infected dlls themselves.

The files are :
S:\Steam\steamapps\common\left 4 dead 2\bin\stdshader_dx9.dll
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\server.dll
S:\Steam\steamapps\common\left 4 dead 2\left4dead2\bin\server.dll
< >
Visar 1-7 av 7 kommentarer
Per sida: 1530 50

Datum skrivet: 1 nov, 2013 @ 4:55
Inlägg: 7