Is OOTS website security compromised?



alowe
2013-06-10, 09:26 AM
Hi OOTS,

Erm, last week I visited your website (and Erfworld) and got a virus. Nearly lost everything and was a nightmare to remove.

This week I got the same virus so now I know it has to be either OOTS or EW it's coming from.

I understand that not long ago the OOTS (or was it EW?) website was hacked into for a short time. It seems that whatever got in hasn't all been removed (or it invited in other stuff that hasn't been noticed).

I wish I could protect my computer but I use the library to connect to the internet (my home computer is not connected). I haven't been able to find a virus checker that works without connection to the internet. Have tried AVG, Norton and MS Security Essentials. Paying a monthly fee just to install a virus checker to protect your computer from what that same fee is paying for seems to me to be perverse. Our library's AVG license ran out a month ago and they're taking their sweet time renewing it.

Will post the same on Erfworld website.

Rawhide
2013-06-10, 09:42 AM
The earlier compromise was not very sophisticated. They were simply downloading the files from our site and uploading the modified files back. We are confident that they have all been removed.

You can read about the attack and what happened here (http://www.giantitp.com/forums/showthread.php?t=285749) and here (http://www.giantitp.com/index.html#AlXaO8EiS89zOiJIQK5). There is a list of free antivirus programs here (http://www.giantitp.com/forums/showpost.php?p=15330491&postcount=1). Every single antivirus program in the world will require you to connect to the internet to get the latest definitions. But almost all of them will work while offline with older definitions.

More than likely, wherever you got the virus from, you still had the virus from your system and have been reinfected by it.

Mando Knight
2013-06-10, 10:10 AM
More than likely, wherever you got the virus from, you still had the virus from your system and have been reinfected by it.

Or it went dormant... computer viruses can be tricky things to fully root out.

EDIT: Wait, that's the same thing. Silly me. :smalltongue:

alowe
2013-06-10, 10:11 AM
More than likely, wherever you got the virus from, you still had the virus from your system and have been reinfected by it.
This is not possible because I lost everything. The hard drives were formatted (including the USB stick the virus originally came in on) and Windows installed from scratch. There wasn't anything writable left for it to exist on.

I could prove to you that it is the OOTS website that is doing the infecting and also provide details of the virus name etc. Unfortunately when I got the virus today I immediately deleted it. If it happens again I will be able to prove where it came from and what it is since I know much of how it is happening.

Also, would like to point out that I am not someone who knows little about computers. I've been working with computers since before the internet existed and have a formal education and degree in Software Engineering. If I make any claim I can back it up with proof so please don't dismiss this too quickly.

Mando Knight
2013-06-10, 10:12 AM
My anti-virus hasn't sent out any alerts, and I trust Rawhide...

alowe
2013-06-10, 10:15 AM
My anti-virus hasn't sent out any alerts, and I trust Rawhide...
Ok ok. I'll just have to get proof then so it doesn't become a trust issue. I'm still not sure if it's Erfworld or OOTS but it has to be one or the other.

Grinner
2013-06-10, 10:17 AM
Wait...You're using an unprotected *public* computer?

Douglas
2013-06-10, 10:21 AM
If OotS really were the source of this virus, I'd expect several people to have chimed in with "I got it too" by now. No one has, so it's probably from somewhere else.

Edit: Wait, it's only been an hour. Ok, so maybe it's too early to judge on that basis, but still.

Rawhide
2013-06-10, 10:29 AM
(including the USB stick the virus originally came in on)

This here shows immediately that your computer did not get the virus from this site or any other. Your computer was infected by the USB stick. Trace that USB stick to where it has been used and trace any other devices you have connected elsewhere.


Also, can you please clarify this?


Erm, last week I visited your website (and Erfworld) and got a virus. Nearly lost everything and was a nightmare to remove.


This is not possible because I lost everything. The hard drives were formatted (including the USB stick the virus originally came in on) and Windows installed from scratch. There wasn't anything writable left for it to exist on.

Was absolutely everything 100% deleted, formatted, and wiped, or did even one single file from the old system make it back to the new?

TheWombatOfDoom
2013-06-10, 11:29 AM
This here shows immediately that your computer did not get the virus from this site or any other. Your computer was infected by the USB stick. Trace that USB stick to where it has been used and trace any other devices you have connected elsewhere.

From what it sounds like, the library computer got infected, and he used his USB to transfer things from the library to home, thus infecting his non connected home computer. I could be misinterpreting as well, though.

NerdyKris
2013-06-10, 12:06 PM
Yeah, Alowe, are you saying that you visited OOTS on a library computer, then transferred files to your home computer using the USB, and then got a virus on your home computer?

The virus is on the Library computer then, not OOTs. It's infecting the USB drive just by putting it in the computer, not by visiting OOTS.

Studoku
2013-06-10, 12:29 PM
I'm trying to piece together your actual account of the events. Is this right?

1. You accessed the OotS and Erfworld sites on an unprotected/badly protected public computer while using a USB stick with it.
2. You used this stick on an unconnected home computer which doesn't have antivirus because despite your decades of experience and education you don't know how to install it without an internet connection.
3. The virus corrupted enough stuff that you had to reformat the hard drive and USB stick.
4. You used the same USB stick at the same library a week later- that computer was apparently unaffected by the virus despite having no antivirus software.
5. You got the virus again and concluded it was OotS's fault.

I get the feeling I'm misinterpreting stuff here since this sounds wrong- please correct me if I am.

IamL
2013-06-10, 05:08 PM
I got a virus, too, though I was able to get rid of it before it did any real damage to my computer.

Not sure if it was GiantITP related or not, though. I trust Rawhide enough that I believe it probably wasn't.

alowe
2013-06-12, 11:29 AM
Hi, I'm still here - haven't forgotten.

I've only got 15 minutes so will come back with specific answers to the questions above.

I realised I was making an assumption that the virus was coming from the internet. As such I've had to make a complaint to the council (the only way they communicate) to ask if it's guaranteed that their network isn't infected.

I only use the USB stick on the library computer. I have traced back the source of the virus and the only common actions I took on both occasions were visiting OOTS and EW. I've discounted visiting google, gmail, Microsoft and Major Geek cause either they're too big and we would have heard about it or I didn't visit them both times.

I did format everything except for a partition that had data files on it. But I managed to do a full scan of that drive before and after. Only executables were infected and these had all been deleted anyway. By data I mean family photos, letters etc. Personal stuff I'm not willing to delete and couldn't be infected anyway. This drive was not the source anyway - I've been using it for about 5 years without any problems. The only executables on it were programs I'd written which are now all gone, but the infection happened again.

Yes they are public computers that have no protection, but as far as I can see Windows is dumped to the terminal every time you log on, meaning that even if your session was infected it shouldn't infect anyone else’s. The security is quite tight (apart from lack of virus checking).

I've managed to find a virus checker that's up-to-date and doesn't require the internet. MS Security Essentials - their definitions page is here:
https://www.microsoft.com/security/portal/definitions/adl.aspx

So it is now possible for me to protect my computer - I hope. The reason why maybe not many people may have reported it is because if they have virus protection installed it shouldn't happen. Since this is easy to have for anyone directly connected to the internet I can understand why a virus wouldn't flag up even if it was there. I'm not convinced it's OOTS or EW cause Edinburgh Council are being so evasive about the whole thing.

erikun
2013-06-12, 11:38 PM
Just popping in here to say that there are a lot of ways for a computer to become infected beyond simply visiting a website. If you have no security software on a computer, especially no firewall, you can receive an infection just by being on and connected.

Viruses can be in more than just .exe files. If you want to save some files currently on your computer, then I would recommend getting a clean USB stick and putting those files onto it, then running a full format with your entire hard drive. It is most likely that the current infection is simply the previous infection, and was not removed with your partial format.

After that, install and update your security software. Then run a scan on that USB stick, to ensure your files are clean. I would also recommend against putting any device connected to your public library to your computer until you are 100% sure your computer is secure and not infected.


I've managed to find a virus checker that's up-to-date and doesn't require the internet. MS Security Essentials - their definitions page is here:
https://www.microsoft.com/security/portal/definitions/adl.aspx
Microsoft Security Essentials requires you to connect to the internet to get the most recent updates. That is a fact. The only way you're going to get MS Essentials onto your computer is to install it with a purchased CD (which is not going to be up to date) or to download it from another computer and transfer it, such as my USB stick (which has the same problems you've been seeing).

I don't know where you got the idea that MS Security Essentials doesn't require updates from the internet; the webpage you linked includes a link to download necessary updates over the internet.

The Bushranger
2013-06-13, 12:56 AM
Yes they are public computers that have no protection, but as far as I can see Windows is dumped to the terminal every time you log on, meaning that even if your session was infected it shouldn't infect anyone else’s. The security is quite tight (apart from lack of virus checking).

This doesn't work this way. Our local library's computers do a hard reset every time a patron logs off, but every time I've installed MalwareBytes on them to check when I was downloading something (also free, HIGHLY recommended, a perfect complement to MSSE) it would always come up with the same five keylogger-trojan-things on the hard drive (since the reset made them come back after every time I had MBAM quarantine them when I used it).

happyturtle
2013-06-13, 06:29 AM
So it is now possible for me to protect my computer - I hope. The reason why maybe not many people may have reported it is because if they have virus protection installed it shouldn't happen. Since this is easy to have for anyone directly connected to the internet I can understand why a virus wouldn't flag up even if it was there. I'm not convinced it's OOTS or EW cause Edinburgh Council are being so evasive about the whole thing.

Virus scanners notify the user when a virus tries to get through, even when it's successful in preventing it. The most likely source of your infection is that other people have gone to dodgy sites on the library computer, infected the library computer, then the library computer infected your usb drive, and your usb drive infected your home computer. Just because your usb drive has been clean for 5 years doesn't mean it can't get infected now.

NerdyKris
2013-06-13, 12:32 PM
Yes they are public computers that have no protection, but as far as I can see Windows is dumped to the terminal every time you log on, meaning that even if your session was infected it shouldn't infect anyone else’s. The security is quite tight (apart from lack of virus checking).


There is no protection on the computer. That is bad. You do not have to actively run a file for a virus to infect the USB stick, and then infect your home PC. Please read up on how trojans and rootkits work. They also do not have to be on your profile. They can be in the Windows system files. Dumping to terminal every time you log in does not help if the main Windows system is compromised, which it most likely is.

The sites you went to have nothing to do with where the virus came from. The virus most likely exists on the Windows server at the library. Someone could have gotten it while browsing porn a year ago, and it just keeps being reloaded every time.

TuggyNE
2013-06-14, 07:19 AM
Yes they are public computers that have no protection, but as far as I can see Windows is dumped to the terminal every time you log on, meaning that even if your session was infected it shouldn't infect anyone else’s. The security is quite tight (apart from lack of virus checking).

Dumped to the terminal? Confining infection to a single session? Not quite sure what you're saying, but I don't think those are things Windows can normally do usefully.

Mind you, if we were talking about a capability-based secure OS, or one with built-in sandboxing, then I might be able to accept it, but not bog-standard Windows.

Hmm, maybe you're indicating that they're thin clients which discard all changes to the VM image? That would prevent new infections from lingering, but wouldn't prevent sufficiently old and persistent infections (i.e., before the image was created) from staying around and causing havoc, nor would they prevent new infections from simply copying over to USB drives, which they have long been known to do.

Finally, I'd like to note that a great many file types that you would never expect to be infect-able (Word documents, WMF pictures, and lots of others) have been known to house exploit code of various sorts, so your personal files are not safe merely by virtue of not being directly executable. (My "favorite" is probably the WMF files; no one expects an image to throw viruses around.)

alowe
2013-06-19, 11:37 AM
A wee update - haven't been online for a week.

The council haven't come back yet. Often complaints are ignored so that isn't unusual. Their AVG license is still not renewed.

I tried out MS Security Essentials but unfortunately after that the computer would BSOD every 5 minutes so had to uninstall it.

As far as I can tell my computer hasn't got another virus. Maybe the second infection was caused by the first one but it's hard to see how, since I either wiped everything or deleted all executables (not just .EXEs) and did multiple full virus scans. Who knows. One precaution I've been using is not to use the USB stick when visiting OOTS or EW.

erikun:
Microsoft Security Essentials does not require you to connect to the internet from the computer you wish to install it on. You can download the most recent install and virus database from the link I posted. This is unlike AVG and Norton for example. Even if you download their standalone installers they won't install and/or run without connection to the internet. MS SecEss does - but as I said above I can't use it anyway, so it's all moot to me now.

The Bushranger:
Every library's system is different.

happyturtle:
Many virus scanners do not notify you if they blocked a virus that could have been downloaded on the internet. They just block them silently. Try visiting warez sites which almost all have viruses and see if you get any warning. Alternatively find a known virus site with google and visit it. You may not get a notification.

NerdyKris:
I know how viruses work. I used to study them at University. Did you know that the smallest TSR virus was written in Bulgaria and was only 42 bits large (yes bits, not bytes - figure out how that was done!). Coincidentally the smallest biological virus in the world is Hepatitis B which is 42 nanometers in diameter.

happyturtle
2013-06-20, 06:02 AM
happyturtle:
Many virus scanners do not notify you if they blocked a virus that could have been downloaded on the internet. They just block them silently. Try visiting warez sites which almost all have viruses and see if you get any warning. Alternatively find a known virus site with google and visit it. You may not get a notification.

Er, I'm going to pass on that. Really. Seriously. Why would you suggest someone go to a known virus site?! "Hey, let's see if your measles vaccine is any good. Go give a sick person a big slobbery kiss!" Kids, DON'T TRY THIS AT HOME! :smallannoyed:

I already know my virus scanner will tell me if it blocks something. It's in the options, and I've seen it happen. Not often - maybe 2 or 3 times in the last five years, because I don't go to warez sites or google known virus sites.

Strawberries
2013-06-20, 07:06 AM
I absolutely agree with what Happyturtle said. All the antiviruses I have ever had notify you when they block an infection. Because at the very least you should know that the site you are trying to access is not safe.

Also, when gitp server was compromised, we had dozens of people reporting it in a matter of minutes. Given the volume of traffic this site sees, I am sure other people would have reported it by now.

Mystic Muse
2013-06-20, 05:23 PM
What is a wares/warez site? :smallconfused:

LokeyITP
2013-06-20, 05:46 PM
SecEss not installing is probably a clue, although I wonder if the OS is updated? Something like XP SP1 isn't going to cut it these days.

Reinfection can be from practically anything, depending on the sophistication of whatever you were hit with. Everything is suspect, you're not safe until you've reinstalled all device BIOS (just a wget command needed), nuked all media and checked everything you put back onto a fully updated OS (if you know someone in IT, they can get you an OS image that's up to date).

The Bushranger
2013-06-20, 07:37 PM
What is a wares/warez site? :smallconfused:

Software pirates, basically.

137beth
2013-06-20, 09:42 PM
Software pirates, basically.

So he got a virus, and he's visited virus-giving sites like a warez site...
and concludes that the virus came from OOTS:smallconfused:

dethkruzer
2013-06-21, 03:44 AM
So he got a virus, and he's visited virus-giving sites like a warez site...
and concludes that the virus came from OOTS:smallconfused:

He suggested visiting a warez site to see if your anti-virus gives a notification about having blocked a virus.

I personally pay good money for Norton Internet Security, and it notifies me whenever it's blocked any malign activity.

The Glyphstone
2013-06-21, 11:37 AM
He suggested visiting a warez site to see if your anti-virus gives a notification about having blocked a virus.

I personally pay good money for Norton Internet Security, and it notifies me whenever it's blocked any malign activity.

That's like testing a new can of pepper spray by walking through the darkest, dirtiest, most crime-ridden neighborhood in your city while wearing all your most expensive jewelry...

137beth
2013-06-21, 12:45 PM
He suggested visiting a warez site to see if your anti-virus gives a notification about having blocked a virus.

I personally pay good money for Norton Internet Security, and it notifies me whenever it's blocked any malign activity.

Yea, that sort of suggested to me that he occasionally visits warez sites...
I've never visited one, so it would never have occurred to me. But it occurred to him:smalltongue:

Trixie
2013-06-22, 07:23 PM
What is a wares/warez site? :smallconfused:

Spelled in hacker l33t slang, 'software' is shortened to 'warez'. Since they think programs with DRM are unusable any software dumped there is usually DRM-free, that or another way.

Also, yeah, most of such sites are traps for unwary, naive people wanting a free meal.


I personally pay good money for Norton Internet Security, and it notifies me whenever it's blocked any malign activity.

Pardon me, but aren't NIS regularly first in rankings of the worst programs, due to weak detection and system resources hogging? I think even most free programs are better in rankings, just saying. It notifies you loudly to justify its price, is all, IMHO.

The Bushranger
2013-06-22, 09:05 PM
Norton and McAfee are, frankly, junk. (And at least some past versions of AVG acted like malware themselves.) Virtually all experts now recommend a combination of Microsoft Security Essentials/Windows Defender (the latter seems to be the name it uses for Windows 8, which is ironic since "Vista Defender" et al. are the antivirus-mimicking malware programs) and MalwareBytes AntiMalware, both of which are free.

Having the NoScript browser plugin helps too. It's..."interesting"...sometimes to check it to allow a site to load its script, and to discover that seven or more other sites are trying to load scripts on it too (from its ads).

alowe
2013-06-29, 08:14 AM
Well, got a virus a 4th time. Panicked and deleted it again. Should have just renamed it and identified it. Oh well.

The only thing I did that day was visit OOTS and EW and stupidly left the USB stick in. On all other days I visit these sites and don't use a USB stick I don't get a virus. Same result 4 times, different result all other times. I'm satisfied that it must be one of the sites - unless the virus appears without me visiting or using the USB stick which hasn't happened yet.

So, that's the solution for me. USB +OOTS/EW = virus. Without it I can still enjoy the cartoons and use the USB beforehand to avoid infection. I think this topic is now closed as I doubt any more will be done or useful thing said. People can chat about it if they like. I'll let you know if anything new develops.

Oh, and the council did reply with a load of bull. I'll have to appeal in order to get them to listen. It's all just stalling for time and wasting people's energy - but that's what the council does anyway so no surprises there.

Bastian Weaver
2013-06-29, 09:26 AM
Let me check if I understand it right... If you visit OotS and EW and use USB, you get a virus. If you visit OotS and EW and don't use USB, you don't get a virus.
What happens when you use USB without visiting OotS and/or EW?

Qwertystop
2013-06-29, 06:09 PM
Well, got a virus a 4th time. Panicked and deleted it again. Should have just renamed it and identified it. Oh well.

The only thing I did that day was visit OOTS and EW and stupidly left the USB stick in.(1) On all other days I visit these sites and don't use a USB stick I don't get a virus.(2) Same result 4 times, different result all other times. I'm satisfied that it must be one of the sites (3)- unless the virus appears without me visiting or using the USB stick which hasn't happened yet.(4)

So, that's the solution for me. USB +OOTS/EW = virus.(5) Without it I can still enjoy the cartoons and use the USB beforehand to avoid infection. I think this topic is now closed as I doubt any more will be done or useful thing said. People can chat about it if they like. I'll let you know if anything new develops.

Oh, and the council did reply with a load of bull. I'll have to appeal in order to get them to listen. It's all just stalling for time and wasting people's energy - but that's what the council does anyway so no surprises there.

Can you reparse? As I'm reading it, this makes no sense (footnotes and bolding inserted to show how I see this):

1: You go to OOTS/EW, with a USB, and get a virus.

2: If you go to OOTS/EW without a USB, you don't get a virus.

3: You conclude that it is OOTS/EW bringing the virus.

4: If you got it when you didn't use a USB that would be evidence that it wasn't OOTS/EW.

5: It's OOTS/EW + USB.


Soooo... 1 and 2 are empirical. 3, however, doesn't follow. The one thing you do whether you get it or not is view OOTS/EW. The one thing that the virus always goes with is using the USB. 4 just makes no sense - that would be evidence that the USB is unrelated (also, how would something get from the library to your house without a USB?)

And then at 5 you conclude something different from 3, which equally fails to follow. Currently, from what you've said, there is no evidence that either OOTS or EW have anything to do with it - you view them every time and only sometimes get a virus afterward.

IamL
2013-06-29, 10:48 PM
Can you reparse? As I'm reading it, this makes no sense (footnotes and bolding inserted to show how I see this):

1: You go to OOTS/EW, with a USB, and get a virus.

2: If you go to OOTS/EW without a USB, you don't get a virus.

3: You conclude that it is OOTS/EW bringing the virus.

4: If you got it when you didn't use a USB that would be evidence that it wasn't OOTS/EW.

5: It's OOTS/EW + USB.


Soooo... 1 and 2 are empirical. 3, however, doesn't follow. The one thing you do whether you get it or not is view OOTS/EW. The one thing that the virus always goes with is using the USB. 4 just makes no sense - that would be evidence that the USB is unrelated (also, how would something get from the library to your house without a USB?)

And then at 5 you conclude something different from 3, which equally fails to follow. Currently, from what you've said, there is no evidence that either OOTS or EW have anything to do with it - you view them every time and only sometimes get a virus afterward.

He was saying that if he didn't use the USB, he didn't get a virus.
If he used the USB but didn't visit OoTS/EW, he still got no virus.
Only if he used the USB and visited OoTS/EW would he get a virus.

3 was the conclusion that the websites are related to the problem, and it doesn't conflict with 5.

The Bushranger
2013-06-30, 03:52 AM
It does, however, point towards the USB stick being the source of the problem, since nobody else is getting a virus.

IamL
2013-06-30, 06:05 AM
It does, however, point towards the USB stick being the source of the problem, since nobody else is getting a virus.

I know that, I was just playing devil's advocate.
Because you didn't quite get what he was saying.

PebbleInTheSky
2013-07-01, 03:40 AM
It does, however, point towards the USB stick being the source of the problem, since nobody else is getting a virus.



Um, one of my antivirus software programs has been telling me that Giantitp has something malicious, and immediately closes the window if I try to go here. I haven't reported it because I am being prevented from visiting by the antivirus program, and wasn't going to risk visiting this site until I went to another computer. I am having problems visiting here.

Rawhide
2013-07-01, 04:05 AM
Um, one of my antivirus software programs has been telling me that Giantitp has something malicious, and immediately closes the window if I try to go here. I haven't reported it because I am being prevented from visiting by the antivirus program, and wasn't going to risk visiting this site until I went to another computer. I am having problems visiting here.

I can assure you, there are absolutely no malicious files here. All modified files were removed, the main website is rebuilt from source files daily, I've scanned the website files looking for modifications from what they should be and found nothing, my virus scanners have failed to find and identify anything, and no one else has reported anything.

Within minutes of the earlier breach, we had multiple pages of reports on the issue from the users of this forum, including the name of the malware, the website it was being hosted on, and other details. On top of the scanners that I use, the members of this forum use a wide variety of different scanners that can catch things that one of them may miss. The fact that, in all of this time, no one else has been reporting the issue shows that the virus is absolutely, positively not coming from here.

While I can't unequivocally state that this alleged virus isn't coming from Erfworld, as I don't have access to the maintenance side of things as I do here, I can state that I strongly do not believe it is coming from there either. I've visited the site and found no virus there, nor any reports of a virus.

I can only suggest that you clean your cache, delete your cookies, update your scanner, and try again.
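Rawhide's post above describes checking the site's files against what they should be. The script below is an added illustration of that kind of file-integrity check, not the tooling Rawhide or the forum actually uses: it hashes every file under a web root into a baseline manifest, then compares a later manifest against it and reports files that were added, removed or modified. The directory layout and file contents in `demo()` are constructed for the example; in real use the baseline would be generated from the known-good source tree and stored somewhere the web server account cannot write.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline, current):
    """Return the paths that appeared, vanished, or changed content since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest, path):
    """Persist the baseline as JSON (keep this copy off the web server's writable paths)."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed web root: take a baseline, change one file, drop in one new file, diff."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d) / "htdocs"
        (site / "images").mkdir(parents=True)
        (site / "index.html").write_text("<html><body>clean</body></html>")
        (site / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        baseline = build_manifest(site)
        save_manifest(baseline, Path(d) / "baseline.json")

        # Simulated drift (constructed): one edited page, one unexpected new file.
        (site / "index.html").write_text("<html><body>changed</body></html>")
        (site / "images" / "extra.txt").write_text("unexpected")

        current = build_manifest(site)
        return compare_manifests(load_manifest(Path(d) / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A daily rebuild from source, as described in the post, is the other half of this: if the served tree is regenerated from a clean source and the manifest still shows drift, the thing to investigate is whatever wrote to the tree between rebuilds.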

Zherog
2013-07-01, 09:48 AM
Um, one of my antivirus software programs has been telling me that Giantitp has something malicious, and immediately closes the window if I try to go here. I haven't reported it because I am being prevented from visiting by the antivirus program, and wasn't going to risk visiting this site until I went to another computer. I am having problems visiting here.

This might be a case of a user's avatar or image in their sig being hosted on a site that is a known threat. That's come up before - because the image displays here, even though it's hosted elsewhere, it triggers malware / virus checkers and flags this site as compromised.
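Zherog's explanation above (an off-site image in a signature tripping a scanner against the whole site) and The Bushranger's earlier note about NoScript revealing several third-party script hosts on one page both come down to the same question: which hosts other than the site's own does a page pull resources from? The script below is an added example, not code from the forum or its software, that parses a page and lists the externally hosted images, scripts, frames and stylesheets. The sample page and the `.invalid` hostnames are constructed; `giantitp.com` is assumed as the site's own host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that names a fetched resource.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every resource-bearing start tag in the page."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.found.append((tag, value))


def external_resources(html, site_host):
    """Return sorted (tag, host, url) for resources not served from site_host or its subdomains."""
    parser = ResourceCollector()
    parser.feed(html)
    out = set()
    for tag, url in parser.found:
        host = urlparse(url).hostname  # None for relative URLs, i.e. same origin
        if host is None:
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        out.add((tag, host, url))
    return sorted(out)


def external_hosts(resources):
    """Distinct third-party hosts, the list a moderator would actually review."""
    return sorted({host for _, host, _ in resources})


# Constructed forum page: two same-site images, one off-site signature image,
# one third-party ad script and one third-party stylesheet.
SAMPLE_PAGE = """<html><body>
<img src="/images/avatar42.png">
<img src="http://www.giantitp.com/forums/images/smilies/tongue.gif">
<script src="//ads.example.invalid/serve.js"></script>
<div class="signature"><img src="http://pics.example.invalid/sig_banner.gif"></div>
<link rel="stylesheet" href="https://cdn.example.invalid/style.css">
</body></html>"""


def demo():
    return external_resources(SAMPLE_PAGE, "giantitp.com")


if __name__ == "__main__":
    for tag, host, url in demo():
        print(f"{tag:7} {host:25} {url}")
    print("hosts:", external_hosts(demo()))
```

Protocol-relative URLs (`//host/path`) are handled the same as absolute ones, since that is how many ad and CDN scripts are embedded. A hit on this list is not itself evidence of compromise; it tells you which host a scanner's verdict on the page may really be about, which is exactly the situation Zherog describes.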

The Bushranger
2013-07-04, 12:51 AM
This might be a case of a user's avatar or image in their sig being hosted on a site that is a known threat. That's come up before - because the image displays here, even though it's hosted elsewhere, it triggers malware / virus checkers and flags this site as compromised.

Yeah, that happens occasionally. Every now and then somebody has to be poked because something in their sig throws up popups; it's very rare, but it has happened.