Cannot run my antispyware or antivirus program



Cam
10-20-08, 07:20 PM
Hi everyone,

I have had a spyware infection for a couple of days that I can't get rid of. It
pops up every once in a while in a bubble in the right-hand corner,
the system tray, saying that my computer is infected and that I need a
spyware program to clean it... If I click on it, it will install an
antispyware program. The usual problem that I had with other spyware
before.

But the big problem with this one is that my antispyware and my
antivirus programs will not run, and the one that will run (Ad Aware)
will not update anymore using the usual Internet connection made for
that purpose in the program. Furthermore it redirects my Internet
sites whenever I want to go to an antispyware or antivirus site!

Could someone please help me?

Thank you in advance
Cam

David H. Lipman
10-20-08, 08:07 PM
From: "Cam" <cam1947@gmail.com>

| Hi everyone,

| I have had a spyware infection for a couple of days that I can't get rid of. It
| pops up every once in a while in a bubble in the right-hand corner,
| the system tray, saying that my computer is infected and that I need a
| spyware program to clean it... If I click on it, it will install an
| antispyware program. The usual problem that I had with other spyware
| before.

| But the big problem with this one is that my antispyware and my
| antivirus programs will not run, and the one that will run (Ad Aware)
| will not update anymore using the usual Internet connection made for
| that purpose in the program. Furthermore it redirects my Internet
| sites whenever I want to go to an antispyware or antivirus site!

| Could someone please help me?

| Thank you in advance
| Cam

Cam:

Please don't MultiPost.
Please learn to Cross-Post to pertinent, On Topic, NewsGroups instead.

Additionally, you were replied to by a fake MS MVP, software plagiarizer and malicious
actor by the 'nym of PCBUTTS1.
Please steer clear of his web site and any offerings "he" has provided you.

I suggest you use the following...
Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

If that does not work (and I am sure it will)...



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Then post the contents of the HJT log in your post in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Cam
10-21-08, 10:15 AM
On Oct 20, 9:07 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Cam" <cam1...@gmail.com>
>
> | Hi everyone,
>
> | I have had a spyware infection for a couple of days that I can't get rid of. It
> | pops up every once in a while in a bubble in the right-hand corner,
> | the system tray, saying that my computer is infected and that I need a
> | spyware program to clean it... If I click on it, it will install an
> | antispyware program. The usual problem that I had with other spyware
> | before.
>
> | But the big problem with this one is that my antispyware and my
> | antivirus programs will not run, and the one that will run (Ad Aware)
> | will not update anymore using the usual Internet connection made for
> | that purpose in the program. Furthermore it redirects my Internet
> | sites whenever I want to go to an antispyware or antivirus site!
>
> | Could someone please help me?
>
> | Thank you in advance
> | Cam
>
> Cam:
>
> Please don't MultiPost.
> Please learn to Cross-Post to pertinent, On Topic, NewsGroups instead.
>
> Additionally, you were replied to by a fake MS MVP, software plagiarizer and malicious
> actor by the 'nym of PCBUTTS1.
> Please steer clear of his web site and any offerings "he" has provided you.
>
> I suggest you use the following...
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> If that does not work (and I am sure it will)...
>
> Download and execute HiJack This! (HJT)
> http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
>
> Then post the contents of the HJT log in your post in one of the below expert forums...
>
> { Please - Do NOT post the HJT Log here ! }
>
> Forums where you can get expert advice for HiJack This! (HJT) Logs.
>
> NOTE: Registration is REQUIRED in any of the below before posting a log
>
> Suggested primary:
> http://www.thespykiller.co.uk/index.php?board=3.0
>
> Suggested secondary:
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.malwarebytes.org/forums/index.php?showforum=7
>
> Suggested tertiary:
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.atribune.org/forums/index.php?showforum=9
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Her...
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://forum.networktechs.com/forumdisplay.php?f=130
> http://forums.maddoktor2.com/index.php?showforum=17
> http://www.spywarewarrior.com/viewforum.php?f=5
> http://forums.spywareinfo.com/index.php?showforum=18
> http://forums.techguy.org/f54-s.html
> http://forums.tomcoyote.org/index.php?showforum=27
> http://forums.subratam.org/index.php?showforum=7
> http://www.5starsupport.com/ipboard/index.php?showforum=18
> http://aumha.net/viewforum.php?f=30
> http://makephpbb.com/phpbb/viewforum.php?f=2
> http://forums.techguy.org/54-security/
> http://forums.security-central.us/forumdisplay.php?f=13
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thanks for your info concerning multi-posting, sorry I did not know.
Also thanks for the info concerning the fake MS MVP; when I saw that I
thought that it was indeed a fake.

Now, concerning the sites you gave me, I tried to go to these sites
but, I guess, the malicious spyware that I have on my PC will not let
me go there; I get a "page load error" whenever I try to open any of
the sites you gave me. It seems that I cannot open any sites
about spyware or viruses. Any other sites will open properly... I
guess my PC is badly infected!

Any other idea of what I could do? My spyware and antivirus programs
will not work and/or update and I cannot go to security sites; I either
get an error message or I am redirected to other sites.

Thanks again,
Cam
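The symptoms Cam describes (security vendor sites failing to load or being redirected while everything else works, updaters unable to reach their servers) are often produced by entries appended to the hosts file, though the thread never identifies the mechanism on his machine and proxy or DNS changes can do the same. The script below is an added example, not code from the thread or from any of the tools named in it: it parses a hosts file, flags any line that pins a security-vendor domain to an address, and produces a cleaned copy. The domain list is taken from the sites mentioned in the thread and the sample hosts text is constructed; the 192.0.2.10 address is a TEST-NET placeholder standing in for a rogue server.

```python
"""Check a Windows-style hosts file for entries that sinkhole or redirect
security-vendor domains, one common way a rogue "antivirus" blocks updates
and vendor sites.  Added example; the sample hosts text and the domain list
are constructed for illustration."""
import ipaddress
from typing import Iterator, List, NamedTuple, Sequence


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostname: str


class Finding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    kind: str  # "sinkholed" (loopback / 0.0.0.0) or "redirected" (some other host)


# Domains taken from the vendor and help sites mentioned in the thread;
# extend with whatever your own tools update from.
SECURITY_DOMAINS: Sequence[str] = (
    "malwarebytes.org",
    "trendsecure.com",
    "thespykiller.co.uk",
    "bleepingcomputer.com",
    "castlecops.com",
    "claymania.com",
)

# Addresses that make a name resolve to nothing useful.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: a hosts file after a hijacker has appended to it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are what a hijacker typically appends
127.0.0.1       www.malwarebytes.org malwarebytes.org
0.0.0.0         www.bleepingcomputer.com
192.0.2.10      www.trendsecure.com   # TEST-NET address standing in for a rogue server
192.0.2.10      forums.bleepingcomputer.com
"""


def parse_hosts(text: str) -> Iterator[HostsEntry]:
    """Yield one entry per (address, hostname) pair, ignoring comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; not a hosts line we understand
        for hostname in fields[1:]:
            yield HostsEntry(line_no, fields[0], hostname.lower())


def is_watched(hostname: str, domains: Sequence[str] = SECURITY_DOMAINS) -> bool:
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def find_hijacks(text: str, domains: Sequence[str] = SECURITY_DOMAINS) -> List[Finding]:
    """Return every hosts entry that pins a watched domain to any address.
    A legitimate hosts file has no reason to mention these domains at all,
    so any hit is suspicious; the kind only says how it was done."""
    findings: List[Finding] = []
    for entry in parse_hosts(text):
        if is_watched(entry.hostname, domains):
            kind = "sinkholed" if entry.ip in SINKHOLE_IPS else "redirected"
            findings.append(Finding(entry.line_no, entry.ip, entry.hostname, kind))
    return findings


def cleaned_hosts(text: str, domains: Sequence[str] = SECURITY_DOMAINS) -> str:
    """Return the hosts text with every line that names a watched domain dropped."""
    bad_lines = {f.line_no for f in find_hijacks(text, domains)}
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.ip} ({f.kind})")
```

On a real machine you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts. Because the check runs on the same OS the malware controls, read the file from another account (as Suggs did) or, better, from a boot medium; and if the file is clean, look next at proxy settings and the DNS servers the adapter is using, which this script does not cover.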

David H. Lipman
10-21-08, 12:00 PM
From: "Cam" <cam1947@gmail.com>


| Thanks for your info concerning multi-posting, sorry I did not know.
| Also thanks for the info concerning the fake MS MVP; when I saw that I
| thought that it was indeed a fake.

| Now, concerning the sites you gave me, I tried to go to these sites
| but, I guess, the malicious spyware that I have on my PC will not let
| me go there; I get a "page load error" whenever I try to open any of
| the sites you gave me. It seems that I cannot open any sites
| about spyware or viruses. Any other sites will open properly... I
| guess my PC is badly infected!

| Any other idea of what I could do? My spyware and antivirus programs
| will not work and/or update and I cannot go to security sites; I either
| get an error message or I am redirected to other sites.

| Thanks again,
| Cam

Sorry to hear that.
Then your *best* option would be to wipe the PC and reinstall the OS from scratch after
backing up your data.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Suggs
10-21-08, 02:28 PM
I had this problem with the AntiVirus2008 virus a week ago. What saved me was that I had another user account on start-up and luckily I could still download Anti-Malware into that one. After a weekend of doing scan after scan I think it's finally clear.

Good luck!

Todd H.
10-22-08, 10:58 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

> From: "Cam" <cam1947@gmail.com>
>
>
> | Thanks for your info concerning multi-posting, sorry I did not know.
> | Also thanks for the info concerning the fake MS MVP; when I saw that I
> | thought that it was indeed a fake.
>
> | Now, concerning the sites you gave me, I tried to go to these sites
> | but, I guess, the malicious spyware that I have on my PC will not let
> | me go there; I get a "page load error" whenever I try to open any of
> | the sites you gave me. It seems that I cannot open any sites
> | about spyware or viruses. Any other sites will open properly... I
> | guess my PC is badly infected!
>
> | Any other idea of what I could do? My spyware and antivirus programs
> | will not work and/or update and I cannot go to security sites; I either
> | get an error message or I am redirected to other sites.
>
> | Thanks again,
> | Cam
>
> Sorry to hear that.
> Then your *best* option would be to wipe the PC and reinstall the OS from scratch after
> backing up your data.

Cam,

I strongly second this advice from David.


--
Todd H.
http://www.toddh.net/

Ari
11-06-08, 05:07 PM
On Tue, 4 Nov 2008 13:02:44 -0000, Trespasser wrote:

> --
> Regards
> Trespasser
> ----------------------------
> I try to take one day at a time, but sometimes two or three gang up on me.
>
> I'm not paranoid, I know you're watching me. (o-o)
>
> Show me a wireless network, I'll show you free broadband.
>
> So you think this signature's bad? You should see my handwriting
> ----------------------------
> "Ari" <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in message
> news:6na09rFkk1n9U1@mid.individual.net...
>> On Tue, 4 Nov 2008 01:20:08 -0000, Trespasser wrote:
>>
>>> I do find though that those people whose first action is to reach for the
>>> windows cd to perform a format either have the attitude that they do not
>>> have the ability to cleanse a system manually, they just don't have the
>>> time, or they are far too interested in making quick money. I myself have
>>> taken time to find a handful of tools (all of them free) and there are very
>>> few machines I see that actually need formatting, after spending an hour
>>> running a couple of programs.
>>
>> Heh, you're clueless.
>
> #############
>
> Yeah, you're right. Tell that to my boss who pays me 15 p/h

Two idiots don't make either of you less clueless.

Ari
11-06-08, 05:08 PM
On Wed, 05 Nov 2008 13:48:06 -0600, Moe Trin wrote:

>>Yes, I use other other ways to detect malware rather than rely on AV-
>>type software. When rootkits are involved you need to compare things
>>like the in-memory image of the system service despatch table against
>>the original executable code.
>
> A problem there is that you are relying on the existing O/S to read
> the O/S memory, and some kind of comparison mechanism. How do you know
> that the memory you are examining is actually what is being used, and
> isn't something that is patched around.

The ***** is either clean or dirty, never in between.

Moe Trin
11-06-08, 09:50 PM
On Thu, 06 Nov 2008, in the Usenet newsgroup alt.computer.security, in article
<op.uj7pqmu66vfhnv@thecomputer.gha.chartermi.net>, chame1eon wrote:

> I think your right that malware could be a lot more sophisticated,
>but because a large number of users don't take countermeasures, it
>doesn't need to be.

Depends on the target. Most of the malware targets one version or
another of windoze. The reasons are a rather poor coding standard,
user demand for eleventy-zillion "features" to make things more
useful, and the absolute refusal of users to learn anything about
the computer (never mind the operating system or applications) which
means everything is enabled, but in the default settings. The result
is that it's a very easy target to crack, and because it's widely
used, the main problem for the bad guys is figuring out which
system to take over.

None the less, it is relatively easy to harden windoze so that it
becomes much more difficult to crack. The result is that the bad guy
moves on, and picks one of the jillion other easier targets.

>So when it comes to things I think I'm likely to encounter on
>my home PC convenience can take precedence.

Convenience doesn't have to take precedence over security.

> I'm trying to get a degree for something computer related, so
>depending on what I end up doing, knowledge about tighter security
>could become an issue.

Knowledge of security comes from knowledge of the protocols, and what
the application is doing. An example is "sharing". Do you really
want to share everything with everyone? An exaggeration, but do you
think it's a good idea to share your printer with the world? How do
they pick up the hard copies? Do they stop by the house, or do you
mail them out?

>I still want to see what aide does though, so thank you.

Results 1 - 10 of about 316,000,000 for aide [definition]. (0.18
seconds)

AIDE - Advanced Intrusion Detection Environment
AIDE is a file integrity checker that supports regular expressions.
Licensed with GPL.
www.cs.tut.fi/~rammer/aide.html - 6k - Cached - Similar pages

Aide - Wikipedia, the free encyclopedia
AIDE (software), (Advanced Intrusion Detection Environment). An open
source host -based intrusion ... Retrieved from
"http://en.wikipedia.org/wiki/Aide" ...
en.wikipedia.org/wiki/Aide - 18k - Cached - Similar pages

First two hits. Tripwire was the gold standard for a long time,
created by two of the better security programmers (Spafford and Kim at
Purdue University). It's been made into a commercial product, which
was part of the incentive for aide (the GPL means it's free, AND you
get the source).

>I would switch out disks, but I don't even have a good way to back up
>the stuff I have until I get more money :( Most people whose PCs
>I've cleaned don't have spares either.

No backups is an invitation for disaster. Disk drives are _relatively_
inexpensive, assuming a "modern" computer. It's a gamble, and you
need to figure the costs both ways.

Old guy
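Moe Trin's two hits describe AIDE as a file integrity checker with regular-expression support, and Tripwire as the model it follows. The script below is an added example of that technique, not AIDE's or Tripwire's own code: it snapshots a directory tree (SHA-256, size and permission bits per regular file), lets a regex exclude volatile paths the way AIDE's rules do, and diffs two snapshots into added, removed and changed files. The directory layout and the tampering in demo() are constructed for illustration.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/AIDE: take a
baseline of hashes, sizes and modes, then report files that were added,
removed or changed.  Added example, not AIDE's own code; the directory
layout in demo() is constructed for illustration."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, NamedTuple, Optional, Pattern


class FileRecord(NamedTuple):
    sha256: str
    size: int
    mode: int  # permission bits only


class Report(NamedTuple):
    added: List[str]
    removed: List[str]
    changed: List[str]


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, exclude: Optional[Pattern[str]] = None) -> Dict[str, FileRecord]:
    """Walk root and record every regular file.  `exclude` is a regex matched
    against the /-separated relative path, the way AIDE lets you skip volatile
    paths such as logs."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if exclude is not None and exclude.search(rel):
                continue
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets, devices: not hashed here
            st = os.lstat(full)
            records[rel] = FileRecord(sha256_of(full), st.st_size, st.st_mode & 0o7777)
    return records


def compare(baseline: Dict[str, FileRecord], current: Dict[str, FileRecord]) -> Report:
    """Diff two snapshots.  Any change to content, size or mode counts as 'changed'."""
    base_paths, cur_paths = set(baseline), set(current)
    return Report(
        added=sorted(cur_paths - base_paths),
        removed=sorted(base_paths - cur_paths),
        changed=sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    )


def demo() -> Report:
    """Build a tiny tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("bin/ls", b"original ls binary")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("var/log/messages", b"boot ok\n")
        exclude = re.compile(r"^var/log/")  # logs churn; do not alert on them
        baseline = build_baseline(root, exclude)

        # Tampering of the kind the thread describes: a vendor site sinkholed
        # in hosts, a new unexpected binary, a tool removed, logs growing.
        write("etc/hosts", b"127.0.0.1 localhost\n127.0.0.1 www.malwarebytes.org\n")
        write("bin/av_helper", b"not from any vendor")
        os.remove(os.path.join(root, "bin", "ls"))
        write("var/log/messages", b"boot ok\nmore lines\n")

        return compare(baseline, build_baseline(root, exclude))


if __name__ == "__main__":
    report = demo()
    for label, paths in zip(("added", "removed", "changed"), report):
        for p in paths:
            print(f"{label:8s} {p}")
```

The baseline is only as trustworthy as where it is kept and what reads it: store it on read-only media, and remember Moe Trin's point that a checker running on the compromised OS depends on that OS to read the disk honestly, so a disputed result is worth re-hashing from a boot disk.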

Ant
11-07-08, 06:47 AM
"Moe Trin" wrote:

> Ant wrote:
>>When rootkits are involved you need to compare things
>>like the in-memory image of the system service despatch table against
>>the original executable code.
>
> A problem there is that you are relying on the existing O/S to read
> the O/S memory, and some kind of comparison mechanism. How do you know
> that the memory you are examining is actually what is being used, and
> isn't something that is patched around.

In most cases those patches or hooks can be found, even when the
malware is running as a kernel driver. I've not yet seen something
that could totally subvert raw device access or be undetectable in
some way.

>>There are different ways of examining internal structures and you have
>>to know what you're looking for. Malware can't hide all the methods
>>from you.
>
> It doesn't have to. Most users are totally incapable of making ANY
> type of technical decision, because they have no idea, or any desire
> to know, what the computer (or any hardware more complicated than a
> hammer) is doing.

Of course, but I'm looking at it from the perspective of a techie who
is supposed to understand something about how the system works.

The average user these days isn't interested in computing as such.
What they want is an internet/multimedia appliance, an advanced
typewriter, a virtual canvas, a recreational platform. To them, a
computer is something that assists them with their work, hobbies or
other interests.

Perhaps there's an argument to be made for a read-only OS where new
software can't be installed. One thing's certain; users are no more
likely to become technicians than most car drivers are going to become
mechanics. If a safe platform can't be found then ISPs will have to do
more about limiting malicious network traffic -- or not, and we carry
on as usual.


> (25 years ago) there were not a lot of malevolent things you could do
> with a teletype apart from ring the bell, or form feed it out of paper.

Our system was set to read from the card-reader, so when it had
finished the current task would clatter loudly and ring the bell every
few seconds saying "feed me!". This annoyance would normally get us
off our arses in the operators rest room and give it another job. When
Texas Instruments introduced the Silent 700 it only emitted a soft
beep. Consequently, when we eventually checked the computer room, half
a roll of expensive heat-sensitive paper would be piled up on the
floor.

Ari
11-07-08, 07:23 AM
On Fri, 7 Nov 2008 12:47:20 -0000, Ant wrote:

> In most cases those patches or hooks can be found, even when the
> malware is running as a kernel driver. I've not yet seen something
> that could totally subvert raw device access or be undetectable in
> some way.

I'm sure you haven't. I'm also sure that if something is not detectable
by an amateur you won't find it.

See how that works?

Moe Trin
11-07-08, 06:44 PM
On Fri, 7 Nov 2008, in the Usenet newsgroup alt.computer.security, in article
<_9mdnZNCt-SZpInUnZ2dnUVZ8srinZ2d@brightview.co.uk>, Ant wrote:

>In most cases those patches or hooks can be found, even when the
>malware is running as a kernel driver. I've not yet seen something
>that could totally subvert raw device access or be undetectable in
>some way.

Perhaps - but how much time do you spend reading Bugtraq?

>> Most users are totally incapable of making ANY type of technical
>> decision, because they have no idea, or any desire to know, what the
>> computer (or any hardware more complicated than a hammer) is doing.
>
>Of course, but I'm looking at it from the perspective of a techie who
>is supposed to understand something about how the system works.

For every techie, there is a huge number of non-techies, and that's
the ones the mal-ware targets. Those users don't want to know what
the computer might be doing, but at the same time want it to do
everything without bothering them with pop-up messages.

>The average user these days isn't interested in computing as such.

and don't have any idea what is happening,

>What they want is an internet/multimedia appliance, an advanced
>typewriter, a virtual canvass, a recreational platform. To them, a
>computer is something that assists them with their work, hobbies or
>other interests.

And when it screws up, crashes, or otherwise does something that they
might eventually recognize probably wasn't the best idea, it's the
computer's fault. Could it be because they directed the computer to do
something st00pid? Silly question - why would they do that?

>Perhaps there's an argument to be made for a read-only OS where new
>software can't be installed.

Trivial - remove the hard disk, and run everything from the CD or DVD.
Log data goes over the network to a log server, or to a line printer.
We've been running our public facing systems that way for decades. The
problem for our clueless user is how to update the software to fix the
latest fiasco. "Change the CD??? That's too complicated!!! Whine,
whine, whine". And you're back to square one. You may have forgotten
about _hard_drives_ that had a 'Read Only' jumper setting (also called
'Write Protect') - jumper off, and you could load new stuff, but when
you put the jumper back on, the drive was safe from changes. This
wouldn't work for our clueless user as they'd merely leave the jumper
off for convenience (or lose the darn thing).

>One thing's certain; users are no more likely to become technicians
>than most car drivers are going to become mechanics.

If you look at the standards of car drivers, those have also been going
down-hill. What's the percentage that even know how to check the oil
level, never mind how many actually check it at all.

>If a safe platform can't be found then ISPs will have to do more about
>limiting malicious network traffic -- or not, and we carry on as usual.

Are you willing to pay more to have this happen? Some people have
suggested confiscating computers that get 0wned. This would be somewhat
similar to your automobile insurance rates going up after you caused
an accident. (I've also heard proposals to require computer users to
have insurance too.) Eventually, the costs might convince the idiots to
not have or use an Internet connected computer, or learn something
about using one safely by learning how they got screwed the last time.

>> (25 years ago) there were not a lot of malevolent things you could
>> do with a teletype apart from ring the bell, or form feed it out of
>> paper.
>
>Our system was set to read from the card-reader, so when it had
>finished the current task would clatter loudly and ring the bell every
>few seconds saying "feed me!". This annoyance would normally get us
>off our arses in the operators rest room and give it another job.

You didn't have a dedicated slave whose duty station was in the
dinosaur pit?

>When Texas Instruments introduced the Silent 700 it only emitted a
>soft beep. Consequently, when we eventually checked the computer room,
>half a roll of expensive heat-sensitive paper would be piled up on the
>floor.

Yeah - our managers used to scream about that. The 733s didn't last
very long at our place - we found them less than reliable. There was
a fix for the soft beep, although it voided the warranty. Replace the
noisemaker with a Mallory SC307N. You could hear it fifty feet away.

Old guy

Ant
11-09-08, 07:58 PM
"Moe Trin" wrote:

> Ant wrote:
>>In most cases those patches or hooks can be found, even when the
>>malware is running as a kernel driver. I've not yet seen something
>>that could totally subvert raw device access or be undetectable in
>>some way.
>
> Perhaps - but how much time do you spend reading Bugtraq?

I keep an eye on it for the latest Windows related problems. Then I
acquire malware samples to examine.


>>Perhaps there's an argument to be made for a read-only OS where new
>>software can't be installed.
>
> Trivial - remove the hard disk, and run everything from the CD or DVD.
> Log data goes over the network to a log server, or to a line printer.
> We've been running our public facing systems that way for decades.

That's ok for that type of system but the home user needs writeable
media for their gigabytes of pr0n and music downloads.

> The
> problem for our clueless user is how to update the software to fix the
> latest fiasco. "Change the CD??? That's too complicated!!! Whine,
> whine, whine". And you're back to square one.

So there really is no hope!

> You may have forgotten
> about _hard_drives_ that had a 'Read Only' jumper setting (also called
> 'Write Protect') - jumper off, and you could load new stuff, but when
> you put the jumper back on, the drive was safe from changes. This
> wouldn't work for our clueless user as they'd merely leave the jumper
> off for convenience (or lose the darn thing).

There could be some mileage in that if the jumper was a prominent
switch built in to the front of a PC, and a second writeable disk for
data only. There would have to be standard OS support for this kind of
setup -- something that 'nix systems can do now but popular consumer
OS's not so easily.

>>If a safe platform can't be found then ISPs will have to do more about
>>limiting malicious network traffic -- or not, and we carry on as usual.
>
> Are you willing to pay more to have this happen?

That's the trouble. However, some ISPs are already better (arguably)
than others; e.g. disallowing port 25 SMTP traffic except to the ISP's
mail server. That could be a nuisance for some people and I don't like
the idea of a restricted internet access (for me). I reckon many could
do a better job at stopping botnet traffic from their own network at
not too much extra cost.

> Some people have suggested confiscating computers that get 0wned.

A less severe option would be to block network access apart from HTTP
requests which would return a page informing them of the problem and
the actions required to get back online.

>>[tty] annoyance would normally get us off our arses in the operators
>>rest room and give it another job.
>
> You didn't have a dedicated slave whose duty station was in the
> dinosaur pit?

Officially, someone was supposed to be there at all times. In practice
it didn't always work like that. During the day, when many short jobs
were scheduled, it was difficult to get away from the machine. The
long jobs were usually left for the night shift and some would run for
several hours without needing attention. This gave us the chance to
catch up on other tasks like maintaining the tape library. When I say
"us", sometimes there was only one operator on the shift and at the
main site there was more than one computer room. The problem arose
when a long job had been underestimated or aborted itself a short way
in.

Ant
11-09-08, 08:31 PM
> Ant wrote:
> The problem arose when a long job had been underestimated

Duh. I mean the run time had been *over*estimated.

Moe Trin
11-10-08, 06:45 PM
On Mon, 10 Nov 2008, in the Usenet newsgroup alt.computer.security, in article
<4aOdnfJ3wuH5CIrUnZ2dnUVZ8s7inZ2d@brightview.co.uk>, Ant wrote:

>"Moe Trin" wrote:

>> Ant wrote:

>>> Perhaps there's an argument to be made for a read-only OS where new
>>> software can't be installed.
>>
>> Trivial - remove the hard disk, and run everything from the CD or DVD.
>> Log data goes over the network to a log server, or to a line printer.
>> We've been running our public facing systems that way for decades.
>
>That's ok for that type of system but the home user needs writeable
>media for their gigabytes of pr0n and music downloads.

CDs and DVDs. Many UNIX have a 'no-execute' flag in mount(8) which
helps, as does file ownership - but the DeLoader worm of 2003
demonstrated the fallacy of the permissions/ownership concept in windoze
as everyone and his dog runs as Administrator - so that they don't get
those warnings when they try to install that n33t malware helper they
found at that wonderful download server that has _everything_ for free.

>> The problem for our clueless user is how to update the software to
>> fix the latest fiasco. "Change the CD??? That's too complicated!!!
>> Whine, whine, whine". And you're back to square one.
>
>So there really is no hope!

Users don't want to do anything except click on an icon - anything else
is too hard, or complicated, and may make their brane explode. ;-)

>> You may have forgotten about _hard_drives_ that had a 'Read Only'
>> jumper setting (also called 'Write Protect') - jumper off, and you
>> could load new stuff, but when you put the jumper back on, the
>> drive was safe from changes. This wouldn't work for our clueless
>> user as they'd merely leave the jumper off for convenience (or
>> lose the darn thing).
>
>There could be some mileage in that if the jumper was a prominent
>switch built in to the front of a PC,

That used to be the case on the old washing machines - and you may
remember the plastic ring on the hubs of 9 track tapes, or the
write-protect notch/hole on floppies. Problem is, everyone would
leave the protection in the disabled position (allowing writing to
the media) because it's too much work to do otherwise.

>and a second writeable disk for data only. There would have to be
>standard OS support for this kind of setup -- something that 'nix
>systems can do now but popular consumer OS's not so easily.

Windoze already has the separate disk capability. But the drive that
contains the O/S has to be writable in order to install O/S updates
(or put the O/S on read-only media like a CD/DVD and run into the
grief noted above). Making the 'data' drive 'no-execute' is a major
complication for the users. Our users have their home directory
mounted 'exec' because many of them create useful (to them) scripts
that are stored in ~/bin/ because they are unique to the individual
(and thus not easily stored in /bin/ , /usr/bin/ or even
/usr/local/bin/). Yes, windoze being a single user (in practice)
operating system could just require all executables to be stored on a
system partition, but how does that user then add/modify/replace the
extra (non-O/S supplied) tools - like the latest anti-mal-ware? If
updates are supplied as authenticated read-only CDs or DVDs, the user
will lose them between the post-box and computer room, or they'll be
damaged (the dog ate it) or they'll be screaming about the extra costs
(postal delivery charges as well as the cost of producing the media),
never mind screaming at the hell-desks because they can't figure out
how to install/upgrade.

>> Are you willing to pay more to have this happen?
>
>That's the trouble. However, some ISPs are already better (arguably)
>than others; e.g. disallowing port 25 SMTP traffic except to the ISP's
>mail server. That could be a nuisance for some people and I don't like
>the idea of a restricted internet access (for me). I reckon many could
>do a better job at stopping botnet traffic from their own network at
>not too much extra cost.

Disallowing port 25 is one or two rules on the perimeter router, and
takes seconds to implement. Blocking bots is a lot more complicated
as now you are talking about analyzing traffic. Sure, I can throttle
traffic from individual IP addresses, but differentiating legitimate
traffic (someone downloading the latest CD - or worse, a DVD load - of
their perversion of choice, versus someone clicking on a URL that loads
graphics and other crap from a dozen or so content providers, versus
someone operating a Bit-Torrent/eDonkey/Napster or equal server) is
more complicated and subject to mis-interpretation (false alarms).

>> Some people have suggested confiscating computers that get 0wned.
>
>A less severe option would be to block network access apart from HTTP
>requests which would return a page informing them of the problem and
>the actions required to get back online.

It's been tried. Unsuccessfully. Your support costs skyrocket
because you have all the users who are blocked calling the hell-desk to
have _you_ fix the problem - after all, it's YOUR fault, because YOU
are the one blocking them. To make it work, there has to be a
monetary incentive for the users to avoid getting infected/0wn3d. If
that incentive is that they _don't_ have to pay 2-3 man-hours to have
their computer cleaned up, plus fees/fines for repeats, so be it. But
this concept has to apply to all connection providers equally. It makes
no sense to drive the clueless from responsible providers (who incur
added costs to admin the program, and income loss from customers moving
away) to the irresponsible providers unless those providers are
themselves shunned by a more responsible Internet community.

>>> [tty] annoyance would normally get us off our arses in the
>>> operators rest room and give it another job.
>
>> You didn't have a dedicated slave whose duty station was in the
>> dinosaur pit?
>
>Officially, someone was supposed to be there at all times. In practice
>it didn't always work like that. During the day, when many short jobs
>were scheduled, it was difficult to get away from the machine. The
>long jobs were usually left for the night shift and some would run for
>several hours without needing attention.

The usual solution was to have adequate bods scheduled during the day
when things were jumping, less numbers on the night shift.

>This gave us the chance to catch up on other tasks like maintaining
>the tape library.

One full time librarian, and grunt hours supplied by student interns.

>When I say "us", sometimes there was only one operator on the shift
>and at the main site there was more than one computer room. The
>problem arose when a long job had been underestimated or aborted
>itself a short way in.

I don't think we ever had just one operator on duty, other than when
someone called in sick. As for overestimation or aborts - that's a
common problem even today. Experience soon trims the waste to something
tolerable, and the operators always seem to _look_ busy. ;-)

Old guy