How do you handle dimwitted users?

normhaga
Today I had a computer return for service; last week I did a reinstall and malware removal on this computer, as I had the week before.

Today I went further than I usually do and tracked down how the user is constantly being infected with trojan rootkits and viruses.

In the past, I thought I had the problem resolved by installing that nagware SpyBot with Tea Timer. This did not work because the user is an indiscriminate "Clicker."

Why do I say that the site is installing malware? Because as soon as the logon button is clicked, Windows reports that IE7 is attempting to copy to the clipboard, all USB ports lose connectivity, the CD/DVD is no longer accessible, IE refuses to shut down and you have to do a forced power-down. When you come up after MSconfig starting only the services Windows needs, you again find the same rootkit and 65 viruses you just removed. On a clean install the same thing happens as soon as you log in to the site; it does not, however, happen when you log in with a browser other than IE.

Well, I tracked the installation of the malware down to one website that appears to be rooted. The site is: www.esp-inc.com. The malware is installed only after the user logs in (verified three times in a V.M.).

I told the user not to log into the site because it was installing the malware. Well, right in front of me the user logged into the site and immediately reinfected the box, then had the audacity to blame me.

The user needs to access this site to take some ultrasound exams, but at the time the site is unsafe.

I sent email to the site administrator informing him/her that the site appeared to be rooted and was installing malware and included logs showing this along with my bill for having to redo work.

Short of refusing to work on the user's computer because of stupidity, what can I do? Report the site to ICANN and Google as a malware purveyor? I did argue with someone who insisted that there was something installed on the computer that was installing the malware. They could not answer "What part of fresh install do you not understand?"
    OldER Mycroft

    Based on what it'll cost for the coming weeks / months, if this user continues to log in to the offending site.

    THAT might register with the bean-counters, and have the desired result.

    Or just set aside a certain amount of time every other day, for the work that you are certain will head your way! :)

    ComputerCookie

    As 'Old Mycroft' suggests, there is a problem,
    and excessive billing might be the go!

    However, it would be better to look for alternative resources!

    CharlieSpencer

    Can you block it at the client, maybe in the Hosts file? Depending on how often the user needs to access the site, it may be worth your trouble to block it for him and just pull the ultrasound results for him from a VM.
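    Added example (not from the thread or any poster): a small script that makes the hosts-file block above reproducible, rather than hand-editing the file each time. It assumes the hostnames named earlier in the thread (esp-inc.com and its www. form), a sinkhole address of 0.0.0.0, and a marker comment of our own choosing so the entries can be found and removed again; the hosts-file path is the standard Windows or Unix one unless you pass a file on the command line, which lets you try it on a copy first.

```python
"""Idempotent hosts-file block for a known-bad site.

Added example, not from the original thread. Assumed: the Windows hosts path
under %SystemRoot%\\System32\\drivers\\etc (or /etc/hosts elsewhere), the
hostnames from the thread, and a marker comment invented here.
"""
import os
import sys
from pathlib import Path

MARKER = "# blocked-by-helpdesk"   # assumed tag so our lines can be found/removed later

# Hostnames to sinkhole. The bare name and the www. form both need entries:
# hosts-file matching is exact, there are no wildcards. (Names from the thread.)
BLOCKED_HOSTS = ["esp-inc.com", "www.esp-inc.com"]

SINK_ADDRESSES = ("0.0.0.0", "127.0.0.1", "::1")


def _entry_hosts(line):
    """Return the set of hostnames on one hosts-file line (empty for comments/blank)."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return set()
    parts = body.split()
    return set(parts[1:])            # parts[0] is the address


def add_blocks(text, hosts=BLOCKED_HOSTS, sink="0.0.0.0"):
    """Return hosts-file text with every name in `hosts` mapped to `sink`.

    Idempotent: a name already present on any line is left alone, so re-running
    the tool never duplicates entries. 0.0.0.0 is used instead of 127.0.0.1 so
    the browser fails immediately rather than knocking on a local web server.
    """
    present = set()
    for line in text.splitlines():
        present |= _entry_hosts(line)
    missing = [h for h in hosts if h not in present]
    if not missing:
        return text
    out = text if (not text or text.endswith("\n")) else text + "\n"
    for h in missing:
        out += "%s %s %s\n" % (sink, h, MARKER)
    return out


def remove_blocks(text):
    """Drop every line this tool added (identified by MARKER)."""
    keep = [l for l in text.splitlines() if not l.rstrip().endswith(MARKER)]
    return "\n".join(keep) + ("\n" if keep else "")


def is_blocked(text, host):
    """True if `host` is mapped to a sinkhole address anywhere in the file."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) >= 2 and host in body[1:] and body[0] in SINK_ADDRESSES:
            return True
    return False


def default_hosts_path():
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else default_hosts_path()
    original = path.read_text(encoding="utf-8", errors="replace")
    updated = add_blocks(original)
    if updated != original:
        path.write_text(updated, encoding="utf-8")   # needs admin/root rights
    for h in BLOCKED_HOSTS:
        print("%s: %s" % (h, "blocked" if is_blocked(updated, h) else "NOT blocked"))
```

    Two caveats worth keeping in mind with this approach. It only intercepts lookups by name, so it does nothing if the site is reached by IP address or under a hostname not on the list, and Windows caches DNS results, so run `ipconfig /flushdns` after editing. More importantly, the hosts file is writable by any code running as administrator, which is exactly what a rootkit has, so treat it as a speed bump for the user's clicking finger rather than a control against the malware itself; and as noted further down the thread, the VM used to fetch the results for the user needs its own, unblocked hosts file.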

    jdclyde

    until they respond that their infection has been removed.

    CharlieSpencer

    is that will also keep normhaga from accessing it for the user from the VM.

    jdclyde

    allows for exceptions to the rules....

    And am I really the only one with access to a connection outside of the firewall? :0

    jck

    abusing your status...like a good right-winger lol

    jdclyde

    When I need to download a disk image, I don't hurt the network performance.

    The REAL reason I set it up for our department is so I have a connection outside the network so I can set up laptops with VPN. Can't tunnel in if you are already in, right?

    And yes, it is openly available and well known. B-)


    sad

    jck

    you take pride in having open access where others don't...and you could program those routers, Mr. Cisco, to restrict them to certain things they need outside.

    no cookies for you, Mister!!!! :^0

    (btw, did i mention i still have access to two county government networks? lol)

    jdclyde

    about being openly available AND well known.

    When a user has need, I set them up.

    At any point, my co-workers have access for when they need to download something.

    I also have an access point outside the network, so anyone with a laptop just has to select THAT one instead of the one inside the network. I teach them that is for when they need to work over the web, and don't need local access.

    It has made a big difference in the hits to my LAN. B-)

    Firewall is to keep people out, not to keep us in. ;\

    jck

    just thought you were talking about your own access to the internet, and gloating that it was openly known to be open only for you :^0

    CharlieSpencer

    I don't have one at this location, but our HQ bypasses it for guest systems (vendors, customers, contractors, etc.)

    I used to have an analog line to test modems and dial-up connectivity, but we don't support dial-up remote access any more, so we had it taken out.

    jdclyde

    and just like the crappy dial-up wizard, you need to establish a connection to save the settings. X-(

    CharlieSpencer

    I'd love to be able to configure all dial-up connections and wireless profiles as Admin and have them apply to all users, instead of having to configure them individually each time I give someone a loaner laptop. At least I don't have to worry about dial-up any more.

    jdclyde

    And this is an example of why I changed all of my users from IE over to FF. I WAS spending about 60% of my time doing nothing but cleaning malware infections. Changed to FF, and not even 5% of my time is now spent on cleanups.

    When you do the paperwork for the job, make sure to point out that the user has been told where the infection comes from, and any future infections have to be seen as intentional.

    DadsPad

    Check to see if he is being redirected to a site that just looks like the one he wants.

    If FF does not load the malware, then make one icon that just says Internet, delete all other icons he will use to go to site. Save the site so he can get to it.

    Is this a medical site? Does his doctor recommend the site for ultrasound exams? Or is he studying (I will not go to the site, since you warned of malware) for an exam to pass?

    Of course, sometimes you just need to smile and charge to fix. :)

    normhaga

    and offered to rescind my bill if the malware was removed in a timely manner.

    Repaired the afflicted computer and logged in about 3:00 MST; voilà, no malware, no rootkits.

    For those that were asking, the site is a testing and study base for some medical procedures.

    I attempted to recover most of the user's data, but he lost several in-progress tests and some other data; from the extensions, I would say spreadsheets or term papers.

    Damned user, he was unhappy that I did not install Adobe Reader in the reinstall. He did not ask. I destroyed a flash drive recovering what I could recover, and damned near destroyed an HD when I plugged it into the USB port; the malware slammed the head several times. The port is now shot. This is the cost of not listening when someone tells you in certain terms not to log on to a site. Flipping malware actually locked the user's data in such a way that I could not access it from Linux or DaRT and could not change the permissions nor take ownership. Had to use R-Studio. I need to look deeper into how the directory was locked.

    DelbertPGH

    Honestly, without dumb screwups to fix, would you have a full-time job?

    dleippe

    When you say "fresh install", have you "reformatted" or "reimaged" the drive? Assuming the image is clean, the system is "fresh". If you reformat the system you have not "wiped" the drive and you do not have a "fresh" install. Formatting is not low level. It only flags all the files in the old file system as deleted, not erased or wiped. Rootkits and other malware can still be on the drive...

    pdouglas4294

    I agree with DLeippe.
    Where I work, if there is a machine that has a problem (besides the user), we use a wiping program to THOROUGHLY wipe the disk 3 times. We will also wipe the drive before we survey a machine to ensure no "Paid For / Licensed" software or data is on the machine. One free one out there is DBAN (http://www.dban.org/). We use a paid-for one, KillDisk (http://www.killdisk.com/).

    This is along the lines of going through your vegetable bed with a roto-tiller and spraying Roundup and Pesticide as you go.

    (Now, if we could "KillDisk" and re-format some users!!)

    Russell Gates

    A friend (sysadmin) had a client that couldn't help but click on that darn Snow White & The Seven Dwarves virus. Yes, a long time ago. He ended up setting the virus scan to run a thorough, 100% slow a** scan EVERY time this guy opened ANY file!! His boss thought it was the funniest thing in the world. Guy learned his lesson.
