How do you handle dimwitted users?

By normhaga
Today I had a computer return for service; last week I did a reinstall and malware removal on this computer, as I had the week before.

Today I went further than I usually do and tracked down how the user is constantly being infected with trojan rootkits and viruses.

In the past, I thought I had the problem resolved by installing that nagware SpyBot with Tea Timer. This did not work because the user is an indiscriminate "Clicker."

Why do I say that the site is installing malware? Because as soon as the logon button is clicked Windows reports that IE7 is attempting to copy to the clipboard, all USB ports lose connectivity, the CD/DVD is no longer accessible, IE refuses to shut down and you have to do a forced power-down. When you come up after MSconfig starting only the services Windows needs, you again find the same rootkit and 65 viruses you just removed. On a clean install the same thing happens as soon as you log in to the site; it does not, however, happen when you log in with a browser other than IE.

Well, I tracked the installation of the malware down to one website that appears to be rooted. The site is: www.esp-inc.com. The malware is installed only after the user logs in (verified three times in a V.M.).

I told the user not to log into the site because it was installing the malware. Well, right in front of me the user logged into the site and immediately reinfected the box, then had the audacity to blame me.

The user needs to access this site to take some ultrasound exams, but at the time the site is unsafe.

I sent email to the site administrator informing him/her that the site appeared to be rooted and was installing malware and included logs showing this along with my bill for having to redo work.

Short of refusing to work on the user's computer because of stupidity, what can I do? Report the site to ICANN and Google as a malware purveyor? I did argue with someone who insisted that there was something installed on the computer that was installing the malware. They could not answer "What part of fresh install do you not understand?"


i didn't miss it...

by jck In reply to Actually, it is work rela ...

just thought you were talking about your own access to the internet, and gloating that it was openly known to be open only for you :^0


Nope.

by CharlieSpencer In reply to A decent firewall

I don't have one at this location, but our HQ bypasses it for guest systems (vendors, customers, contractors, etc.)

I used to have an analog line to test modems and dial-up connectivity, but we don't support dial-up remote access any more, so we had it taken out.


Same connection, basically

by jdclyde In reply to Nope.

and just like the crappy dial-up wizard, you need to establish a connection to save the settings. X-(


Don't you love that?

by CharlieSpencer In reply to Same connection, basicall ...

I'd love to be able to configure all dial-up connections and wireless profiles as Admin and have them apply to all users, instead of having to configure them individually each time I give someone a loaner laptop. At least I don't have to worry about dial-up any more.


You can't save people from themselves

by jdclyde In reply to How do you handle dimwitt ...

And this is an example of why I changed all of my users from IE over to FF. I WAS spending about 60% of my time doing nothing but cleaning malware infections. Changed to FF, and not even 5% of my time is now spent on cleanups.

When you do the paperwork for the job, make sure to point out that the user has been told where the infection comes from, and any future infections have to be seen as intentional.


Some other suggestions

by DadsPad In reply to How do you handle dimwitt ...

Check to see if he is being redirected to a site that just looks like the one he wants.

If FF does not load the malware, then make one icon that just says Internet, delete all other icons he will use to go to site. Save the site so he can get to it.

Is this a medical site? Does his doctor recommend the site for ultrasound exams? Or is he studying (I will not go to the site, since you warned of malware) for an exam to pass?

Of course, sometimes you just need to smile and charge to fix. :)


Sent email along with my bill...

by normhaga In reply to How do you handle dimwitt ...

and offered to rescind my bill if the malware was removed in a timely manner.

Repaired the afflicted computer and logged in about 3:00 MST; voila, no malware, no rootkits.

For those that were asking, the site is a testing and study base for some medical procedures.

I attempted to recover most of the user's data, but he lost several in-progress tests and some other data; from the extensions, I would say spreadsheets or term papers.

Damned user, he was unhappy that I did not install Adobe Reader in the re-install. He did not ask. I destroyed a flash drive recovering what I could recover, and damned near destroyed an HD when I plugged it into the USB port; the malware slammed the head several times. The port is now shot. This is the cost of not listening when someone tells you in certain terms not to log on to a site. Flipping malware actually locked the user's data in such a way that I could not access it from Linux or Dart and could not change the permissions nor take ownership. Had to use R-Studio. I need to look deeper into how the directory was locked.


Apply a chilled paycheck to your forehead, and think how good it feels

by DelbertPGH In reply to How do you handle dimwitt ...

Honestly, without dumb screwups to fix, would you have a full-time job?


Fresh Install?

by dleippe In reply to How do you handle dimwitt ...

When you say "fresh install", have you "reformatted" or "reimaged" the drive? Assuming the image is clean, the system is "fresh". If you reformat the system you have not "wiped" the drive and you do not have a "fresh" install. Formatting is not low level. It only flags all the files in the old file system as deleted, not erased or wiped. Root kits and other malware can still be on the drive...


Need 2 Wipe Out

by pdouglas4294 In reply to Fresh Install?

I agree with DLeippe.
Where I work, if there is a machine that has a problem (besides the user), we use a wiping program to THOROUGHLY wipe the disk 3 times. We will also wipe the drive before we survey a machine to ensure no "Paid For / Licensed" software or data is on the machine. One free one out there is DBAN (http://www.dban.org/). We use a paid-for KillDisk (http://www.killdisk.com/).

This is along the lines of going through your vegetable bed with a roto-tiller and spraying Roundup and Pesticide as you go.

(Now, if we could "KillDisk" and re-format some users!!)
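An added illustration of the point dleippe and pdouglas4294 make above (this is not code from either poster, nor from DBAN or KillDisk): a constructed Python toy "disk image" whose directory table lives in sector 0. A quick format zeroes only that table, so the file vanishes from the listing but a raw signature scan (the kind a forensic carving tool, or a rootkit loader, would do) still finds the data; only a full multi-pass overwrite removes it. The sector layout, table format and `EXAMDATA` signature are all made up for the demonstration.

```python
"""Toy disk image showing why a quick format is not a wipe.

Constructed example: the 'disk' is a bytearray of 64 sectors; sector 0 is a
made-up directory table of 'name:start_sector:length' records; 'files' are the
byte ranges the table points at. None of this models a real file system.
"""
import os

SECTOR = 512
N_SECTORS = 64          # 32 KiB toy disk


def new_disk():
    return bytearray(SECTOR * N_SECTORS)


def _read_table(disk):
    # Table is a NUL-padded ASCII string of ';'-separated records in sector 0.
    raw = bytes(disk[:SECTOR]).split(b"\x00", 1)[0].decode()
    entries = []
    for rec in filter(None, raw.split(";")):
        name, start, length = rec.split(":")
        entries.append((name, int(start), int(length)))
    return entries


def _write_table(disk, entries):
    raw = ";".join(f"{n}:{s}:{l}" for n, s, l in entries).encode()
    if len(raw) >= SECTOR:
        raise ValueError("toy directory table full")
    disk[:SECTOR] = raw.ljust(SECTOR, b"\x00")


def write_file(disk, name, data):
    entries = _read_table(disk)
    # First free sector: just past the last allocated file, or sector 1 when empty.
    next_free = max((s + -(-l // SECTOR) for _, s, l in entries), default=1)
    needed = -(-len(data) // SECTOR)
    if next_free + needed > N_SECTORS:
        raise ValueError("toy disk full")
    off = next_free * SECTOR
    disk[off:off + len(data)] = data
    entries.append((name, next_free, len(data)))
    _write_table(disk, entries)


def list_files(disk):
    return [name for name, _, _ in _read_table(disk)]


def quick_format(disk):
    # What a quick format does in spirit: throw away the metadata, touch no data.
    disk[:SECTOR] = b"\x00" * SECTOR


def full_wipe(disk, passes=3):
    # Multi-pass overwrite in the style of DBAN/KillDisk: random passes, then zeros.
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = b"\x00" * len(disk)


def carve(disk, signature):
    # Raw scan of every byte for a known signature; ignores the directory table.
    hits, pos = [], 0
    while (pos := disk.find(signature, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def demo():
    disk = new_disk()
    payload = b"EXAMDATA" + b"answer sheet for module 3\n" * 10   # constructed content
    write_file(disk, "exam.txt", payload)
    after_write = list_files(disk)                 # ['exam.txt']
    quick_format(disk)
    after_format = (list_files(disk), len(carve(disk, b"EXAMDATA")))  # ([], 1)
    full_wipe(disk)
    after_wipe = len(carve(disk, b"EXAMDATA"))     # 0
    return after_write, after_format, after_wipe


if __name__ == "__main__":
    print(demo())
```

The `carve` step is the whole argument: once the table is gone, nothing in the file system "knows" about `exam.txt`, yet the bytes sit exactly where they were until something overwrites them, which is also why reinstalling on top of a quick format does not get rid of data the old install left behind.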
