Trojan Downloader

Happy January!

The Background:
An employee logged onto our VPN at 6:24PM Friday, January 16th 2009.
The same employee downloaded and installed the Win32/Kryptik.ET Trojan. This is a new version of the downloader trojan, which tries to download a shittonne (technical term) of other bad programs – think AntiVirus 2009.
This new version of the Trojan was only halfway quarantined by the antivirus: it caught the half that was old, but not the newly released part.
The Trojan attempted to download another random bad program (see above) every 6 seconds
The AV caught each of these attempts and quarantined them

The Bad:
Every item quarantined sends an email to my helpdesk email box
Every 6 seconds an item was quarantined
The user was logged in from 6:24PM Friday night until I manually kicked him off at 8:55 this morning (Monday).

The Math:
63 hours
3780 minutes
226800 seconds
37800 emails, although I only had about 37200 emails to go through.
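As an added example (not part of the original post), here is the alert-volume problem from "The Bad" and "The Math" in code: a constructed stream of one quarantine event every 6 seconds for 63 hours, counted once the way the helpdesk mailbox saw it (one email per event) and once through a throttled notifier that collapses repeats of the same host/threat pair into an hourly digest. The host name, threat label and one-hour digest window are my assumptions; the 6-second cadence and 63-hour window come from the post.

```python
"""Alert-storm simulation: one email per quarantine event vs. a throttled digest.

Added example, not from the original post. Host name, threat label and the
digest window are constructed assumptions; the 6-second cadence and 63-hour
window are taken from the post.
"""
from collections import defaultdict

EVENT_INTERVAL_S = 6        # one quarantine every 6 seconds (from the post)
WINDOW_S = 63 * 3600        # 63 hours of VPN session (from the post)


def generate_events(host="vpn-laptop-01", threat="Win32/Kryptik.ET payload"):
    """Construct the synthetic quarantine stream (assumption: same host and threat each time)."""
    return [
        {"t": t, "host": host, "threat": threat, "action": "quarantined"}
        for t in range(0, WINDOW_S, EVENT_INTERVAL_S)
    ]


def naive_notifier(events):
    """Behaviour described in the post: every quarantine event sends its own email."""
    return len(events)


def throttled_notifier(events, digest_window_s=3600):
    """Alert once on first sighting of a (host, threat) pair, then roll repeats
    into one digest email per window. Returns the emails that would be sent;
    each carries a count, so the volume is preserved while the noise is not.
    """
    emails = []
    window_start = {}          # (host, threat) -> start time of current digest window
    counts = defaultdict(int)  # (host, threat) -> events seen in current window

    for ev in events:
        key = (ev["host"], ev["threat"])
        if key not in window_start:
            # First sighting: page immediately so new activity is never delayed.
            window_start[key] = ev["t"]
            emails.append({"host": key[0], "threat": key[1], "count": 1, "kind": "new"})
            continue
        counts[key] += 1
        if ev["t"] - window_start[key] >= digest_window_s:
            # Window elapsed: send one digest summarising everything since the last mail.
            emails.append({"host": key[0], "threat": key[1], "count": counts[key], "kind": "digest"})
            window_start[key] = ev["t"]
            counts[key] = 0

    # Flush partial windows so the tail of the storm is still reported.
    for key, n in counts.items():
        if n:
            emails.append({"host": key[0], "threat": key[1], "count": n, "kind": "digest"})
    return emails


def summarize(events):
    """Compare both strategies on the same event stream."""
    throttled = throttled_notifier(events)
    return {
        "events": len(events),
        "naive_emails": naive_notifier(events),
        "throttled_emails": len(throttled),
        "events_reported": sum(e["count"] for e in throttled),
    }


if __name__ == "__main__":
    print(summarize(generate_events()))
```

The first event still produces an immediate email, so the on-call learns about new activity as fast as before; the 63-hour storm then collapses to a few dozen hourly digests instead of tens of thousands of identical messages, and the counts in the digests add up to the original event total, so nothing is lost for the incident write-up.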

User Conversations:
Phone Call to my Voicemail:
Hey Jason, it’s ****, Uh, gimme a call back on my cell ***-****. I think I got a virus. Bye.

Email:
Subject: VPN Connection
Body: I gots none…

Me:
You’ll have to bring in your computer for repairs.

Response:
Something happen? Eset said i had a something going on

Me:
You’ll have to bring in your computer for repairs. No VPN connection until we can repair your system.

Response:
OK, I’ll bring it in tomorrow am

Argh. The home users are the worst since they don’t view internet through our firewall with content filtering. Even if we disabled split-tunneling they would be able to connect to the internet when not VPN’d into the company network. I’m thinking about making everything run via Citrix sessions…

***UPDATE***

It is now 28 hours later.

Me: It’s actually “tomorrow pm” now.
I may or may not have time Wednesday to get to your machine.

User: Why remote trouble shooting bro. Have calls now that i have to reschedule

Me: Not quite sure what that means. If it means you’ll bring it in actually tomorrow morning, then yes.

User: No i mean why do i have to bring it in. Doh

Me: Well, technically you don’t have to bring it in. However, I can’t enable your VPN connection until it is brought in.
Not to sound like a jerk or anything, but we can’t let an infected machine on the network.

User: No worries. Why didn't you just say that. There is no virus though. Can you tell me how i log in by IE?

I’m actually not sure how to answer this one. So I wait, and get three phone calls from this user – all of which I decide not to answer. Oh look, a voicemail!

No ya goof, what I meant is why do I gotta bring it in? We can’t do anything remotely. Uh, gimme a call back, ***-****, thank you.

Wow. Just wow. I’m sure there will be more updates, but so far this is what I have:
User downloads virus
I receive emails
User leaves me a voicemail saying he thinks he has a virus
User accepts fate and says he’ll bring in his machine
User does not bring in his machine
User wants to know why I can’t fix it remotely
Argh.
