Rebuilding vs cleaning infected computers

An archived post from my previous blog, written in 2014, but still relevant today.

Malware and malicious code are common problems for computer users.  From basic but annoying pop-up adware to nation-state funded, complex attacks (a la Stuxnet), the problem exists for users of all ages, races and platforms.  There's no safe haven anywhere (albeit Windows is more targeted than the other OSes) unless you want your computer off the grid with all your USB and storage connectors disabled.

When an infection is discovered, the problem of what to do next begins.  A simple infection like a fake antivirus application / scareware might take 15 minutes to clean by hand (I've become quite used to neutering these) but there's no guarantee the whole infection is really gone.  Throw a rootkit in there, which you might never find, and you're even more under threat (although you probably don't know it).  It's easy to say "just rebuild the machine" but there's time associated with that - first install the OS, then the applications, copy the user data from backup (you have a backup, right?!) and configure the environment how you like it.  All of that can take time and it's the reason people don't rebuild after every "minor" infection.

Would I?  Probably not, depending on how confident I was that I'd really killed the thing (and even then I'd never say it was definitely gone).

I was aware of a computer recently which became infected with something.  It wasn't immediately apparent what had gone on.  The user only became aware when they attempted to use their Internet banking and later discovered that a fraudulent payment had been attempted.  The machine was cleaned (not by me) and the results of the scan said a key logger and various trojans had been found.  There may have been a rootkit too.

Hold on - key logger?

Yeah, key logger.  Now, I don't know about you but the idea that someone can see every keystroke I enter is somewhat terrifying.  I'm not exactly finding a need to hide a government secret or a hidden lover but I still don't want my privacy invaded by someone thousands of miles away.  I'd have rebuilt that computer at the sight of the term "key logger".  The total count of infections was much higher than just what I've listed here.

Instead, the computer was cleaned and given back to the user.  A few days later the user reported odd behaviour again, and the machine was erased and started again.

It's a difficult decision when you're a business.  A cleanup might only take a couple of hours (at £90 an hour), so it could be considered a reasonable spend if the infections can be proved to be removed.  Clearly they can't always be (do you take a hash of all the OS files on your computer every hour?), so that's still a risk.  Conversely, rebuilding the unit from scratch could take half a day (4 hours, maybe) but at least you know the infection is gone.
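The hashing question above is the crux of "can we prove the cleanup worked": without a known-good baseline there is nothing to compare the cleaned machine against.  The following is an added example (not code from the original post) of the minimal version of that baseline: it records a SHA-256 of every file under a directory, stores it as JSON, and later reports what was added, removed or modified.  The directory names and file contents in `demo_tamper_detection` are constructed stand-ins, not real OS files.  Note the caveat that matches the post's own point: a hash check run from inside an infected OS can be lied to by a rootkit, so the baseline is only trustworthy when it was taken while the machine was clean and the comparison is run from clean media (or the disk is mounted read-only on another machine).

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path -> SHA-256).

    Symlinks are skipped so a link pointing outside the tree cannot be
    mistaken for a changed file.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared or changed between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; keep this copy somewhere the machine cannot overwrite it."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def demo_tamper_detection() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"  # constructed stand-in for an OS directory
        (root / "drivers").mkdir(parents=True)
        (root / "kernel32.dll").write_bytes(b"original library bytes")
        (root / "drivers" / "disk.sys").write_bytes(b"original driver bytes")
        (root / "notepad.exe").write_bytes(b"original editor bytes")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering after the baseline was taken:
        # one binary patched, one unexpected file dropped, one file removed.
        (root / "kernel32.dll").write_bytes(b"original library bytes + patched section")
        (root / "drivers" / "dropped.sys").write_bytes(b"unexpected new driver")
        (root / "notepad.exe").unlink()

        return compare_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo_tamper_detection(), indent=2))
```

Running the script prints the three lists; on a real machine you would call `build_baseline` on the system directory while it is known clean, keep the JSON off the box, and run `compare_baselines` against a fresh scan taken from boot media before deciding whether a cleanup can be trusted.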

Where am I going with this?  This isn't a rant (although I was surprised at the decision the IT professional in this case took) but it aims to make you think.  How much do you value your data?  Is it really worth the risk that the infection is still there?  Where finance is concerned, I'd argue starting again is the best approach.