2026-06-11
The most common sentence I heard across a bench for years was some version of "I already wiped it and it came back." The owner is rarely wrong about what they observed. They're wrong about what "wiped" means. A reinstall resets the part of the machine the wizard shows you. The infection doesn't live in the part the wizard shows you. That's the whole trick.
Here's where "clean" machines stay dirty, roughly in order of how often I actually saw it — not in order of how exciting it sounds.
Not the computer. The router. Compromised home routers re-poison fresh installs by handing out a rogue DNS server with the DHCP lease, and the new OS trusts it on first boot, because why wouldn't it. The machine is clean for about four seconds. Symptom: reinstall "fails" identically every time, same redirects, same fake update prompts. If two different devices in the same house show the same symptom, stop reimaging laptops and go look at the router. Factory-reset it, update its firmware, set its DNS by hand, change the admin password to something that isn't on the sticker.
"Reinstall" for most people means the built-in reset option, which restores from a recovery image sitting on the same disk. If the malware wrote itself into that image, or into the OEM provisioning scripts that run on first boot, you have laundered the infection through the recovery process and given it a fresh certificate of cleanliness. A reinstall you didn't boot from external, known-good media is a rumor of a reinstall.
The D: drive that "just has my files on it." Scheduled tasks and startup entries are happy to point at an executable on a data partition that the reset never touched. The OS is new; the first thing it's asked to do is run last year's problem. Restored backups do the same thing with more ceremony. Wipe means every disk, and backups get scanned before they get restored, not after.
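One way to audit for exactly this, as an added example that is not from the original post: Windows keeps each scheduled task as an XML file under the Tasks folder, so the script below parses that format and flags any action whose command, arguments or working directory name a drive other than the system drive. The task definition it runs against is constructed; the folder path is the standard one and the scan is read-only (reading it needs administrative rights).

```python
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Namespace used by Windows scheduled-task XML definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# A drive letter followed by ':\' that is not preceded by a word char or backslash
DRIVE_RE = re.compile(r"(?<![\w\\])([A-Za-z]):\\")

def drives_referenced(text: str) -> set:
    """Upper-case drive letters named in a command, argument or path string.
    Unexpanded variables such as %SystemRoot% are ignored: on a default
    install they expand onto the system drive anyway."""
    return {m.group(1).upper() for m in DRIVE_RE.finditer(text)}

def off_system_actions(task_xml, system_drive: str = "C") -> list:
    """Return every Exec action in one task definition (str or bytes) whose
    command, arguments or working directory touch a drive other than the
    system drive. A reset that only reimages the OS volume leaves those
    targets in place, ready to run on first boot."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        fields = {}
        for tag in ("Command", "Arguments", "WorkingDirectory"):
            node = exec_node.find(f"t:{tag}", NS)
            fields[tag] = (node.text or "").strip() if node is not None else ""
        referenced = set().union(*(drives_referenced(v) for v in fields.values()))
        foreign = sorted(d for d in referenced if d != system_drive.upper())
        if foreign:
            findings.append({"command": fields["Command"],
                             "arguments": fields["Arguments"], "drives": foreign})
    return findings

# Constructed sample: one benign action and two that reach onto D:
SAMPLE_TASK_XML = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\notepad.exe</Command></Exec>
    <Exec><Command>D:\Backup\sync.exe</Command><Arguments>--quiet</Arguments></Exec>
    <Exec><Command>C:\Windows\System32\cmd.exe</Command>
          <Arguments>/c "d:\tools\run.bat"</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    # Usage: python audit_tasks.py C:\Windows\System32\Tasks  (no argument: sample)
    task_dir = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    sources = ([(str(p), p.read_bytes()) for p in task_dir.rglob("*") if p.is_file()]
               if task_dir else [("sample", SAMPLE_TASK_XML)])
    for name, xml_data in sources:
        for f in off_system_actions(xml_data):
            print(f"{name}: {f['command']} {f['arguments']} -> drives {f['drives']}")
```

Real task files are UTF-16 with a byte-order mark, which the XML parser detects when handed raw bytes; the same idea applies to Run keys and the Startup folder, which this script does not cover.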
Increasingly the persistence isn't on hardware at all. Browser profile sync cheerfully restores a malicious extension onto the fresh install the moment you sign in. Mail rules forward a copy of everything somewhere quiet. OAuth grants from some app authorized in 2023 keep their access no matter how many times you reformat, because they were never on the disk to begin with. After any serious incident: review extensions, mail rules, app passwords, authorized applications, and active sessions on every account that machine touched. Sign everything out. Then change passwords, in that order, not the other way around.
Yes, EFI/firmware implants exist. Yes, malicious code can survive in the EFI system partition or in a writable firmware region, below anything a reinstall touches. No, the odds that this is what hit a random consumer laptop are not high — this tier mostly shows up where someone was worth the effort. But it's cheap to rule out: update the firmware from the vendor (a reflash overwrites most of the real estate in question), wipe the full disk including the ESP, and if the threat model genuinely warrants the word "implant," the honest answer is new hardware and a quiet conversation, not another scan.
None of this is glamorous. That's how you know it works. The reinfections I saw were almost never an exotic adversary defeating a thorough cleanup. They were a thorough adversary defeating an exotic definition of the word "clean."
leadline / TG-8191