Most of us have faced a time when a machine gets compromised with malware. In some cases it gets to the point where cleaning the infected computer is too time consuming or too difficult, so the easy option is to wipe the machine and rebuild it.
Just before the forensic community (or some of my fellow handlers) lynch me for making this over-generalised, evidence-eliminating statement, allow me to elaborate.
Nuke it from orbit*
The format and rebuild statement normally comes from the following groups:
Over worked IT staff
The owner who's just spent the last hour on search engines working out how to fix their slow (utterly infected) PC
The security team
Everyone but the security team can be grouped as those that are not interested in analysing, understanding or knowing what happened on the particular machine. They just want their machine(s) back to normal ASAP so they can go about their business.
The security team, in contrast, have made this call as part of a calculated decision, after collecting the evidence they need to get the business running safely again.
The decision to rebuild is considerably easier for those with a standard operating environment (SOE) or managed operating environment (MOE). This allows for a rapid deployment of a fully functional operating system with all the previous applications. This is a thing of beauty, bringing tears of joy to the most hardened PC tech, as it's a fast, reliable and easy complete redeployment with a simple press of a few buttons. The assumption is - and I want to be very clear on this - that any user data is safely saved elsewhere, not on the PC about to be formatted and rebuilt.
The problem child
So what happens when you are confronted with a machine that needs to be wiped and rebuilt, but no-one has a clue what's on it or if it's ever been backed up?
I like to call this the friend/family PC scenario, or the forgotten machine out back that runs the company's disaster-in-waiting.
Before even thinking about nuking this type of PC, there are normally two distinct areas to be worried about on these systems: data and applications.
For the very wise or very paranoid amongst us, a full image of the troublesome system is the way to go. This provides a working image of the machine to refer back to quickly and avoids a great deal of painful conversations along the lines of "but you never mentioned that". Tools such as Sysinternals' Disk2vhd make a complete online virtual image of the problem system; those that run other virtualisation software will have their own equivalents. The next step is to know what you're getting into.
An audit of all the known software on the machine, with first a verbal interrogation of the owner followed by a physical examination of the machine, provides a solid picture of what needs to be on the clean system. This is where recording your findings, the conversation with the owner and the process used to rebuild the machine can help in the future, should this happen again.
Dude, where's my data?
Losing data doesn't sound too bad until that data is someone's child's first steps or the company payroll. As a suggested list of files and folders to be sure you have:
Browser favourites and configuration files
Microsoft Office configuration
Email folders (.pst files and the like)
The entire My Documents folders
Files and folders saved in weird locations known only to the owner or the application
To alleviate some of the pain of manually hunting for these files, Microsoft offers a number of tools to export data off and these are well worth reviewing:
Office Save My Settings Wizard
File and Settings Transfer Wizard
User State Migration Tool
Windows Easy Transfer
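The software audit and the data checklist above lend themselves to a script run before the machine is wiped. This is an added example, not from the diary or any of the Microsoft tools listed: it records installed software from the registry Uninstall keys, copies the listed profile locations (favourites, Documents, Office templates, Outlook mail stores) to a destination with a SHA-256 manifest so the restore can be verified, and sweeps the system drive for stray .pst files. The destination path and the profile sub-folders are assumptions; run it elevated and point $Dest at storage the infected machine cannot otherwise write to.

```powershell
# Added example: pre-rebuild inventory of a Windows machine (hypothetical $Dest path).
param([string]$Dest = "E:\rebuild-backup\$env:COMPUTERNAME")
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Software audit from the Uninstall keys (native and 32-bit views), to check the
#    owner's verbal list against what was actually installed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName |
    Export-Csv -Path (Join-Path $Dest 'installed-software.csv') -NoTypeInformation

# 2. The data locations from the checklist, for every local user profile.
$subFolders = 'Favorites', 'Documents',
              'AppData\Roaming\Microsoft\Templates',   # Office Normal.dotm and friends
              'AppData\Local\Microsoft\Outlook'        # default .pst/.ost location
$profiles = Get-ChildItem 'C:\Users' -Directory |
    Where-Object { $_.Name -notin 'Public', 'Default' }
$manifest = foreach ($p in $profiles) {
    $sources = $subFolders | ForEach-Object { Join-Path $p.FullName $_ } |
        Where-Object { Test-Path $_ }
    foreach ($src in $sources) {
        $target = Join-Path $Dest $src.Substring(3)    # drop the "C:\" prefix
        robocopy $src $target /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
        # Hash every copied file so the restore can be checked against this manifest.
        Get-ChildItem $target -Recurse -File | ForEach-Object {
            [pscustomobject]@{
                Profile = $p.Name
                Path    = $_.FullName
                SHA256  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}
$manifest | Export-Csv -Path (Join-Path $Dest 'data-manifest.csv') -NoTypeInformation

# 3. The "weird location" case: list any .pst file anywhere on the system drive so it
#    can be copied by hand before the format.
Get-ChildItem 'C:\' -Recurse -Filter '*.pst' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $Dest 'stray-pst-files.csv') -NoTypeInformation
```

The three CSV files are the written record the audit paragraph asks for; keep them with the Disk2vhd image rather than on the rebuilt machine.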
Game over man, game over
Applications are just as important for any system, so ensuring you can get copies of the installation media and the license keys for software, including the original operating system, is a must.
For lost license keys, software such as The Magical Jelly Bean Keyfinder can recover most standard product keys.
For those applications for which the original installation media no longer exists and the vendor can't supply a replacement copy, this may be an opportunity to upgrade or migrate to a new application.
As a final note, be aware that there may be wacky hardware installed, and the drivers for ancient ISDN/video/sound/modem/and so on cards were last seen back in the 90s. The very best of luck with that.
As always, if you have any better suggestions, insights or tips please feel free to comment.
*This frequently used phrase is taken from the movie Aliens, and the actual quote from the character Ripley is: "I say we take off and nuke the entire site from orbit. It's the only way to be sure."
Who knew James Cameron was really making a movie about the folly of poor incident response? Ripley is the lead incident handler dealing with this infection outbreak, and those who overrule her later discover they should have really taken Ripley's expert advice to save them from what is certainly a very painful way to go.
Chris Mohan --- Internet Storm Center Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.