Thanks for starting the thread, very interesting discussion.
I'm no expert, so I'll add my disclaimer in addition to smccain's.
Having a routine backup strategy is, in my opinion, the best way to maintain that "peace of mind" factor with your PC since there's no AV / anti-malware product that can provide 24/7 guaranteed protection against all malicious threats that are constantly being introduced into the cyberworld on a daily basis.
I rely on my AV & antimalware tools to alert me if something's wrong, as well as looking at CPU usage and processes in Task Manager.
If you have a proven recovery methodology that is maintained on a regular basis, you'll be able to recover from virtually any malicious intrusion into your PC.
As quietman7 provided in his posts and links, fortunately, the BIOS and firmware infection scenarios are rare. That being the case, the HDD is where I focus my backup routines.
I clone my HDD every couple of weeks in addition to having a few full-HDD images that are stored on an external HDD. My storage HDD remains disconnected to my PC except when processing an image.
I read some info about BIOS malware a while back and with quietman7's help with his info at this site, that helped ease my concerns about the topic. I've only read 1 or 2 posts on the 'net, so far, where someone had confirmed a case of their BIOS being compromised. The repair scenarios are interesting so I looked into the topic for a while and my MoBo's BIOS chip is socketed (easily replaceable) so in the event of a rare BIOS hit, I can obtain a BIOS chip replacement at an inexpensive price that comes pre-flashed with my Asus MoBo's BIOS code.
Since the BIOS chip loads the configuration information from the on-board CMOS RAM chip on the MoBo, any malicious code that resided in the CMOS can be erased by removing the CMOS battery on the MoBo, due to the CMOS device being a "volatile" memory component (memory is lost when power is removed).
I have a backup BIOS .ROM file stored in a disconnected Flash Drive in the event it's needed to restore the BIOS code.
In some cases, such as with a polymorphic file infector, the infection may have caused so much damage that the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.
↑ As quietman7 mentioned, that's the sure way to ensure complete* removal of malicious intrusions from your HDD.
I delete the partitions before recloning or restoring a full-HDD image to an affected HDD. I've recovered twice from malicious infections over the last 3 years using this method.
I prefer the partition-removal method since, in rare instances, a format and OS reinstall may not remove a malicious item. Another member posted their experience about such an apparent incident in the "Cryptolocker" thread in this forum. The member's post caught my attention since they had reformatted, then re-installed the OS, and the next day the Cryptolocker "ransom" screen appeared on his PC again. The member then deleted the partitions on the infected HDD, reinstalled the OS, and all was ok.
* There are rare cases where a forensic disk-wipe may be required, but I think those situations are very rare, as I've not seen many incidents mentioned around the 'net where a partition-delete and restore method or OS re-install didn't accomplish successful removal results.
The reason that, in rare cases, it may be required is that some HDDs have hidden areas that contain data, such as the HPA, or "Host Protected Area", of the HDD. That area is usually located at the end of the HDD, after the user partitions.
Some disk-wipe tools, such as the popular "DBAN" freeware tool, don't access the HPA. There are other tools that can access that area by unhiding the HPA.
I've read conflicting information whether malicious code can even access the HPA. According to an article I read about it, it's not possible to access Protected Service Areas, such as the HPA, without a BEER (Boot Engineering Extension Record).
In any case, as quietman7 mentioned, it's not practical for malicious code writers to use elaborate methods such as would be required to access such areas of the HDD.
Edited by Scoop8, 22 February 2014 - 11:33 AM.
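The post above notes that some wipe tools never touch the HPA. Before trusting a wipe or a re-image, a defender would first want to know whether the drive even has one. On Linux, `hdparm -N /dev/sdX` reports the drive's current and native maximum LBA; when the two differ and HPA is reported as enabled, the gap is the hidden region. The helper below (added example, not code from the thread or from any poster) parses that `hdparm -N` output line and reports the hidden-sector count. The output format it expects (`max sectors = CURRENT/NATIVE, HPA is enabled|disabled`) is assumed from hdparm's usual report; the two sample outputs are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumed shape of the status line printed by `hdparm -N /dev/sdX`.
_STATUS_LINE = re.compile(
    r"max sectors\s*=\s*(?P<current>\d+)\s*/\s*(?P<native>\d+)\s*,\s*HPA is (?P<state>enabled|disabled)",
    re.IGNORECASE,
)

SECTOR_BYTES = 512  # logical sector size assumed for the size estimate


class HpaStatus(NamedTuple):
    current_max: int  # LBAs the host is currently allowed to address
    native_max: int   # LBAs the drive physically reports
    enabled: bool     # True when the drive says an HPA is set


def parse_hdparm_n(output: str) -> Optional[HpaStatus]:
    """Parse the text of `hdparm -N` and return the HPA status, or None if absent."""
    for line in output.splitlines():
        m = _STATUS_LINE.search(line)
        if m:
            return HpaStatus(
                current_max=int(m.group("current")),
                native_max=int(m.group("native")),
                enabled=m.group("state").lower() == "enabled",
            )
    return None


def hidden_sectors(status: HpaStatus) -> int:
    """Sectors sitting past the host-visible end of the drive (0 when no HPA)."""
    return max(status.native_max - status.current_max, 0)


def hidden_bytes(status: HpaStatus) -> int:
    return hidden_sectors(status) * SECTOR_BYTES


def wipe_reaches_whole_disk(status: HpaStatus) -> bool:
    """True only if a tool that wipes up to the host-visible max would cover every sector."""
    return not status.enabled and status.current_max == status.native_max


# Constructed sample outputs (not captured from real hardware).
SAMPLE_NO_HPA = "/dev/sda:\n max sectors   = 976773168/976773168, HPA is disabled\n"
SAMPLE_WITH_HPA = "/dev/sdb:\n max sectors   = 976000000/976773168, HPA is enabled\n"


if __name__ == "__main__":
    for label, sample in (("no HPA", SAMPLE_NO_HPA), ("HPA set", SAMPLE_WITH_HPA)):
        st = parse_hdparm_n(sample)
        print(label, st, "hidden sectors:", hidden_sectors(st),
              "full wipe reaches whole disk:", wipe_reaches_whole_disk(st))
```

If `hidden_sectors` is non-zero, the practical response is to wipe or image the drive with a tool that can address the native maximum, rather than assuming the partition-delete covered everything.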