Rootkit Infection Requires Windows Reinstall 510
CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
Boot Disc (Score:2)
Re:Boot Disc (Score:5, Insightful)
Re: (Score:2)
Re:Boot Disc (Score:5, Informative)
If the rootkit works like most older boot sector virus programs, it already functions much like Grub does in the sense that it replaces the code that allows the other code to be found and run. But the code represented to the operating system would have a sector 0 in a different location than the real boot sector.
So while you would effectively have moved the first sector as far as Windows is concerned, the virus infection would be able to still tank Windows because it would still initially attack sector 0. And if it's the old school infection where it uses int13h calls (the BIOS) instead of Windows and/or even the old protected mode access to access the HD, it will effectively move the Grub install to a new sector and make it think it is in sector 0 on subsequent boots. It will do this the same way Grub or LILO would make Windows think it was loading from the boot sector when it wasn't.
The problem with a boot sector virus is that if the disk is allowed to load any code at all, which is the default in the boot process, the manipulation is already in memory and running. You would essentially need to boot from a start-up floppy or CD or something without the hard disk loading at boot.
Some modern BIOS configurations allow you to lock the boot sector of the hard drive down much like they started allowing you to lock flashing the BIOS down. This is about the only way to preempt this as it would give off a warning about something attempting to write to the boot sector of the hard drive. However, experience tells me that when something is trying to write to the boot sector and it fails to do it, you often need to rebuild the boot sector anyway.
Now that is with the initial infection. The attacks it uses to maintain its infection would work regardless of the operating system because once infected, it's acting as a translation between the operating system and the hard drive. This is why a restore CD is the recommendation for fixing the issues. The CD loads instead of the drive code loading. This way, you are not fixing an infected machine with infected code.
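The offline check the post above argues for (inspect sector 0 from clean boot media rather than from the running OS, and look for the real boot sector that an infector may have parked elsewhere), as an added example that is not from the original thread. It assumes the first 512 bytes of the suspect disk were read from a live CD (for instance `dd if=/dev/sda bs=512 count=1 of=mbr.bin`) and that a known-good copy of that disk's MBR was saved earlier; both, plus a small disk image, are constructed inline so the script runs offline.

```python
"""Offline MBR integrity check, meant to be run from a clean boot medium."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440      # executable code precedes the 4-byte disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap hash, partition table and signature state."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:] == BOOT_SIG,
    }


def inspect_mbr(suspect: bytes, baseline: bytes) -> list:
    """Return findings where the suspect MBR deviates from the known-good baseline."""
    s, b = parse_mbr(suspect), parse_mbr(baseline)
    findings = []
    if not s["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if s["code_sha256"] != b["code_sha256"]:
        findings.append("bootstrap code differs from the known-good copy")
    if s["partitions"] != b["partitions"]:
        findings.append("partition table differs from the known-good copy")
    return findings


def find_mbr_copies(image: bytes, baseline: bytes) -> list:
    """Sector numbers in a raw disk image whose contents equal the baseline MBR.

    An infector that keeps the original sector elsewhere and presents it in
    place of sector 0 while its code runs cannot hide the copy from an offline
    read of the raw disk.
    """
    return [n for n in range(len(image) // SECTOR)
            if image[n * SECTOR:(n + 1) * SECTOR] == baseline]


def make_mbr(code: bytes) -> bytes:
    """Construct a synthetic MBR around the given bytes (placeholder code, not real boot code)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"  # constructed disk id + 2 reserved bytes
    return code.ljust(BOOTSTRAP_LEN, b"\x00") + disk_sig + entry + empty * 3 + BOOT_SIG


# Constructed samples: a baseline, a copy whose code bytes were altered, and a
# 64-sector image where the baseline sector has been parked at sector 62.
GOOD_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0")
BAD_MBR = make_mbr(b"\xeb\xfe")
DISK_IMAGE = BAD_MBR + b"\x00" * SECTOR * 61 + GOOD_MBR + b"\x00" * SECTOR

if __name__ == "__main__":
    for finding in inspect_mbr(BAD_MBR, GOOD_MBR):
        print("FINDING:", finding)
    print("baseline MBR also found at sectors:", find_mbr_copies(DISK_IMAGE, GOOD_MBR))
```

A real baseline has to come from the same disk before infection (or from the OEM image), since bootstrap code and the disk signature legitimately vary between installs.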
Re: (Score:2)
This is hardly the first or the last to use such tricks. This is why I cannot place any faith in any antivirus being used in the typical configuration - as part of a running Windows system. That just doesn't work.
Way back in the day you had to load your scanner on a boot floppy. These days a Linux boot CD is the replacement. A bit bloated, but at least it does the job.
Re:Boot Disc (Score:4, Interesting)
What I do is remove the drive from the system, slap it into an external enclosure and scan from a clean machine after unplugging that machine from the network.
If it kills system files then I replace or repair it once I boot from the recently cleaned HDD. Also, delete the swap file before you plug it back in. Hasn't failed me yet.
- Dan.
Re:Boot Disc (Score:4, Interesting)
Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.
If somebody's the sort of person who gets viruses an antivirus won't save them.
Re: (Score:3)
Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.
If somebody's the sort of person who gets viruses an antivirus won't save them.
This is so untrue, I have to believe I'm missing something here. Antivirus software can often remove infections after the fact, and is also very useful in stopping infections from occurring in the first place. Sure, it's not 100% foolproof, but calling it "mostly useless" and saying it "won't save them" is completely untrue.
Comment removed (Score:4, Informative)
Re: (Score:3)
Re:Boot Disc (Score:4, Insightful)
We really need to go back to a simple (so it can be bug free) boot ROM that is proper ROM, not read/write flash. Hold key sequence to select boot media, and then boot from known-clean media. Anything that is read/write and involved in the boot process can potentially be fucked with to own your box. In the past, there have been BIOS viruses which were extremely difficult to remove - essentially as soon as the machine powers up it is owned and ready to infect whatever media you give it or intercept the operation of AV programs.
It's really only because the extra effort isn't worth it that we don't have far more serious viruses out there that are infecting EFI boot partitions, BIOS and other bits of firmware that Windows and its virus scanner software can't fix, these days.
Re: (Score:3)
It's obvious that many posting here don't know the first thing about how Windows works or why it gets infected. The problem isn't in the boot loader. The MBR is just one place that an attacker can find space to store a bootstrap program that will launch his infecting executable from a file on disk, and then, since that area is read and executed each time the PC is started, it writes to so many critical OS files that removing them from the system or disinfecting them becomes impossible without rendering the
Re:Boot Disc (Score:4, Informative)
a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.
Uh. How's that different from a root kit infection on Linux? AFAIK standard practice is if your machine (whether linux or windows) gets infected by a rootkit, you're supposed to reinstall. If you don't then you're just betting/assuming that the attack wasn't so serious. In most cases it isn't, and that's the same for Windows.
The problem is not restricted to Windows. There's a reason why rootkits are called rootkits after all, and not "NT Authority\SystemKits" :).
Re: (Score:2)
Re:Boot Disc (Score:5, Funny)
Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain",
Re: (Score:3, Insightful)
Re:Boot Disc (Score:5, Insightful)
To continue your flood analogy, you have three options:
1. Build out of something floodproof, like concrete. The *entire* house. When a flood happens, no big deal... but making changes to the house would be a big problem. This is the ChromeOS or DeepFreeze approach: Read-only filesystem and checksums.
2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.
3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach: Just assume it's going to get hit, and have a plan to rebuild afterwards.
Just my 2c.
Re: (Score:2)
So your response to flooding is to rebuild in the desert?
Re: (Score:2)
I'd do this from a Linux live USB and have a Windows install on another partition as source. Linux generally ignores NTFS security, so it should be able to overwrite all necessary files on the Windows i
So (Score:3, Insightful)
You always do an OSRI if you get infected by any rootkit.
Reinstall, but not Windows (Score:2, Insightful)
Re: (Score:2)
"The only purpose it serves is to save the geek the trouble of trying to understand why Linux as a client OS is on life support."
I hear this argument every year against Linux as a desktop OS. Yet my friends and I continue to chug along quite nicely with our Gnome or KDE desktops.
Re:Reinstall, but not Windows (Score:5, Interesting)
The only purpose it serves is to save the geek the trouble of trying to understand why Linux as a client OS is on life support. StatCounter Global Stats [statcounter.com]
Hey, don't count Linux out just yet. It's making progress in some parts of the world..
Like Norfolk Island [statcounter.com]. Next year: Some other isolated bit of humanity. You might think it a hopeless endeavour, but when the world goes to hell in a handbasket, who's going to be left holding the keys to mankind's future: Isolated tiny islands in the middle of nowhere.
Face it, you just don't understand the Linux world-domination strategy.
Re: (Score:2)
of course it can't. i forgot.
*switches off hackintoshed eeepc*
Re: (Score:2)
duh (Score:5, Insightful)
The only way a machine can be trusted after ANY infection is an OS reinstall.
Or as Ripley said: nuke it from orbit, it's the only way to be sure.
Re: (Score:3, Informative)
Even that isn't 100% true with rootkits that can attach themselves to your PCI devices...
Re: (Score:2)
Re: (Score:3)
What? Are you trying to give me a heart attack? How is that even possible?
Re:Yawn, says OSX. (Score:5, Funny)
You must live in a VERY small basement.
Re: (Score:2)
People still use Windows?
Yeah, about 90% of the computer users in the world still do.
Re: (Score:2)
Even if the virus was stored in the bios, or in a flash rom on some kind of pci device... Would it necessarily be able to function if you were to run a completely different OS on the system?
time to re-think OS architecture (Score:4, Interesting)
We all need a major re-think of how OS is installed on the computer, how it is architected, etc.
Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using the virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to the last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not overwrite the FLASH-based kernel; the worst that can happen is that one of the OS images gets corrupted, then you just revert to saved.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Just be sure they don't lose any of them...
Re: (Score:2)
Well, I guess the unemployment issues might be fixed if that happened.
Re: (Score:2)
Good idea, but there will always be a backdoor, even to the hardware key, because coders ALWAYS write themselves a back door, and then one day the hackers find it.
Witness the PS3. reverse engineer the service mode dongle, use that to find the backdoor (master key).
Re: (Score:2)
That's the smart phone model. Fully sandboxed, system can only be written after a cryptographic key is obtained from a trusted source (the vendor) and all files synced to another device or the cloud. Get pwned and flash the device with a system image and sync files/settings to get back the exact system state.
Re: (Score:2)
Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go.
I don't like it because it makes patching more difficult and does nothing to protect the end user's data due to ownage of the guest.
I believe a better policy would just be to not allow untrusted execution of code on lower protection rings even for administrators/root.
Windows CE had a scheme like you describe. When you messed up your PDA you could instantly restore to factory default.
And of course we can't forget AIX which existed on RS6000 with its hardware key at a time when the rest of us were "smart littl
Re: (Score:2)
Wait... wasn't that a bad idea? Or at least that's what the nerds were crying about back in 2005.
Re: (Score:2)
TPM was (and is) a disastrous idea from the point of view of freedom of choice for users of general purpose computers.
TPM (or similar systems) are on the other hand a key element in "walled garden" proprietary environments, such as mobile devices and other embedded systems.
Universal adoption of TPM on PCs would inevitably change them from a "general purpose" into a "walled garden" proprietary environment. A Microsoft one. There is not even the faintest doubt about that.
Fortunately a mere "read only" copy of
Re: (Score:2)
Not until they are made to face major financial penalties for repeated stupidity will they stop being stupid. That means NOT repairing their box that they broke by being Fucking Retarded(tm) for the 1000th time.
Re: (Score:2)
Except you and I both know that the idiots who get infected by the new virus every single time, who do the same things we tell them not to every time, will happily open any physical lock because the popup box says to.
Exactly! The only reason people's systems are getting infected by this is because they gave the software privileges even after being warned it was a security risk. It doesn't matter what you do, if you give them the option to bypass security then they voluntarily will.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Physical locks don't help with the dancing bunnies attack.
This is why places are moving towards solutions that combine the physical security with taking root/Administrator/QSECOFR authority away from the end user. It stops Joe Sixpack from installing yet another Trojanized "pr0n viewer".
Recovery CD? (Score:5, Insightful)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
Yeah, then push your kid down the stairs next time you see him walking around without a helmet on. And kick the dog to teach it not to run in front of you! Your friends and family will love you for imparting your wisdom on them as painfully as possible!
Re: (Score:2)
Re: (Score:2)
User DATA, provided it's not the "intelligent" sort like MS Word documents that can have macros in them, should be safe. Nothing executable should be trusted.
You COULD try to checksum all system files, but it's so easy to miss something that seems innocuous that is infected and will just use a zero-day to jimmy its way back into restored binaries when you reboot. You really have to nuke and pave it if it's bad enough; the odds of missing something are just too high.
And with joys like windows registry, that
Re: (Score:3, Informative)
Mod parent up. PCs commonly shipped with recovery disks ten years ago, but most OEM vendors have discontinued the practice so they can pass along the savings to the consumer (OK, I just made up the last part).
So unless you were anal enough to make one yourself then if you get an irrecoverable malware like this, you are SOL. Remember to thank the CEOs.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No. And no. The former is uncommon at best; the latter is frustratingly difficult if there's a possibility that the user profile is infected (due to the 'store shit everywhere, lots of binary files' nature of a profile).
Windows PCs are disposable. If it's important, assume that the PC is a kiosk. It's not so much the case now as in earlier years, thank god, but it used to be that a Windows reinstall was more time and effort to get 'back up to snuff' than a Gentoo build.
wait.... what? (Score:2)
When the fuck did AV software stop scanning the boot sector?
Re: (Score:2)
Item Misquotes MS - Reinstall not required (Score:5, Informative)
Re: (Score:2)
I agree. That's the only sensible interpretation of what MS is saying. If you're going to do a complete system restore, why go to the trouble of fixing the MBR first?
Bad headline, bad article (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
This is all incidental to the problem of the boot sector code. It changes write functions to read functions so the disk will return a response and Windows will believe everything worked. It does this because it infects the boot sector which loads code into memory before Windows even thinks about loading anything into memory. It then hides and stops itself from being removed while hiding and running other code from Windows.
Using system restore will not address this in the least. You will still be infected, y
Re: (Score:2)
I suspected as much when the phrase "a pre-infected state" was used, but it still raises an interesting point that there's not a reliable disinfection procedure. I've worked on some pretty horrendous machines for "friends" (friendly when they need computer help) where I've often wanted to just reinstall and be done with it. I've always managed to track down a disinfection procedure online for the specific things the machines were infected with (often with help from people like the folks at the dlsreports.
Dunno about anyone else... (Score:2)
Uh, RTFA? (Score:5, Informative)
Requires a system *restore* not *recovery* and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.
Re: (Score:2)
Lol... let's not pretend he's got something going right either. He fixes Grandma's computer multiple times a week. There has to be a reason why Grandma keeps screwing her computer up so often and I don't think it's him using it as an excuse to come over for cookies and milk 3 times a week.
I have 15 accounts with 20-50 users in each and I barely have any issues outside of checking logs, fixing hardware issues and making sure no one decided they didn't need to run the nightly backups because we never need the
Knoppix (Score:2)
This is my method of choice for removing Windows viruses.
The final step for this virus would be to afterwards use the `fixmbr` tool.
Piece of cake. No reformatting necessary.
Re: (Score:2)
Re: (Score:2)
Summary and TFA incorrect (Score:2)
If you read the TFA's FBE (F-ing Blog Entry), you'll find that you just use a recovery console, run FIXMBR, and then run a system restore to a date before your system became infected.
Hardly intractable. Not a reinstall. If it goes unnoticed for a very long time, you might not have a restore point early enough, but that goes for any malware.
*nix is more secure!!!! (Score:2)
No data loss necessarily, with that type of restore (Score:2)
This is the Windows 7 System restore option, which is as follows according to MS:
see: System Restore [microsoft.com]
---
Restores your computer's system files to an earlier point in time without affecting your files, such as email, documents, or photos.
If you use System Restore from the System Recovery Options menu, you cannot undo the restore operation. However, you can run System Restore again and choose a different restore point, if one exists. For more information, see What is System Restore? and System Restore: frequ
So how does one avoid it? (Score:2)
I've seen junk get onto a computer with all the latest Windows updates where the infected user never intentionally ran a single program they downloaded from the web. However the infection happened, it happened without prompting the user to run any install program.
When I disinfected the computer, I could not for the life of me figure out how the infection was actually obtained... if the user had been an administrator, I suspect that the damage would have been more widespread than just that one account.
Re:So system restore points don't work? (Score:5, Insightful)
Any virus can potentially do anything to your machine, including system restore points. If the machine is owned, it is owned and everything on it should be considered as suspect.
Back in the day there were a couple of BIOS viruses, which were even worse.
Re:So system restore points don't work? (Score:4, Insightful)
Re: (Score:2)
Of course, you could always get a (mostly) desktop Linux-based phone, like the N900. Near as I can see, it has just about 0 viruses, due to being A, Linux and B, ARM (which isn't that popular compared to x86).
Re:Norton Ghost (Score:4, Informative)
You work for Symantec?... use ntfsclone or partimage from a live CD instead
Re: (Score:2)
Re:Norton Ghost (Score:4, Informative)
It took 20 years and alarming complexity increases; but it's almost like being able to tar your OS install and then untar it onto a newly created filesystem!
Re: (Score:2)
"You work for Symantec?"
It's been faster to download Ghost boot discs than install Ghost since the late 1990s.
Re: (Score:2)
Re: (Score:2)
Some standardized mechanism for offline inspection of a machine's entire nonvolatile storage space by an outside probe, without requiring the cooperation of any of the firmware or programmable embedded hardware would be nice, if probably Not Going To Happen.
Re: (Score:2, Informative)
Don't act the fool my boy..... it is called a "boot ROM" for historical reasons, but these days they are all FLASH based; ain't no real mask-programmed ROMs any more. These days they are all FLASH based and on most motherboards can easily be written if you simply toggle the correct bits in the hardware control registers.
Re:Always wise anyway (Score:4, Informative)
NICs & VGA cards have stopped having flash ever since they moved from ISA to PCI: at that point, in order to cut costs, they moved their firmware storage to the motherboard BIOS flash.
Wrong. All graphics cards have traditional CGA/EGA/VGA BIOS interface implemented for their hardware in their flash. They wouldn't initialize properly without it.
Wise grammar Nazi (Score:2)
Re: (Score:2)
Logical or British punctuation [wikipedia.org] deems otherwise.
Re: (Score:2)
turtles all the way down...
Btw, this may be the oldest trick in the book. Boot viruses are as old as the x86 IBM compatible.
Feeding the Troll (Score:3)
So they get to choose between a system that is unusable from malware or a system that is unusable because it won't run their Windows applications?
Oh, quit whining and start WINEing.
Re: (Score:2)
Hey, it's got a web browser, and email, so it's already more productive than the malware infected machine.
Re: (Score:2)
Re: (Score:2)
As a tech who no longer does PCs full time (I haven't in about six years) I don't have a boat load of restore media like I used to. What I get now is a bunch of individual users (friends, families, small jobs) with crashed HDDs and no restore CDs for me to fix their machines with. I've tried searching the less reputable sites for OEM ISOs so I can do legitimate restores, but I haven't had a lot of luck.
My own personal machine that came with Windows 7 on the other hand is good to go. I used Clonezilla
Re: (Score:2)
Re: (Score:2)
That's awesome if you're a reasonable tech. On the other hand most home users just ignore it and call their pal pecosdave when they need it fixed, and of course I don't do Windows and I don't have the old stack of Dell OEM disks of their OS like I used to in the XP days either.
Re: (Score:2)
Re: (Score:2)