Sophisticated malware could do that. How sophisticated? I don't know but some possibilities makes sense. 1- I remember I've read somewhere that your BIOS could get infected, that way the malware would persist thru Windows installations. Do you have any idea on how BIOS could infect the OS? 2- You have an external or internal HDD with programs/movies/songs in it. If that drive was infected, it could infect the OS. Question is; Can the malware jump out without even opening an exe or movie? Just by being connected... I think big players like states can create such sophisticated malware. I'd imagine most governments would go any length for consolidation of power and controlling of the masses.
I suspect that they have got a vested interest of using UEFI; this whole story I linked seems to imply it needs an usb-stick to infect the machine, That means they need to have physical acces to it. But I have my doubts about that. I read a lot about malware infections, and I think i saw some story somewhere where a mere malware infection could flash an infected UEFI, just I do not remember where I saw that, maybe after the Snowden/ NSA scare. All I know that states cannot be bothered to get physical acces to many machines. I suppose that we should be reasonably safe as long as there can be none of that. The most recent machine that had an `old-fashioned`bios that I ever got my claws on to fix was an I3 lappy. If i ever find one again [ unlikely..]I will buy it like a shot. The Eset scanner is advertised to be able to scan UEFI, but doubt if it can find anything. Or even fix it.
Some motherboard manufacturers have software which allows you to flash your BIOS within Windows. So it's totally possible that some malware can do the same. I'm also wondering if it's possible to infect the system drive by just connecting another HDD to the computer (without running any program within that HDD). I believe they could do that with autorun.inf but there could be more sophisticated methods.
thanks, saved link for further reading.. I seem to remember reading that `something`went wrong in Iranian nuclear centrals, after their systems got infected by Israel..