It had inserted itself into a file that was saved, and later, reinstalled.
Likely culprit: a Flash vid, or a JavaScript in an HTML file that was causing the difficulties.
I would look at PartImage as a Rescue Enabler, and then disable all flash and java-whatever after a reinstall from a known clean backup occurred - especially before going online or reading an email on an HTML or script-enabled email reader - or web browser, at the very least.
No, that wasn’t possible. The system was not exposed to any of the old data files or the Internet. We suspect a hidden area on the hard drive in one instance and the system AMI BIOS in another instance.
MSI is now providing system boards with two UEFI on firmware, and then followed up with the ability to restore a UEFI from a USB flash drive. This was done in part to defeat the efforts of malware to infect and/or brick the system board by attacking the BIOS/UEFI.
When we used Malwarebytes and other anti-malware software to repair a couple of FBI ransomware hijackings, we found variants of the malware were systematically digging themselves ever deeper into the system as we defeated the earlier efforts. It finally got down to the point where a Dell Optiplex 755 system would no longer enter the firmware setup. These variants were doing things the anti-malware software sources were saying weren’t possible, but they were possible and real.