In general and at the moment (2016), wipe and reinstall is usually enough for an ordinary user. But notice the qualifiers; malware authors are often quite clever and adapt quickly to new ideas.
The issue underlying the question is where code that runs automatically can exist on a computer. The current answer to that is: in any device or component that has firmware (or has circuitry that facilitates secret firmware or code), and unfortunately that's almost all of them. Most viruses are stored in normal disk spaces that antivirus programs routinely check. But beyond this is a realm of other locations, often completely uncheckable at the moment. Some are known to have been exploited but only by nation-states (NSA etc.) and others have been demoed by security researchers (BadUSB is one). The good thing is that at present these aren't common vectors for malware for ordinary users.
That said, here are some examples of malware vectors and snooping/logging abilities that won't be fixed by reinstalling or wiping, to give you nightmares...
Computer BIOS (or UEFI) - the main computer firmware
In the hard drive firmware (and hidden sections of the HD accessible to it) - what can't be seen can't be wiped, and the HD firmware has total control over what data is sent to the computer when a disk read is requested, and whether the real data is modified or not. This one's been used by NSA etc. already.
In input devices or devices used to connect input devices - keyboard dongles, mouse dongles, hardware keyloggers, USB and Bluetooth devices that silently present themselves as a fake mouse/keyboard to execute commands, touchscreen devices that log or fake input by the user...
Cards and other pluggable devices (graphics, network, WiFi, you name it) which present interfaces at a hardware or software level or have direct access to RAM, in their firmware.
Potentially the CPU itself, in its microcode.
Output devices (a dongle or fake ferrite core on a monitor cable that can log the RGB signal and decode or onward transmit the screen elsewhere).
Hidden network connections - devices that contain a secret networking capability that isn't a virus but can be used to get covert access...
Malicious accessories - fake Apple chargers at one time contained a malwaring capability.
In the OS itself (bad or faked install media, covert code in the source code or added to it in an unauthorised manner by an insider, third party or distributor, unknown to the authors).
In trusted code you redownload or reinstall almost "as standard" after wiping the disk (think Microsoft Office or MySQL offline media, or web download installers)...
In standard libraries and trusted software "hidden in plain view". Google the Underhanded C and Underhanded Crypto competitions, where apparently clean code must secretly achieve a malicious outcome.
Yes, it's scary, and no, nobody is really clear what to do about protecting against it, except to trust that it's rare and targeted. Which, so far, it is.
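For the item above about USB devices that silently present themselves as a fake mouse/keyboard, here is an added example (not part of the original answer) of a defensive inventory check on Linux: it reads the interface descriptors exposed under `/sys/bus/usb/devices` and lists every device able to inject input, escalating any that also claim to be mass storage. The function names, the verdict labels and the sample tree are assumptions made for this illustration.

```python
import os
import tempfile

HID, MASS_STORAGE = 0x03, 0x08   # USB interface class codes
KEYBOARD, MOUSE = 0x01, 0x02     # HID bInterfaceProtocol values

def read_hex(path):
    with open(path) as f:
        return int(f.read().strip(), 16)

def audit_usb(root="/sys/bus/usb/devices"):
    """Map each device that can inject input to 'review' or 'suspicious'."""
    per_device = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:          # interface dirs look like 1-2:1.0
            continue
        base = os.path.join(root, entry)
        try:
            cls = read_hex(os.path.join(base, "bInterfaceClass"))
            proto = read_hex(os.path.join(base, "bInterfaceProtocol"))
        except (OSError, ValueError):
            continue                  # interface vanished or unreadable
        per_device.setdefault(entry.split(":")[0], []).append((cls, proto))
    findings = {}
    for dev, ifaces in per_device.items():
        can_type = any(c == HID and p in (KEYBOARD, MOUSE) for c, p in ifaces)
        has_storage = any(c == MASS_STORAGE for c, _ in ifaces)
        if can_type:
            # Storage plus keyboard/mouse on one device is unusual enough
            # to escalate; a lone keyboard still goes on the review list.
            findings[dev] = "suspicious" if has_storage else "review"
    return findings

def build_sample_tree():
    """Constructed sysfs-like tree: a keyboard, a flash drive, a hybrid."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": ("03", "01"),   # plain keyboard
              "1-2:1.0": ("08", "50"),   # plain flash drive
              "1-3:1.0": ("08", "50"),   # "flash drive" ...
              "1-3:1.1": ("03", "01")}   # ... that also registers a keyboard
    for name, (cls, proto) in sample.items():
        os.makedirs(os.path.join(root, name))
        for fname, val in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto)):
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(val + "\n")
    return root

if __name__ == "__main__":
    for dev, verdict in audit_usb(build_sample_tree()).items():
        print(dev, verdict)
```

Interface descriptors are self-reported by the device, so this is an inventory to compare against the hardware you expect to see, not proof that a device's firmware is clean.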