[link|http://www.ewido.net/en/|Ewido] is not free, per se, but they have a free download that you can use for 2 weeks. Long enough to do the job.
One of my wife's friends relies on me to get her out of PC troubles now and then and so I spent a couple of days trying to fix her system. This was my first attempt to clean out a badly compromised system.
The lady uses a dial-up connection to the Internet on a Win-XP Home system. I helped her pick it out years ago. Her symptoms were that after booting up the system, the only thing she could do was move the mouse and watch the cursor move. Nothing else would function.
I will spare you my agonies (with much help gleaned from [link|http://www.majorgeeks.com/downloads29.html|MajorGeeks]) but the machine had 15 variations of Bagle, 3 variations of Backdoor and other stuff as well. Her Zone Alarm was borked and at least at one point AdAware zipped through tests in no time finding nothing. Obviously rigged. After cleaning out some stuff, I got to see 60 instances of IE trying to go to various sites.
At least a couple of the problems were that the system was pre-SP2 (Service Pack 2), which, being ~300 MB, is not exactly something one downloads on a dial-up connection, and the other is that she uses OE with the "preview" mode ON. She claimed that she never opened strange attachments, but who knows.
Anyways, while in Safe mode and disconnected from any network, I ran Ewido from a CD and cleaned out about 1100 "objects" i.e. files, registry settings, etc. Some of the files were system files. I was then able to connect the machine to my network (with the other Windows machines OFF) and get System updates from Microsoft, AdAware, and install Search and Destroy. Search and Destroy did find a Registry entry for Bagle that Ewido missed.
The machine seems OK now and is back in service. I wouldn't bet my life on it being clean though.
As far as BIOS attacks are concerned, look [link|http://adventuresinsecurity.com/blog/?p=28|here]. It can be done. When in doubt, get a BIOS update diskette for the motherboard. I suppose even that could be anticipated by the root kit. But, I'm guessing the root kits can't be generic for all motherboards without getting huge. If the BIOS chip is removable, as some are, one can always have a back-up copy.
As a side note, a removable BIOS chip should be a requirement for motherboards you buy. I once unintentionally "updated" the BIOS on a mobo with a diskette intended for a different mobo. The BIOS chip was soldered in and so the mobo had to be put in the trash. I did save the battery! :)