thirteentwenty
In this thread benny claims that there are a couple of event IDs to watch out for, and that they are tell-tales of whether or not the machine is infected with the rootkit.
I've deployed the event sets on a bunch of machines but they've come back nil, so I cannot say for sure that it works. SMason has had positive results with this method.
thirteentwenty
As it stands now, I've got the event set deployed and am working on a script to run RootkitRevealer based on that alert. To me that should be the surefire way for detection. I did read in brief on how to get rid of it; I have the link bookmarked on my other install so I don't have it handy. If it's a scriptable fix I hope to get a script done for it.