That rootkit is pe386 and some variants use ADS to hide their rootkit driver on (NTFS file systems) in the system32 folder. It uses a SYSENTER hook, and does not hook the SSDT, IceSword, AVG Anti-Rootkit Beta, GMER, DarkSpy, Sophos AR - all detect it. With IceSword you must use the registry funtion to see the service autostart. CombFix detects it but cannot remove it.

The AVG Anti-Rootkit Beta is probably the easiest way to remove it. Sophos can detect it but it will crash the system if removal is attempted. (they warn you not to remove it). Merjin's ADS Spy can also remove the ADS streams once the pe386 driver is uncloaked, by removing the service autostart and rebooting.

Check this GMER video out:
http://www.gmer.net/pe386.wmv

ADS were used by CWS in Their Home Search Asst. variant about three years ago. But this new threat combines ADS and a rootkit.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008