I've found there's no one tool that's completely effective.
However,
F-Secure Blacklight is a good place to start, provided the bastarding thing hasn't edited the local policies on the machine to deny even members of the Administrator's group the SeAdminDebug privlege. If that's happened then even it won't work.
My advice, initially, boot from a CD, or mount the drive in another machine, go into \Windows\System32, order by date, and start deleting the dozens of suspiciously named DLLs that will be in there. You can spot them a mile off, recent dates, garbage names, and if you check their properties, they won't have any of the proper version information that all legitimate Windows system files have.
I suspect you'll also find, if you boot the machine outside of the host OS, that the rootkit will have created itself an invisible working directory somewhere, C:\Program Files seems to be favourite for some of the more common ones. Of course this folder is completely transparent when Windows (and the rootkit) are running, because it will be intercepting the output of Explorer.
Get yourself a copy of Process Explorer from MS too, you're going to need it.
I suspect the rootkit has listed itself in the Winlogon autorun sections of the registry, and its probably registered under AppInitDlls too. Some of the ****ers even associate themselves with Autoplay extensions, so they get called again and again when any USB or drive with removable media is accessed, right pain in the hole.
