I haven't had a chance to look at it yet, but the good folks at Sysinternals have released a tool named RootkitRevealer. It looks like it works by comparing two scans: one very low-level, and one high-level, which will include the bogus results intercepted by the rootkit. Any diff means the rootkit is present and hiding/changing data.
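The two-scan comparison described above, as an added sketch that is not RootkitRevealer's code and not part of the original post. Both scans are constructed dictionaries mapping a path to a (size, hash-prefix) pair, and the names `normalize` and `cross_view_diff` are hypothetical.

```python
# Added illustration: diff a low-level scan against a high-level (API) scan.
from typing import Dict, List, Tuple

Entry = Tuple[int, str]   # (size in bytes, hash prefix), constructed values
Scan = Dict[str, Entry]   # path -> Entry


def normalize(path: str) -> str:
    # Windows paths are case-insensitive; compare on one canonical form so
    # case or separator differences are not reported as discrepancies.
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(low_level: Scan, high_level: Scan) -> Dict[str, List[str]]:
    low = {normalize(p): e for p, e in low_level.items()}
    high = {normalize(p): e for p, e in high_level.items()}
    return {
        # Seen by the low-level scan, missing from the API answer: hidden data.
        "hidden": sorted(p for p in low if p not in high),
        # Seen by both, but the API reports different contents: changed data.
        "changed": sorted(p for p in low if p in high and low[p] != high[p]),
        # Reported by the API only; listed separately for review.
        "api_only": sorted(p for p in high if p not in low),
    }


# Constructed sample: the view a low-level scan would produce.
LOW_LEVEL_SCAN: Scan = {
    "C:\\Windows\\System32\\drivers\\disk.sys": (100, "aa11"),
    "C:\\Windows\\System32\\drivers\\example_hidden.sys": (200, "bb22"),
    "C:\\Windows\\System32\\drivers\\etc\\hosts": (824, "cc33"),
    "C:\\Temp\\report.txt": (10, "dd44"),
}

# Constructed sample: the view a high-level scan would produce.
HIGH_LEVEL_SCAN: Scan = {
    "c:/windows/system32/drivers/disk.sys": (100, "aa11"),
    "C:\\Windows\\System32\\drivers\\etc\\hosts": (734, "ee55"),
    "C:\\Temp\\report.txt": (10, "dd44"),
    "C:\\Temp\\scan.tmp": (1, "ff66"),
}

if __name__ == "__main__":
    for kind, paths in cross_view_diff(LOW_LEVEL_SCAN, HIGH_LEVEL_SCAN).items():
        for p in paths:
            print(f"{kind:9} {p}")
```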