Of course, now that he has told us what to look for, it makes things a lot easier for us. I'd strongly recommend getting a Knoppix boot disk and using that to look for directories or files that start with $sys$. That's the easiest thing you can do IMO, though I can't really call myself any kind of Windows guru anymore because I avoid it like the plague.
Automated tools to find this particular corporate back door are going to be moderately problematic, as the rootkit hides itself by modifying Windows APIs. You have to be able to boot from a known good kernel to check things out. Virus scanners aren't going to be able to do this unless they load before the targeted APIs.
Simple solution: dump Windows. Unfortunately, that's the only way to be reasonably safe from this stuff.
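The offline check described in the post above, written out as an added example (not code from the thread): booted from a known-good environment such as Knoppix, with the Windows volume mounted read-only, walk the mount point and list every file or directory whose name starts with $sys$, the prefix the running rootkit cloaks. The mount point path and the demo file names are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. Run from a clean boot CD with the
# Windows partition mounted (for example: mount -o ro /dev/hda1 /mnt/hda1), so the
# hooked Windows APIs are not in the picture and the filesystem is read directly.

# Print every path under $1 whose basename starts with '$sys$', one per line.
# The pattern is single-quoted so the shell does not try to expand the dollar signs;
# find(1) treats them literally.
find_sys_prefixed() {
    find "$1" -name '$sys$*' 2>/dev/null | sort
}

# Report on one mounted volume. Returns 1 if any cloaked-prefix entry was found,
# 0 if the volume looks clean, so the result can drive a script.
check_volume() {
    hits=$(find_sys_prefixed "$1")
    if [ -n "$hits" ]; then
        echo "Found \$sys\$-prefixed entries under $1:"
        echo "$hits"
        return 1
    fi
    echo "No \$sys\$-prefixed entries under $1"
    return 0
}

# Constructed demonstration tree standing in for a mounted Windows volume; the
# '$sys$demo' names are invented, not the rootkit's real file names.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/WINDOWS/system32/\$sys\$demo"
    : > "$tmp/WINDOWS/system32/\$sys\$demo/\$sys\$demo.sys"
    : > "$tmp/WINDOWS/system32/normal.dll"
    check_volume "$tmp" || true
    rm -rf "$tmp"
}

# Usage: sh sysscan.sh /mnt/hda1   (assumed mount point); with no argument, run the demo.
if [ -n "$1" ]; then
    check_volume "$1"
else
    demo
fi
```

Because the scan runs from a kernel the rootkit never hooked, it sees the filesystem as it is on disk; the same `find` run from inside the infected Windows install would come back empty, which is exactly the cloaking the thread is describing.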
Wouldn't it actually be very easy to test for? Something like:

    @echo off
    rem create a file with the cloaked prefix, then see whether Windows still admits it exists
    echo Hey >c:\$sys$zzz.txt
    if not exist c:\$sys$zzz.* echo Uh oh...
    del c:\$sys$zzz.txt

I haven't used any Sony CDs, so I can't test the above, but based on the descriptions it would seem like it should work.