Per Mark Russinovich, who discovered all this, on his Sysinternals site:
Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit.
Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality.
Unfortunately, all of the AV cleaners I've looked at disable it improperly by unloading it from memory - the same way Sony's patch behaves - which as I noted previously, introduces the risk of a system crash.
While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit's registration from Windows so that it won't activate when Windows boots:
1. Open the Run dialog from the Start menu
2. Enter cmd /k sc delete $sys$aries
3. Reboot
Much more detail at his site here.
OK. He doesn't mention Sophos specifically, but presumably their tool was one that he looked at. Hmm.
Well, in that case, maybe the thing to do is to use Sophos to detect whether you have the Sony Rootkit, but then don't try to remove it until this issue is completely resolved.
Microsoft is now making noises about adding Sony Rootkit to the things their antispyware will detect. But there, again, I don't know if they will safely remove it or only detect it.
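A scripted form of the three-step removal quoted above, added here as an example; it is not code from the post or from Sysinternals. The function name is made up, and it assumes the standard HKLM\SYSTEM\CurrentControlSet\Services layout and an elevated shell.

```powershell
# Added example (not from the original post or from Sysinternals): remove a driver
# service's registration so it is not loaded at the next boot, without unloading the
# running driver. Defaults to the '$sys$aries' name quoted in the post above.
function Remove-DriverRegistration {
    param(
        [string]$ServiceName = '$sys$aries'   # single quotes: the '$' must not be expanded
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

    # Record what is registered before touching it (Start 0 = boot, 1 = system, 2 = auto).
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Output "No service key visible at $key (already removed, or hidden by the running driver)."
    } else {
        Write-Output ("Registered: Start={0} ImagePath={1}" -f $props.Start, $props.ImagePath)
    }

    # Deliberately no Stop-Service / net stop here: unloading the driver from memory is the
    # unsafe path the post warns about. Deleting the registration only takes effect after reboot.
    # 'sc' on its own is the PowerShell alias for Set-Content, so call sc.exe explicitly.
    & sc.exe delete $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe delete failed with exit code $LASTEXITCODE (run from an elevated shell)."
    }
    Write-Output "Registration for '$ServiceName' deleted; reboot to complete the removal."
}

Remove-DriverRegistration
```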