I've taken apart a fair few rootkits, and they are by no means simple, though most of them these days tend to use the NET command to overwrite certain boot hooks to allow the rootkit to be run at start as a network service instead of the standard Windows Messenger, for example, which shuts down on execution if you have MSN, so most people won't notice the difference.

Rootkits have a nasty way of being composed of several smaller components, all of which are 'legitimate' as far as any antivirus program is concerned, often made from freely available software components which in and of themselves are not harmful.

I normally find it easier to simply wipe the machine rather than try to save it when it comes to rootkits; there are simply too many undocumented versions out there.