A news fwiw, there is a great analysis and commentary on a  rootkit made to run in safemode today at Mark's Sysinternals Blog today. Thanks very much for the great rootkit detection work and writing Mark!

F-Secure is also covering this in their blog.