I took a look at the pass/fail logic in mpsyscheck.exe. The pseudocode for the function that makes the PASS or FAIL decision is below. It looks like the decision point is whether two 4-byte values at offsets 0x7FFE0308 and 0x7FFE030C in the in-memory copy of process mpsyscheck.exe can be read successfully. I do not know enough about this problem to say whether this is enough detection or not. If mpsyschk.exe thinks the machine is infected, it also appears to write a "Timestamp" value under HKLM\Software\Microsoft\MPSystemStateCheck.
email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity