This one is not TDL. It looks like a new version of Black Energy 2.
It patches the ServiceTable pointer for every new thread to point to the rootkit's preallocated fake service table, plus a splice hook to get this to work. The rootkit code is relocated to memory allocated from pool. The new fake table contains a copy of the original service table with a few replaced by rootkit handlers. This helps it to hide user mode threads and registry entries.
NtOpenThread and others (I'm too lazy to write the whole list).
Most antirootkits will not work with this rootkit; they simply die at start. You need to remove the notify routines set by the rootkit (CreateProcess, CreateThread, LoadImage) to get them to work.
Rootkit driver and data files are hidden from enumeration.
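
A detection sketch for the per-thread table redirection described in the post above, added here as an example and not part of the original post or any tool's code. It works on a constructed snapshot: the types `image_range` and `thread_snap`, all addresses, and the four-entry tables are hypothetical stand-ins for values a kernel-mode scanner would read from each thread and from the loaded kernel image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSVC 4 /* constructed: real service tables have hundreds of entries */

/* Hypothetical snapshot types for this demo, not Windows structures. */
typedef struct { uintptr_t base, size; } image_range;
typedef struct { uint32_t tid; const uintptr_t *service_table; } thread_snap;

/* Constructed sample data: kernel image range, original table, fake copy. */
static const image_range kernel_img = { 0x80400000u, 0x00200000u };
static const uintptr_t orig_table[NSVC] =
    { 0x80451000u, 0x80452000u, 0x80453000u, 0x80454000u };
static const uintptr_t fake_table[NSVC] =   /* entries 1 and 3 replaced */
    { 0x80451000u, 0xFA000100u, 0x80453000u, 0xFA000200u };
static const thread_snap threads[] = {
    { 4, orig_table }, { 1200, fake_table }, { 1204, orig_table },
};

static int in_image(const image_range *r, uintptr_t p) {
    return p >= r->base && p - r->base < r->size;
}

/* Count entries that differ from the reference or leave the kernel image. */
static size_t count_replaced(const uintptr_t *tbl, const uintptr_t *ref,
                             const image_range *img, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (tbl[i] != ref[i] || !in_image(img, tbl[i]))
            hits++;
    return hits;
}

/* Count threads whose table pointer is not the reference table. */
static size_t count_redirected(const thread_snap *t, size_t nthreads,
                               const uintptr_t *ref) {
    size_t hits = 0;
    for (size_t i = 0; i < nthreads; i++)
        if (t[i].service_table != ref) {
            hits++;
            printf("tid %u: table %p, %zu replaced entries\n", (unsigned)t[i].tid,
                   (const void *)t[i].service_table,
                   count_replaced(t[i].service_table, ref, &kernel_img, NSVC));
        }
    return hits;
}

int main(void) {
    size_t n = sizeof threads / sizeof threads[0];
    return count_redirected(threads, n, orig_table) == 1 ? 0 : 1;
}
```

Checking only the global service table misses this case, because the global table is left intact and only the per-thread pointer changes; the comparison has to be made per thread.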