We found what seems to be a rootkit on a customer system which was Windows 2000 SP4.
It is a kernel-resident infector, as it installs itself as a hidden device driver operating at kernel level
to hide its directories and programs as well as network connections.

For our research we named it Win32/McSport-A.

Here are the notes we saved along with our own removal strategy, which is not a clean way, but does work.

(The following notes are from our researcher who removed it)


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSPORT
This entry points to /winnt/system32/drivers/usb42prt.sys on Windows 2000.

$programs directory/Padgvox is hidden.
In that directory is a subdirectory called "Cache" which held 1.6 GB
of files that seemed to be sniffer logs.

Files in this directory:
AI_11-11-2005.log
AI_13-11-2005.log
AI_15-11-2005.log
AI_17-11-2005.log
WinGenerics.dll
data.bin
iesmpapi.exe
AI_12-11-2005.log
AI_14-11-2005.log
AI_16-11-2005.log
ace.dll
hidrfnet.exe

(If you boot into the Recovery Console from the Windows CD, you won't be able to access it.)

On startup ntvdm.exe is launched, and right after that iesmpapi.exe
and pmsledit.exe, which are hidden from the process list.
pmsledit was in /winnt/system32.

In Device Manager, even if hidden devices are made visible, the
device mcsport is hidden and could only be seen after all the launch programs
couldn't be started anymore.

Removal:

After messing around with some software trying to remove the rootkit,
I decided to get a Linux live CD (I used LinuxDefender Live as it has NTFS write support)
and delete the files from there. After doing that and rebooting into Windows, strangely
the files appeared again, so I went back into Linux and just shredded the files with the
"shred" command. After booting into Windows once again it couldn't launch anymore and I
was able to view the hidden device, deactivate and remove it.
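The removal notes above rest on one observation: the rootkit can only lie to software running on the infected kernel, so a live CD that mounts the same NTFS volume sees the files the running system hides. The following is an added example, not code from the original post, that turns that observation into a cross-view comparison: it takes a directory listing captured offline (from the live CD) and a listing the running Windows system reports, and returns the entries that are present offline but missing from the live view. The two listings, the `C:/Program Files/Padgvox` path (the post only says "$programs directory"), the tab-separated listing format and all file sizes are constructed for the example; only the file names and directories come from the notes.

```python
"""Cross-view diff for rootkit-hidden files (added example, not from the post).

Compares an offline listing of an NTFS volume (taken from a live CD, with the
infected kernel not running) against the listing the running Windows system
reports.  Entries visible offline but absent online are candidates for being
hidden by a kernel-mode filter driver.

Both listings are CONSTRUCTED: paths use the file names from the post, the
'$programs directory' is assumed to be C:/Program Files, and sizes are made up.
"""
from collections import defaultdict

# Constructed: what a live CD produced, one entry per line as <path>\t<size>.
OFFLINE_LISTING = """\
C:/Program Files/Padgvox/WinGenerics.dll\t40960
C:/Program Files/Padgvox/ace.dll\t24576
C:/Program Files/Padgvox/data.bin\t1024
C:/Program Files/Padgvox/iesmpapi.exe\t65536
C:/Program Files/Padgvox/hidrfnet.exe\t53248
C:/Program Files/Padgvox/Cache/AI_11-11-2005.log\t268435456
C:/Program Files/Padgvox/Cache/AI_12-11-2005.log\t268435456
C:/WINNT/system32/pmsledit.exe\t45056
C:/WINNT/system32/drivers/usb42prt.sys\t16384
C:/WINNT/system32/ntvdm.exe\t409600
C:/WINNT/system32/notepad.exe\t50960
"""

# Constructed: what the running (infected) system reported for the same paths.
ONLINE_LISTING = """\
C:/WINNT/system32/ntvdm.exe\t409600
C:/WINNT/system32/notepad.exe\t50960
"""


def parse_listing(text):
    """Parse '<path>\\t<size>' lines into {path: size}, skipping blank lines.

    Paths are normalised to forward slashes and lower case because NTFS is
    case-insensitive and the two tools may print different separators.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, size = line.rpartition("\t")
        entries[path.replace("\\", "/").lower()] = int(size)
    return entries


def hidden_entries(offline, online):
    """Paths present in the offline view but absent from the live view."""
    return sorted(p for p in offline if p not in online)


def size_mismatches(offline, online):
    """Paths visible in both views whose reported sizes differ."""
    return sorted(p for p in offline if p in online and offline[p] != online[p])


def summarize(paths, sizes):
    """Group paths by directory with a count and total bytes per directory."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0})
    for p in paths:
        directory = p.rsplit("/", 1)[0]
        summary[directory]["count"] += 1
        summary[directory]["bytes"] += sizes[p]
    return dict(summary)


def cross_view_report(offline_text=OFFLINE_LISTING, online_text=ONLINE_LISTING):
    """Build the full comparison: hidden paths, size mismatches, per-directory totals."""
    offline = parse_listing(offline_text)
    online = parse_listing(online_text)
    hidden = hidden_entries(offline, online)
    return {
        "hidden": hidden,
        "mismatched": size_mismatches(offline, online),
        "by_directory": summarize(hidden, offline),
    }


if __name__ == "__main__":
    report = cross_view_report()
    for directory, info in sorted(report["by_directory"].items()):
        print(f"{directory}: {info['count']} hidden entries, {info['bytes']} bytes")
    for path in report["hidden"]:
        print("  hidden:", path)
```

In practice the offline listing would come from something like `find /mnt/ntfs -type f -printf '%p\t%s\n'` on the live CD and the online one from a script run on the booted system; the comparison is the same. The per-directory totals are what make a 1.6 GB "Cache" of sniffer logs stand out even when the individual file names mean nothing.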

I should also note that I disabled the USB controller as I suspected it may have injected
itself there somehow. I couldn't confirm that as I'm not much into Windows low-level operations.
Just thought I'd leave a note as it *may* be of use. As I only have this one infected test
system I could not verify it on other computers.

All that still couldn't be removed was the registry entry. Updates may follow on that.

Hope this helps the people that are infected until the AV vendors catch up on this.
Nothing detected it: Panda Titanium AV 2006 and McAfee didn't detect it, nor did Microsoft AntiSpyware etc.
UnHackMe detected it as the HackerDefender rootkit but was unable to remove it, so it might be
a mutation.