NTOSKRNL-HOOK & USB ports not recognizing any external storage


#1 bluebirdm (New Member, 2 posts)
McAfee (last updated) detects a Trojan named NTOSKRNL-HOOK; it says it is cleaned every time, but it appears again!
I tried in Safe Mode also.

Also, when I restart my laptop I get a pop-up message about a BO Heap:
C:\WINDOWS\System32\services.exe:WS_32.socket
C:\WINDOWS\System32\services.exe:ADVAPI32:RegOpenKeyA

The first thing I discovered is that none of my USB ports show a flash drive or external hard disk when one is connected; it appears in the USB tray (Safely Remove Hardware) but not in Windows Explorer, while the mouse works fine on all the ports.

I have a Dell Latitude D620.

I used ComboFix and this is the resulting log:


ComboFix 09-04-03.01 - MShafik 2009-04-04 5:20:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.20.1033.18.1022.527 [GMT 2:00]
Running from: c:\downloads\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\oeminfo.ini
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\pcs
c:\windows\system32\pcs\est\est04028_exe.exe
c:\windows\system32\pcs\est\est04028_results.xml
c:\windows\system32\pcs\est\est04028_xml.xml
c:\windows\system32\pcs\est\est05022_exe.exe
c:\windows\system32\pcs\est\est05022_results.xml
c:\windows\system32\pcs\est\est05022_xml.xml
c:\windows\system32\pcs\mbsacli2.exe
c:\windows\system32\pcs\PCS.vbs
c:\windows\system32\pcs\WindowsUpdateAgent20-x86.exe
c:\windows\system32\pcs\wsusscan.cab
c:\windows\system32\pcs\wsusscn2.cab
c:\windows\system32\pcs\wusscan.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-04 05:24 . 2009-04-04 05:24 53,248 --a------ c:\temp\catchme.dll
2009-04-04 05:08 . 2009-04-04 05:08 <DIR> d-------- c:\temp\WPDNSE
2009-04-04 04:20 . 2009-04-04 04:20 <DIR> d-------- c:\windows\system32\NtmsData
2009-04-04 03:05 . 2009-04-04 03:34 60,131 --a------ C:\VirusePhoto.JPG
2009-04-04 03:03 . 2009-04-04 05:06 12 --a------ c:\windows\bthservsdp.dat
2009-04-03 18:12 . 2009-04-04 05:24 105,170 --a------ c:\windows\system32\drivers\7c496f5c.sys
2009-04-02 06:08 . 2009-04-02 06:10 <DIR> d-------- c:\documents and settings\mshafik\Application Data\PersonalBrain
2009-04-02 06:08 . 2009-04-02 06:08 103 --a------ c:\documents and settings\EditLiveForJava.ini
2009-03-30 05:31 . 2009-03-30 05:31 <DIR> d-------- c:\program files\Common Files\xing shared
2009-03-29 08:59 . 2009-03-29 08:59 <DIR> d-------- c:\program files\SeaCOM
2009-03-29 08:58 . 2009-03-29 08:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\pdf995
2009-03-29 08:58 . 2009-03-29 08:58 249,856 --a------ c:\windows\system32\pdfmona.dll
2009-03-29 08:58 . 2009-03-29 08:58 51,716 --a------ c:\windows\system32\pdf995mon.dll
2009-03-29 08:58 . 2009-03-29 08:58 121 --a------ c:\windows\wpd99.drv
2009-03-29 08:57 . 2009-03-29 08:57 <DIR> d-------- c:\program files\TextPad 4
2009-03-29 08:57 . 2009-03-29 08:58 <DIR> d-------- C:\pdf995
2009-03-29 08:57 . 2008-10-08 00:46 131,072 --a------ c:\windows\system32\tsimcomm.dll
2009-03-29 08:57 . 2003-08-18 10:03 118,507 --a------ c:\windows\system32\drivers\SeaCOM2k.sys
2009-03-29 08:57 . 2008-10-08 00:46 98,304 --a------ c:\windows\system32\asapcomm.dll
2009-03-29 08:57 . 2008-10-08 02:09 18,048 --a------ c:\windows\system32\drivers\tsim1394.sys
2009-03-29 08:57 . 2008-10-08 00:54 18,048 --a------ c:\windows\system32\drivers\asap1394.sys
2009-03-29 08:54 . 2009-03-29 08:54 <DIR> d-------- C:\dotnet
2009-03-29 08:54 . 2009-03-29 08:55 <DIR> d-------- C:\common_install
2009-03-22 05:56 . 2009-03-22 05:56 0 --a------ c:\windows\depth.INI
2009-03-20 07:01 . 2009-03-20 07:00 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-20 07:01 . 2009-03-20 07:00 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-18 01:26 . 2009-03-18 01:28 275,456 --a------ c:\windows\system32\gfbaksm.dat
2009-03-18 01:25 . 2009-03-23 02:47 <DIR> d-------- c:\program files\GetFLV
2009-03-18 01:25 . 2009-03-10 06:43 1,064,960 --a------ c:\windows\system32\vbsgf.dll
2009-03-18 01:25 . 2009-03-04 23:59 275,456 --a------ c:\windows\system32\gfkernel.dll
2009-03-18 00:22 . 2009-03-18 00:47 <DIR> d-------- c:\windows\system32\Adobe
2009-03-18 00:13 . 2009-04-04 03:06 <DIR> d-------- c:\program files\Save Flash
2009-03-12 12:09 . 2009-03-12 12:09 1,440,056 --a------ c:\windows\system32\IADC_Splashscreen.bmp
2009-03-12 11:43 . 2008-06-17 21:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-03-11 02:51 . 2009-03-11 02:54 <DIR> d-------- c:\documents and settings\mshafik\Phone Browser
2009-03-11 02:51 . 2009-03-11 02:51 <DIR> d-------- c:\documents and settings\mshafik\Application Data\DataLayer
2009-03-11 02:51 . 2008-04-14 00:24 22,016 --a------ c:\windows\system32\drivers\MSIRCOMM.sys
2009-03-11 02:51 . 2008-04-14 00:24 22,016 --a--c--- c:\windows\system32\dllcache\msircomm.sys
2009-03-11 02:50 . 2009-03-11 02:51 <DIR> d-------- c:\documents and settings\mshafik\Application Data\Nokia
2009-03-11 02:49 . 2009-03-11 02:49 <DIR> d-------- c:\documents and settings\mshafik\Application Data\PC Suite
2009-03-11 02:48 . 2009-03-11 02:48 <DIR> d-------- c:\program files\Common Files\PCSuite
2009-03-11 02:48 . 2009-03-11 02:48 <DIR> d-------- c:\program files\Common Files\Nokia
2009-03-09 11:58 . 2009-03-09 11:58 332 --a------ c:\windows\system32\DM_bg.cfg
2009-03-05 16:54 . 2009-03-05 16:54 19 --a------ c:\windows\system32\mms.cfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 03:24 --------- d-----w c:\documents and settings\mshafik\Application Data\DMCache
2009-04-04 03:23 --------- d-----w c:\program files\Novadigm
2009-04-04 02:21 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2009-04-04 02:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-30 06:16 --------- d-----w c:\program files\Connected
2009-03-30 03:31 --------- d-----w c:\program files\Common Files\Real
2009-03-29 06:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-29 06:57 --------- d-----w c:\program files\Schlumberger
2009-03-20 05:00 --------- d-----w c:\program files\Java
2009-03-11 00:49 --------- d-----w c:\program files\Nokia
2009-03-09 23:27 --------- d-----w c:\documents and settings\mshafik\Application Data\uTorrent
2009-02-18 22:08 --------- d-----w c:\program files\temp
2009-02-17 02:06 --------- d-----w c:\program files\1-Click YouTube Downloader
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 18:32 --------- d-----w c:\program files\K-Lite Codec Pack
2009-02-05 15:21 --------- d-----w c:\program files\Real_SC
2009-02-05 11:28 --------- d-----w c:\documents and settings\mshafik\Application Data\DivX
2009-02-05 11:27 --------- d-----w c:\program files\DivX
2009-02-05 10:07 --------- d-----w c:\documents and settings\mshafik\Application Data\USBSafelyRemove
2009-02-05 10:06 --------- d-----w c:\documents and settings\mshafik\Application Data\USB Safely Remove
2008-11-24 04:42 58,432 ----a-w c:\documents and settings\mshafik\Application Data\GDIPFONTCACHEV1.DAT
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe" [2007-03-29 222128]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-01-27 2745776]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 1306624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"RUNRADTRAY"="c:\progra~1\Novadigm\radtray.exe" [2007-02-20 463022]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-30 198160]
"nwiz"="nwiz.exe" [2006-05-01 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]
"NVHotkey"="nvHotkey.dll" [2006-05-01 c:\windows\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-01-09 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 02:44 34304 c:\windows\system32\ScCertProp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-07-18 22:22 81973 c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\J:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=localadminou.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=bannerlogic.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\2]
"Script"=EnterpriseAuditors.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-654312360-1642211789-1793223425-25858\Scripts\Logon\0\0]
"Script"=changeprofile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-654312360-1642211789-1793223425-25858\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Connected TaskBar Icon.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK
backup=c:\windows\pss\Connected TaskBar Icon.LNKCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^connected taskbar icon.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Connected TaskBar Icon.LNK.disabled
backup=c:\windows\pss\Connected TaskBar Icon.LNK.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Entrust.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Entrust.lnk
backup=c:\windows\pss\Entrust.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mshafik^Start Menu^Programs^Startup^YPOPs.lnk]
path=c:\documents and settings\mshafik\Start Menu\Programs\Startup\YPOPs.lnk
backup=c:\windows\pss\YPOPs.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Connected Agent]
--a------ 2008-08-08 19:21 331776 d:\program files\FTL\FTLAgent.Net.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FTL Email Agent]
--a------ 2008-08-08 19:21 194192 d:\program files\FTL\FTLAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 14:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\orderreminder]
-ra------ 2006-01-30 18:00 98304 c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-03-30 05:30 198160 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
--a------ 2006-07-18 22:22 151552 c:\program files\Timbuktu Pro\tb2logon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AtlasDailyPacketService"=2 (0x2)
"AgentSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\#Media\QuickTime Alternative\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\raduishell.exe"=
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\Connected\\COBackup.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"d:\\Program Files\\FTL\\FTL.exe"=
"d:\\Program Files\\FTL\\FTLAgent.Net.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Schlumberger\\WITS Server\\bin\\wits.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\HSPM\\hspmdllcomp.exe"=
"c:\\HSPM\\profibus\\witssender.exe"=
"c:\\HSPM\\profibus\\ProfibusGateway.exe"=
"c:\\HSPM\\hvss.exe"=
"c:\\HSPM\\witssimulator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct
"135:TCP"= 135:TCP:HSPM DCOM
"52311:UDP"= 52311:UDP:BES Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-07-19 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2006-07-19 17664]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-04-30 64160]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2006-10-04 33664]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2006-07-18 52432]
R2 MSSQL$RTGS_INSTANCE;MSSQL$RTGS_INSTANCE;c:\program files\Microsoft SQL Server\MSSQL$RTGS_INSTANCE\Binn\sqlservr.exe -sRTGS_INSTANCE --> c:\program files\Microsoft SQL Server\MSSQL$RTGS_INSTANCE\Binn\sqlservr.exe -sRTGS_INSTANCE [?]
R2 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\Ora817\BIN\TNSLSNR --> c:\oracle\Ora817\BIN\TNSLSNR [?]
R2 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\ORACLE.EXE gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [2007-03-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [2007-03-20 315570]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [2006-07-18 109312]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-03-01 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-03-01 10752]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 TrueTime;TrueTime; [x]
S3 ASAP_AA;Advanced Signal Acquisition Processor (ASAP-AA);c:\windows\system32\drivers\asap1394.sys [2009-03-29 18048]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2004-10-14 10240]
S3 Mp3Drv;Digital Audio Player Driver;c:\windows\system32\drivers\Mp3Drv.sys [2007-04-13 34706]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\Ora817\bin\dbsnmp.exe [2000-11-11 246332]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\Ora817\bin\ONRSD.EXE [2000-10-19 411244]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\Ora817\bin\vppdc.exe [2000-11-11 170724]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\Ora817\Apache\Apache\Apache.exe [2000-11-09 3584]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\Ora817\bin\pagntsrv.exe [2008-04-30 52224]
S3 ParadigmVScanner;USB Scanner Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2007-06-08 15104]
S3 R20_W2K;Reflex 20 Smart card reader;c:\windows\system32\drivers\R20_W2K.sys [2002-09-27 16969]
S3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [2006-07-18 16128]
S3 SQLAgent$RTGS_INSTANCE;SQLAgent$RTGS_INSTANCE;c:\program files\Microsoft SQL Server\MSSQL$RTGS_INSTANCE\Binn\sqlagent.EXE -i RTGS_INSTANCE --> c:\program files\Microsoft SQL Server\MSSQL$RTGS_INSTANCE\Binn\sqlagent.EXE -i RTGS_INSTANCE [?]
S3 StScsi;StScsi;c:\windows\system32\drivers\StScsi.sys [2007-08-19 48397]
S3 TSIM2_AA;Tool System Interface Module (TSIM2-AA);c:\windows\system32\drivers\tsim1394.sys [2009-03-29 18048]
S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2006-07-19 218112]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2006-07-19 48140]
S4 AtlasDailyPacketService;AtlasDailyPacketService;d:\program files\Schlumberger\AtlasDailyPacketService\AtlasDailyPacketService.exe [2008-03-18 36864]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-07-19 11029]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09cfb517-cd83-11dd-98d3-0015c55a5e38}]
\Shell\AutoRun\command - h:\e2e2~1\e2e2~1\pal.exe
\Shell\explore\Command - h:\e2e2~1\e2e2~1\pal.exe
\Shell\open\Command - h:\e2e2~1\e2e2~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09cfb519-cd83-11dd-98d3-0015c55a5e38}]
\Shell\AutoRun\command - f:\e2e2~1\e2e2~1\pal.exe
\Shell\explore\Command - f:\e2e2~1\e2e2~1\pal.exe
\Shell\open\Command - f:\e2e2~1\e2e2~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09cfb52a-cd83-11dd-98d3-0015c55a5e38}]
\Shell\AutoRun\command - ''??~1\''??~1\pal.exe
\Shell\explore\Command - ''??~1\''??~1\pal.exe
\Shell\open\Command - ''??~1\''??~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09cfb52b-cd83-11dd-98d3-0015c55a5e38}]
\Shell\AutoRun\command - ''??~1\''??~1\pal.exe
\Shell\explore\Command - ''??~1\''??~1\pal.exe
\Shell\open\Command - ''??~1\''??~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09cfb52c-cd83-11dd-98d3-0015c55a5e38}]
\Shell\AutoRun\command - ''??~1\''??~1\pal.exe
\Shell\explore\Command - ''??~1\''??~1\pal.exe
\Shell\open\Command - ''??~1\''??~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bfb00cd-f6e8-11db-bc82-0015c55a5e38}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bfb00ce-f6e8-11db-bc82-0015c55a5e38}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14f449e1-fe10-11dd-98e2-0015c55a5e38}]
\Shell\AutoRun\command - ''??~1\''??~1\pal.exe
\Shell\explore\Command - ''??~1\''??~1\pal.exe
\Shell\open\Command - ''??~1\''??~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ce3341d-ef81-11db-bc7b-0015c55a5e38}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd1d81c-4f14-11dc-bcb0-0015c55a5e38}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd1d81d-4f14-11dc-bcb0-0015c55a5e38}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e33ca32-5c4b-11dc-bcb8-0015c55a5e38}]
\Shell\AutoRun\command - f:\.\Autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{423c2fae-7277-11dc-bcbf-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a1ef378-f3b3-11dd-98e0-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AutoRun\Autorun.exe
\Shell\´ٍ؟ھ(&O)\command - autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a78b245-54b9-11dc-bcb4-0015c55a5e38}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a78b246-54b9-11dc-bcb4-0015c55a5e38}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a28362-1cac-11de-98e9-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AutoRun\Autorun.exe
\Shell\´ٍ؟ھ(&O)\command - f:\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0818df-8314-11dd-98c1-0015c55a5e38}]
\Shell\Auto\command - mshta.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL mshta.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{826312a6-5352-11dd-98b1-0015c55a5e38}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{826312a7-5352-11dd-98b1-0015c55a5e38}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{826312e6-5352-11dd-98b1-0015c55a5e38}]
\Shell\AutoRun\command - f:\e2e2~1\e2e2~1\pal.exe
\Shell\explore\Command - f:\e2e2~1\e2e2~1\pal.exe
\Shell\open\Command - f:\e2e2~1\e2e2~1\pal.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bc45148-3483-11dc-bca2-0015c55a5e38}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd17774-e811-11db-bc77-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97454c00-fc14-11dc-989b-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad790bab-1ffc-11dd-98a6-0015c55a5e38}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - rundll32.exe .\\kbdit1e2.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0b3bb01-ca43-11db-bc6b-0015c55a5e38}]
\Shell\AutoRun\command - e9ehn1m8.com
\Shell\explore\Command - e9ehn1m8.com
\Shell\open\Command - e9ehn1m8.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4d0d55e-a8d9-11dd-98c6-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL chkdisk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be4c0aba-06db-11dc-bc86-fea56890b2e9}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4f6f9c6-5ef6-11dd-98b5-0015c55a5e38}]
\Shell\AutoRun\command - F:\e.com
\Shell\explore\Command - F:\e.com
\Shell\open\Command - F:\e.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c651ad22-4791-11dc-bcac-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c651ad2f-4791-11dc-bcac-0015c55a5e38}]
\Shell\AutoRun\command - F:\krg62.cmd
\Shell\explore\Command - F:\krg62.cmd
\Shell\open\Command - F:\krg62.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb783146-0c5e-11dd-98a0-0015c55a5e38}]
\Shell\AutoRun\command - ermvu8.cmd
\Shell\explore\Command - ermvu8.cmd
\Shell\open\Command - ermvu8.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\At2.job
- c:\windows\System32\RadiaVeri.vbs [2008-11-22 10:55]

2009-04-03 c:\windows\Tasks\User_Feed_Synchronization-{59FC6E3B-7BB6-4E28-A1F2-0B3AB57C5A9D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-GetInfo - c:\program files\McAfee\Common Framework\GetInfo.exe
MSConfigStartUp-KEWelcomeReBoot - d:\#notupdated\Software\Driver\STMP-3410USBMemory\Welcome.exe
MSConfigStartUp-RealPlayer - c:\program files\#Media\Realplayer\realplay.exe
MSConfigStartUp-SwiftToDoListLite - c:\program files\Swift To-Do List\Swift To-Do List Lite.exe
MSConfigStartUp-usb safely remove - c:\program files\USB Safely Remove\USBSafelyRemove.exe
MSConfigStartUp-Password Reminder - remind.vbs


.
------- Supplementary Scan -------
.
uStart Page = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Connection Wizard,ShellNext = hxxp://hub.slb.com/
uInternet Settings,ProxyOverride = <local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\ART\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
Trusted Zone: abbeyinternational.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: citibank.com
Trusted Zone: etrade.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: microsoft.com
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: skillport.com
Trusted Zone: skillport.com\slb
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
TCP: {6C58B8E2-2CD3-4476-A104-2A51CFDD3EB1} = 213.131.64.2,213.131.64.3
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4409A1D5-C9D3-4DC0-98FE-126B08435A9A} - hxxps://interact.slb.com/webdd/LgWrapper2.CAB
DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} - hxxps://interact.slb.com/webdd/LgWrapper.CAB
FF - ProfilePath - c:\documents and settings\mshafik\Application Data\Mozilla\Firefox\Profiles\teo2ehxx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\mshafik\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 05:24:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxfihafkmfjjlypyubayuhxmalvbodlnq]
"imagepath"="\systemroot\system32\drivers\ovfsthuquyagrkkxcobvtadjribxxgicmdmuyx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome817PagingServer]
"ImagePath"="c:\oracle\Ora817/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome817TNSListener]
"ImagePath"="c:\oracle\Ora817\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\7c496f5c]
"ImagePath"="\SystemRoot\System32\drivers\7c496f5c.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):19,f9,a5,14,35,2f,50,e6,a5,b2,ab,71,b5,a9,f5,68,1a,52,11,01,98,
e9,46,f9,0f,1f,3a,92,25,a4,fe,62,ff,e6,11,40,64,6e,75,f0,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d0a485ab-0b51-4f7c-ad63-ab40e1f5d6dc}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005c
"Therad"=dword:00000006
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,b4,5b,3d,61,
a2,2d,9f,05,98,32,02,34,2b,da,61,ed,aa,60,f6,02,d0,63,37,d3,79,22,18,3a,ef,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ط•€|ےےےے•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\ScCertProp.dll
.
Completion time: 2009-04-04 5:25:53
ComboFix-quarantined-files.txt 2009-04-04 03:25:50

Pre-Run: 3,254,915,072 bytes free
Post-Run: 3,708,981,248 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=2 Sets=1,2,3,4
489




Please advise and help.
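A triage pass over the two parts of the log above that carry the actual indicators, as an added example: this is my own script, not ComboFix output and not anything from the original post. The MountPoints2 keys are Explorer's per-volume cache of the AutoRun commands read from an autorun.inf on each removable disk that has ever been plugged in, so the chain of entries pointing at things like h:\e2e2~1\e2e2~1\pal.exe, Recycled\ctfmon.exe or e9ehn1m8.com records infected USB media even after the media is gone; the Services block printed beside the catchme scan shows two drivers with random-looking names (the ovfsth* service and 7c496f5c.sys) in the active control set. The script parses a ComboFix-style excerpt copied from the log above and flags entries with a handful of heuristics that are my own assumptions about what is worth a second look (rundll32 ShellExec_RunDLL indirection, 8.3 short-name or Recycled paths, .com/.cmd/.pif and similar targets, one target bound to AutoRun plus the open/explore verbs, random-looking service or driver names). They produce candidates for manual review, not verdicts: the entry F:\LaunchU3.exe -a, for instance, is not flagged.

```python
"""Triage of a ComboFix log excerpt: MountPoints2 AutoRun cache + service entries.
Added example for this thread (author's own heuristics); not part of ComboFix."""
import re

# Excerpt copied from the log posted above, trimmed to a few representative keys.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09cfb517-cd83-11dd-98d3-0015c55a5e38}]
\Shell\AutoRun\command - h:\e2e2~1\e2e2~1\pal.exe
\Shell\explore\Command - h:\e2e2~1\e2e2~1\pal.exe
\Shell\open\Command - h:\e2e2~1\e2e2~1\pal.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bfb00cd-f6e8-11db-bc82-0015c55a5e38}]
\Shell\Auto\command - OSO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ce3341d-ef81-11db-bc7b-0015c55a5e38}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd17774-e811-11db-bc77-0015c55a5e38}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0b3bb01-ca43-11db-bc6b-0015c55a5e38}]
\Shell\AutoRun\command - e9ehn1m8.com
\Shell\open\Command - e9ehn1m8.com
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxfihafkmfjjlypyubayuhxmalvbodlnq]
"imagepath"="\systemroot\system32\drivers\ovfsthuquyagrkkxcobvtadjribxxgicmdmuyx.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome817TNSListener]
"ImagePath"="c:\oracle\Ora817\BIN\TNSLSNR "
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\7c496f5c]
"ImagePath"="\SystemRoot\System32\drivers\7c496f5c.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VERB_RE = re.compile(r"^\\Shell\\(.+?)\\command\s+-\s+(.*)$", re.IGNORECASE)
IMAGE_RE = re.compile(r'^"imagepath"="(.*)"$', re.IGNORECASE)
SHELLEXEC_RE = re.compile(r"shellexec_rundll\s+(.+)$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^(?:[0-9a-f]{8}|[a-z]{16,})$")  # 7c496f5c / ovfsth... style
RISKY_EXT = {".com", ".cmd", ".bat", ".pif", ".scr", ".vbs", ".hta"}
LURE_NAMES = {"mshta.exe", "ctfmon.exe"}  # belong in system32; a copy on a USB stick is a lure

def launched_file(cmd):
    """File an AutoRun command really starts, unwrapping rundll32 ShellExec_RunDLL."""
    m = SHELLEXEC_RE.search(cmd)
    parts = (m.group(1) if m else cmd).split()
    return parts[0] if parts else ""

def autorun_reasons(cmd):
    """Heuristic reasons (assumptions of this example) why one AutoRun command is suspect."""
    target = launched_file(cmd)
    name = target.replace("/", "\\").split("\\")[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    checks = [
        (SHELLEXEC_RE.search(cmd), "launched through rundll32 ShellExec_RunDLL"),
        (ext in RISKY_EXT, ext + " target"),
        ("~1" in target, "8.3 short-name path"),
        ("recycled" in target.lower(), "target inside Recycled"),
        (name in LURE_NAMES, name + " copied onto removable media"),
    ]
    return [why for hit, why in checks if hit]

def service_reasons(name, image):
    reasons = []
    if RANDOM_NAME_RE.match(name.lower()):
        reasons.append("random-looking service name")
    stem = image.strip().replace("/", "\\").split("\\")[-1].rsplit(".", 1)[0].lower()
    if RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking image file name")
    return reasons

def triage(log_text):
    """Return {'autorun': [(key, targets, reasons)], 'services': [(name, image, reasons)]}."""
    autorun, services = [], []
    current, verbs = None, {}

    def close_key():  # one finding per MountPoints2 key, reasons merged over its verbs
        reasons = []
        for cmd in verbs.values():
            reasons += [r for r in autorun_reasons(cmd) if r not in reasons]
        targets = {launched_file(c).lower() for c in verbs.values()}
        if len(verbs) >= 2 and len(targets) == 1:  # AutoRun + open/explore all hijacked
            reasons.append("one target bound to verbs %s (runs on double-click/Explore, "
                           "not only via AutoPlay)" % ", ".join(sorted(verbs)))
        if reasons:
            autorun.append((current, ", ".join(sorted(targets)), reasons))

    for line in (ln.strip() for ln in log_text.splitlines()):
        k, v, i = KEY_RE.match(line), VERB_RE.match(line), IMAGE_RE.match(line)
        if k:
            close_key()
            current, verbs = k.group(1), {}
        elif v and current and "\\mountpoints2\\" in current.lower():
            verbs[v.group(1).lower()] = v.group(2).strip()
        elif i and current and "\\services\\" in current.lower():
            svc, image = current.rsplit("\\", 1)[-1], i.group(1).strip()
            reasons = service_reasons(svc, image)
            if reasons:
                services.append((svc, image, reasons))
    close_key()
    return {"autorun": autorun, "services": services}

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG).items():
        for key, value, reasons in findings:
            print(kind, key, value, "|", "; ".join(reasons))
```

Fed the full log instead of the excerpt, the same rules also pick up the sxs2.exe, antihost.exe, mshta.exe, Setup.pif, chkdisk.exe, Sys.exe, krg62.cmd, ermvu8.cmd and F:\e.com entries, and leave setupSNK.exe and the two StartVMCLite.exe keys alone. They miss the key whose open verb is rundll32.exe .\\kbdit1e2.dll,InstallM (a DLL loaded from the volume root), which is the kind of case a rule set like this grows to cover as you see more samples. Items elsewhere in the log that the parser does not look at but that belong on the same review list are On-access scanning disabled in the header, NoAutoUpdate=1, and the firewall's globally open ports.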

#2 bluebirdm (Topic Starter, New Member, 2 posts)
Thanks, I solved the problem; I got a lot of help from other topics and just used some of the software mentioned.

For the NTOSKRNL-HOOK: after using Kaspersky & Malwarebytes it is removed, and I have access to USB again.

For the BO Heap:
C:\WINDOWS\System32\services.exe:WS_32.socket
C:\WINDOWS\System32\services.exe:ADVAPI32:RegOpenKeyA

After using AVZ and restarting the PC, it is gone.

:)

Thanks,