Something strange is lurking

Hi,
This is my first post. Something weird is occuring on my Windows XP Pro machine. Everytime I start up my PC, McAfee 8 "Enable on-access scan" is disabled. The McAfee Framework service and Network Associates McShield and Network Associates Task manager services are also disabled. I noticed a folder called C:\WINDOWS\exefld has been created and a file named 138531.exe created.
I have used SpyBot, McAfee and LavaSoft; but know known problems were found. I understand from similar searches on Google that this may be a Trojan.
Any help would be appreciated.

 

Hi TimW,
Email 1 of 3
Thanks for the reply, followed your instructions. I couldn't boot up in safe mode. I had a blue screen, asking me to check for a virus, remove hd and do a chkdsk etc.
I ran CounterSpy twice the first time I asked for the trojan to be removed: there is a difference between the two; the second mentions a Worm. I will attach both logs + the Bitdefender One (renamed ext to txt from html; couldn't upload an html file).
My McAfee services are still being disabled.
Thanks for your help.

 

Hi,
Part 2 of 3

 

Hi,
Part 3 0f 3
Thanks Again.

 

Hi TimW,
Part 1 of 2
Again thanks for your reply. I have attached the three logs as requested.
Things that stood out for me on the RegRunRun - anti-Spyware wizard were:


1). Bootexecute Value=autocheck autochk *\n Default Value=autochk* (there were two of these) both marked as suspicious

2). Drivers mc21D.tmp Value=C:\DOCUME~1\<MYUSERNAME>\LOCALS~1\TEMP\MC21D.TMP - marked as a warning

3). There was one item that was listed as Dangerous by RegRun:
%UserProfile%\Application Data\hidires\hidr.exe. I looked it up at Symatec
http://www.symantec.com/security_response/writeup.jsp?docid=2006-032316-2221-99&tabid=3 and asked RegRun to fix it.

I have noticed in my registry I still have the key HKCU-Software-FirstRRRun | Name = FirstRR23232Run Type = REG_DWORD Data = 0x00000001(1); I understand this may be part of my problem; there is also a key FirtR, I wondered if this is OK. The folder C:\WINDOWS\exefld is still present but empty.

 

Hi TimW,
Part 2 of 2
I won't be around after today until Monday.
Thanks for your help.

 

Hi TimW,
Just found this hidden folder on my network profile \\ihaa.local\users\profile\<myname>\appdata\hidires
it contains the files
flec003.exe
hidr.exe
m_hook.sys

 

Hi TimW,
Here are the reports. Just to note I manually deleted the three files from the folder \\ihaa.local\users\profile\<myname>\appdata\hidires and I returned to a previous Win XP Restore point. So far nothing suspicious appears to be happening. I have also turned off the Restore function; should I turn it back on? Next week I intend to go thru the Read & Run Me First procedure again to double check.
Thanks again for taking the time and energy to help.