Virus using Norton AV 2009 as an integral part of its infection scheme

I have a nasty infection that actually seems to be using Norton AV 2009 as part of its infection scheme.  I am looking for some help in removing it. Norton AV does not prevent the infection and cannot identify it or remove it.


I have a Compaq Presario with XP Home, SP3.  It has Norton AV 2009, version 16.0.0.125 installed and running before the computer was ever put online. Updates have been automatic and current.  Norton AV is the only real-time anti-virus software installed.


The PC became erratic and started generating fake virus warnings.  The task manager and many other programs were disabled.  It will not reboot in Safe mode, as it crashes and then starts the boot process over again.


I ran Norton AV full scan which did not find any problems.  However, a while later Norton reported blocking a virus that appeared (I lost the name of the virus in the logs when I reinstalled Norton AV later).


I ran Malwarebytes' Anti-Malware program (log attached – mbam-log-2009-08-12 (23-55-56).txt).  It removed several items and stopped the fake virus warnings, but the computer would still crash often (quietly, no blue screen and no re-boot) after a period of idle time.  Safe mode still does not work.


I ran GMER (log attached – gmer.log) and found unknown code hooking Norton SYMEVENTS.sys and SYMEFA.sys in the SSDT.  The SYMEFA.sys call was now redirected to a non-existent file.  Evidently the computer crashed when the idle scan was about to start.  I turned off Norton Idle scan (Norton AV is still enabled) and the computer stabilized. It hasn’t crashed during a system idle in many hours now.


I uninstalled Norton AV 2009 and reinstalled.  Ran GMER again (log attached – gmer2-3.log <first part of the file>). The SSDT hooks appeared to have been removed.  But it still could not re-boot in safe mode.


Rebooted and ran GMER again (log attached – gmer2-3.log <second part of the file>).  The SSDT hooks returned.  The computer is stable (as long as Idle-time scan is disabled). Likely there is a device driver that is re-hooking the SSDT on boot-up.  I ran RootRepeal (log attached – RootRepeal report 08-13-09 (13-53-11).txt).


Any suggestions as to how to proceed to identify and nullify the software that is infecting this computer?


Thanks.