Possible rootkit - tcmsetupa.exe?

Hello-

Our computer (running Windows XP) is showing some signs of having a rootkit, but the various detection programs are giving ambiguous signs.
1 - Last night I was gaming (offline) and was interrupted by a "send error report" pop-up. I clicked "Don't Send" quickly, but noted it had to do with svchost.exe.

2 - When the game (StarCraft II) stalled again, we pulled the ethernet cable out and ran MalWareBytes. It found 6 Rootkit.Dropper files in the C:\Windows\Temp\ directory. I checked Properties and they were each dated (date modified) as 9PM nightly for the last 6 nights. I told it to remove them.

3 - After keeping the ethernet cable out all day, I came home and ran Rootkit Buster, which found nothing.

4 - I checked the Norton Internet Security history for the last 6 days, looking specifically around 9PM each day. There was an entry on the 4th labeled as "High Severity," "tcmsetupa.exe detected by SONAR" and Norton tagged it as "quarantined."

5 - At 9PM on the 5th, Norton has (among other things) 2 "Low Severity" entries. One says "choicea.exe made 13 modifications to your computer" and the next one says "changeb.exe made 97 modifications to your computer." Both are then tagged as "Detected."

6 - At 8:30PM on the 6th, Norton has an entry marked "Info" that says "IP address has disappeared from adapter Realtek RTL8139/810x Family Fast Ethernet NIC-packet Scheduler Miniport and is no longer being protected (IP address..." (I have the IP address but am not sure I should post it here.)

7 - We Googled changeb.exe, choicea.exe, and tcmsetupa.exe and the first two found no results (except for change.exe and choice.exe hits that were benign.) For tcmsetupa.exe, however, I found a zonealarms forum entry that directed the poster here for help.

8 - I have a HiJackThis scan log, but will refrain from posting it here until someone says it's worthwhile.

Based on this, I assume we do have a rootkit that's allowing these Dropper files in. Is it worth using HiJackThis to try to find it, or will the PC still be suspect? Should we just reformat and take this "opportunity" to go to Windows 7?

Thanks for any guidance or help. I can post the log for HiJackThis, if that's worthwhile.

Hello, yes it looks like it is.
We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.

Alright. I've posted a thread with the logs here.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.