HJT, BD, PAS logs

I've been through the steps. Just not sure if computer is cleaned of Trojan, so I didn't run "Step 1" yet (Disable Restore). So far nothing bad happening (was getting lots of NAV scanning windows popping up). Logs attached. All except HJT run in safe mode, should I run anything more in normal mode?

Thanks for the help! This site is fantastic!
Tom

 

After reviewing and searching for info, the items that look suspicious to me on the above HJT log are (should I hit "fix" in HJT?):

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C1A0FB-B5F2-4108-9E3D-968F013C7ED3}: NameServer = 209.116.241.10,216.99.225.31,216.99.233.253
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

Thanks,
Tom