The Mudcat Café TM
Thread #76960   Message #1368332
Posted By: JohnInKansas
31-Dec-04 - 02:09 PM
Thread Name: Tech: Theft from someone's PC: possible?
Subject: RE: Tech: Theft from someone's PC: possible?
I don't recognise the "XE" mentioned. If it's a typo for XP, then some drive activity is probably normal. I can't comment if it's "CE."

Among other things, any user who has set up for automatic updates will see automatic downloads of OS patches and/or AV updates at random times. XP also does things like automatic compression of files that haven't been used recently, along with a number of other "bookkeeping" activities.

The most disturbing comment is about inability to access Norton. Many currently active "worms" and other malware attempt to destroy AV protections. There are also a number of worms extant that attempt to connect to their "source" sites to download additional malware.

Your friend should immediately go to Norton Security Check and run the "Scan for Viruses" there.

If he is using an OS (mainly WinME or WinXP) that has an automatic "System Restore" he should turn that off to delete any old and possibly infected backups of the Registry before running the AV scan. (If concerned about losing "restore" capability, he can make a manual backup of the Registry somewhere where the automatic System Restore can't put it back without his permission.)

Immediately after getting a clean report for viral infection, he should run the "Scan for Security Risks" at the same site. If he has a firewall, he will be asked for permission to penetrate it and should give the necessary permission.

In case he can't visit here to use the link, it's:

http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=OQVUWFVYZZALEWNSWLW

It can be accessed from the http://security.symantec.com home page, but takes a little "digging around."

If his Norton has been disabled by a malware infection, the scan direct from the Symantec web site will be able to find any VIRAL infection. There are a number of malware infections currently in circulation that are not viral and cannot be detected by basic AV programs. The "Scan for Security Risks" will tell him if he has unexpected "open ports" that may have been opened by malware to communicate with a "home site" and/or if he's just got a sloppy setup that can be better protected by adjusting his setup.

If the Norton web scan finds a virus, it should give him a link to instructions for removal of anything it can't clean up immediately. It may or may not find non-viral malware, but will refer to instructions for any that are found.

There are several non-viral malware instances in circulation now. These are not generally detected by basic AV programs, since they download as "programs" that through some trickery manage to claim that you "asked for the program." The most prevalent are the "Search Engine Hijack" worms that change your default search page to something else. They may also install a "search toolbar." The "search engine" gets paid for every "hit" that's made from their "searches." Most such searches are just canned lists of people who have agreed to pay them. Unfortunately most include people who pay them to send you to sites where they can download other malware.

The most "insidious" malware probably is the group of "zombie" worms that download a program that opens ports that someone else can use to make your machine send spam, spread their worm, or do other things you don't want it doing. In most cases, simple AV will NOT DETECT these. A common "first clue" is when one of the "zombies" downloads a virus that they intend to use your machine to spread. The downloaded virus may be detected. The "home sites" for these are generally disabled fairly quickly, so your system may just "fall apart" due to attempts by the worm to contact a site that doesn't exist.

The most accepted programs for finding if you've been infected by one of the non-viral malware components are probably Spybot and Ad-Aware, and one or both of these should be obtained and run with current search definitions if there is any reason to suspect something is wrong.

As of a few days ago, there were only three "exploits" in known circulation that do not use "holes" in Windows for which patches are available. Those three are now on the "critical list" and patches should be available soon. The infections using the unpatched holes are not (yet) in wide circulation, so it's unlikely anyone here has seen them. Get current, by getting available updates from Microsoft. (WinXP users who are still concerned can get most updates without installing SP2.)

And hang up your cell phone. Source code for the cell-phone worm, previously able to infect only one particular kind of phone, was "leaked" on the internet last week. It is expected that new versions will be capable of infecting all web-capable cell phones within a couple of weeks. Sorry, I can't help there.

John
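The post above recommends the Symantec "Scan for Security Risks" to spot unexpected "open ports" that malware may have opened to reach a "home site." The same check can be done locally by comparing what the machine is actually listening on against the ports its known services should own. The script below is an added example and is not part of JohnInKansas's post or of any Symantec tool; it parses a constructed sample of Windows `netstat -an` output (the sample lines, the port numbers in it, and the `EXPECTED_PORTS` baseline are all assumptions made up for the illustration) and reports listeners that are not on the baseline, separating loopback-only sockets from ones reachable from the network.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample of `netstat -an` output in the Windows layout.
# The ports and addresses are made up for this example; a real check
# would feed in the live output of `netstat -an` on the machine being examined.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      203.0.113.7:80         ESTABLISHED
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Assumed baseline: the (protocol, port) pairs the owner knows legitimate
# Windows services on this machine use. Anything else is worth a look.
EXPECTED_PORTS: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# One netstat row: proto, local addr:port, foreign addr, optional state.
# UDP rows have no State column, so the last group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

Listener = Tuple[str, str, int]  # (proto, local_ip, port)


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return every socket that accepts traffic: TCP rows in LISTENING state
    and all UDP rows (UDP has no connection state)."""
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrelated line
        proto, local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not open ports
        listeners.append((proto, local_ip, int(port)))
    return listeners


def exposure(local_ip: str) -> str:
    """Loopback-bound sockets cannot be reached from the network; anything
    else (0.0.0.0, a LAN address, [::]) is reachable from outside."""
    if local_ip.startswith("127.") or local_ip in ("::1", "[::1]"):
        return "loopback-only"
    return "network-exposed"


def unexpected_listeners(netstat_text: str,
                         expected: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners whose (proto, port) is not on the known-good baseline."""
    return [(proto, ip, port)
            for (proto, ip, port) in parse_listeners(netstat_text)
            if (proto, port) not in expected]


def report(netstat_text: str,
           expected: Set[Tuple[str, int]]) -> List[Tuple[str, str, int, str]]:
    """Unexpected listeners annotated with their exposure, most serious first."""
    rows = [(proto, ip, port, exposure(ip))
            for (proto, ip, port) in unexpected_listeners(netstat_text, expected)]
    # Network-exposed sockets come before loopback-only ones.
    rows.sort(key=lambda r: (r[3] != "network-exposed", r[0], r[2]))
    return rows


if __name__ == "__main__":
    for proto, ip, port, expo in report(SAMPLE_NETSTAT, EXPECTED_PORTS):
        print(f"{proto:4} {ip}:{port:<6} {expo}")
```

A network-exposed listener that no installed program accounts for is the condition the post describes: a port opened so that someone else can reach the machine. The next step for a defender is to identify the owning process (on Windows XP, `netstat -ano` adds the PID column) and verify it against the list of installed software rather than guessing from the port number alone.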