After running Webroot Spysweeper (updated) and SmitFix (for SmitFraud threat) all virus/spyware symptoms are gone. But then I install Norton Avtivirus 2006 (updated) and it's AutoProtect program finds Windows/system32/l*.tmp (many variations) where * is 3 or 4 mixed characters and numbers. It says they are all generic Trojan Horse threats and cannot be removed because they are being accessed.
WHAT IS THE CORRECT THREAT NAME? Have you ever seen this? If so, how was it resolved.
Overnight my customer is running NAV 2006 scan and maybe it will remove all during a reboot after scan (which gets around the "being accessed" error). And maybe not. He will call me tomorrow to let me know.
Windows XP Home SP2. Also a HJT log exists and is being analyzed by a Security expert but I did not see anything that stands out in the log. A partial Panda scan log is also being examined,