Endpoint Protection

1. Information on W32.Trats

    Posted Jan 11, 2008 10:49 AM
I have been fighting an infection and found a bit of information that wasn't in the Symantec removal information. Perhaps it is only applicable to this PC, but here is the information. I will add the information surrounded by *s.
In safe mode I followed the instructions, but each time I restarted in safe mode and looked at the location the infected files existed in, they were recreated. So there was still something in the registry that was re-creating them on login. I searched and found the registry key that I've added; once I removed it the files didn't re-appear.
     
    Excerpt from Symantec's information, edited to remove links
     
    4. To delete the value from the registry
    Important:
    Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.
    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

    4. Restore the following registry entries to their previous values, if required:

      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "[RANDOM CHARACTERS].exe"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Notification Packages" = "scecli [RANDOM CHARACTERS].dll"
  ADDITIONS * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Authentication Packages" reference to "[RANDOM CHARACTERS]" *
    5. Exit the Registry Editor.
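A defender-side audit of the three registry locations named above, as an added example in PowerShell that is not part of the post or of Symantec's write-up. The baselines (scecli for Notification Packages, msv1_0 for Authentication Packages, no load value) are assumed stock defaults and must be extended on machines where password filters or other security packages are legitimately installed.

```powershell
# Added example, not from the forum post or Symantec's write-up.
# Audits the three registry locations the post names for values that
# stray from a baseline. Baselines are assumptions for a stock install:
# domain controllers, password filters and third-party SSPs add entries
# and must be whitelisted in Expected before a WARN is trusted.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'Notification Packages';  Expected = @('scecli') },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'Authentication Packages'; Expected = @('msv1_0') },
    # 'load' is per-user: run this inside each profile that showed the infection.
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
       Name = 'load';                    Expected = @() }
)

foreach ($c in $checks) {
    $name = $c.Name
    $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "[ok]   $name: not set"
        continue
    }
    # REG_MULTI_SZ comes back as a string array; 'load' is a single REG_SZ.
    $values = @($item.$name) | Where-Object { $_ -ne '' }
    $extra  = @($values | Where-Object { $c.Expected -notcontains $_ })
    if ($extra.Count -eq 0) {
        Write-Output "[ok]   $name = $($values -join ', ')"
        continue
    }
    Write-Output "[WARN] $($c.Path)\$name has unexpected entries: $($extra -join ', ')"
    foreach ($e in $extra) {
        # LSA package names resolve to System32\<name>.dll; 'load' holds a path or exe.
        $file = if ($e -match '\\|\.exe$') { $e } else { Join-Path $env:SystemRoot "System32\$e.dll" }
        if (Test-Path -LiteralPath $file) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            Write-Output "       -> $file  SHA256=$hash"
        } else {
            Write-Output "       -> $file not found on disk (check for a hidden or renamed copy)"
        }
    }
}
```

Run it from an elevated prompt so the HKLM values are readable, and record the hashes of any flagged files before removing the registry entries, since the post shows the files are recreated at login while the references remain.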