Here is my 2¢...
I have been studying this trojan and I have noticed:
PendingFileRenames value is monitored, if this value contains the name of the dll that is the carrier, it is overwritten with random characters. This pretty much negates any attempt by antivirus to remove the DLL.
Several have commented on how the file does not exist after a reboot to safe mode. It seems like the virus is renaming itself and loading itself into the PendingFileRenames value. Note the date/time stamp and the exact size of the file and search based on this instead of the name only.
Possible remedy: (not for the technically challenged...)
Close all apps.
Delete the PendingFileRenames value (REG_MULTI_SZ), not the hive.
Power the machine off. (Yank the power cord on the newer boxes, as pressing the power button will initiate a shutdown.) This should not hurt an NT/W2K/XP box.
ENABLE BOOT SECTOR WRITE PROTECTION IN THE BIOS.
Reboot to safe mode or preferably, reboot using the recovery console.
Search for the file, or any file that fits the description. (date/time or size...)
Run chkdsk /f from cmd prompt and delete any recovered files.
Check the PendingFileRenames value (REG_MULTI_SZ) and verify any entries.
Let us know if this works...
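The registry and file-search steps of the remedy above, as an added example that is not part of the original post. It assumes the value the poster calls "PendingFileRenames" is the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where Windows keeps renames and deletes to be applied at the next boot (entries come in source/destination pairs; an empty destination means delete). The DLL name, size and timestamp are placeholders to be replaced with what you noted before rebooting. It is written for PowerShell run from an elevated prompt in Safe Mode on a box that has PowerShell; the Recovery Console and NT/W2K-era cmd cannot run it, so on those boxes the same steps are done with regedit and dir by hand.

```powershell
# Added example, not from the original post.
# Lists PendingFileRenameOperations, flags entries that mention the suspect DLL,
# optionally deletes the value (only the value, never the Session Manager key),
# and hunts for the carrier by exact size / timestamp rather than by name.
param(
    [string]$SuspectName = 'carrier.dll',          # placeholder: name AV reported
    [long]$SuspectSize = 0,                        # placeholder: exact byte size noted earlier
    [datetime]$SuspectTime = [datetime]::MinValue, # placeholder: timestamp noted earlier
    [switch]$ClearValue                            # actually delete the registry value
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

function Get-PendingRenames {
    # REG_MULTI_SZ comes back as string[]; entries are (source, destination) pairs.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $entries = @($item.$name)
    $pairs = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        $pairs += [pscustomobject]@{
            Source      = $entries[$i]
            Destination = $dst
            Action      = if ($dst -eq '') { 'DELETE' } else { 'RENAME' }
        }
    }
    return $pairs
}

$pending = @(Get-PendingRenames)
if ($pending.Count -eq 0) {
    Write-Host "No $name entries present."
} else {
    $pending | Format-Table -AutoSize
    # Paths in this value are usually of the form \??\C:\path\file, so match on the tail.
    $hits = $pending | Where-Object {
        $_.Source -like "*$SuspectName" -or $_.Destination -like "*$SuspectName"
    }
    if ($hits) { Write-Warning "Pending operations reference $SuspectName - inspect before clearing." }
}

if ($ClearValue -and $pending.Count -gt 0) {
    # Remove just this value; the rest of the Session Manager key stays intact.
    Remove-ItemProperty -Path $key -Name $name
    Write-Host "$name cleared."
}

# Search the system drive by size and/or last-write time instead of by name,
# since the poster reports the carrier renames itself between boots.
$candidates = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($SuspectSize -gt 0 -and $_.Length -eq $SuspectSize) -or
        ($SuspectTime -ne [datetime]::MinValue -and
         [math]::Abs(($_.LastWriteTime - $SuspectTime).TotalSeconds) -lt 2)
    }
$candidates | Select-Object FullName, Length, LastWriteTime, CreationTime
```

Run it once without -ClearValue to see what is queued, then again with -ClearValue only after you have read the entries; legitimate installers and Windows Update also use this value, so clearing it blindly can leave a half-finished update. Re-run after the reboot to confirm the value has not been repopulated, which is the check in the last step of the remedy.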