I am looking at this post mortem so I can't tell you what malware was removed.
What I can say is that it sounds similar to the ACCDFISA malware described here:
Files (pdf, jpg, doc, rtf, etc) are appended with new extension .html, new headers are added into the code itself (see below), and the file data is encrypted and commented out in the "html file". I'd imagine the encryption occurs prior to the headers getting added, but that's of minor concern. I am pretty sure the files are encrypted because file sizes seem accurate and of different lengths, and an RTF file was not plain text.
I have two questions:
1. does anyone have any ideas how to fix this
2. if not, could you at least be able to tell how the file was encrypted if an example file was given and some thoughts on how best (if possible) to decrypt the file
ta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid=
and ends with
Thanks for any help that can be provided.