XP Total Security 2011

- hijacks the .exe file association in the registry
- does not show up as an image hijack in autoruns!

1. determine the random executable name it chose for itself by looking at the registry
2. use process explorer to suspend the process (easier than killing it, since it respawns)
3. rename the exe file to .disabled
4. kill the process
5. clean all mentions of it out of the registry
6. search the entire filesystem for duplicate copies of the exe. its sums are:


(note: it may have mutated, so get the md5sum of your version from the .disabled file)

7. disable/uninstall Java, because that's how it got aboard (browser security is irrelevant)
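The two checks the steps above lean on, written out as an added Python example (not part of the original note): hashing the renamed .disabled file and walking a tree for byte-identical copies under any name (step 6), and parsing a .reg export of the exefile open command to see whether it still holds the stock "%1" %* (steps 1 and 5). The sample files, the directory layout and the two .reg snippets are constructed for the demo; the hijacked command line is an assumed shape, not a captured value.

```python
import hashlib, os, re, tempfile
CLEAN_EXE_COMMAND = '"%1" %*'  # stock (default) value of HKCR\exefile\shell\open\command
KEY_RE = re.compile(r"\[HKEY_[A-Z_]+\\(SOFTWARE\\Classes\\)?exefile\\shell\\open\\command\]", re.I)

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def find_copies(root, target_md5):
    hits = []  # step 6: every file under root with this MD5, whatever its name or extension
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if md5_of_file(p) == target_md5:
                    hits.append(p)
            except OSError:
                pass  # locked or unreadable file: skip it, keep walking
    return sorted(hits)

def exe_open_command(reg_export):
    """Unescaped (default) value of the exefile open command in a .reg export, or None."""
    lines = reg_export.splitlines()
    for i, line in enumerate(lines):
        if KEY_RE.fullmatch(line.strip()):
            for nxt in lines[i + 1:]:
                if nxt.startswith("["):
                    break
                if nxt.startswith("@="):  # .reg escapes \ as \\ and " as \"
                    return re.sub(r'\\(["\\])', r"\1", nxt[2:].strip().strip('"'))
    return None

def exe_association_hijacked(reg_export):
    return exe_open_command(reg_export) not in (None, CLEAN_EXE_COMMAND)

# Constructed .reg exports (not captures from a real machine): a hijacked and a clean association.
HIJACKED_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\xyz\\abc.exe\" /START \"%1\" %*"'''
CLEAN_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"'''

def demo():  # constructed fixture: the renamed .disabled file, two hidden copies, one unrelated exe
    root, payload = tempfile.mkdtemp(), b"MZ constructed sample, not real malware"
    for rel in ["abc.exe.disabled", "copy1/abc.exe", "deep/copy2/abc.exe", "notepad.exe"]:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(b"MZ unrelated" if rel == "notepad.exe" else payload)
    target = md5_of_file(os.path.join(root, "abc.exe.disabled"))
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_copies(root, target)]
```

On the real machine, export the key with reg export and feed the text to exe_open_command; a command that is anything but the stock value is what step 5 has to put back.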