SYSINFO.WMP (JXJ) Malware Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by HisGeekness, Dec 31, 2006.

  1. HisGeekness

    HisGeekness Private E-2

    Recently I got infected with this but I could find no reference to
    it on the internet. So I thought I would post my findings on this
    forum to make the malware removal community aware. I should point
    out that I am not a malware expert. This posting needs no response.

    The malware hooks into the startup sequence using the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
    It adds a value:
    {08315c1A-9BA9-4B7C-A432-26885F78DF28}

    This links across to the CLSID key:
    HKEY_CLASSES_ROOT\CLSID\{08315C1A-9BA9-4B7C-A432-26885F78DF28}\InProcServer32
    and maybe also:
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{08315C1A-9BA9-4B7C-A432-26885F78DF28}\InProcServer32

    In the key there is a value
    Name = (Default)
    Data = C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\SYSINFO.WMP

    The file C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\SYSINFO.WMP
    has hidden and system attributes and is held open by Windows (Explorer).

    The fact that it is opened by explorer means (I believe) that it
    can't be removed even when in safe mode.

    You have to stop the Explorer task and quickly remove the
    attributes and delete SYSINFO.WMP. Then remove
    {08315c1A-9BA9-4B7C-A432-26885F78DF28} from the ShellExecuteHooks
    key. This permanently stops the malware from functioning.

    I believe that the way it works (once it has hooked itself in) is
    as follows. At startup explorer starts. Via the hook, it starts up
    SYSINFO.WMP. This modifies explorer operation so that every few
    minutes, explorer writes and launches a new executable.
    I guess that this executable would carry out the main malware
    function of keystroke spying or whatever (although with me
    "jxj" causes an error in kernel.exe and aborts). This executable
    (jxj.css.exe) appears in c:\windows\temp. Alternatively it may be
    named nnnjxj.css.exe where nnn is a random number. A batch
    file _xr.bat also appears in c:\windows\temp that cleans out
    the exe file and also itself.

    I hope this helps someone.
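The persistence mechanism described in the post above (a CLSID registered under Explorer's ShellExecuteHooks key whose InProcServer32 default value points at a hidden/system file) can be audited with a read-only script. The following PowerShell is an added example, not code from the forum post or from MajorGeeks; it assumes a PowerShell session with permission to read HKLM, and it changes nothing. It enumerates every hook CLSID, resolves the server path via HKLM\SOFTWARE\CLASSES\CLSID (the second key the post names), and flags the traits the post describes: hidden or system attributes, a non-.dll extension such as .WMP, and an unsigned or missing file.

```powershell
# Added example: audit Explorer ShellExecuteHooks for suspicious in-process servers.
# Read-only; compare the output against a known-good baseline of the same Windows build.

$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Get-ShellExecuteHookReport {
    if (-not (Test-Path $hookKey)) {
        Write-Output "No ShellExecuteHooks key present."
        return
    }

    # Each value name under the key is a CLSID; skip PowerShell's own PS* metadata properties.
    $props  = Get-ItemProperty -Path $hookKey
    $clsids = $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name }

    foreach ($clsid in $clsids) {
        # The post names this key as the second place the CLSID resolves from.
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $dll = $null
        if (Test-Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
        }

        $flags = @()
        if (-not $dll) {
            $flags += 'no InProcServer32 path'
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $flags += 'server file missing on disk'
        } else {
            # -Force so hidden/system files (as in the post) are returned rather than skipped.
            $file = Get-Item -LiteralPath $dll -Force
            if ($file.Attributes.HasFlag([IO.FileAttributes]::Hidden)) { $flags += 'hidden attribute' }
            if ($file.Attributes.HasFlag([IO.FileAttributes]::System)) { $flags += 'system attribute' }
            if ($file.Extension -ne '.dll') { $flags += "non-DLL extension ($($file.Extension))" }
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        }

        [PSCustomObject]@{
            CLSID  = $clsid
            Server = $dll
            Flags  = ($flags -join '; ')
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
```

An entry with an empty Flags column still deserves a glance: the check only covers the traits the post describes, so a signed .dll in an unexpected location would pass unflagged. Because the hook DLL is loaded by Explorer, the report should be run before any removal attempt; once Explorer has loaded the file, the post's observation that it cannot be deleted while Explorer is running applies.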
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Thanks for posting your findings! Your work may not be done though! That is a password stealing trojan and you should really verify that your security has not been compromised by doing the below:

    By the way there is quite a bit of info available on this. See:

    Troj/LegMir-BR

    http://www.bleepingcomputer.com/startups/Ms_Info_Obj-13601.html

    Or another form: Troj/Hook-GH


    Or in general these (many are in Chinese) -

    http://www.google.com/search?q=08315c1A-9BA9-4B7C-A432-26885F78DF28

    http://www.google.com/search?q=SYSINFO.WMP
     
