I successfully beat this twice in work by dropping into Safe Mode and doing a search for all files with a modified date around the time the problems began.
IIRC it gets into the user profiles so every time anyone logs in it makes a new copy of itself. I never quite worked out exactly how it kept doing this but killing the files (including a file that appeared in %systemroot%\system32\drivers, eep) stopped it dead.
Even if you're having a hard time figuring it out, sometimes the simplest things will work. Removing all NTFS security permissions from the "visible" executable (I say "visible" because in this case there's something you won't see that will keep creating this file) will prevent it from being ran or modified so it will be similarly knackered. Note that this trick doesn't always work against things that randomly generate filenames, it'll just pick another.