Source- Some web tech forums.
Okay, this is what I've found using advice from here, fark.com, and my own poking around.
The file name IS randomly generated, it will be located in your "Windows\system32" directory.
The easiest way to locate which file it is, is to open Task Manager while the pop-up is displayed, under "applications" in Task Manager, select the pop-up window, right click and select "go to process". You know know the file name so that you can delete it from the directory.
Now the fun really begins. Using msconfig, look under "Startup", and you should find a couple of registry keys for the file. Mine were in
"HKEY_USERS\S-1-5-21-1390067357-813497703-1343024091-1003\SOFTWARE\MICROSOFT\W INDOWS\ShellNoRoam\MUICache"
and
"hkey_local_machine\software\microsoft\windows\cur rentversion\run".
I think that somewhere in the system, is another file or DLL that is going out and pulling down a replacement exe, but I haven't been able to locate it yet. I have my eye on a service called NICIDATTTNWP, but I'm still looking.
I hope that this helps, and that we can finally beat this thing.