The invading dll loads via the registry entry:
This causes it to attach to every application at startup.
If there is a dll specified, like c:\windows\system32\wini.dll, don't bother looking for it in that folder. As long as the intruder is active, it will hide the filename in any folder or directory listing.
YOU MUST DELETE THE REGISTRY KEY! (even if there is no dll listed in it)
However, if you delete it, the intruder will put it back since it is currently running.
1. In regedit, this key is in the Windows "folder" that you see in the left part of the window. Change the name of this folder to "Windows2".
2. Then delete the AppInit_DLLs key.
3. Then change the name of the folder back to "Windows".
Do this in safe mode, but I don't know if that is required.
Run the various anti-hijack programs to clean up whatever they find.
Then reboot and run the anti-hijack programs again to be sure.
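A way to do the "check before and check again after reboot" part from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes the standard location of the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (plus the Wow6432Node copy on 64-bit Windows); the DLL name wini.dll is only the example the post gives, and the -Clear switch is the script's own option, not something the post names.

```powershell
# Added example (not from the original post): list what the AppInit_DLLs
# load point currently points at, report whether each listed file is
# visible on disk, and optionally clear the value. Run elevated.
[CmdletBinding()]
param(
    [switch]$Clear   # assumption: our own switch; without it the script only reports
)

# Standard locations of the value; the second one only exists on 64-bit Windows.
$keyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path
    [PSCustomObject]@{
        Key              = $Path
        AppInit_DLLs     = [string]$props.AppInit_DLLs
        LoadAppInit_DLLs = $props.LoadAppInit_DLLs
    }
}

foreach ($path in $keyPaths) {
    $state = Get-AppInitState -Path $path
    if ($null -eq $state) { continue }

    Write-Host "Key: $($state.Key)"
    Write-Host "  LoadAppInit_DLLs = $($state.LoadAppInit_DLLs)"

    if ([string]::IsNullOrWhiteSpace($state.AppInit_DLLs)) {
        Write-Host '  AppInit_DLLs is empty: nothing is injected through this load point.'
        continue
    }

    Write-Warning "  AppInit_DLLs = $($state.AppInit_DLLs)"

    # The value may hold several paths separated by spaces or commas.
    # As the post says, a running intruder can hide its file, so "not
    # visible on disk" does not mean the DLL is gone; repeat after reboot.
    $state.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
        $visible = Test-Path -LiteralPath $_
        Write-Host ("    {0}  (visible on disk: {1})" -f $_, $visible)
    }

    if ($Clear) {
        # Keep a copy of the old value next to the script for later reference.
        Add-Content -LiteralPath (Join-Path $PSScriptRoot 'appinit-backup.txt') `
            -Value "$(Get-Date -Format o) $($state.Key) $($state.AppInit_DLLs)"
        Set-ItemProperty -LiteralPath $state.Key -Name 'AppInit_DLLs' -Value ''
        Set-ItemProperty -LiteralPath $state.Key -Name 'LoadAppInit_DLLs' -Value 0 -Type DWord
        Write-Host '  Cleared AppInit_DLLs and set LoadAppInit_DLLs to 0.'
    }
}
```

Run it once without -Clear to see what is there, then with -Clear (from safe mode if possible, as the post suggests), reboot, and run it again without -Clear: if the value has come back, something still running is re-creating it and the anti-hijack cleanup is not finished.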