This was written by Mosaic 1, a security expert on another forum. Follow instuctions exactly. At the moment there is no easy way.

Get the latest CWShredder from this page. Do not run it yet:
CWShredder

Download TheKillbox from this link: here.
------------------
Sign off the internet.
Run CWShredder and press the fix Button to clean.


Stay off the internet!
Step Two:
Remove the reinstaller:
Go to start>Run and type regedit. Press enter.

Navigate to:
Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to reinstall, it will show a path to it.


----------------------------
This is how one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice on the far right. You want to look there. It looks funny because all of the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.
--------------

Once you have the filename unzip TheKillBox and run it.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\filename Where filename is what you found as the filename in the appinit_dlls key in the registry.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The c:\Windows\system32\filename listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot. Restart the Computer.

When you get back into Windows reset your Search and Home pages.

Look in the registry and remove the entry which should now be clearly visible and no longer hidden.


This last part and removing the AppInit_Dlls entry and its corresponding file is removing the reinstaller. So you do not get reinfected. Do not go on the internet until you have performed all of the steps.
--------------------------------

Ok, I'm having the problem too. Im not good with computers AT ALL. but I managed to get up to the part with the "few 0's." I just dont know what to do from there. Like I said, computers arent my best area so any help would be welcomed with open arms.