teelions920 asked:

My browser is hijacked after a Google search

My browser is hijacked after a Google search: I click the Google link and am taken to another site.
hijackthis.log
Anti-Virus Apps, Vulnerabilities

Last comment: torimar

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
torimar

rpggamergirl

These entries below are definitely bad, which you can fix; the O17 entries are hijackers.
O4 - HKCU\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe
O4 - HKUS\S-1-5-21-602162358-1123561945-839522115-500\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe (User '?')
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B470882-3A89-4AD7-861B-9F57D4A094C7}: NameServer = 85.255.112.89,85.255.112.201  
O17 - HKLM\System\CCS\Services\Tcpip\..\{F414626D-5639-4D60-85DF-30989F7CA767}: NameServer = 85.255.112.89,85.255.112.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.89,85.255.112.201  
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.89,85.255.112.201

After that, run Malwarebytes and/or ComboFix as already suggested and show us the log.
rpggamergirl


OR, you can look for any of these FAKE files (search engine hijackers) and delete them if present (delete only files located in the system32 folder).

C:\Windows\system32\wdmaud.sys <-- bad
C:\Windows\system32\sysaudio.sys <-- bad
c:\windows\system32\ntnet.drv <-- bad


If the above files are not found on the system, also check the registry key below and check the values of "aux, aux1, aux2, aux3, aux4" to make sure there are no values pointing to random filenames (similar to the ones below).

Start > Run > type in regedit, press Enter and navigate to the subkey below (look for the aux values and let us know if they're similar to the ones below):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux"="C:\WINDOWS\system32\..\sjkemx.iqd"
"aux2"= "C:\WINDOWS\system32\..\kvlhurx.niq"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna"
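The two checks rpggamergirl describes (rogue O17 NameServer entries plus a Run entry launching from a Temp folder in the HijackThis log, and Drivers32 "aux" values that point at random file names instead of a real audio driver) can be scripted so they are applied consistently to any log or registry export, rather than eyeballed. The code below is an added example written for this page, not code from the thread or from HijackThis. The sample log and sample Drivers32 export are constructed here: they reuse the entries quoted above and add a few benign lines (a SoundMAX Run entry, a private 192.168.1.1 resolver, and the stock wdmaud.drv aux value) for contrast. The notion of a "trusted resolver" allow-list and the set of expected driver extensions are this example's own assumptions, not something the thread states.

```python
"""Triage the indicators discussed in this thread from pasted text.
Added example; the sample data below is constructed, not the asker's attachments."""
import ipaddress
import re

# Constructed HijackThis excerpt: the thread's O4/O17 lines plus two benign
# lines (the SoundMAX entry and the 192.168.1.1 resolver) invented for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKCU\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B470882-3A89-4AD7-861B-9F57D4A094C7}: NameServer = 85.255.112.89,85.255.112.201
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.89,85.255.112.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Constructed Drivers32 export: the thread's aux values (renumbered so each
# name is unique) plus the benign default "aux"="wdmaud.drv" entry.
SAMPLE_DRIVERS32 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wavemapper"="msacm32.drv"
"aux"="wdmaud.drv"
"aux1"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux2"= "C:\WINDOWS\system32\..\kvlhurx.niq"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna"
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
AUX_RE = re.compile(r'^"(?P<name>aux\d*)"\s*=\s*"(?P<path>.+)"$', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # any ...\Temp\... path segment

# Assumption for this example: on the XP-era systems in the thread the stock
# aux driver is wdmaud.drv; legitimate Drivers32 targets are .drv/.dll/.acm files.
EXPECTED_AUX = frozenset({"wdmaud.drv"})
DRIVER_EXTS = (".drv", ".dll", ".acm")


def suspicious_nameservers(log_text, trusted=frozenset()):
    """Return (registry key, address) pairs for O17 NameServer values that are
    not private/loopback addresses and not on the caller's trusted list.
    Anything that does not even parse as an IP is flagged as well."""
    hits = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if not raw or raw in trusted:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                hits.append((m.group("key"), raw))
                continue
            if not (ip.is_private or ip.is_loopback):
                hits.append((m.group("key"), raw))
    return hits


def suspicious_run_entries(log_text):
    """Return (value name, target path) for O4 Run entries whose target lives
    in a Temp folder, which is where the thread's RegCom32 entry runs from."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m and TEMP_RE.search(m.group("path")):
            hits.append((m.group("name"), m.group("path")))
    return hits


def suspicious_drivers32(reg_text, expected=EXPECTED_AUX):
    """Return (value name, path) for aux* values that are not the expected driver
    and show one of the tells from the thread: a '\\..\\' traversal component,
    a Temp location, or an extension no audio driver would have."""
    hits = []
    for line in reg_text.splitlines():
        m = AUX_RE.match(line.strip())
        if not m:
            continue
        # .reg exports double the backslashes; normalise before inspecting.
        name, path = m.group("name"), m.group("path").replace("\\\\", "\\")
        lowered = path.lower()
        if lowered in expected:
            continue
        if "\\..\\" in path or TEMP_RE.search(path) or not lowered.endswith(DRIVER_EXTS):
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for key, ip in suspicious_nameservers(SAMPLE_HJT_LOG):
        print(f"rogue NameServer {ip} under {key}")
    for name, path in suspicious_run_entries(SAMPLE_HJT_LOG):
        print(f"Run entry [{name}] launches from Temp: {path}")
    for name, path in suspicious_drivers32(SAMPLE_DRIVERS32):
        print(f"Drivers32 {name} points at {path}")
```

Run it against a real HijackThis log or a `regedit` export of the Drivers32 key by reading the file into a string and passing it in place of the samples. Pass the company's own resolver addresses as `trusted` if they are public; the private-address exemption only covers RFC 1918 and loopback ranges, so a legitimate ISP or corporate resolver on a public address would otherwise be reported.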
teelions920

ASKER
hotelgroup.com is my company, either the VPN or the online CMS. Don't know which that refers to.

Don't have any of these:
C:\Windows\system32\wdmaud.sys
C:\Windows\system32\sysaudio.sys
c:\windows\system32\ntnet.drv

or these:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux"="C:\WINDOWS\system32\..\sjkemx.iqd"
"aux2"= "C:\WINDOWS\system32\..\kvlhurx.niq"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna"

The Combo + Malwarebytes may have done it. Would love to blow up that Ruski Starbucks.

hijackthis.log
Combo-log.txt
mbam-log-2009-03-16--09-28-25-.txt
torimar

All this looks to me like the work is done.

Just one side note: although I don't really expect it to find anything else, you seem to have run only a Quick Scan with MBAM. Whenever you have the time, please update it, boot into Safe Mode, and run a complete scan - be it just for the good feeling ;)