[HKEY_CURRENT_USER\Softwar
startpage
I know this is spyware of some sort, but all the references I've found are in foreign languages and having Google translate them is little help.
The website fronts as a Windows Update page but does little else as far as I can see. I want to get rid of it but haven't found a tool that detects it yet. I've run Spybot Search & Destroy, AdAware and HiJackThis. None of them have found the item.
A find in regedit shows me the site buried in:
HKEY_USERS\S-1-5-21-121444
Anybody ever heard of this and know how to get rid of it?
Running Windows 2000 Professional, SP2.
also get bho demon
BHO demon
http://www.definitivesolut
Try an easy solution if you haven't already: download Ad-Aware SE from www.download.com. If you've already tried this, then Google search for a program called HijackThis. It will scan your computer and, using the website, you can copy and paste the scan findings and it will tell you which ones to delete.
The website is www.hijackthis.de once you get the .exe file.
I noticed you're also a couple of service packs behind, too. While this probably won't help you out of your current problem, you should apply SP4 and the hotfixes that have come out since it. MS seems to have abandoned plans to bring out SP5 for W2K.
You might also want to investigate the software (much of it free) to shield your system from problems caused by malware. Personally, I use ZoneAlarm (free version), AVG (free version), and AdAware SE (free version) but there are lots of others available. I'm also running behind a router in "stealth" mode. I've not had any problems (except for a few I made for myself by downloading some files from a site I shouldn't have trusted) since I installed these... and my broadband connection is on pretty much full time.
Good luck!
You've been hijacked.
Before doing ANY fixes on this system, back up critical data, and then proceed.
All (Or as much as possible) of the following should be done from Safe Mode. (Before boot up, hit the F8 key repeatedly until you get the windows boot options menu).
First, you need 4 tools.
McAfee Antivirus (Yes, when configured, it will also scan for spyware!)
Adaware
Spybot search and Destroy
Hijack this
First, note the order I have put them in. This is the order in which you use them. McAfee should always be running, of course. Second, when you suspect problems, run Adaware. If you don't solve your issues, boot into SAFE mode, and run Adaware AND Spybot. If this still does not resolve your issues, Hijack this is your last resort. IF YOU USE HIJACK THIS INCORRECTLY, YOU CAN CAUSE MORE PROBLEMS THAN GOOD. Hijack this looks for any process that is run at startup and lists it. You can cause yourself some major headaches if you delete something you actually need, so use with caution. Heed the advice of others on this thread, and post your log files from hijackthis to http://www.hijackthis.de/e
I have found that these 4 tools, used in the mentioned order, are the most effective way of ridding yourself of ADware/SPYware/MALware.
Patrick.
I suggested 4 tools, you suggested 3. Are my 4 hammers going to take much longer than your 3? What if the 3 don't catch them all? You have to keep in mind that NONE of these options are doing the same types of scans, and NONE of them find 100% of them out there. I also mentioned that hijack this is a last resort. There have been countless comparisons published that will back me up here. None catch everything, so you need a safety net.
At the top of my list is what?
Let me refresh your memory.
MCAFEE ANTIVIRUS!
THEN
Adaware.
Spybot
Hijack this!
You need to read my post a little closer before you start discarding my advice. I ABSOLUTELY DID NOT "FAIL TO MENTION THAT A VIRUS SCAN IS NEEDED TO ENSURE..."! The very first thing listed in the list is antivirus! And the very first thing I instruct him to do is ensure McAfee is running! I have had to clean countless machines where just using 1-2 programs does not finish the job. So, you say to use Adaware and Hijack this, in addition to antivirus! You backed me up, but I simply stated one more.
Do I need to show you test results that show Spybot is actually the MOST EFFICIENT at catching these things?
http://www.pcworld.com/new
http://spywarewarrior.com/
If you do the math, you have even the best of them missing 1/4 of all the spyware on any given machine, you would need 3 to get down to missing a total of 1/8th of the potential spyware on any given machine. (Ok maybe that math is not too accurate, but I think I am making my point here.)
I make a lot of money removing spyware/viruses/malware for companies, I have seen this stuff over and over again. I have also heard a lot of bad advice out there. I am NOT claiming that any bad advice is being given here, but I am trying to make the point that there is a lot of confusion out here. Spyware (I like the term Malware - Malicious Software) defense is like the wild west. It's relatively new territory that is reinventing itself constantly; depending on 1-2 tools may not be enough.
Sorry for getting back to you all so late, I've been glued to the keyboard offsite and because of the problems listed in my original post we took the server offline and did some work.
To add insult to injury the server has never been managed, it was handled by another department and all of a sudden something went wrong and we were called in. I have run McAfee Enterprise Edition 8.0 and I'm scanning and blocking spyware/malware. I've also run Spybot and Adaware and they found a few things. At some point in time it looks like somebody downloaded and saved some compressed files that were completely made up of infected files or better said the actual virus itself.
It's been a nightmare getting these things cleaned up and I'm not there yet. I found that qdentica downloads an item called SIDEBAR and I guess the script on Qdentica just calls it up. Sidebar is a nasty one, lots of work to get rid of it. I'm going to get a complete image of the machine before I do any work; I think that is about the best I can do at this point.
Thanks very much for all the advice, I had done most of it already and it removed bits and pieces. What I found was that bat files called other apps then those apps called other services to begin.
Essentially it was this: on bootup a bat file named X.bat was run; it called a program called wininstall.html; that file had a javascript that called up www.qdentical.com; on that site it called up a toolbar named sidebar. The people who intertwine these things worked hard at it. In addition to that there were other programs installed, IST, WinServe Ad, and a host of others all buried in different places.
My biggest hurdle was that I didn't know what services were doing what. If I killed this and uninstalled (deleted it) would I get the service to run that the machine was designed to do? It's like going to a friend's house and not knowing where the glasses are in the cabinet: open them all and look around until you find what you're looking for. I reviewed almost every service running and pinpointed what was legit and what was not.
BHODemon actually gave me some insight that I did not have. It would disable some things for me that I didn't want to remove on my own and if I screwed up I could re-enable it.
All said and done, the problem was poor management, or should I say NO management. For long term safety I'm going to pull the machine out of production and format it, that way I'll know nothing is hanging around.
Again, thanks for all the help!
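
The startup chain described in the post above (a batch file run at boot that opens a local HTML page, plus a changed IE start page) can be checked offline from a regedit export. The following is an added example, not part of the original thread: it parses REGEDIT4 text and flags Run-key entries that launch script or HTML files and a Start Page outside an allow-list. The function names, the sample export, its file paths and the allow-listed URL are constructed for illustration.

```python
import re

# Autostart keys and the IE home-page key, matched case-insensitively.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
IE_MAIN = re.compile(r"\\software\\microsoft\\internet explorer\\main$", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|hta|html?)\b", re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and quotes; undo that.
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                yield key, name, data

def audit(text, allowed_start_pages):
    """Return findings: script-launching Run entries and unexpected start pages."""
    findings = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key) and SCRIPT_EXT.search(data):
            findings.append(("autostart-script", key, name, data))
        elif IE_MAIN.search(key) and name.lower() == "start page":
            if data.lower() not in allowed_start_pages:
                findings.append(("start-page", key, name, data))
    return findings

# Constructed sample export; paths and value names are illustrative only.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.qdentical.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loader"="C:\\WINNT\\X.bat"
"McAfeeUpdate"="C:\\Program Files\\Example\\update.exe"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"about:blank"}):
        print(finding)
```

Entries it flags still need a manual look before deletion, since legitimate software also starts from these keys.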
by: stevenlewis, Posted on 2004-12-21 at 08:55:38, ID: 12877296
Did you try and set your home page in IE, Tools, Internet Options, home page?
also the key in the reg