Hello,
It seems you have a bunch of script kiddies at school. I bet they got all that crap of some "HACKERS ONLY" website. Laf. Anyways, pop open command.com, type netstat -a. Check if theres a Netbios port open. This could be how they're spreading throught the school. I snicker to myself at the thought of these "hackers" installing sub7 on the computers your talking about. With that in mind, they are probably far more concerned with being cool than covering their tracks. _Just another assumption im going to make_ If I was seeing the kiddies issue these attacks on computers. I'd just look for the date the trojan was installed. MSREXE.exe i think is sub7, if it were sub7. The virus scans eliminated the trojan, however covered the kiddies tracks. Try and run a scan on the sub7 port. Look for a fresh infected computer, and check for logins to the system at that time. If theres a third party network software, like Novell, you'll find logs.

I hope this helps you.

Originally posted here by crazyrugby
Have you tried a firewall like BlackIce or norton internet security. This will also log their ip addresses and what types of tools they are using to get into the systems. Also, if you have an old version of VNC there is an option to hide the icon in the system tray.
I dont know that Win98 machines allow background passes. You can use the good old temp2.exe which has been used for years to hide GT - Global Threat. BlackIce is the most retarted "firewall" I've ever seen, however It will do a good job of logging internet/intranet activity, if thats what you want to do.

PHP Code:
system ("uptime); echo "uh":