ZippyZingo (General, Premium Member; joined Apr 07, 2004; 3690 posts; USA)
Posted: Sat Jul 01, 2006 2:54 am
Robin,
I would spend some time locating my data files, if you haven't got them all in one place already. As long as you can reinstall the application from the original CDs, you don't need anything but the files you created using the applications.
Remember to look for pictures, music and such too. Once you have that located, even if you just write the path on a list, you can copy them to some other media. I would scan them with any AV/anti-malware scanners you can before and after you move them just to be sure. Usually you will be OK with these files. There are some exploits that can be carried in MS Office files, but you should be able to catch those with the scans, if any.
A real issue may be your address book and mail files from Outlook. If you really have a worm, this is where you may find it. Usually they are located in the C:\Windows\Local Settings\Applications Data\Microsoft\Outlook folder. All of your mail is usually in a file ending in .pst. There may be a couple of these if you are in the habit of archiving your old mail. One will be "Archive.pst" and the other "Outlook.pst". The address book is a .PAB file, usually named "mailbox.PAB". I'd look at the file size to make sure you have room where it is going. The .pst file can be huge if you get a lot of mail and never pitch any of it. I've personally seen some that were several hundred megabytes.
I would move these files to a folder of their own and scan them on the new system after I had everything else working. If they are infected, you may not be able to use them again. In fact, it might not be too bad an idea to clean them out before you move them.
One trick you might try is running any mail you really want to keep through a Gmail account. Their scanner is excellent and they may clear any problems. You can always forward them back to your desktop if you need to, and you won't run out of space up there very quickly.
One more issue to consider is the drivers for the system. I always try to make sure that I have all of the updates to drivers that I might need and any downloaded software available before I wipe a drive. This usually allows me to reconnect to the Internet with a protected system. At the very least, you should have up-to-date files for your AV/AM and a firewall between you and the Internet before connecting.
ZZ
ZippyZingo (General, Premium Member; joined Apr 07, 2004; 3690 posts; USA)
Posted: Sat Jul 01, 2006 3:13 am
Nosirrah,
I've seen drives like that too, but I've also seen lots of drives that work just fine with a few bad clusters. I would assume that a system running '98 is fairly old. The cost of a new drive could easily be more than the system is worth. Even a "cheap" drive runs close to a quarter the cost of a low-end, but new, computer. Without more info, I would make sure that my critical files were backed up, make a note to scan once a week or so, and keep my old drive. If/when the bad clusters start to mount up, I'd consider my options then.
A bit of dust can cause a head crash, but the HD is sealed and it contains a filter. I don't think it's really all that common to see an actual head crash anymore unless someone dropped the drive/computer. Then "head slap" can cause problems without a particle of dust. (Actually, we used to do this with the old Conner 20 and 40 MB drives sometimes. If they sat around too long in a system that was out of use for a while, the heads would stick to the disks. I didn't actually drop them; I thumped them on their side on the desk.)
Most of the drive failures that I see now are either weak/bad electronic components on the board/interior controller, bad bearings, or a "weak" low-level format. If Robin's is getting bad, I'm guessing the last one.
ZZ
MoGrace2U (Trooper; joined Jun 25, 2006; 11 posts; USA)
Posted: Sun Jul 02, 2006 5:38 pm
The culprit was definitely the dl.exe file that came attached to a file downloaded from the Internet. Trend Micro is the only one who actually had any decent information on it. I was infected with Tenga, Gael, Stanit, aka Licum, which came from the Lycos website. They only report 178 incidents of it in the US. Since I was not on a network at home, the file I infected my work computer with may not have infected the network (yet). 699 files were affected (out of 1100 exe files) - it changed the date and time on them, so they were easy to locate. I have not noticed any more changes to any EXE files after that date/time. I used TM's Sysclean to fix the files on my flash drive and it worked. So now I want to try it at work.
Since the dl.exe file only calls on the website (as the agent), I am guessing starting the system without the DSL connected would be a good idea, and probably disconnect the network LAN too just in case. Sysclean works as a standalone program, so I should be able to run it from a CD without it being intercepted. I am not all that confident in how these things work - does anyone have any advice on what else I might do before I try and clean it out? I don't know if running any EXE that has been infected may activate the virus/worm. Should I reinstall Windows when I am done, do you think? It definitely affects Internet Explorer and Outlook, so it is probably some sort of emailer. TM says to get a utility that will allow me to see all the processes currently running so I can shut them down before running the scan. Does anyone know of a *free* program that does this? Or is HijackThis adequate?
I am guessing that I need to run this scan on each computer in the network individually, including the 2003 Server. I am using a Sonic Firewall - what do I need to do with that? It turns out that the IT person who installed the server sold me 10 licenses for Trend Micro but did not install it! Go figure on that one! Somewhere I should have the CD, I hope.
Robin
Trpm (Security Expert, Premium Member; joined Jan 16, 2004; 1663 posts)
ZippyZingo (General, Premium Member; joined Apr 07, 2004; 3690 posts; USA)
Posted: Mon Jul 03, 2006 7:02 pm
Robin,
Starting the system without the LAN cable connected would be a start. I also recommend using "safe mode" to do the scans. Don't assume that the dl.exe file hasn't already "phoned home". You said that it replicated when you tried to remove it before.
I think that you should scan all of the computers on the network anyway. As for using the .exe files, I would try them on a system that is disconnected from the network and then rescan for the trojan.
I can't say about reinstalling Windows. It may come to that if the O.S. is too broken or you keep reinfecting, but I don't have that information. You will just have to jump through the hoops and see what happens.
As I said before, be very careful with the contents of the mail file. You might consider switching to Firefox as a browser and maybe Thunderbird for your mail. Both are excellent and are not so subject to exploits.
If you don't already have an A/V package for the server, you should do this ASAP. With most businesses, this is critical. Talk to the guy that built the server; he may be able to help you locate the CD for your A/V.
ZZ
MoGrace2U (Trooper; joined Jun 25, 2006; 11 posts; USA)
Posted: Thu Jul 06, 2006 3:15 pm, Post subject: Sysclean scan at work
I just thought I should follow up on how this went in case of future reference. Sysclean does a good job, but I was having some trouble beating the infected exe files that autostart with the system, in particular RPCSS, DDHELP and WMIEXE. Sysclean cannot clean a running file. I was able to shut them down during boot but still was reinfecting 200 files with each boot. (Thanks Rex for the link, which I only just now saw!) So I copied these files into a temp directory and had Sysclean clean them. Then I booted in DOS mode, deleted the system files and copied over the clean ones. However, I made the mistake (once) of rebooting instead of shutting down, and the mouse files created the same problem in DOS. So it took several scans to get them all clean, and I ended up only having 12 files I had to delete that could not be moved or cleaned. Nine of those were from the .NET Framework update, so I should be able to uninstall and reinstall those. The other 3 were related to installers used for video drivers, which I can probably do without. So all in all it went pretty well. I did not need to do anything drastic.
I still need to check the other computers and install some AV on the network. However, I do not think this would have prevented my problem, since I brought in the file with a download from my flash drive. In the future I will perform all downloads to the flash drive, where I can scan them before installing. I think I will stick to zip files as much as possible, or else do a test extraction on the flash so I can scan the archive before installing any programs.
Robin
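Two of Robin's observations above are worth turning into a repeatable check: the infector stamped every file it touched with the same date/time, which is how the 699 of 1100 executables were found, and after the first cleanup about 200 files were being rewritten on every boot, which only showed up by scanning again. The script below is an added example, not from this thread or from Trend Micro's tooling. It is Python chosen for portability (the original Windows 98 box would have needed something else); it walks a directory tree, records the modification time and SHA-256 of every executable, reports the largest group of files whose timestamps fall within a short window of each other (the "all stamped in one pass" pattern), and diffs two snapshots so a rerun after a reboot lists exactly which files changed. The sample tree, its file names (which echo the ones in the post) and its contents are constructed for the demo; `EXE_EXT` is an assumed list of extensions worth watching.

```python
"""Spot executables stamped in one pass and catch reinfection between reboots.

Added example (not from the thread): the poster found infected files by their
shared modification time; this does that mechanically, and keeps a hash
baseline so a second run shows what was rewritten after a reboot.
"""
import hashlib
import os
import tempfile
import time

# Assumption: the file types a file infector on a Windows box would target.
EXE_EXT = {".exe", ".dll", ".com", ".scr"}


def snapshot(root):
    """Map every executable under root to (mtime, sha256 hex digest)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXE_EXT:
                continue
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            snap[path] = (os.path.getmtime(path), digest.hexdigest())
    return snap


def densest_window(snap, window=120):
    """Largest set of files whose mtimes all lie within `window` seconds.

    An infector walking the disk touches hundreds of files in one pass, so
    their timestamps bunch up in a way normal use never produces. Sliding
    window over the sorted mtimes; returns the paths of the biggest cluster.
    """
    items = sorted(snap.items(), key=lambda kv: kv[1][0])
    best, start = [], 0
    for end in range(len(items)):
        while items[end][1][0] - items[start][1][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = [path for path, _ in items[start:end + 1]]
    return sorted(best)


def changed_since(before, after):
    """Paths whose content hash changed, or that are new, between two snapshots."""
    return sorted(path for path, (_, digest) in after.items()
                  if before.get(path, (None, None))[1] != digest)


def build_demo_tree(root):
    """Constructed sample: four files stamped seconds apart (the 'infected'
    pass) and two older ones left alone. Names echo the thread; bytes are fake."""
    t0 = time.time() - 7 * 86400          # the infection pass, a week ago
    layout = {
        "WINDOWS/RPCSS.EXE":           (t0 + 2,           b"MZ rpcss  + appended payload"),
        "WINDOWS/DDHELP.EXE":          (t0 + 9,           b"MZ ddhelp + appended payload"),
        "WINDOWS/SYSTEM/WMIEXE.EXE":   (t0 + 15,          b"MZ wmiexe + appended payload"),
        "Program Files/App/SETUP.EXE": (t0 + 40,          b"MZ setup  + appended payload"),
        "WINDOWS/NOTEPAD.EXE":         (t0 - 90 * 86400,  b"MZ notepad, untouched"),
        "WINDOWS/CALC.EXE":            (t0 - 200 * 86400, b"MZ calc, untouched"),
    }
    for rel, (mtime, data) in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))    # back-date like the infector did


def _rel(root, paths):
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]


def demo():
    """Run both checks on the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        baseline = snapshot(root)
        suspects = densest_window(baseline, window=120)
        # Simulate the 'reinfects on every boot' symptom: a clean file gets rewritten.
        victim = os.path.join(root, "WINDOWS", "NOTEPAD.EXE")
        with open(victim, "ab") as fh:
            fh.write(b" + appended payload")
        rewritten = changed_since(baseline, snapshot(root))
        return {"suspects": _rel(root, suspects), "rewritten": _rel(root, rewritten)}


if __name__ == "__main__":
    result = demo()
    print("stamped in one pass:", *result["suspects"], sep="\n  ")
    print("rewritten since baseline:", *result["rewritten"], sep="\n  ")
```

On a real box you would call `snapshot()` on the system drive, save the result (pickle or JSON) to removable media, run the cleaner, reboot, and diff against the saved baseline; anything in `changed_since()` that you did not touch yourself is still being rewritten by something that survived the cleanup. The 120-second window is a guess that fits a single sweep of the disk; widen it if the infector was slow or the machine was busy.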
ZippyZingo (General, Premium Member; joined Apr 07, 2004; 3690 posts; USA)
Posted: Thu Jul 06, 2006 5:18 pm
Hi Robin,
Sounds like a lot of work, but in the end you got it. Thanks for posting a breakdown on what you had to do. A lot of times we don't get a post with the "final" fix. I'm sure that it will help others.
Since this appears to complete this system, I'm going to mark this thread as "Done" so a Mod can close it. Any issues with the other PCs should go on another thread.
Thanks,
ZZ
Powered by phpBB © 2001 phpBB Group