echo: nthelp
to: All
from: John Beckett
date: 2003-03-18 11:01:42
subject: Re: Strange business with WinVNC on my computer

From: John Beckett 

Antii,

A couple more things ... you could take the hard drive out of the computer
and make it an additional drive on a known-good computer. Boot the good
software and use it to scan the suspect drive.

Naturally you would be very careful to not execute or copy any programs
from the suspect drive. You could copy data files.

One problem is that you have no clue what has infected you. All you know is
that VNC was installed, almost certainly as a backdoor. So, searching for
information or anti-virus scans regarding VNC is not necessarily going to
help.

Regarding the issue of you can't see how the software starts, following is
some boilerplate from winnt regarding where programs can be set to
repeatedly start:

- In the Startup folder for the current user and for All Users.
- In the registry:
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows,
  the "run" and "Load" keys.
You may want to use freeware Startup Control Panel from here:
   http://www.mlin.net/StartupCPL.shtml

However, if you have been lucky enough to be infected with one of the
newish trojans, they can hide themselves from searches of the registry and
file system. Try the Safe Mode boot, but more reliable would be to take the
drive to a known-good computer. You can Load Hive to inspect the registry
from your install, after booting the good system.

John

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267
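
The offline check described in the message above, as an added example that is not part of the original post: with the suspect drive attached to a known-good machine, it lists the Startup folders and loads the suspect install's hives to read the autostart keys named in the message. The drive letter, Windows directory, profile name and the `Suspect_*` mount names are assumptions.

```powershell
# Added example: list autostart entries from a suspect drive attached to a
# known-good machine. Run elevated. Drive letter, Windows directory, profile
# name and the Suspect_* mount names are assumptions, not from the message.
param(
    [string]$SuspectRoot = 'E:\',         # where the suspect drive is mounted
    [string]$WinDir      = 'WINNT',       # Windows directory on that drive
    [string]$ProfileName = 'ExampleUser'  # placeholder profile folder name
)
$profiles = Join-Path $SuspectRoot 'Documents and Settings'

# Startup folders for the user and for All Users (listed, never executed)
foreach ($p in $ProfileName, 'All Users') {
    $startup = Join-Path $profiles "$p\Start Menu\Programs\Startup"
    if (Test-Path -LiteralPath $startup) {
        Get-ChildItem -LiteralPath $startup -Force | Select-Object FullName, LastWriteTime
    }
}

# Offline hives and the autostart keys from the message, relative to each hive
$hives = @(
    @{ Mount = 'HKLM\Suspect_SW'
       File  = Join-Path $SuspectRoot "$WinDir\system32\config\software"
       Keys  = 'Microsoft\Windows\CurrentVersion\Run',
               'Microsoft\Windows\CurrentVersion\RunServices' },
    @{ Mount = 'HKU\Suspect_User'
       File  = Join-Path $profiles "$ProfileName\NTUSER.DAT"
       Keys  = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunServices',
               'Software\Microsoft\Windows NT\CurrentVersion\Windows' }
)
foreach ($h in $hives) {
    if (-not (Test-Path -LiteralPath $h.File)) { Write-Warning "Not found: $($h.File)"; continue }
    reg.exe load $h.Mount $h.File | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg load failed: $($h.File)"; continue }
    try {
        foreach ($k in $h.Keys) {
            $key = "$($h.Mount)\$k"
            if ($k -like '*\Windows') {
                # Only the "run" and "load" values of this key start programs
                foreach ($v in 'run', 'load') { reg.exe query $key /v $v 2>$null }
            } else {
                reg.exe query $key 2>$null   # a missing key prints nothing
            }
        }
    } finally {
        reg.exe unload $h.Mount | Out-Null   # always detach the hive
    }
}
```

Loading a hive opens the file for writing, so run this against a copy or an image if the drive may be needed as evidence.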

SOURCE: echomail via fidonet.ozzmosis.com
