echo: nthelp
to: All
from: John Beckett
date: 2003-03-18 10:45:54
subject: Re: Strange business with WinVNC on my computer

"Antti Kurenniemi"  wrote in
message news::
> looks like I had (have) a virus on my system, or someone's trying to get
> into my computer: when I start the system, I get a WinVNC dialog

Looks bad Antti! It may be time to panic.

Go to Google Groups, Advanced Search, and search for VNC backdoor
since, say, 1 March 2003. I have also seen a reference to a hack with
winvnc in October 2002. Apparently, once you have cracked a system, it is
pretty easy to install VNC as a comfortable way to come back.

Someone recently posted a question in the Compuserve winnt forum about this
(he also gets a prompt for a VNC password but has never heard of VNC).
There was no helpful response.

Judging by a very quick look at the CERT advisory (see above Google), you
may have open shares or a weak admin password, and an infected system on
your network may have cracked you.

I'm sorry to be brutal, but I would back up data and do a NEW INSTALL,
starting by deleting all partitions. You would have to find a way to be
DISCONNECTED from a network where there may be hack attempts, until AFTER
you have installed the current service pack and all hot fixes! Tricky...

Presumably, you would first do a bit more checking to confirm an intrusion,
but with the DLL you found, I would say you are toast. You could look at
the output of 'netstat -an' run at command prompt, but it is not
conclusive.

There was an article somewhere recently about how break-ins are getting much
more sophisticated. Apparently there are many examples, although mostly
theoretical at this stage, of cracks that install hooks at a very deep
level in the operating system. It is impossible to detect some of them.
However, doing a Safe Mode boot MAY allow you to investigate without some
malicious software hiding what is in the file system.

Good luck, and please keep us posted.

John

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
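John suggests looking at the output of 'netstat -an' as a (non-conclusive) check. The script below is an added example, not part of the original post: it parses a constructed sample of Windows-style 'netstat -an' output and flags listeners and established sessions on the default VNC port ranges (5900+display for the RFB protocol, 5800+display for the built-in HTTP/Java viewer). The sample output, the port ranges as the only thing checked, and the function names are assumptions of this example.

```python
# Added example: triage 'netstat -an' output for VNC listeners and sessions.
# The sample below is constructed for the example, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      203.0.113.7:49152      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.22:1032      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Default VNC port ranges: 5800+display (HTTP/Java viewer) and 5900+display (RFB).
# A WinVNC install can be configured to other ports, so this is a first pass only.
VNC_PORT_RANGES = ((5800, 5899), (5900, 5999))


def parse_netstat(text):
    """Turn 'netstat -an' lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        # rpartition on the last ':' so IPv6 literals like [::]:5900 also split cleanly
        laddr, _, lport = local.rpartition(":")
        faddr, _, fport = foreign.rpartition(":")
        entries.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport),
            "foreign_addr": faddr,
            "foreign_port": fport,   # may be '*' for UDP, so kept as a string
            "state": state,
        })
    return entries


def is_vnc_port(port):
    return any(lo <= port <= hi for lo, hi in VNC_PORT_RANGES)


def vnc_findings(entries):
    """Report VNC-range TCP listeners and established sessions with their peer address."""
    listeners = sorted({
        e["local_port"] for e in entries
        if e["proto"] == "TCP" and e["state"] == "LISTENING" and is_vnc_port(e["local_port"])
    })
    sessions = [
        (e["local_port"], e["foreign_addr"]) for e in entries
        if e["state"] == "ESTABLISHED" and is_vnc_port(e["local_port"])
    ]
    return {"listeners": listeners, "sessions": sessions}


if __name__ == "__main__":
    findings = vnc_findings(parse_netstat(SAMPLE_NETSTAT))
    print("VNC-range listeners:", findings["listeners"])
    for port, peer in findings["sessions"]:
        print(f"established VNC session on port {port} from {peer}")
```

On a real machine you would feed the script the saved output of 'netstat -an' instead of the constructed sample. As John notes, the result is not conclusive: a listener on 5900 on a box where nobody installed VNC is worth acting on, but a clean result proves little, since a deep hook can hide sockets from netstat and a VNC server can be moved to any port. Comparing against a port scan run from another host gives a second opinion that does not depend on the suspect system's own tools.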

SOURCE: echomail via fidonet.ozzmosis.com
