AVG says it was a PDF exploit

[tom_]

http://esli.tw/1/pdf.php

Can't tell what this one did.  It removed "View" from the browser menu bar (IE 7) so I couldn't ask to view source.

And from the same folks that brought you that one there was

http://metromasschoir.org/systems.html

which I did not click, having wasted half a day already undoing the first and warning everyone else on two Yahoo groups to avoid them.  I also set my firewall (Sygate) to block 91.212.65.0 - 91.212.65.255 hereafter.

If anyone knows what damage the first one accomplished between acquisition and removal, please reply.  Especially if you think there are additional steps I should be taking, e.g., changing dozens of passwords, etc.

[SysAdMini]

the payload of this

pdf exploit
http://wepawet.cs.ucsb.edu/view.php?hash=46e9aed463da40f4046b5c763c5b8593&t=1247168793&type=js

is detected a password stealing trojan. Anubis report shows installation of a browser helper object.

payload url is

Code: [Select]

esli.tw/1/getexe.php
http://www.virustotal.com/analisis/1fb49013edfaef4f52125be63b9e27c422bbdec83c085fe049c6c501d1d49475-1247168813 3/41