Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
1 reply to this topic

#1 junebaby


  • Members
  • 1 posts
  • Local time:02:15 AM

Posted 17 March 2008 - 08:31 PM

Mod edit: Moved to more appropriate forum. --PK

Does anyone have any information on this trojan? I have AVG Antivirus Free Version and it caught it today and sent it to the virus vault. I am not very educated when it comes to figuring out where to find out about these bots nor am I educated in regard where it set up house on my computer...which is...D:\i386\apps\App27205\mpf\mpfplus\mpfmain.cab

Thanks ahead of time to anyone who can give me any information. It sounds as if this bot came from using an IRC chat...could that be correct? Thanks for the assistance.

Edited by Papakid, 17 March 2008 - 09:38 PM.

BC AdBot (Login to Remove)


#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,649 posts
  • Gender:Male
  • Local time:03:15 AM

Posted 18 March 2008 - 09:38 AM

Any time you see "bot" in the name of an infection it simply means that the purpose, or "paylod" of the malware is to install a bot on your computer in order to make it a zombie on a Botnet. Unlike in years past, when viruses and other threats were mostly for hacker bragging rights and did little more than vandalize a system, this type of threat has been taken over by cyber criminals and become very sophisticated and has a purpose--to make money in various ways. Not the least of which is identity theft. Wikipedia has a pretty good description of Botnet's that I suggest you read very carefully: http://en.wikipedia.org/wiki/Botnet

To show how pervasive this has become and some additional information, see their description of the Storm worm botnet: http://en.wikipedia.org/wiki/Storm_botnet

It sounds as if this bot came from using an IRC chat...could that be correct?

Although malware does get distributed through IRC and Instant Messaging, this name that AVG gives to the threat really means that you are dealing with an IRC bot, as described in the Wikipedia articles. An IRC client is usually installed on infected computers and used for communication to accomplish whatever purpose the botmaster has in mind.

I am not very educated when it comes to figuring out where to find out about these bots nor am I educated in regard where it set up house on my computer...which is...D:\i386\apps\App27205\mpf\mpfplus\mpfmain.cab

The main thing is that AVG found the location, there is not much more that you need to know about it other than how to get rid of it. But to get an idea of where it came from, doing a Google search for the .cab file mentioned shows a bunch of torrent sites listing illegal downloads of McAfee. Cracks distributed thru P2P programs are a prime avenue of infection, or entry point, to your system.

I would suggest you be much more concerned about your system having been compromised and the possible loss of personal sensitive information and how to correct that situation. Antivirus programs typically can't deal with these bots effectively, most likely removing the one archive file (.cab) will not rid you of the active infection, so without more information it would be best to assume you are infected. Which means you should immediately take your computer offline and get to a known clean computer and change all passwords, paying particular attention to financial institutions (online banks, eBay, online shopping) and then post a HijackThis log so we can see what else needs to be done.

Please see the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, DO NOT post your log in this thread, for assistance by the HJT Team. A member of the Team will walk you through, step by step, on how to clean your computer.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. [i]Please include the top portion of the HijackThis log that lists version information
. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

[color="green"]Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team.

As mentioned in the Wiki, there are many variants of these bots and they get configured once on a particular machine so it is essential to see details of what is specific to your computer. Such infections are also the epitome of the word "compromised" and are nothing to fool around with. Many in the security field feel such compromised computers should be reformatted. Without more information it is too early to recommend that yet, just bear it in mind and refer to the following:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

The thing about people

is they change

when they walk away.--Mipso

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users