Saturday, May 3, 2014

Beta Bot on Windows

Thank goodness for OpenDNS.  I have to admit I am more adept at managing Macintosh systems.  I do manage an Active Directory based Windows setup.  I have endpoint security with Sophos and have installed CryptoPrevent and GPOs to prevent CryptoLocker.

I have installed the Umbrella client on all my desktops and laptops under management, both Macs and Windows systems.  I noticed a Windows 7 system trying to phone home to these web addresses: fapncam.com, frizzcams.com and update-silo.com.  Googling these sites didn't show much but pointed me to a trojan called BetaBot as being the culprit.  In particular it pointed to safpdndnn.exe being installed.

Neither Malwarebytes nor Sophos detected it.  I used SpyHunter to find it, but I wouldn't recommend that program.  It wants to mess with your system's DNS settings.
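The phone-home domains above are the kind of thing a DNS log review catches even when endpoint AV is silent. The following is an added example, not from the original post, that flags clients querying those domains in a simplified resolver export; the log format and hostnames are constructed for illustration, not real Umbrella data.

```python
"""Flag hosts whose DNS queries hit the BetaBot domains named in the post."""
import csv
from io import StringIO

# Domains the infected Windows 7 host was seen phoning home to.
BETABOT_DOMAINS = {"fapncam.com", "frizzcams.com", "update-silo.com"}

# Constructed sample log in a simplified resolver export format
# (timestamp, client hostname, queried name). Not real Umbrella output.
SAMPLE_LOG = """\
2014-05-01T09:12:03Z,win7-lab-01,update-silo.com
2014-05-01T09:12:05Z,win7-lab-01,cdn.frizzcams.com
2014-05-01T09:12:09Z,mac-office-02,www.google.com
2014-05-01T09:13:44Z,win7-lab-01,notfapncam.com
2014-05-01T09:14:10Z,win7-lab-03,fapncam.com.example.org
"""


def matches_indicator(qname, indicators):
    """True if qname equals an indicator or is a subdomain of one.

    Plain substring matching would wrongly flag notfapncam.com and
    fapncam.com.example.org; this compares whole labels from the right.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[-n:]) in indicators
               for n in range(1, len(labels) + 1))


def find_phoning_hosts(log_text, indicators=BETABOT_DOMAINS):
    """Return {client: sorted list of matching query names}."""
    hits = {}
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 3:        # skip blank or malformed lines
            continue
        _ts, client, qname = row
        if matches_indicator(qname, indicators):
            hits.setdefault(client, set()).add(qname.lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_phoning_hosts(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```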

Here's how I removed it:
1. Use PartedMagic (or you could use any Linux Live Distro) and boot into it.  (Try this article on how to do this if you need help.)
2. Navigate to C:\ProgramData\m9dt73hfbjh\safpdndnn.exe and delete the file.

The kicker is that after giving the user a new clean system the infection showed up again.  I had never gotten to the bottom of what caused the original infection.  My bad for sure.  It turned out to be a resume downloaded from Craigslist.  How fun.

Not to hate on Microsoft products, but how frustrating.  Yes, the end user shouldn't have downloaded .doc files from questionable sources.  Macros should be locked down.  Whatever feelings you have about Google Docs, at least for the time being they are not an infection vector.
