Noticed virulent activity after Python install, injects HKCU...Run

Several days ago installed

Python 3.10.1 (32-bit)
by
Python Software Foundation
v. 3.10.1150.0

and

Python Launcher
by
Python Software Foundation
v. 3.10.7644.0

from installer python-3.10.1.exe, signed, downloaded from
this page
https://www.python.org/downloads/windows/
directly from here
https://www.python.org/ftp/python/3.10.1/python-3.10.1.exe

Signed installer.
Key id
fc 2a bf 7e d4 be ac f3 82 9c a4 cf 7b 22 01 3b b8 8f 07 f2
fingerprint
c9 1d ce cb 3a 92 a1 7b 06 30 59 20 0b 20 f5 ce 25 1b 5a 95

and got this in win registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Philips"="explorer.exe http://sd-steam.info"

(Philips is the username; the entry is probably mimicking it)

Which causes unwanted page to open at startup.

Tested twice.

Python forums thread with some details.
https://python-forum.io/thread-35791-post-150798.html

Installer file that caused the malicious entry to be added:
https://file.io/lcxuNemYirJQ

Some of the additional options were 'Install Launcher' and 'Associate files'.

Thread on forum page at Python.org
https://python-forum.io/thread-35791.html


And what I got now:
Injecting "explorer.exe http://sd-steam.info" into the registry happens from time to time, with some console activation.
Intercepted the registry change being made by C:\Windows\System32\reg.exe

Any ideas how to track which application starts reg.exe?

Could anyone help, please?

So, what I found

It's run from the Windows Task Scheduler, by a task named after %username%
(that was 'Philips' in this particular case)
which runs cmd.exe
with the command line
/c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Philips /t REG_SZ /d "explorer.exe http://sd-steam.info"
15 min after user logon.

The task was located at the root of the Task Scheduler library.
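As an added example that is not part of the original post, the PowerShell below (run from an elevated prompt on Windows 10/11) covers the two things the finding above calls for: it records which process spawns reg.exe by turning on process-creation auditing with command lines (Security event 4688, whose ParentProcessName field answers the "which application starts reg.exe" question), and it hunts the whole Task Scheduler library, root and subfolders, for any task whose action runs REG ADD against the Run key with the quoted URL. The value name Philips and the indicator sd-steam.info are taken from the thread; the function names are the author's. Removal lines are guarded with -WhatIf so nothing changes until you drop that switch.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell.
# Indicators taken from the thread: Run value name 'Philips', URL sd-steam.info.
$RunValueName = 'Philips'
$Indicator    = 'sd-steam.info'

# --- 1. Record who launches reg.exe: enable process-creation auditing (4688)
#        and include the command line in each event.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# --- 2. Once the task has fired again, list every reg.exe start with its parent.
#        Fields are read by name from the event XML, so this does not depend on
#        the positional layout of the 4688 message text.
function Get-RegExeLaunches {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['NewProcessName'] -like '*\reg.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentProcessName']   # e.g. C:\Windows\System32\cmd.exe
                CommandLine = $data['CommandLine']
            }
        }
    }
}
Get-RegExeLaunches | Format-Table -AutoSize -Wrap

# --- 3. Hunt the Task Scheduler library for the task that re-adds the Run value,
#        and show when it last ran.
function Find-RunKeyPersistenceTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)reg(\.exe)?\s+add\b' -and $cmd -match [regex]::Escape($Indicator)) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    State       = $task.State
                    LastRunTime = $info.LastRunTime
                    Action      = $cmd
                }
            }
        }
    }
}
$hits = @(Find-RunKeyPersistenceTasks)
$hits | Format-List

# --- 4. Remove the persistence: the task and the Run value it keeps re-creating.
#        -WhatIf only reports; drop it once you have reviewed the hits above.
foreach ($h in $hits) {
    Unregister-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath -Confirm:$false -WhatIf
}
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name $RunValueName -ErrorAction SilentlyContinue -WhatIf
```

Step 1 only takes effect for processes started after it runs, so the 4688 query in step 2 is empty until the task fires again (15 minutes after the next logon, per the finding above); step 3 does not need to wait, since the task definition is already on disk.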

Hi sapphire.gorgious.2012,

Did you use Tor to download? Then it is part of that problem *

The problem probably stems from a CloudFront / Amazon S3 server → https://www.virustotal.com/gui/url/8be19e2bf14a38cc4ac028b25cd44094a8b6d1132b5a37f9aa64e207a6013e6c/details

And here is the malicious part of the upload, before being so redirected: https://www.virustotal.com/gui/url/ddfc5776534bc61f1b21375786e2defa0acbe379ace8780e7faa8c0c72cce2e2

This is a known infection source according to Dr.Web and 5 other AV vendors. *
Re: -htxp://forlumineontor dot com/afu.php?zoneid=2655877

See: https://www.virustotal.com/gui/url/07c21d24483da2f26fddc16bea092e00c84246b3111282e64088896e1d4ea342 (found to be malicious and some say suspicious) This was where you were being redirected.

Thanks for dissecting this threat scheme and for alerting us all to it.

So heads up, folks,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

To cleanse forlumineontor from your computer, make use of Malwarebytes.
Then quarantine, and then reboot Windows.

You may have landed there via pop-up ads or in your case it came in via redirects.

Verify all listed extensions in your browser as well for a malicious one.

In the browser.
Remove forlumineontor from your search settings.

Then reset your browser settings: chrome://settings/resetProfileSettings
Reset your browser settings completely and then reboot Windows.

polonus

L.S.

Re: https://www.virustotal.com/gui/file/58749a63b25cd1f19ea783c9e16c10b6901f56013d63ffce311d8066e88226dd/detection

So, as we find from the information on the Python forum…

Then this computer was infested well before this Python download and install, through visits to and redirects from a hacked server at -http://sd-steaminfo; redirects to other hacked servers downloading malcode (mal-ads) may have brought this in.

Or, more recently, log4j-related. Did you, for instance, have Minecraft etc. on that device, and was it infested? So mitigate the Java edition a.s.a.p. The Apache Log4j exploit may have impacted many an app. (Thanks to Pondus for additional cleansing info.)

pol

All of this malcode is inter-connected → https://sitecheck.sucuri.net/results/sd-steam.info
redirecting to: htxp://forlumineontor.com/afu.php?zoneid=2655877
Redirects:
Redirects to -http://smartlink.name/trafficback.html, see: → https://www.virustotal.com/gui/url/deb020c438ded2d82b86b787d802decc5f9f2df171259779fbc2ec5b051784b5/details
Redirects to final URL = hxtp://forlumineontor.com/afu.php?zoneid=2655877

Automatically remove, then make use of Malwarebytes.

Now, how to manually uninstall sd-steaminfo (info source: Alex Nightwatcher).
Steps A to H.

A. Check all shortcuts of your browsers on your desktop, taskbar and in the Start menu.
Right-click on your shortcut and change its properties.
You can see SD-STEAM INFO at the end of the shortcut target (command line).
Remove it and save changes.

In addition, check this command line for fake browser’s trick.
For example, if a shortcut points to Google Chrome, it must have the path:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe.
A fake browser may be: …\Appdata\Roaming\HPReyos\ReyosStarter3.exe etc.
Also the file name may be: “chromium.exe” instead of chrome.exe.

B. Investigate the list of installed programs and uninstall all unknown recently installed programs.

C. Open Task Manager and close all processes related to SD-STEAM INFO in their description.
Discover the directories where such processes start. Search for random or strange file names.

D. Inspect the Windows services. Press Win+R, type in: services.msc and press OK.
Disable the services with random names or that contain SD-STEAM INFO in their name or description.

E. After that press Win+R, type in: taskschd.msc and press OK to open Windows Task Scheduler.

F. Delete any task related to SD-STEAM INFO. Disable unknown tasks with random names.

G. Clear the SD-STEAM INFO virus from the Windows registry.
Press Win+R, type in: regedit.exe and press OK.
Find and delete all keys/values containing SD-STEAM INFO.

H. Remove SD-STEAM INFO from Google Chrome (e.g. Extensions, also in developer mode).
Delete malicious extensions from Google Chrome:

Open Google Chrome, click on the Menu (three vertical dots at the top-right corner)
and select More tools > Extensions.
In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.

Clear cookies and other browser data:

  1. Click on the Menu (three horizontal dots at the top-right of the browser window),
    and select Privacy & security.
  2. Under Clear browsing data, pick Choose what to clear.
  3. Select everything (apart from passwords, although you might want to include Media licenses as well, if applicable) and click on Clear.

Clear cache and web data from Chrome:

Click on Menu and pick Settings.

  1. Under Privacy and security, select Clear browsing data.
  2. Select Browsing history, Cookies and other site data, as well as Cached images and files.
  3. Click Clear data.

Change your homepage:

Click menu and choose Settings.
Look for a suspicious site in the On startup section.
Click on Open a specific or set of pages and click on three dots to find the Remove option.
Reset Google Chrome:

If the previous methods did not help you, reset Google Chrome to eliminate all the unwanted components:

  1. Click on Menu and select Settings.
  2. In the Settings, scroll down and click Advanced.
  3. Scroll down and locate the Reset and clean up section.
  4. Now click Restore settings to their original defaults.
  5. Confirm with Reset settings.

If you miss any of these steps and even one part of the PUP virus remains, it will come back again immediately or after a reboot.

pol
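As an added example, not from the thread or its info source, the PowerShell below mechanises the manual checks in steps A and G of the list above: it opens every browser shortcut on the desktop, Start menu and Quick Launch bar, flags any whose arguments carry sd-steam.info or a URL, or whose target is not the real browser binary under Program Files (the ReyosStarter3.exe / chromium.exe trick), and lists Run values in HKCU and HKLM that launch explorer.exe with a URL. The indicator string and the explorer.exe-plus-URL pattern are the ones quoted in the thread; the list of browser executables and shortcut folders is the author's assumption. The script is report-only: the Run-value removal is guarded by -WhatIf and the shortcut fix is left as a comment, so nothing changes until you act on the report.

```powershell
# Added example, not part of the original thread. Report-only by default.
# Indicator quoted in the thread: sd-steam.info.
$Indicator = 'sd-steam.info'

# Assumption: these are the browsers and shortcut locations worth checking.
$BrowserExes  = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe', 'opera.exe')
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
$ProgramDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Step A: shortcut target / argument hijack.
function Get-SuspiciousBrowserShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $ShortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file  = $_
        $lnk   = $shell.CreateShortcut($file.FullName)
        $leaf  = Split-Path -Path $lnk.TargetPath -Leaf
        $flags = @()
        # A URL appended to the arguments makes the browser open it on every launch.
        if ($lnk.Arguments -match [regex]::Escape($Indicator) -or $lnk.Arguments -match 'https?://') {
            $flags += 'url-in-arguments'
        }
        # A "browser" shortcut whose target is not the real binary under Program Files
        # (e.g. ...\AppData\Roaming\HPReyos\ReyosStarter3.exe, or chromium.exe) is a fake.
        $looksLikeBrowser = $file.BaseName -match '(?i)chrome|edge|firefox|opera|internet explorer'
        $underProgramFiles = @($ProgramDirs | Where-Object { $lnk.TargetPath -like "$_\*" }).Count -gt 0
        $realBinary = ($BrowserExes -contains $leaf) -and $underProgramFiles
        if ($looksLikeBrowser -and -not $realBinary) { $flags += 'fake-target' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $file.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Flags     = $flags -join ','
            }
        }
    }
}

# Step G: Run values that launch explorer.exe with a URL, or mention the indicator.
function Get-SuspiciousRunValues {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and $_.Value -is [string] } |
            Where-Object { $_.Value -match '(?i)explorer\.exe\s+https?://' -or
                           $_.Value -match [regex]::Escape($Indicator) } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
    }
}

$badShortcuts = @(Get-SuspiciousBrowserShortcuts)
$badRunValues = @(Get-SuspiciousRunValues)
$badShortcuts | Format-Table -AutoSize -Wrap
$badRunValues | Format-Table -AutoSize -Wrap

# Remediation. Run values: report-only until -WhatIf is removed.
foreach ($r in $badRunValues) { Remove-ItemProperty -Path $r.Key -Name $r.Name -WhatIf }
# Shortcuts with hijacked arguments: clear the arguments and save, e.g.
#   $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($s.Shortcut); $lnk.Arguments = ''; $lnk.Save()
# Shortcuts flagged fake-target should be deleted and recreated from the real browser binary.
foreach ($s in $badShortcuts) { Write-Warning "Review shortcut $($s.Shortcut) [$($s.Flags)]" }
```

Run it once before cleaning and once after the reboot the list above recommends; a Run value or shortcut that reappears on the second run means a scheduled task (step F) or service (step D) is still putting it back.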