Hacked with a virus

Hello

Reaching out for assistance ASAP if possible!

3 computers now that are infected with some sort of virus that these scans never picked up:

Malwarebytes

Spybot 

Norton 360

Evidence of Microsoft Edge causing a LOT of this

I isolated a few things on one PC

Possibly HxOutlook.exe or something to do with Microsoft Edge

Every PC I logged into before I caught this has this virus or whatever

All my logins, rights, etc. keep being changed by someone

I found some warnings about these IP addresses, which came up in netstat -f and the TCP tools:

20.25.241.18

13.107.136.254

Every time I scrub an area it goes right back; on one PC someone is downloading files

I see processes running that I am unable to stop

I ran netstat -f and found these addresses

DNS names  

Ran the Microsoft process tool and saw a TON of stuff running as well

@merlin02131 Following up with the thread to ask if we can assist further.

SA

Merlin. Replacing your ISP device and a factory reset of any other router you are using should be the next steps. That being said, the main crux I see in your last posting is MyHP trash running in the background. My suggestion is to remove it, as it's nothing more than HP bloatware. I've done so with all my Dell and HP machines right out of the box. Please also consider the articles below with HP vulnerability listings and how they may be applicable on your end. Please note that all entries marked with [::]:0 indicate the local computer you are logging into at the present time.

Additionally, ExpressVPN also shows connectivity. The IPs related to that connection will be masked when that VPN is active on the computer. If you are loading Norton 360 at boot with its VPN enabled alongside Norton VPN, there is a larger part of your IP ghosting issues. Disable one or the other from loading at boot.

https://support.hp.com/us-en/security-bulletins

https://support.hp.com/us-en/document/ish_5950417-5950443-16/hpsbpi03781

The protocol RpcSs on port 135 is RDC remote desktop. If you are working from home or connections are being made to an outside server, that is what you are seeing. If you want to track down the actual processes running at a given time, use Sysinternals from Microsoft. There are great tools that will provide tons of information in real time.

SA

PS C:\WINDOWS\system32> netstat -abn

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING
  CDPSvc
 [svchost.exe]
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
 [spoolsv.exe]
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:58082          0.0.0.0:0              LISTENING
 [NortonSecurity.exe]
  TCP    0.0.0.0:58083          0.0.0.0:0              LISTENING
 [NortonSecurity.exe]
  TCP    127.0.0.1:2015         0.0.0.0:0              LISTENING
 [expressvpnd.exe]
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
 [mDNSResponder.exe]
  TCP    127.0.0.1:58742        0.0.0.0:0              LISTENING
 [ExpressVPNNotificationService.exe]
  TCP    127.0.0.1:58742        127.0.0.1:58744        ESTABLISHED
 [ExpressVPNNotificationService.exe]
  TCP    127.0.0.1:58744        127.0.0.1:58742        ESTABLISHED
 [expressvpnd.exe]
  TCP    192.168.200.3:139      0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.200.3:58523    20.25.241.18:443       ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.200.3:58693    52.218.234.57:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58701    52.218.234.57:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58706    74.201.179.42:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58707    74.201.179.42:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58708    74.201.179.42:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58709    74.201.179.42:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58710    74.201.179.42:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58713    104.77.233.204:443     CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58714    104.77.233.204:443     CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58715    104.77.233.204:443     CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58716    104.77.233.204:443     CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58717    104.77.233.204:443     CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:58718    104.77.233.204:443     CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:59135    104.42.50.130:443      ESTABLISHED
 [NortonSecurity.exe]
  TCP    192.168.200.3:59357    151.101.117.175:443    ESTABLISHED
 [msedge.exe]
  TCP    192.168.200.3:59365    151.101.116.157:443    ESTABLISHED
 [msedge.exe]
  TCP    192.168.200.3:59370    35.241.45.82:443       ESTABLISHED
 [msedge.exe]
  TCP    192.168.200.3:59382    104.17.172.102:443     TIME_WAIT
  TCP    192.168.200.3:59405    151.101.116.214:443    ESTABLISHED
 [msedge.exe]
  TCP    192.168.200.3:59430    20.25.241.18:443       ESTABLISHED
 [OneDrive.exe]
  TCP    192.168.200.3:59478    52.182.141.63:443      TIME_WAIT
  TCP    192.168.200.3:59479    142.251.40.142:443     TIME_WAIT
  TCP    192.168.200.3:59486    35.186.224.25:443      TIME_WAIT
  TCP    192.168.200.3:59489    20.42.73.24:443        TIME_WAIT
  TCP    192.168.200.3:59494    142.251.40.142:443     TIME_WAIT
  TCP    192.168.200.3:59507    142.251.40.142:443     ESTABLISHED
 [HP.myHP.exe]
  TCP    192.168.200.3:59509    13.69.239.74:443       ESTABLISHED
 [msedge.exe]
  TCP    192.168.200.3:59510    34.193.205.101:443     ESTABLISHED
 [msedge.exe]
  TCP    192.168.200.3:59511    34.193.205.101:443     ESTABLISHED
 [msedge.exe]
  TCP    [::]:135               [::]:0                 LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:7680              [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:49664             [::]:0                 LISTENING
 [lsass.exe]
  TCP    [::]:49665             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:49666             [::]:0                 LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49667             [::]:0                 LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49668             [::]:0                 LISTENING
 [spoolsv.exe]
  TCP    [::]:49669             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:58083             [::]:0                 LISTENING
 [NortonSecurity.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5050           *:*
  CDPSvc
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
 [msedge.exe]
  UDP    0.0.0.0:5353           *:*
 [msedge.exe]
  UDP    0.0.0.0:5353           *:*
 [msedge.exe]
  UDP    0.0.0.0:5353           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
 [msedge.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:49665          *:*
 [mDNSResponder.exe]
  UDP    127.0.0.1:1900         *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:49664        127.0.0.1:49664
  iphlpsvc
 [svchost.exe]
  UDP    127.0.0.1:64850        *:*
  SSDPSRV
 [svchost.exe]
  UDP    192.168.200.3:137      *:*
 Can not obtain ownership information
  UDP    192.168.200.3:138      *:*
 Can not obtain ownership information
  UDP    192.168.200.3:1900     *:*
  SSDPSRV
 [svchost.exe]
  UDP    192.168.200.3:5353     *:*
 [mDNSResponder.exe]
  UDP    192.168.200.3:64849    *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:4500              *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:5353              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:5353              *:*
 [msedge.exe]
  UDP    [::]:5353              *:*
 [msedge.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:49666             *:*
 [mDNSResponder.exe]
  UDP    [::1]:1900             *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:5353             *:*
 [mDNSResponder.exe]
  UDP    [::1]:64848            *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::b88c:325b:274e:81d0%2]:1900  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::b88c:325b:274e:81d0%2]:64847  *:*
  SSDPSRV
 [svchost.exe]
PS C:\WINDOWS\system32>

Post screenshots of the activity you are seeing. Maybe we can help determine who and where this is coming from. I would be more than happy to assist with that; I'm sure others will also.

SA
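Added example, not part of the thread or any product mentioned in it: a small Python parser for the `netstat -abn` layout pasted above, so each foreign IP can be tied to its owning image or service before anyone starts blocking addresses. The excerpt it parses is a constructed sample in the same layout as the dump above (same owner lines, same "Can not obtain ownership information" marker).

```python
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the `netstat -abn` dump above: a
# socket line may be followed by a service name, an "[image.exe]" line, or the
# "Can not obtain ownership information" line (netstat not run elevated).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.200.3:58523    20.25.241.18:443       ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.200.3:58693    52.218.234.57:443      CLOSE_WAIT
 [HP.myHP.exe]
  TCP    192.168.200.3:59430    20.25.241.18:443       ESTABLISHED
 [OneDrive.exe]
  TCP    192.168.200.3:59478    52.182.141.63:443      TIME_WAIT
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
DENIED = "Can not obtain ownership information"

def parse_netstat(text):
    """Return one dict per socket: proto, local, remote, state, service, exe, denied."""
    records, cur = [], None
    for raw in text.splitlines():
        line, m = raw.strip(), CONN_RE.match(raw)
        if m:
            proto, local, remote, state = m.groups()
            cur = {"proto": proto, "local": local, "remote": remote, "state": state or "",
                   "service": None, "exe": None, "denied": False}
            records.append(cur)
        elif cur is None or not line or line.startswith("PS "):
            continue                       # banner, header, blank and prompt lines
        elif line == DENIED:
            cur["denied"] = True           # netstat lacked rights to read the owner
        elif line.startswith("[") and line.endswith("]"):
            cur["exe"] = line[1:-1]        # owning image name
        else:
            cur["service"] = line          # svchost-hosted service (RpcSs, WpnService, ...)
    return records

def owner_label(rec):
    """Human-readable owner; a TIME_WAIT socket legitimately has no owner at all."""
    if rec["exe"]:
        return f"{rec['exe']} ({rec['service']})" if rec["service"] else rec["exe"]
    return "unknown (ownership not readable)" if rec["denied"] else "none (no owning process)"

def remote_owners(records):
    """Map each remote IP to the sorted owner labels talking to it, skipping
    listeners and wildcard peers (0.0.0.0:0, [::]:0, *:*)."""
    owners = defaultdict(set)
    for rec in records:
        host = rec["remote"].rpartition(":")[0].strip("[]")   # handles [::]:0 too
        if rec["state"] == "LISTENING" or host in ("0.0.0.0", "::", "*"):
            continue
        owners[host].add(owner_label(rec))
    return {ip: sorted(labels) for ip, labels in owners.items()}
```

Run it over output saved from an elevated prompt, since the ownership lines need admin rights. In the dump above the port 135 listener is owned by RpcSs, the RPC endpoint mapper (Remote Desktop listens on 3389, which does not appear there), and the 20.25.241.18 sessions belong to WpnService and OneDrive.exe.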

Yeah, probably a good idea too!
Hate to go through all this and have them back, the miserable @#$& lol!
If I ever could I’d them, we’ll be glad when this is resolved!

Thx

Regards

Rich

Yeah, it’s been a nightmare and I appreciate the helpful attempts as well! Looks like 5 computers need to be wiped, formatted, etc.! Prob look at doing this next week, as I have fought this long enough! Seems that the Microsoft recovery tasks do not wipe the computer, as they leave a lot of files on when performing the recovery. I’ll reach out to Norton this week!

Thx again for trying to help

Happy Holidays!

Regards

Rich

Rich. I would REPLACE your ISP device if you haven't done so already. All things now point to it being compromised, and/or your accounts with your ISP, your email and possibly still your Microsoft account. IF you are remotely working from home, that is also a huge issue.

SA

Wow, Rich, to say you are "a bit upset" shows how calm you are. This sounds like a nightmare. I cannot help but wish you all the best of luck. I am guessing you have contacted Norton direct for assistance.

More info in case someone else runs into this!

Next Wireshark trace, as I am sure this is not over, I will post up for you!

Quick update:

I did exactly what you suggested, as I spent all day yesterday trying to figure this out!

04:00 AM this morning I came back to my office, as last night I had rebuilt 2 of my PCs (desktop and laptop)

Monitored the desktop while I finished rebuilding the laptop, and all of a sudden IP addresses of bad guys filled the screen going outbound.

Traced it to the laptop, as the clean wipe did NOT get rid of everything

Another interesting fact: after the first wipe and clean, I found a Word doc "Christmas Tree" on the desktop

So I shut it down, rewiped the laptop again and shut it down, then rewiped my desktop and shut that down

It seems that it would follow the pattern of a worm, possibly the Christmas tree worm? No clue here, just a guess!

Now I need to ID the devices affected and figure out how to get it off my network

My wife's PC is in jeopardy now, as they changed all the pwds, so I rebooted 3 times and tried to wipe it, but the BitLocker key cannot be found

on my Microsoft account! Not sure about this, whether the key is somewhere else, as I have a few accounts, or it was deleted

So now it's how to get rid of the infected devices, clean them and keep the worm out!

Must be over 300 new entries in the new firewall as well!

As soon as I block a ton of them they get back in via new subnets and IP addresses continuously!

All this time and expense, as it's been identified in 2 of my sites! On one I see a ton of data downloaded too!

I know it's tied to Microsoft Outlook and Office (Microsoft Click-to-Run), as that's how they attack, using these programs to gain access somehow. I know I said yesterday HxTsr.exe, as it somehow fits into this as well!

I had shut down everything I could think of and searched online for ways to enter the PC, changed the admin and standard accounts, and they penetrated and changed them, so they are pros at this!

It's an inside attack to connect, then they take over, remotely accessing the PCs!

So much for great antivirus software, as I am a bit upset as well!

Regards

Rich O'Connor

Stumped as I am, my suggestion is to factory reset your router and change the defaults for the router settings login and password. Change your WiFi SSIDs and passwords as well. Update the router to its latest firmware in that process as well. Take all but one of your devices OFFLINE when you are accomplishing this.

Posting a screenshot should be straightforward. Norton should not be blocking it. Here is how: https://community.norton.com/en/forums/how-post-image-forums-0

SA

Hi

Apologies for the long message!

Still working this issue, as I cannot find the infected file!

Hope some of this helps someone else out there!

Must have run every scanner / anti-everything program out there; had me convinced that maybe it was just an RDP attack until my test failed! To confirm someone was in the PC: Remote was not shut completely down, so I shut this down (I shut down ALL RDP, Remote Desktop, etc. on the PC), and someone was confirmed in the PC, so I set up a test. I pulled down a dummy American Express PDF invoice, put it on my desktop, and it was removed! I have updated the router and firewall to track this also!

I am back to HxTsr.exe, as I am unable to find out how to verify this file! Been everywhere checking, etc. Don't want to remove this yet; searching for any way to verify the executable first!

Everything on this file looks original, from the General to the Security tab, reviewing other PCs as well!

The affected 3 PCs now have all admin passwords changed, Windows Defender beefed up, Norton online and scanning every day

My firewall has about 200 more entries (over 300 now) as I go out and check the IP addresses and find they are hacker addresses!

First day in a few weeks I have been able to review and work this!

Every time some of the bad guy IP addresses connect, HxTsr.exe comes online along with outlook.exe; I am not 100% sure on this, as I also blocked a ton of 443 ports, but I can't block all of them since some sites still use 443, hence my difficulty. I performed an End Task, as prior to this it shows a suspended state, but it comes back online by itself. A Wireshark trace showed Microsoft Office (the packet had data in it) and was ID'ed in the trace as one of the bad guy IP address packets! Not quite sure, but it looks like he was accessing something; I need to follow up on this as well! Now blocked!

MS Edge and Widgets continue to come up, as I have shut them down numerous times as well. Possibly a Microsoft thing, as I am unable to disable them completely! Every admin account pwd changed as well!

I did see some strange info under a user policy that had me reviewing why a strange user had read/write access assigned onto the account. On my list to find out who and why!

Totally amazed that no one else has reported or gone through any sort of this type of attack!

Maybe I am just looking in the wrong places!

Now set up to just watch the logs, traces, processes, etc.!

Thx for the assistance!

Regards

Rich

Have you cleared your DNS cache on the affected machines?

SA

Good Morning

No 2FA, but I do have the account send me a code to log in to my email, which I will be changing today also and enabling more security. I will be working on that today, as I changed some account user pwd updates, etc. All my pwds have been changed, so thx for the advice!

Interesting you mention account compromise, as I changed my passwords etc. yesterday

As of this writing, I just restored one of the PCs, and these attack IP addresses followed, as my new PC restore has them via netstat -a

Unbelievable

They do not seem to be on my laptop, which is interesting, on the same network

Time to do some IP swapping and network cleanup as well

Thanks for the feedback. Asking for your current OS is to validate for the sake of accuracy; much appreciated, since I never assume. My advice is to contact Microsoft regarding your credentials being compromised. Wondering if you have 2FA protections set on your MS account or not. I do. You can begin using the Microsoft information in the link below.

https://support.microsoft.com/en-us/account-billing/how-to-recover-a-hacked-or-compromised-microsoft-account-24ca907d-bcdf-a44b-4656-47f0cd89c245

SA

FYI

Malwarebytes, TotalAV, ADSpyhunter, DriverSupportOne AV and also Norton Power Eraser found nothing

Good Morning

Trying to give as much data as I can!

Thank you all for reaching out, as I work crazy hours, up early and back early

Yes I do 

Windows 11 Pro 

HP Pavilion (brand new machine)

Windows 11 Pro

TPM enabled

Bitlocker just enabled this weekend 

Running Task Manager I see the process HxTsr running at around zero %

The same PID 2780 is running from

Process Explorer searching on HxOutlook:

C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.resources.dll
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.exe
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.viewmodel.dll
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.view.dll
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.dll
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook_app.dll
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.model.dll
C:\ProgramFiles\windowsapps\microsoft.windowscommunicationsapp_1605.14326.20970_x64_8wekyb\HxOutlook.resources.dll

Numerous threads on the same PID

I have seen numerous IP addresses ID'ed as nasty and have blocked them on my firewall for now, but it seems they are getting around it

I use RDP to other machines, and I believe that one of my other PCs actually was infected

So this may have come in from a Windows 11 Pro Lenovo machine, as this is another brand new machine, but we do NOT run mail on that one

My Windows credentials have def been changed, adding in other accounts on my PC, not in Windows tho

I am unable to post Process Explorer or TCPView here, as Norton will not allow it

My user (Admin/System) credentials seem to have been compromised, as I removed them twice and they seem to have new accounts reappearing (stripped down my admin accounts to 2, but I go back in and see 5)

Tried removing them from the registry, but each time it gets more difficult to remove

Thank You ALL!

Regards

Rich

Hello again. The dispute on my part isn't whether these executables are part of Windows Mail; they are, as shown below in the screenshot using Sysinternals Process Explorer. Please note in the screenshot that "VirusTotal" is also targeted by each process. There aren't any warnings there indicating these are bad actors. Also note the OP states his "login credentials" are randomly being changed. This is an indicator on my part that either the Windows account or mail credentials are compromised.

@merlin02131 Do you in fact use Windows Mail? If so is that where your credentials are being changed? Additionally what is your OS and its version? Thanks in advance.

Winmail running proccesses.png

SA

SoulAsylum, the original poster can compare the file hash of the running HxOutlook.exe to see if it is in fact malware - that's why I posted the path of the legitimate file. I use Windows Mail and the process is normally running on my systems. TCPView shows HxTsr.exe instead of HxOutlook.exe if it's the legitimate file.

Found these:

https://howtofix.guide/hxoutlook-exe-virus/

https://digitalshiftmedia.co.uk/what-is-hxoutlook-exe-is-it-a-virus-or-malware-remove/

https://www.file.net/process/hxoutlook.exe.html

https://howtoremove.guide/hxoutlook-exe-virus/

http://processchecker.com/file/HxOutlook.exe.html

https://answers.microsoft.com/en-us/windows/forum/all/what-is-hxtsrexe-in-windows-10/19176b3a-98d9-4a7b-aaff-6a1d4d7c9d0e