Geek007. Windows apps are legitimate targets of LOL infections (Living off the land), hijacking legit Windows processes to insert their own. WinMail can be removed and its processes terminated in Task Manager. It can also be uninstalled via the Start area with a few simple clicks of the mouse. And, as it is hidden within a secured area of Windows, it's extremely difficult to locate due to permissions assigned in Group Policies. Moreover, three separate devices are infected which the user has logged into. My concern is the common thread, the user's Windows account, as it is the common thread. Is their MS account compromised? We don't know that as of yet. I am concerned that may be the case.
Further, if the OP isn't using Windows Mail there shouldn't be any processes starting on their own for that application. I've never had that happen on any of my machines to date whether using WinMail or Outlook. Let's find out if Rkill detects anything that needs attention before going off base with things.
SA
HXoutlook.exe is Windows Mail - it should be located in C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe directory.
https://www.file.net/process/hxoutlook.exe.html
Hello Merlin. Your first IP address traces to the below for your review:
https://www.ip-tracker.org/lookup.php?ip=20.25.241.18
Your second offending IP address traces to the below for your review:
https://www.ip-tracker.org/lookup.php?ip=13.107.136.254
*Commonality - They are BOTH listed under Microsoft and are NOT blacklisted.
HXoutlook.exe is definitely a trojan dropper that was picked up from a compromised website, use of a torrent, etc. It is NOT a legitimate Microsoft process. Disconnect the computer(s) from active internet services, one device at a time, download and run Rkill and see whether it detects and stops these tasks from running. If successful, open your Norton product and run a full system scan using NPE. NPE is VERY aggressive and can delete valid system files, so be extremely careful when telling it what to remove.
SA
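The thread disagrees on whether HxOutlook.exe is the Windows Mail binary or something else using its name. One way to check on each affected machine, as an added example that is not part of any post above: compare where each running HxOutlook.exe is loaded from against the install directory of the microsoft.windowscommunicationsapps package named earlier, and report the file's signature. It assumes Windows PowerShell on the affected device; the output property names are chosen here for illustration.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Package name is taken from the WindowsApps path quoted in the thread.
$pkg = Get-AppxPackage -Name 'microsoft.windowscommunicationsapps'
$installDirs = @($pkg | ForEach-Object { $_.InstallLocation })

$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'HxOutlook.exe'")
if ($procs.Count -eq 0) { Write-Output 'No HxOutlook.exe process is running.' }

foreach ($p in $procs) {
    $path      = $p.ExecutablePath   # empty when this session lacks rights to query the process
    $inPackage = $false
    $sigStatus = 'not checked'
    $signer    = $null

    if ($path) {
        # A copy running from a profile, temp or download folder will not match.
        $dir       = Split-Path -Path $path -Parent
        $inPackage = $installDirs -contains $dir    # -contains compares case-insensitively

        try {
            $sig       = Get-AuthenticodeSignature -FilePath $path -ErrorAction Stop
            $sigStatus = $sig.Status
            $signer    = $sig.SignerCertificate.Subject
        } catch {
            $sigStatus = "unreadable: $($_.Exception.Message)"
        }
    }

    # The parent process shows what launched it (may be empty if the parent has exited).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    [pscustomobject]@{
        ProcessId              = $p.ProcessId
        Path                   = $path
        InInstalledMailPackage = $inPackage
        PackageSignatureKind   = ($pkg.SignatureKind -join ',')
        FileSignature          = $sigStatus
        Signer                 = $signer
        ParentProcess          = $parent.Name
    }
}
```

A row with InInstalledMailPackage set to False, or a path outside C:\Program Files\WindowsApps, is the one to investigate further; run the check from an elevated session if Path comes back empty.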