Greetings everyone,

I've been away from this forum for a long time, must be more than 10 years since my last post. That's how long I've been pretty much trouble free, as far as the Internet and data safety was concerned. Back then I was experimenting all too often with the free anti-spyware and anti-virus programs (Avast, AVG, etc.), getting in trouble in the process, as those freebies would often interfere with each other and cause all sorts of headaches, mainly because those conflicts produced a breeding ground for some real nasty Internet threat. I can still remember the friendly atmosphere and helpful people on the DaniWeb forum (DaniWebIT back then), every time I'd get into trouble, most of it way beyond my level of knowledge.

It's been years since I decided to make a move forward, to leave the comfort zone of Windows and aging Win XP and enter the exciting world of Linux; it felt right, the communities worldwide were growing fast, the support was improving, and so were the stability and number of desktop-friendly distros. Yet somehow I managed to postpone that move indefinitely, re-inventing excuses to keep the increasingly sluggish and insecure XP on the machine, until it really needed to be replaced for good, by all the joys (and hardships) of the tux world. The seemingly bomb-proof performance of MS Essentials made all these excuses so much easier to make, even after the end of official MS support, as community-maintained threat definitions were being kept up to date until the present time.

Just days before the long postponed migration, I foolishly decided to re-activate the expired MS Office 2010 once again, so that I could transfer in peace the local library of files, bookmarks and contacts onto a backup drive, before commencing the ultimate shutdown of the good ole' battered & weathered Windows machine. Lacking the known-to-work MS Toolkit on my SW backup drive, I hastily searched the web, cursing along as none of the Toolkit versions I downloaded would work with my XP OS any longer. Finally I found one that looked legit (v2.6.2.rar) and went ahead with extracting the .rar file. That's when the calamity began, as the .rar extract triggered some sort of installer window, which for the life of me I couldn't close. During this short skirmish with the unknown installer, a bunch of dirt showed up on the Desktop (folders), but ultimately I managed to close the installer window and delete the trash on the Desktop.

Soon enough the machine started to misbehave ... Firefox search engine would re-direct to »Safe-Finder« Yahoo search engine (little known malware), when starting MS Outlook (»loading preferences« messages) it would attempt connections to some weird unknown locations, the machine would freeze constantly ... it's when I finally realized that things were rather serious.

Things I noticed, when I pulled myself together and started to solve the problems:

  • Alien processes, shown by Task Manager: Tolinx.exe, set.exe, nettrans.exe;
  • MS Essentials would freak out every time I started MS Outlook or Firefox, telling me that the LocalNETService.exe file in 'Documents and Settings\All Users\Application Data\LocalNETService' needs my attention;
  • Whenever I'd kill the Tolinx.exe process (END PROCESS), it would restart on every reboot;
  • Bizarre and never seen before content observed in 'Documents and Settings\All Users\Application Data\ … ', such as folders 'Tolnix' and 'Tolnixs', with no readme files whatsoever to give me a hint about what they might be used for.
  • I googled »Tolnix«, got a handful of really weird and suspicious hits, but only one (1!) exact match – a link to website "Tolnix" (tolnix.com), with a sub-text »Tolnix Will Be Coming In 2017!«.
  • Just for the sake of argument, I replaced the small letter »l« (-el) in the word »Tolnix« with a capital »I« (-ai) in the Google search engine. No go ... got even fewer results, which didn't make any sense at all.

Steps I performed initially, and behavior of the system I observed during the process:

  • I ran several online deep scanners, one at a time (Trend Micro's HouseCall, Panda Cloud Cleaner), which did find a lot of dirt, but cleaned just a few (as you have to pay for the rest, of course). Here's what HouseCall scanner cleaned:

'HackTool:Win32/AutoKMS';
'Behavior:Win32/Locky.gen!B!ram';
'SoftwareBundler:Win32/Prepscram';

  • I ran a deep scan with MS Essentials (with the latest manual update), which also found and cleaned several threats (or so I thought), such as 'TrojanDownloader:Win32/Zurgop.C«bit!', among others.
  • During the scanning process (HouseCall), the MS Essentials real-time scanner would turn off at random several times, reporting problems with Antimalware Service Executables. Sometimes it would switch on again automatically, other times I had to switch it on manually;
  • I downloaded and ran the Trial version of Malwarebytes v3.5.1 Build 2522 (Legacy for Win XP); it found over a hundred threats, all of which I quarantined;

At first glance it seems that the Malwarebytes scanner was remarkably effective at finding and disarming the threats. Question is – did it fix all of them, and what's the damage that I may not be aware of? The machine appears to be stable now (not counting one BSOD, due to buggy MB v3.5.1 Build 2522) - Firefox is no longer sluggish, does not re-direct to Safe-Finder, Outlook loads as it did before, but like I said – I did encounter a fair share of episodes with nasties in the past (followed by painstaking HijackThis sessions on the DaniWeb forum), so I know it's not wise to open the beer and make a toast too early.

I had a quick look at the Windows Registry (regedit), processes running (Task Manager, "GetServices" script) and folders in 'C:\Documents and Settings...\Application Data'. Here are my findings:

  • Subfolder 'C:\Documents and Settings\…\Application Data\Tolnix' is still there, but the 'Tolnixs' subfolder in the same subtree is now gone;
  • Process Tolnix.exe (and other suspicious ones) is no longer running, nor is it restarted after system reboots;
  • Tolnix is still present as an entry in the Registry: 'HKLM\SYSTEM\CurrentControlSet\services\Tolnix', with subfolders 'Enum' and 'Security';
  • Windows services (Administrative Tools) still show the service 'Tolnix'; it's not running, but it is set to Automatic;

I also ran CCleaner v4.14.4707, which found and suggested the following entry to be fixed:

  • PROBLEM: Invalid File Reference;
  • DATA: ImagePath – C:\Documents and Settings...\Application Data\tolnix\tolnix.exe -f "C:\Documents … \Application Data\tolnix\tolnix.dat" -l -a;
  • REG. KEY: 'HKLM\SYSTEM\CurrentControlSet\services\Tolnix';

When a program such as CCleaner suggests that you heal the perpetrator, you just know that something's not right ...

Logs and scan results that I would like to provide ...

1.) Registry content showing 'Tolnix' entry (regedit export file);
2.) Malwarebytes scan results;
3.) Services running ("GetServices" script export);

... but for some reason the icons of the attached files (.txt files) have a red border, and hovering over them with the cursor shows the message "The upload path does not appear to be valid" (is it restricted for newcomers?).

Looking forward to your help and suggestions ...

Kind regards,
Bostjan
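As an added example (not part of any post in this thread), the check below reads a regedit export like the one Bostjan tried to attach and flags services whose ImagePath binary sits in a user-writable profile directory, the trait CCleaner surfaced for 'Tolnix'. The sample export, the 'All Users' path and the 'Dnscache' entry are constructed values.

```python
import re

# Constructed sample regedit export: 'Tolnix' mirrors the ImagePath CCleaner reported in the post
# ('All Users' is constructed); 'Dnscache' is a normal REG_EXPAND_SZ value, exported as hex(2) UTF-16LE.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tolnix]
"ImagePath"="C:\\Documents and Settings\\All Users\\Application Data\\tolnix\\tolnix.exe -f \"C:\\Documents and Settings\\All Users\\Application Data\\tolnix\\tolnix.dat\" -l -a"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,\
  6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00
'''
# A service binary has no business living under a profile or temp directory (all user-writable).
USER_WRITABLE_DIRS = ('\\documents and settings\\', '\\application data\\', '\\appdata\\', '\\users\\', '\\temp\\')

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}}; hex continuation lines (',\\' + newline) are joined."""
    joined = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in map(str.strip, joined.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = raw
    return keys

def decode_value(raw):
    """Decode a REG_EXPAND_SZ (hex(2):...) or REG_SZ ("..." with \\ and \" escapes) value to str."""
    if raw.startswith('hex(2):'):  # comma-separated UTF-16LE bytes, NUL-terminated
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    # REG_SZ: drop the quotes and undo the backslash escapes; other types are returned raw
    return re.sub(r'\\(.)', r'\1', raw[1:-1]) if raw.startswith('"') else raw

def find_suspicious_services(reg_text):
    """List (service_name, exe_path) for services whose binary sits in a user-writable directory."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if '\\services\\' not in key.lower() or 'ImagePath' not in values:
            continue
        image = decode_value(values['ImagePath'])
        # Separate the executable from its arguments: a quoted path, or everything up to '.exe'
        # (splitting on the first space would truncate an unquoted 'Documents and Settings' path).
        m = re.match(r'"([^"]*)"|(.+?\.exe)\b', image, re.IGNORECASE)
        exe = (m.group(1) or m.group(2)) if m else image
        if any(d in exe.lower() for d in USER_WRITABLE_DIRS):
            hits.append((key.rsplit('\\', 1)[1], exe))
    return hits
```

Run `find_suspicious_services(open('export.reg', encoding='utf-16').read())` on a real export; regedit writes .reg files as UTF-16, so the encoding matters.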

My advice is to go to Bleepingcomputer.com and follow their posting rules; they then use a suite of scans and tools to clean this up.

Yes, you could google your way to what things are, try the usual Malwarebytes scans, but I feel what you want is exactly what Bleepingcomputer.com does.

PS. Yes, you could go the HijackThis route, but the threats and scan methods have changed, so my advice has changed.

Thank you rproffitt,

Like I said ... I've been away for a long time, hence my first thought was to try my luck on DaniWeb, as that's where I always received helpful advice and instructions in the past. Moving on, to see what people on Bleepingcomputer.com have to say about my recent encounter with the perils of the Internet.

Kind regards,
Bostjan

Bostjan attempted to upload these files but it didn't work. For the sake of testing site functionality, here they are.

A quick look at the logs shows the usual browser hijackers. See https://www.bleepingcomputer.com/virus-removal/safefinder.com-linkury-removal-guide for more. The other looks to be newer, or is just another trojan/adware or other item that may be using a random name generator scheme to make identification harder.

Downloading apps from the Internet is now a game of Russian roulette. I will note that I do use Ninite.com for the items they have there since they are free from toolbars and more.

Thank you rproffitt,

The random generation of folder/file/process/Reg.Key names is what I thought might be the case, perhaps the only rational explanation that there is. Will certainly look into the Safe-Finder removal guide on BleepingComputer, to start with. Downloading apps from places that you never heard of before ... just what was I thinking. It's not like I regularly stick my hand in the snake pit, but every now and then I truly amaze myself by doing something completely irrational and very likely harmful as well. Go figure ... Pink Floyd's tune "Momentary lapse of reason" best describes such a state of mind ...

Kind regards,
Bostjan

Greetings everyone,

After one week and four pages of correspondence on BleepingComputer, the problems with the nasty infections are finally resolved. If anyone is curious what it was all about and how the clean-up was done, feel free to flip through the pages of my thread, over here:

https://www.bleepingcomputer.com/forums/t/693702/bogeyman-tolnix-the-great-unknown/

Thank you once more, first to you Dani, for helping me with the hiccups pertaining to my newly registered account, and to you rproffitt, for referring me to the BleepingComputer website.

Kind regards,
Bostjan

@Bostjan_K. I read the four pages and you can see why I give them the nod. It's not fast, as so many need that sort of help, but if you can follow their rules it works. Thanks for updating here so folk can see how much work these pests create for us.