Member Avatar for Bostjan_K

Greetings everyone,

I've been away from this forum for a long time, must be more than 10 years since my last post. That's how long I've been pretty much trouble free, as far as the Internet and data safety was concerned. Back then I was experimenting all too often with the free anti-spyware and anti-virus programs (Avast, AVG, etc.), getting in trouble in the process, as those freebies would often interfere with each other cause all sorts of headaches, mainly because those conflicts produced a breeding ground for some real nasty Internet threat. I can still remember the friendly atmosphere and helpful people on the DaniWeb forum (DaniWebIT back then), everytime I'd get in the troubles, most of them way beyond my level of knowledge.

It's been years since I decided to make a move forward, to leave the comfort zone of Windows and aging Win XP and enter the exciting world of Linux; it felt right, the communities worldwide were growing fast, the support was improving, and so did the stability and number of desktop friendly distros. Yet somehow I managed to postpone that move indefinitely, re-inventing excuses to keep the increasingly sluggish and insecure XP on the machine, until it really needed to be replaced for good, by all the joys (and hardships) of the tux world. Seemingly bomb-proof performance of MS Essentials made all these excuses so much easier to make, even after the end of official MS support, as community maintained threat definitions were being kept up to date until present time.

Just days before the long postponed migration, I foolishly decided to re-activate the expired MS Office 2010 once again, so that I could transfer in peace the local library of files, bookmarks and contacts onto backup drive, before commencing the ultimate shutdown of the good ole' battered & weathered Windows machine. Lacking the known to work MS Toolkit on my SW backup drive, I hastingly searched the web, cursing along as none of Toolkit versions I downloaded, would work with my XP OS any longer. Finally I found one that looked legit (v2.6.2.rar) and went ahead with extracting the .rar file. That's when the calamity began, as the .rar extract triggered some sort of installer window, which for the life of me I couldn't close. During this short skirmish with unknown installer, a bunch of dirt showed up on the Desktop (folders), but ultimately I managed to close the installer window and delete the trash on the Desktop.

Soon enough the machine started to misbehave …. Firefox search engine would re-direct to »Safe-Finder« Yahoo search engine (little known malware), when starrting MS Outlook (»loading preferences« messages), it would attempt connections to some weird unknown locations, machine would freeze constantly … it's when I finally realized that things were rather serious.

Things I noticed, when I pulled myself together and started to solve the problems:

  • Alien processes, shown by Task Manager: Tolinx.exe, set.exe, nettrans.exe ;
  • MS Essentials would freak out every time I started MS Outlook or Firefox, telling me that LocalNETService.exe file in 'Documents and Settings\All Users\Application Data\LocalNETService' needs my attention;
  • Whenever I'd kill the Tolinx.exe process (END PROCESS), it would restart on every reboot;
  • Bizare and never seen before content observed in the 'Documents and Settings\All Users\Application Data\ … ' , such as folders 'Tolnix' and 'Tolnixs', with no readme files whatsoever, to give me a hint about what they might be used for.
  • I googled »Tolnix«, got a handful of really weird and suspicuous hits, but only one (1!) exact match – a link to website "Tolnix" (tolnix.com), with a sub-text »Tolnix Will Be Coming In 2017!«.

  • Just for the sake of argument, I replaced the small letter »l« (-el) in the word »Tolnix« with a capital »I« (-ai) in the Google search engine. No go … got even fewer results that didn't make any sense at all.

Steps I performed initially, and behavior of the system I observed during the process:

  • I ran several online deep scanners, one at a time (Trend Micro's HouseCall, Panda Cloud Cleaner), which did find a lot of dirt, but cleaned just a few (as you have to pay for the rest, of course). Here's what HouseCall scanner cleaned:

'HackTool:Win32/AutoKMS' ;
'Behavior:Win32/Locky.gen!B!ram' ;
'SoftwareBundler:Win32/Prepscram' ;

  • I ran a deep scan with MS Essentials (with latest manual update), which also found and cleaned several threats (or so I thought), such as 'TrojanDownloader:Win32/Zurgop.C«bit!', among others.
  • During the scanning process (HouseCall), the MS Essentials real-time scanner would turn off at random several times, reporting problems with Antimalware Service Executables. Sometimes it would switch on again automatically, still other times I had to switch it on manually;
  • I downloaded and ran the Trial version of Malwarebytes v3.5.1. Build 2522 (Legacy for Win XP); it did find over hundred of threats, which I quarantined them all;

At first look it seems that Malwarebytes scanner was remarkably effective, at finding and disarming the threats. Question is – did it fix all of them, and what's the damage that I may not be aware of. The machine perceives to be stable now (not counting one BSOD, due to buggy MB v3.5.1 Build 2522) - Firefox is no more sluggish, does not re-direct to Safe-Finder, Outlook loads as it did before, but like I said – I did encounter a fair share of episodes with nasties in the past (followed by painstaking HijackThis sessions on DaniWeb forum), so I know it's not wise to open the beer and make a toast too early.

I had a quick look at the Windows Registry (regedit), processes running (Task Manager, "GetServices" script) and folders in 'C:\Documents and Settings...\Application Data'. Here are my findings:

  • Subfolder 'C:\Documents and Settings\…\Application Data\Tolnix' is still there, but the 'Tolnixs' subfolder in the same subtree is now gone;
  • Process Tolnix.exe (and other suspicious ones) is no longer running, nor it is restarted after system reboots;
  • Tolnix is still an entry present in the Registry: 'HKLM\SYSTEM\CurrentControlSet\services\Tolnix', with subfolders 'Enum' and 'Security';
  • Windows services (Administrator Tools) still show the service 'Tolnix'; it's not not running, but it is set to Automatic;

I also ran the CCleaner v4.14.4707, which found and suggested a following entry to be fixed:

  • PROBLEM: Invalid File Reference ;
  • DATA: ImagePath – C:\Documents and Settings...\Application Data\tolnix\tolnix.exe –f ''C:\Documents … \Application Data\tolnix\tolnix.dat'' –l –a ;
  • REG. KEY: 'HKLM\SYSTEM\CurrentControlSet\services\Tolnix' ;

When the program such as CCleaner suggests you to heal the perpetrator, you just know that something's not right …

Logs and scan results that I would like to provide ...

1.) Registry content showing 'Tolnix' entry (regedit export file);
2.) Malwarebytes scan results;
3.) Services running ("GetServices" script export);

... but for some reason the icons of files attached (.txt files) have the red border, and the hover-over with cursor shows a message "The upload path does not appear to be valid" (is it restricted for newcomers ?).

Looking forward to your help and suggestions ...

Kind regards,
Bostjan

Edited by Bostjan_K because: Syntax touch-ups
  • 3 Contributors
  • 7 Replies
  • 4K Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by rproffitt

Recommended Answers

All 7 Replies

Member Avatar for rproffitt

My advice is to get to Bleepingcomputer.com and follow their posting rules then they use a suite of scans and tools to clean this up.

Yes, you could google your way to what things are, try the usual Malwarebyte scans but I feel what you want is exactly what Bleepingcomputer.com does.

PS. Yes, you could do the hijackthis route but the threats and scan methods have changed so my advice has changed.

Edited by rproffitt
Member Avatar for Bostjan_K

Thank you rproffitt,

Like I said ... I've been away for a long time, hence my first thought was to try my luck on DaniWeb, as that's where I always received helpful advices and instructions in the past. Moving on, to see what people on Bleepingcomputer.com have to say about my recent encounter with the perils of Internet.

Kind regards,
Bostjan

Member Avatar for Dani

Bostjan attempted to upload these files but it didn't work. For the sake of testing site functionality, here they are.

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1464
        FLAGS              : 
        DESCRIPTION        : Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Alerter
        DEPENDENCIES       : LanmanWorkstation
        SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 3580
        FLAGS              : 
        DESCRIPTION        : Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.

        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\System32\alg.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Application Layer Gateway Service
        SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1276
        FLAGS              : 
        DESCRIPTION        : Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : AudioGroup
        TAG                : 0
        DISPLAY_NAME       : Windows Audio
        DEPENDENCIES       : PlugPlay
                           : RpcSs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1276
        FLAGS              : 
        DESCRIPTION        : Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Computer Browser
        DEPENDENCIES       : LanmanWorkstation
                           : LanmanServer
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1276
        FLAGS              : 
        DESCRIPTION        : Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Cryptographic Services
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1100
        FLAGS              : 
        DESCRIPTION        : Provides launch functionality for DCOM services.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\system32\svchost -k DcomLaunch
        LOAD_ORDER_GROUP   : Event Log
        TAG                : 0
        DISPLAY_NAME       : DCOM Server Process Launcher
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1276
        FLAGS              : 
        DESCRIPTION        : Manages network configuration by registering and updating IP addresses and DNS names.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : Tcpip
                           : Afd
                           : NetBT
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dmserver
DISPLAY_NAME: Logical Disk Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1276
        FLAGS              : 
        DESCRIPTION        : Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Logical Disk Manager
        DEPENDENCIES       : RpcSs
                           : PlugPlay
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1404
        FLAGS              : 
        DESCRIPTION        : Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINXP\system32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DNS Client
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/20/19
Scan Time: 12:04 PM
Log File: ec99bcc9-4aff-11e9-8ef0-00ff693ead82.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.9762
License: Trial

-System Information-
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: IGGYHOME\EagleDancer

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 217054
Threats Detected: 103
Threats Quarantined: 103
Time Elapsed: 43 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 4
Adware.Agent, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LOCALNETSERVICE\LOCALNETSERVICE.EXE, Quarantined, [99], [603752],1.0.9762
Adware.Linkury, C:\Documents and Settings\All Users\Application Data\Logic Cramble\set.exe, Quarantined, [1173], [431817],1.0.9762
Adware.Linkury, C:\DOCUMENTS AND SETTINGS\ALL USERS\PREFSSECURE\NETTRANS.EXE, Quarantined, [1173], [377398],1.0.9762
Adware.Linkury, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\TOLNIX\TOLNIX.EXE, Quarantined, [1173], [475745],1.0.9762

Module: 4
Adware.Agent, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LOCALNETSERVICE\LOCALNETSERVICE.EXE, Quarantined, [99], [603752],1.0.9762
Adware.Linkury, C:\Documents and Settings\All Users\Application Data\Logic Cramble\set.exe, Quarantined, [1173], [431817],1.0.9762
Adware.Linkury, C:\DOCUMENTS AND SETTINGS\ALL USERS\PREFSSECURE\NETTRANS.EXE, Quarantined, [1173], [377398],1.0.9762
Adware.Linkury, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\TOLNIX\TOLNIX.EXE, Quarantined, [1173], [475745],1.0.9762

Registry Key: 16
Adware.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\localNETService, Delete-on-Reboot, [99], [603752],1.0.9762
Adware.Linkury, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\backlh, Delete-on-Reboot, [1173], [431817],1.0.9762
PUP.Optional.APNToolBar.Gen, HKU\S-1-5-21-448539723-1767777339-1177238915-500.bak\SOFTWARE\AskPartnerNetwork, Delete-on-Reboot, [820], [186876],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}, Delete-on-Reboot, [253], [259313],1.0.9762
PUP.Optional.ASK, HKU\S-1-5-21-448539723-1767777339-1177238915-500.bak\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{BD107F37-287E-4229-8006-D6BD6065639A}, Delete-on-Reboot, [2], [258187],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}, Delete-on-Reboot, [253], [259313],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}, Delete-on-Reboot, [253], [259313],1.0.9762
PUP.Optional.Linkury, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\ielnksrch, Delete-on-Reboot, [253], [259314],1.0.9762
PUP.Optional.APNToolBar.Gen, HKU\S-1-5-18\SOFTWARE\AskPartnerNetwork, Delete-on-Reboot, [820], [186876],1.0.9762
PUP.Optional.Linkury.ACMB1, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Application Hosting, Delete-on-Reboot, [803], [259928],1.0.9762
Adware.Linkury, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETTRANS, Delete-on-Reboot, [1173], [377398],1.0.9762
Adware.Linkury, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TOLNIX.EXE, Delete-on-Reboot, [1173], [475745],1.0.9762
PUP.Optional.ASK, HKU\S-1-5-21-448539723-1767777339-1177238915-500.bak\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{D4027C7F-154A-4066-A1AD-4243D8127440}, Delete-on-Reboot, [2], [306571],1.0.9762
PUP.Optional.ASK, HKU\S-1-5-21-448539723-1767777339-1177238915-500.bak\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D4027C7F-154A-4066-A1AD-4243D8127440}, Delete-on-Reboot, [2], [306571],1.0.9762
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}, Delete-on-Reboot, [33], [160141],1.0.9762
Adware.Linkury, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETUP.EXE, Delete-on-Reboot, [1173], [475745],1.0.9762

Registry Value: 20
PUP.Optional.Linkury.ACMB1, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, Delete-on-Reboot, [803], [-1],0.0.0
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\ENVIRONMENT|SNF, Delete-on-Reboot, [803], [-1],0.0.0
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\ENVIRONMENT|SNP, Delete-on-Reboot, [803], [259518],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\ENVIRONMENT|SNF, Delete-on-Reboot, [803], [259517],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|DISPLAYNAME, Delete-on-Reboot, [253], [259313],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|URL, Delete-on-Reboot, [803], [259987],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|DEFAULT, Delete-on-Reboot, [803], [259988],1.0.9762
PUP.Optional.ASK, HKU\S-1-5-21-448539723-1767777339-1177238915-500.bak\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{BD107F37-287E-4229-8006-D6BD6065639A}|URL, Delete-on-Reboot, [2], [258187],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|DISPLAYNAME, Delete-on-Reboot, [253], [259313],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|DISPLAYNAME, Delete-on-Reboot, [253], [259313],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|URL, Delete-on-Reboot, [803], [259987],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{ielnksrch}|URL, Delete-on-Reboot, [803], [259987],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|DEFAULT, Delete-on-Reboot, [803], [259988],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|DEFAULT, Delete-on-Reboot, [803], [259988],1.0.9762
PUP.Optional.Linkury, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\ielnksrch|DISPLAYNAME, Delete-on-Reboot, [253], [259314],1.0.9762
PUP.Optional.Linkury.ACMB1, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\ielnksrch|URL, Delete-on-Reboot, [803], [259989],1.0.9762
Adware.Linkury, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETTRANS|IMAGEPATH, Delete-on-Reboot, [1173], [377398],1.0.9762
Adware.Linkury, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BACKLH|IMAGEPATH, Delete-on-Reboot, [1173], [379533],1.0.9762
Adware.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\LOCALNETSERVICE|IMAGEPATH, Delete-on-Reboot, [99], [603754],1.0.9762
PUP.Optional.ASK, HKU\S-1-5-21-448539723-1767777339-1177238915-500.bak\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{D4027C7F-154A-4066-A1AD-4243D8127440}, Delete-on-Reboot, [2], [306571],1.0.9762

Registry Data: 19
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH BAR, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH PAGE, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCHASSISTANT, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|DEFAULT_SEARCH_URL, Replace-on-Reboot, [803], [293486],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-20\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DEFAULTSCOPE, Replace-on-Reboot, [253], [293476],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH PAGE, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH BAR, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH BAR, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH PAGE, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCHASSISTANT, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCHASSISTANT, Replace-on-Reboot, [803], [293485],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|DEFAULT_SEARCH_URL, Replace-on-Reboot, [803], [293486],1.0.9762
PUP.Optional.Linkury.ACMB1, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCH|DEFAULT_SEARCH_URL, Replace-on-Reboot, [803], [293486],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-19\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DEFAULTSCOPE, Replace-on-Reboot, [253], [293476],1.0.9762
PUP.Optional.Linkury, HKU\S-1-5-21-448539723-1767777339-1177238915-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DEFAULTSCOPE, Replace-on-Reboot, [253], [293476],1.0.9762
PUP.Optional.Linkury, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPE
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tolnix

Class Name:        <NO CLASS>

Last Write Time:   3/20/2019 - 1:00 PM

Value 0

  Name:            Type

  Type:            REG_DWORD

  Data:            0x10



Value 1

  Name:            Start

  Type:            REG_DWORD

  Data:            0x2



Value 2

  Name:            ErrorControl

  Type:            REG_DWORD

  Data:            0x1



Value 3

  Name:            ImagePath

  Type:            REG_EXPAND_SZ

  Data:            C:\Documents and Settings\All Users\Application Data\\Tolnix\\Tolnix.exe shuz -f "C:\Documents and Settings\All Users\Application Data\\Tolnix\\Tolnix.dat" -l -a



Value 4

  Name:            DisplayName

  Type:            REG_SZ

  Data:            Tolnix



Value 5

  Name:            ObjectName

  Type:            REG_SZ

  Data:            LocalSystem





Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tolnix\Security

Class Name:        <NO CLASS>

Last Write Time:   3/18/2019 - 9:49 PM

Value 0

  Name:            Security

  Type:            REG_BINARY

  Data:            

00000000   01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00  ................

00000010   30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00  0...............

00000020   ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00  ...............

00000030   02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00  ..`............

00000040   01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00  ................

00000050   ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ........... ...

00000060   20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00   ...............

00000070   00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00  ...............

00000080   01 02 00 00 00 00 00 05 - 20 00 00 00 23 02 00 00  ........ ...#...

00000090   01 01 00 00 00 00 00 05 - 12 00 00 00 01 01 00 00  ................

000000a0   00 00 00 05 12 00 00 00 -                          ........





Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tolnix\Enum

Class Name:        <NO CLASS>

Last Write Time:   3/20/2019 - 1:00 PM

Value 0

  Name:            0

  Type:            REG_SZ

  Data:            Root\LEGACY_TOLNIX\0000



Value 1

  Name:            Count

  Type:            REG_DWORD

  Data:            0x1



Value 2

  Name:            NextInstance

  Type:            REG_DWORD

  Data:            0x1
Explorer_BOOTOS_Tree_Content.pdf (440.28 KB)
Member Avatar for rproffitt

A quick look at the logs shows the usual browser hijackers. https://www.bleepingcomputer.com/virus-removal/safefinder.com-linkury-removal-guide for more. The other looks to be newer or is just another trojan/adware or other item that may be using a random name generator schem to make identification harder.

Downloading apps from the Internet is now a game of Russian roulette. I will note that I do use Ninite.com for the items they have there since they are free from toolbars and more.

Member Avatar for Bostjan_K

Thank you rproffitt,

The random generation of folder/file/process/Reg.Key name is what I thought might be the case, perhaps the only rational explanation that there is. Will certainly look into Safe-Finder removal guide on BleepingComputer, to start with. Downloading apps from places that you never heard of before ... just what was I thinking. It's not like I regulary stick my hand in the snake pit, but every now and then I trully amaze myself, by doing something completely irrational and very likely harmful as well. Go figure ... the Pink Floyd's tune "Momentary lapse of reason" best describes such a state of mind ...

Kind regards,
Bostjan

Member Avatar for Bostjan_K

Greetings everyone,

After one week and four pages of correspondece on BleepingComputer, the problems with nasty infections are finally resolved. If anyone is curious what it was all about and how the clean-up was done, feel free to flip those pages of my thread, over here:

https://www.bleepingcomputer.com/forums/t/693702/bogeyman-tolnix-the-great-unknown/

Thank you once more, first to you Dani, for helping me with hiccups pertaining my newly registered account, and to you rproffitt, for referring me to BleepingComputer website.

Kind regards,
Bostjan

Edited by Bostjan_K because: typos
Member Avatar for rproffitt

@Bostjan_K. I read four pages and you can see why I give them the nod. It's not fast as so many need that sort of help but if you can follow their rules it works. Thanks for updating here so folk can see how much work these pests create for us.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.