I've been away from this forum for a long time; it must be more than 10 years since my last post. That's how long I've been pretty much trouble free, as far as the Internet and data safety are concerned. Back then I was experimenting all too often with the free anti-spyware and anti-virus programs (Avast, AVG, etc.), getting in trouble in the process, as those freebies would often interfere with each other and cause all sorts of headaches, mainly because those conflicts produced a breeding ground for some really nasty Internet threats. I can still remember the friendly atmosphere and helpful people on the DaniWeb forum (DaniWebIT back then), every time I'd get into trouble, most of it way beyond my level of knowledge.
It's been years since I decided to make a move forward, to leave the comfort zone of Windows and the aging Win XP and enter the exciting world of Linux; it felt right, the communities worldwide were growing fast, the support was improving, and so did the stability and number of desktop-friendly distros. Yet somehow I managed to postpone that move indefinitely, re-inventing excuses to keep the increasingly sluggish and insecure XP on the machine, until it really needed to be replaced for good, by all the joys (and hardships) of the tux world. The seemingly bomb-proof performance of MS Essentials made all these excuses so much easier to make, even after the end of official MS support, as community-maintained threat definitions were being kept up to date until the present time.
Just days before the long-postponed migration, I foolishly decided to re-activate the expired MS Office 2010 once again, so that I could transfer in peace the local library of files, bookmarks and contacts onto a backup drive, before commencing the ultimate shutdown of the good ole' battered & weathered Windows machine. Lacking the known-to-work MS Toolkit on my SW backup drive, I hastily searched the web, cursing along as none of the Toolkit versions I downloaded would work with my XP OS any longer. Finally I found one that looked legit (v2.6.2.rar) and went ahead with extracting the .rar file. That's when the calamity began, as the .rar extract triggered some sort of installer window, which for the life of me I couldn't close. During this short skirmish with the unknown installer, a bunch of dirt showed up on the Desktop (folders), but ultimately I managed to close the installer window and delete the trash on the Desktop.
Soon enough the machine started to misbehave ... The Firefox search engine would redirect to the »Safe-Finder« Yahoo search engine (little-known malware); when starting MS Outlook (»loading preferences« messages), it would attempt connections to some weird unknown locations; the machine would freeze constantly ... that's when I finally realized that things were rather serious.
Things I noticed, when I pulled myself together and started to solve the problems:
- Alien processes shown by Task Manager: Tolinx.exe, set.exe, nettrans.exe;
- MS Essentials would freak out every time I started MS Outlook or Firefox, telling me that the LocalNETService.exe file in 'Documents and Settings\All Users\Application Data\LocalNETService' needs my attention;
- Whenever I'd kill the Tolinx.exe process (END PROCESS), it would restart on every reboot;
- Bizarre and never-before-seen content observed in 'Documents and Settings\All Users\Application Data\ ... ', such as the folders 'Tolnix' and 'Tolnixs', with no readme files whatsoever to give me a hint about what they might be used for;
- I googled »Tolnix«, got a handful of really weird and suspicious hits, but only one (1!) exact match – a link to the website "Tolnix" (tolnix.com), with the sub-text »Tolnix Will Be Coming In 2017!«.
Just for the sake of argument, I replaced the lower-case letter »l« (-el) in the word »Tolnix« with a capital »I« (-ai) in the Google search engine. No go ... I got even fewer results, which didn't make any sense at all.
Steps I performed initially, and behavior of the system I observed during the process:
- I ran several online deep scanners, one at a time (Trend Micro's HouseCall, Panda Cloud Cleaner), which did find a lot of dirt, but cleaned just a few (as you have to pay for the rest, of course). Here's what the HouseCall scanner cleaned:
- I ran a deep scan with MS Essentials (with the latest manual update), which also found and cleaned several threats (or so I thought), such as 'TrojanDownloader:Win32/Zurgop.C«bit!', among others;
- During the scanning process (HouseCall), the MS Essentials real-time scanner would turn off at random several times, reporting problems with the Antimalware Service Executable. Sometimes it would switch on again automatically; other times I had to switch it on manually;
- I downloaded and ran the trial version of Malwarebytes v3.5.1 Build 2522 (Legacy for Win XP); it did find over a hundred threats, all of which I quarantined.
At first look it seems that the Malwarebytes scanner was remarkably effective at finding and disarming the threats. The question is: did it fix all of them, and what's the damage that I may not be aware of? The machine seems to be stable now (not counting one BSOD, due to the buggy MB v3.5.1 Build 2522): Firefox is no longer sluggish and does not redirect to Safe-Finder, Outlook loads as it did before, but like I said, I did encounter a fair share of episodes with nasties in the past (followed by painstaking HijackThis sessions on the DaniWeb forum), so I know it's not wise to open the beer and make a toast too early.
I had a quick look at the Windows Registry (regedit), the processes running (Task Manager, "GetServices" script) and the folders in 'C:\Documents and Settings...\Application Data'. Here are my findings:
- The subfolder 'C:\Documents and Settings\...\Application Data\Tolnix' is still there, but the 'Tolnixs' subfolder in the same subtree is now gone;
- The process Tolnix.exe (and the other suspicious ones) is no longer running, nor is it restarted after system reboots;
- Tolnix is still present as an entry in the Registry: 'HKLM\SYSTEM\CurrentControlSet\services\Tolnix', with the subfolders 'Enum' and 'Security';
- Windows Services (Administrative Tools) still shows the service 'Tolnix'; it's not running, but it is set to Automatic.
I also ran CCleaner v4.14.4707, which found and suggested the following entry be fixed:
- PROBLEM: Invalid File Reference;
- DATA: ImagePath – C:\Documents and Settings...\Application Data\tolnix\tolnix.exe -f ''C:\Documents ... \Application Data\tolnix\tolnix.dat'' -l -a;
- REG. KEY: 'HKLM\SYSTEM\CurrentControlSet\services\Tolnix';
When a program such as CCleaner suggests that you heal the perpetrator, you just know that something's not right ...
Logs and scan results that I would like to provide ...
1.) Registry content showing 'Tolnix' entry (regedit export file);
2.) Malwarebytes scan results;
3.) Services running ("GetServices" script export);
... but for some reason the icons of the attached files (.txt files) have a red border, and hovering over them with the cursor shows the message "The upload path does not appear to be valid" (is it restricted for newcomers?).
Looking forward to your help and suggestions ...
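A way to go through a regedit export like the one listed under 1.) and flag services whose binary runs from outside the Windows or Program Files directories, which is exactly what made the Tolnix ImagePath stand out. This is an added example, not part of the post or of any tool named in it. The Tolnix key path and the shape of its ImagePath follow what is quoted above; the profile directory (written as <profile>), the Type/Start values, the Eventlog key used as a benign comparison, the environment-variable map and the list of trusted directories are all assumptions for the sake of the example.

```python
"""Audit a regedit (.reg) export of the Services hive for service binaries
that run from outside the usual system directories.
Added example: the Tolnix entry mirrors the post, other values are assumed."""
import re
from typing import Dict, List, Optional

# Where a legitimately installed service binary is expected to live on an XP
# machine (assumption; extend for your own environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Minimal environment map for expanding REG_EXPAND_SZ paths (assumed values).
ENV = {"%SYSTEMROOT%": "C:\\WINDOWS", "%PROGRAMFILES%": "C:\\Program Files"}

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw: str):
    """Turn one regedit value literal into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash
        return re.sub(r"\\(.)", lambda m: m.group(1), raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ is exported as NUL-terminated UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other binary types are not needed for this audit


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    pending: List[str] = []
    for line in text.splitlines():
        # regedit wraps long hex values with a trailing backslash
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line.strip())
        full = "".join(pending)
        pending = []
        if full.startswith("[") and full.endswith("]"):
            current = full[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(full)
            if m:
                keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def executable_from_image_path(image_path: str) -> str:
    """Extract the binary from an ImagePath, expanding %VAR% references."""
    path = image_path
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.I)
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    # Unquoted path that may contain spaces: take everything up to the .exe
    m = re.match(r"^(.*?\.exe)", path, re.I)
    return m.group(1) if m else path.split(" ", 1)[0]


def audit_services(reg_text: str) -> List[Dict[str, object]]:
    """One finding per service whose binary is outside TRUSTED_PREFIXES."""
    findings: List[Dict[str, object]] = []
    for key, values in parse_reg_export(reg_text).items():
        m = SERVICE_KEY.match(key)
        if not m or "ImagePath" not in values:
            continue
        exe = executable_from_image_path(str(values["ImagePath"]))
        if exe.lower().startswith(TRUSTED_PREFIXES):
            continue
        findings.append({
            "service": m.group(1),
            "exe": exe,
            "autostart": values.get("Start") == 2,  # Start=2 is Automatic
            "reason": "service binary outside system/program directories",
        })
    return findings


def _expand_sz(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ (hex(2))."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


# Constructed sample export. Key name and ImagePath layout follow the post;
# <profile>, the dword values and the Eventlog entry are assumed.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tolnix]",
    r'"Type"=dword:00000010',
    r'"Start"=dword:00000002',
    r'"ImagePath"="C:\\Documents and Settings\\<profile>\\Application Data\\tolnix\\tolnix.exe '
    r'-f \"C:\\Documents and Settings\\<profile>\\Application Data\\tolnix\\tolnix.dat\" -l -a"',
    r'"DisplayName"="Tolnix"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tolnix\Security]",
    '"Security"=hex:01,00,14,80,\\',
    "  90,00,00,00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]",
    r'"Type"=dword:00000020',
    r'"Start"=dword:00000002',
    '"ImagePath"=' + _expand_sz("%SystemRoot%\\system32\\services.exe"),
])

if __name__ == "__main__":
    for f in audit_services(SAMPLE_REG):
        flag = "AUTOSTART" if f["autostart"] else "manual"
        print(f"[{flag}] {f['service']}: {f['exe']} ({f['reason']})")
```

Run against a real export of HKLM\SYSTEM\CurrentControlSet\Services, it lists every service whose executable sits under a profile or other non-system directory, together with whether it is set to start automatically; the Tolnix entry from the post is flagged while the services.exe comparison entry is not. A hit is a lead to investigate, not proof of malware, since some legitimate installers do register services from odd places.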