ComboFix killed SalesLogix service

Discussion in 'Malware Help (A Specialist Will Reply)' started by pjames, Apr 22, 2010.

  1. pjames

    pjames Private E-2

    Hi all,

    Hopefully, this is an appropriate forum for this topic... I have a few users who had malware on their PCs. Our Helpdesk used ComboFix to correct the problems. I have been able to duplicate the malware (installed it on another PC), and with the malware the SalesLogix service still functions. However, after running ComboFix, although the service is still running, it no longer does what it should.

    The service is called SLXSystem. It is a blackbox, so I don't know exactly how it functions, but the functionality is this:

    1. When a user is using SalesLogix, changes they make to the database are also written to text files called queue files.
    2. The queue files are stored in C:\Docs and Settings\All users\Application Data\SalesLogix\Sync\QUEUEFiles.
    3. The SLXSystem service scans that directory for files that have the appropriate name:
    xxxxx-xxxxxxxxxx.qts_<servername>_<listeningPort>
    e.g. 100421-212847289.qts_ALA-SLX-003_1706
    4. It then tries to find the server, ALA-SLX-003, and connects to the port, 1706, and copies the file there.
    5. It then deletes the file from the source directory.

    What happens now is ..... nothing. The files just sit there. They are not copied to the server, nor removed. I have tried "Repairing" the network connections, run winsockxpfix.exe, run the reg fixes recommended for the malware, uninstalled/reinstalled SalesLogix, run some TCP/IP fix routines, run the Windows command line system file checker (sfc.exe), and nothing has helped.

    Also, I can ping the server and also connect using telnet to the port.
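    A small diagnostic for the queue-file mechanism described in the post, added here as an example and not code from the thread or from SalesLogix: it parses the `xxxxx-xxxxxxxxxx.qts_<servername>_<listeningPort>` name format, groups whatever is stuck in the queue directory by target server and port, and (optionally) repeats the telnet-style TCP connect check per target so a helpdesk can see at a glance which targets the files are waiting on. The sample file names are constructed; the regex is an assumption based only on the pattern and example given above.

    ```python
    import re
    import socket
    from pathlib import Path

    # Name format from the post: <stamp>.qts_<servername>_<listeningPort>
    # (assumed: stamp is digits-dash-digits; server name may contain hyphens)
    QUEUE_RE = re.compile(r"^(?P<stamp>\d+-\d+)\.qts_(?P<server>[^_]+)_(?P<port>\d+)$")


    def parse_queue_filename(name):
        """Return (server, port) for a well-formed queue file name, else None."""
        m = QUEUE_RE.match(name)
        if not m:
            return None
        return m.group("server"), int(m.group("port"))


    def summarize_queue(names):
        """Group stuck queue files by (server, port); non-matching names are ignored."""
        targets = {}
        for name in names:
            parsed = parse_queue_filename(name)
            if parsed is not None:
                targets.setdefault(parsed, []).append(name)
        return targets


    def check_target(server, port, timeout=3.0):
        """TCP connect test, the same check as 'telnet <server> <port>' in the post."""
        try:
            with socket.create_connection((server, port), timeout=timeout):
                return True
        except OSError:
            return False


    def scan_queue_dir(queue_dir, probe=False):
        """List the directory and summarize; probe=True also runs the connect test."""
        names = [p.name for p in Path(queue_dir).iterdir() if p.is_file()]
        summary = summarize_queue(names)
        if probe:
            return {t: (files, check_target(*t)) for t, files in summary.items()}
        return summary


    if __name__ == "__main__":
        # Constructed sample names, modelled on the example in the post
        sample = ["100421-212847289.qts_ALA-SLX-003_1706",
                  "100422-090001123.qts_ALA-SLX-003_1706",
                  "100422-090512004.qts_ALA-SLX-007_1706",
                  "notes.txt"]
        for (server, port), files in summarize_queue(sample).items():
            print(f"{server}:{port} -> {len(files)} file(s) waiting")
    ```
    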
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If your helpdesk people ran ComboFix on your computer, they need to dequarantine what Combo removed as far as your SalesLogix service is concerned.
     
  3. pjames

    pjames Private E-2

    Thanks for the reply Tim,

    I checked the quarantine and there is nothing in there relating to SalesLogix. There was a tcpip.reg in the Quarantine\Registry_backups folder. I checked the settings in there. All looked good, so I re-applied that to my registry, but still no change.
     
  4. pjames

    pjames Private E-2

    Oh, by the way, I have one PC which is to the point of having the malware on it, but has not yet had ComboFix run. I have a backup of the registry both just before infecting the PC, and as it sits now. I hoped that I could capture everything that ComboFix changes, but was not really sure how best to do that, so did not go any further yet.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then I am at a loss as to what you need to do. I would suggest that you post in the software forum, but I am sure your IT department set all this up for the server and that is who will need to repair those settings.

    It would be a good idea to attach the combofix.txt log created by ComboFix when it was run. That way we can check to see exactly what we removed. (See: HOW TO: Attach Items To Your Post)
     
    Last edited by a moderator: Apr 23, 2010
