
Combofix breaks SalesLogix after running


5 replies to this topic

#1 SLXuser

SLXuser

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 11 January 2013 - 12:02 PM

Hi folks,

It would seem that a side effect of running ComboFix on a system that has SalesLogix installed will cause SalesLogix to no longer process .qts files. I am in the process of trying to move through the registry to see exactly what key is the one that is causing this to happen, but the changes from a "working" registry to where I run ComboFix to cause a "bad" registry are many. Especially with a reboot in between there.

Running the erdnt in the hiv-backup folder will restore SalesLogix functionality. Currently I have a test machine that I am working on to solve this issue. Is there a file that ComboFix will create that contains all registry adds, changes, and deletions?

The way SalesLogix works is like this:

1. A user will enter information into SalesLogix.
2. That information is then sent to the SalesLogix server.
3. The local client will then create QTS files of these changes to be transferred to a synchronization server (for remote users).
4. Once files have been placed into the QTS folder, SLXSystem.exe will then query the folder for *.qts files.
5. It will then take the list of files and then transfer them to their proper destination and delete them from the QTS folder.

After running ComboFix, everything works as intended except for step 4. When it gets to step 4, SLXSystem.exe will run as expected; however, when it queries the folder for *.qts files, it will receive a response that there are none when in fact there are (found this out from running Process Monitor).

Any thoughts?


Thanks!!

Edited by SLXuser, 11 January 2013 - 12:11 PM.




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,754 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:56 AM

Posted 11 January 2013 - 03:25 PM

My thought is...you would probably be better served by posting at http://community.sagesaleslogix.com/ , rather than a forum for Windows XP.

Louis

Edited by hamluis, 12 January 2013 - 01:24 PM.


#3 SLXuser


Posted 21 January 2013 - 07:01 AM

Ok, I thought this is where they were posting ComboFix logs to be reviewed. At any rate, if someone searches Google and finds this post, the solution to this issue has been found.

When running Process Monitor on a working system, you can see that the SLXSystem.exe will receive a result of "SUCCESS" from the class "File System" with a list of files that match the filter *.qts.

When it fails after running ComboFix, it will receive a response of "NO SUCH FILE" from the class "File System", meaning that the file system cannot locate any files ending in .qts.

Why is that? Well, the files really end in more than just *.qts, they have the _servername_ as well.

The process to fix this is really simple in the long run. On my test system, I took a working registry, ran combofix, and compared all changes and it really boiled down to 3 small registry changes from the hundreds that have changed.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem]
"Win95TruncatedExtensions"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\FileSystem]
"Win95TruncatedExtensions"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"Win95TruncatedExtensions"=dword:00000001

ComboFix changes the Win95TruncatedExtensions to 0. Because this happens, the file system sends SLXsystem.exe a "NO SUCH FILE" response because the file extension is interpreted as *.qt_ because of the length of the file extension. When changing this to 1 in each of the keys above, it will get a successful response. However, there are a few steps to get the old changes to purge.

So, to fix this, do as follows:

1. Apply the registry changes listed above.
2. Move the qts files out of the C:\Documents and Settings\All Users\Application Data\SalesLogix\Sync\QUEUEFiles folder to a temporary directory.
3. Reboot the computer.
4. Open SLX and put in a test change.
5. Look in the C:\Documents and Settings\All Users\Application Data\SalesLogix\Sync\QUEUEFiles and verify the changes are now leaving.
6. Wait 2 minutes for the SLXsystem.exe to cycle with the QUEUEFiles directory empty.
7. Move all your QTS files from your temporary directory to C:\Documents and Settings\All Users\Application Data\SalesLogix\Sync\QUEUEFiles

The changes should then start to purge from the system.

In my journey of trying to get this fixed, I ended up cutting all new remote databases back on 12/7/2012. Because of this, any system that had this problem, I deleted all of the QTS files on each of the affected systems prior to that date. If you have also made new remote databases in the process of trying to fix your issue, you may want to delete these files. I am not sure what the side effect would be of having these old QTS files apply to a remote database that already has those changes.
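
Added example, not part of the original post: the diagnosis above came from comparing a working registry against the one left after the cleanup tool ran, and this sketch does that comparison over two .reg exports. The sample exports are constructed for illustration; the ExampleVendor key and the AddedByTool value are hypothetical.

```python
import re

# Constructed sample exports: one key before and after the tool ran, plus noise.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"Win95TruncatedExtensions"=dword:00000001
"NtfsDisable8dot3NameCreation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Blob"=hex:01,02,\
  03,04
'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"Win95TruncatedExtensions"=dword:00000000
"NtfsDisable8dot3NameCreation"=dword:00000000
"AddedByTool"="x"
'''

def parse_reg(text):
    """Return {(KEY_PATH_UPPERCASED, value_name): raw_data} from .reg text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()  # registry key paths are case-insensitive
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            values[(key, m.group(1).strip('"'))] = m.group(2)
    return values

def diff_reg(before, after):
    """List (change, key, name, old, new) tuples; unchanged values are dropped."""
    a, b = parse_reg(before), parse_reg(after)
    out = []
    for k in sorted(a.keys() | b.keys()):
        old, new = a.get(k), b.get(k)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            out.append((kind, k[0], k[1], old, new))
    return out

if __name__ == "__main__":
    for change in diff_reg(BEFORE, AFTER):
        print(*change, sep=" | ")
```

Files exported by regedit in the "Version 5.00" format are normally UTF-16, so read them with open(path, encoding="utf-16") before passing the text in.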

#4 hamluis


Posted 21 January 2013 - 07:46 AM

FWIW: If you review the title of this forum...you will see no mention of "malware" or "ComboFix" as one of the areas covered here. That's why I referred you to the link I previously provided.

ComboFix/malware log issues and XP O/S issues...are not synonymous.

Louis

Edited by hamluis, 21 January 2013 - 07:47 AM.


#5 SLXuser


Posted 21 January 2013 - 08:17 AM

Thanks Louis, are you able to move this post to BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs?

#6 hamluis


Posted 21 January 2013 - 04:56 PM

I can move it...but I don't believe that's wise.

But...it would be simpler all around if you follow my suggestion and originate a new post in the Malware Removal Logs forum. That would prevent a lot of unnecessary assumptions by members there...that someone is already working your logs (they look at post-count on a topic as an indication) and the data you have posted here is not really germane to any review of malware logs.

No one there would find anything posted here thus far...of any value, IMO, and the simple, direct route suggested...works.

Louis



