mystery exe ?? -- qnglkz.exe --

I was wondering if anyone has any thoughts on the following.

I was doing a rootkit scan with SOPHOS.
During the scan I got a firewall alert saying that ‘qnglkz.exe’ was
trying to make an outbound connection to 92.242.144.10
Protocol 41
Comodo said it was safe.
But I had never seen it before so I ticked block
but I told Comodo not to remember.

Sophos didn’t find any rootkits.
It did find about a dozen unknown hidden files – like ask.com
but ‘qnglkz.exe’ was not one of them.

I searched google – not a single match.

I’ve gone to a couple websites that list all windows files and could
not find that file anywhere.

I searched the forum here and at wilders and again, no results.

I searched my PC for ‘qnglkz.exe’ and came up empty.

My question is – what the hell is ‘qnglkz.exe’ and why did it try to contact
92.242.144.10 ??

I’ve never had a problem tracking down info on a windows .exe before.
See attach…
Thanks in advance

[attachment deleted by admin]

Sounds like a random-named .exe created by Sophos to contact their servers. Usually files like this are created to prevent malware from being able to block them.

The IP is

inetnum: 92.242.128.0 - 92.242.159.255
netname: UK-BAREFRUIT-20071227
descr: Barefruit Ltd.
country: GB
org: ORG-BL53-RIPE
admin-c: PR42-RIPE
tech-c: PR42-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: CATALYST2-MNT
mnt-domains: CATALYST2-MNT
mnt-routes: CATALYST2-MNT
source: RIPE # Filtered

organisation: ORG-BL53-RIPE
org-name: Barefruit Ltd.
org-type: LIR
address: Barefruit Ltd.
26 Southampton Street
London WC2E 7RS
United Kingdom
phone: +44 207 717 8675
fax-no: +44 207 717 8759
admin-c: PR42-RIPE
mnt-ref: CATALYST2-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Paul Redpath
remarks: Catalyst2 Services Ltd
org: ORG-csl3-RIPE
address: Centre House
address: 79 Chichester Street
address: Belfast
address: BT1 4JE
phone: +44 800 107 7979
fax-no: +44 845 280 4993
abuse-mailbox: abuse@catalyst2.com
mnt-by: CATALYST2-MNT
source: RIPE # Filtered
nic-hdl: PR42-RIP

Mystery solved.
Thanks Languy, you rule.

FYI…it was your YouTube videos that convinced me to try Comodo.

No problem, but this is just something I am guessing as to what it is. The only thing is, when I tried Sophos Anti-Rootkit I never got any pop up from Comodo. Can you give me a link to where you got yours?

Well, I have my alert setting to very high and also set to ‘custom policy’

However, I am still puzzled that Comodo said it was a safe file.
I’ve been using CIS since last July and I have never had a pop up asking about that file.
Anyway…
I downloaded the Sophos anti-rootkit from the Sophos website, is that what you mean?

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

take care

OK, then that is what you saw. When you turn up your settings in CIS it will ask even for safe files if you want to let them access the internet.

It seems, as Languy has said, that Sophos Anti-Rootkit spawns a random .exe in the AppData->Local->Temp directory (mine was gcckrd.exe).
I think the reason CIS says it is a safe file is due to it being spawned as a child process of the main Sophos executable sargui.exe, which is a digitally signed file.
On a second scan the temp file name is different :wink:

[attachment deleted by admin]
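The check described in the post above (is the random-named .exe a child of a digitally signed parent?) can be done by hand rather than trusting the firewall's verdict. The following PowerShell function is an added example, not code from the thread or from Sophos or Comodo: it looks up a process by name, finds its parent, and reports the Authenticode status and signer of both images. The process names `qnglkz.exe`, `gcckrd.exe` and `sargui.exe` are the ones mentioned in the thread; on another machine the random name will differ, and the function name `Get-ProcessProvenance` is my own.

```powershell
# Added example: report a running process, its parent, and the Authenticode
# signature status of both executables. Run from an elevated PowerShell so
# Win32_Process can read ExecutablePath for every process.
function Get-ProcessProvenance {
    param(
        # Image name without extension, e.g. 'qnglkz' or 'gcckrd' (names from the thread)
        [Parameter(Mandatory)][string]$ProcessName
    )

    $children = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'"
    if (-not $children) {
        Write-Warning "No running process named $ProcessName.exe (short-lived scanner helpers often exit quickly)"
        return
    }

    foreach ($child in $children) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"

        # Caveat: ParentProcessId is just a number. If the real parent has exited and the
        # PID was reused, the lookup returns an unrelated process. A parent that was created
        # after its own child cannot be the real parent, so flag that case.
        $parentPlausible = $null -ne $parent -and $parent.CreationDate -le $child.CreationDate

        $childSig  = if ($child.ExecutablePath) { Get-AuthenticodeSignature -FilePath $child.ExecutablePath }
        $parentSig = if ($parentPlausible -and $parent.ExecutablePath) { Get-AuthenticodeSignature -FilePath $parent.ExecutablePath }

        [pscustomobject]@{
            Child           = $child.Name
            ChildPath       = $child.ExecutablePath
            ChildSignature  = if ($childSig) { $childSig.Status } else { 'Unknown' }      # e.g. NotSigned / Valid
            ChildSigner     = if ($childSig -and $childSig.SignerCertificate) { $childSig.SignerCertificate.Subject } else { $null }
            ParentPid       = $child.ParentProcessId
            Parent          = if ($parentPlausible) { $parent.Name } else { '<exited or PID reused>' }
            ParentPath      = if ($parentPlausible) { $parent.ExecutablePath } else { $null }
            ParentSignature = if ($parentSig) { $parentSig.Status } else { 'Unknown' }
            ParentSigner    = if ($parentSig -and $parentSig.SignerCertificate) { $parentSig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage while the scanner is running, e.g. during a Sophos Anti-Rootkit scan:
#   Get-ProcessProvenance -ProcessName gcckrd | Format-List
# An unsigned child whose parent is a validly signed sargui.exe matches the
# thread's explanation; an unsigned child with an unsigned or exited parent
# deserves a closer look before the connection is allowed.
```

Two things to keep in mind when reading the output. A parent that is validly signed does not by itself prove the child is benign, since any process can spawn children; it only explains why a reputation-based firewall rule inherited trust from the parent, which is the point the post makes. And the "Protocol 41" in the original alert is the IP protocol number for IPv6 encapsulated in IPv4 (6in4 tunnelling), not TCP or UDP, so `Get-NetTCPConnection` would not list that connection; the process-level check above is the practical way to attribute it.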

Thank you guys, that clears it all up.

I have my setting set high because I got hit by a drive-by last summer (pre-Comodo) and I’ve been paranoid that something may be lingering, undetected, ever since.

Thanks again

Take care
8)