what is tirhservice.exe which shows up in my Virus Protection Software Quarantine?

bonbon1
bonbon1 used Ask the Experts™
on
I do have Numara Track-it running on our Network, but it shouldn't be running an exe file on servers for example which the client does not run on.  Or perhaps it is part of the Inventory agent, but I cannot find anything that alludes to this on their site.  Can someone help with this?  I found a lot of links to the possibility that it is malware on the web, and am wondering if I remove this file from C:\Windows will anything bad happen?

We are running Sophos client versions 7 and 9 on our network and several users machines and serves have this file in their Quarantine.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2009

Commented:
Upload the file to virustotal and post the results here :)
http://www.virustotal.com/

Author

Commented:
THis is for the file on my machine which is not in quarantine, and I will second post the one from my server which is in quarantine:

File B5D1D98000FB7C4870B8014E0E3593004274A3F2.exe received on 2009.06.19 13:32:57 (UTC)
Current status: finished

Result: 0/40 (0.00%)
 Compact Print results  Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.19 -
AhnLab-V3 5.0.0.2 2009.06.19 -
AntiVir 7.9.0.191 2009.06.19 -
Antiy-AVL 2.0.3.1 2009.06.19 -
Authentium 5.1.2.4 2009.06.19 -
Avast 4.8.1335.0 2009.06.18 -
AVG 8.5.0.339 2009.06.19 -
BitDefender 7.2 2009.06.19 -
CAT-QuickHeal 10.00 2009.06.19 -
ClamAV 0.94.1 2009.06.19 -
Comodo 1371 2009.06.19 -
DrWeb 5.0.0.12182 2009.06.19 -
eSafe 7.0.17.0 2009.06.18 -
eTrust-Vet 31.6.6569 2009.06.19 -
F-Prot 4.4.4.56 2009.06.19 -
F-Secure 8.0.14470.0 2009.06.18 -
Fortinet 3.117.0.0 2009.06.19 -
GData 19 2009.06.19 -
Ikarus T3.1.1.59.0 2009.06.19 -
Jiangmin 11.0.706 2009.06.19 -
K7AntiVirus 7.10.768 2009.06.19 -
McAfee 5650 2009.06.18 -
McAfee+Artemis 5650 2009.06.18 -
McAfee-GW-Edition 6.7.6 2009.06.19 -
Microsoft 1.4701 2009.06.19 -
NOD32 4171 2009.06.19 -
Norman  2009.06.19 -
nProtect 2009.1.8.0 2009.06.19 -
Panda 10.0.0.16 2009.06.19 -
PCTools 4.4.2.0 2009.06.19 -
Prevx 3.0 2009.06.19 -
Rising 21.34.44.00 2009.06.19 -
Sophos 4.42.0 2009.06.19 -
Sunbelt 3.2.1858.2 2009.06.18 -
Symantec 1.4.4.12 2009.06.19 -
TheHacker 6.3.4.3.348 2009.06.19 -
TrendMicro 8.950.0.1094 2009.06.19 -
VBA32 3.12.10.7 2009.06.19 -
ViRobot 2009.6.19.1796 2009.06.19 -
VirusBuster 4.6.5.0 2009.06.18 -
Additional information
File size: 94208 bytes
MD5   : 6de2cf5820d541d463cd3df7295137a8
SHA1  : f16442973edd413177d8c93f18178535a6a99940
SHA256: f8b4cf9cc38e2c98c84a873c78166d1d8c15f7c83a8b27c0b447c42903876062
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x47F8
timedatestamp.....: 0x4A21F942 (Sun May 31 05:28:02 2009)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCFF3 0xD000 6.72 71b1a8bbc96d37157cdc439d4c4c66be
.rdata 0xE000 0x60E6 0x7000 6.26 1851c355cc5ad10e5fb59a6c082876bd
.data 0x15000 0x2AD8 0x2000 2.09 7a0e0e7d34ac584612338773f28de48e

( 2 imports )

> advapi32.dll: RevertToSelf, CreateProcessAsUserW, ImpersonateLoggedOnUser, LogonUserW, RegisterServiceCtrlHandlerW, StartServiceCtrlDispatcherW, SetServiceStatus
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, GetVersionExW, RaiseException, InitializeCriticalSection, DeleteCriticalSection, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CloseHandle, GetExitCodeProcess, SetEvent, TerminateProcess, WaitForMultipleObjects, CreateProcessW, LocalFree, FormatMessageW, OutputDebugStringW, GlobalFree, GlobalAlloc, GetLastError, ExpandEnvironmentStringsW, SetLastError, CreateThread, WaitForSingleObject, CreateEventW, MultiByteToWideChar, WideCharToMultiByte, GetVersionExA, EnterCriticalSection, LeaveCriticalSection, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, ExitProcess, RtlUnwind, GetModuleHandleA, GetStartupInfoW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, SetUnhandledExceptionFilter, VirtualQuery, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, GetProcAddress, GetCurrentProcess, WriteFile, GetStdHandle, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, LoadLibraryA, IsBadReadPtr, IsBadCodePtr, GetOEMCP, GetCPInfo, SetFilePointer, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, SetStdHandle, VirtualProtect, GetSystemInfo, FlushFileBuffers

( 0 exports )
 
TrID  : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:NdOniOLSHiNBOeziDA66NAt1HfzRp0/wMSL7i29ON9S4A3ZpJl5LbNNNNNNN:KVCA66Nkzff5f7lN
PEiD  : -
RDS   : NSRL Reference Data Set
-


 ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas -  Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy

Author

Commented:
From the Server:

File 020EE6C100E28C7760AA01CCD54C7A00AD422D5B.exe received on 2009.10.08 19:56:46 (UTC)
Current status: finished

Result: 0/41 (0.00%)
 Compact Print results  Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.08 -
AhnLab-V3 5.0.0.2 2009.10.08 -
AntiVir 7.9.1.35 2009.10.08 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.08 -
Avast 4.8.1351.0 2009.10.08 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.08 -
CAT-QuickHeal 10.00 2009.10.08 -
ClamAV 0.94.1 2009.10.08 -
Comodo 2539 2009.10.08 -
DrWeb 5.0.0.12182 2009.10.08 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7057 2009.10.08 -
F-Prot 4.5.1.85 2009.10.08 -
F-Secure 8.0.14470.0 2009.10.08 -
Fortinet 3.120.0.0 2009.10.08 -
GData 19 2009.10.08 -
Ikarus T3.1.1.72.0 2009.10.08 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.865 2009.10.08 -
Kaspersky 7.0.0.125 2009.10.08 -
McAfee 5765 2009.10.08 -
McAfee+Artemis 5765 2009.10.08 -
McAfee-GW-Edition 6.8.5 2009.10.08 -
Microsoft 1.5101 2009.10.08 -
NOD32 4491 2009.10.08 -
Norman 6.01.09 2009.10.08 -
nProtect 2009.1.8.0 2009.10.08 -
Panda 10.0.2.2 2009.10.08 -
PCTools 4.4.2.0 2009.10.08 -
Prevx 3.0 2009.10.08 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.08 -
Sunbelt 3.2.1858.2 2009.10.08 -
Symantec 1.4.4.12 2009.10.08 -
TheHacker 6.5.0.2.033 2009.10.07 -
TrendMicro 8.950.0.1094 2009.10.08 -
VBA32 3.12.10.11 2009.10.08 -
ViRobot 2009.10.8.1976 2009.10.08 -
VirusBuster 4.6.5.0 2009.10.08 -
Additional information
File size: 90112 bytes
MD5   : 3a0feb5d89faef7a7959447315016463
SHA1  : 71200cff13010ab40d68ec2468698ee70fea6126
SHA256: 15e50c704b9f19de0b97dec33ea145e0398c4ee058e5db276935290e142719e9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4738
timedatestamp.....: 0x45C0BBBE (Wed Jan 31 16:54:38 2007)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCF33 0xD000 6.69 e727565d13ef703b39d201ea68765ee4
.rdata 0xE000 0x5FC0 0x6000 6.94 f2a4be952ddde0e1799bc09e3d6b0019
.data 0x14000 0x2AD8 0x2000 2.09 9bf047b0de1656480180d6b98c9dbe37

( 2 imports )

> advapi32.dll: CreateProcessAsUserW, LogonUserW, RegisterServiceCtrlHandlerW, StartServiceCtrlDispatcherW, SetServiceStatus
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, RaiseException, InitializeCriticalSection, DeleteCriticalSection, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CloseHandle, GetExitCodeProcess, SetEvent, TerminateProcess, WaitForMultipleObjects, CreateProcessW, LocalFree, FormatMessageW, OutputDebugStringW, GlobalFree, GlobalAlloc, GetLastError, ExpandEnvironmentStringsW, SetLastError, CreateThread, WaitForSingleObject, CreateEventW, MultiByteToWideChar, WideCharToMultiByte, GetVersionExA, EnterCriticalSection, LeaveCriticalSection, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, ExitProcess, RtlUnwind, GetModuleHandleA, GetStartupInfoW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, SetUnhandledExceptionFilter, VirtualQuery, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, GetProcAddress, GetCurrentProcess, WriteFile, GetStdHandle, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, LoadLibraryA, IsBadReadPtr, IsBadCodePtr, GetOEMCP, GetCPInfo, SetFilePointer, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, SetStdHandle, VirtualProtect, GetSystemInfo, FlushFileBuffers

( 0 exports )
 
TrID  : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:XUDbxreAYisuiRxd3A3J8kjHYw5z7zRp0/wauuLyIs6XN9S4A3L3yJlPes:0Adw3J8kjHnzf/3dulPe
PEiD  : -
RDS   : NSRL Reference Data Set
-


 ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal  Hispasec Sistemas -  Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Top Expert 2009

Commented:
Not one detection and Sophos is included in list. Not sure why its being quarantined :(

Have you contacted Sophos regarding this file being quarantined? It could be down to its configurations-possibly too sensitive or strict?

I'm not sure what else but other experts on server appz may help :)

Author

Commented:
It is being quarantined as suspicious behavior files: HIPS/RegMod-013  because it is trying to update the registry.  On some machines it is quarantined and on some it is not.

I suppose if it is quarantined then it is not active anyway and could be removed harmlessly.

?
Top Expert 2009

Commented:
I wouldn't remove it yet as unsure. Possibly being flagged as a "false positive".
Have you came accross this Sophos link. You can send the file off to their lab and see what they think
http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsregmod013.html

Author

Commented:
No I will try it.  I was on their site and didn't find anything.

b

Author

Commented:
I submitted it to them.  I will see what comes of it.  Thanks again.
Top Expert 2009
Commented:
No prob. Great product so hopefully great support!
Top Expert 2009

Commented:
Cheers! Curious as to what they say in their response :)

Author

Commented:
NO worries I will keep this open until then.

Author

Commented:
This was their answer:
 < I also found on the web, but I wanted to be sure it wasn't pretending to be a Track-It service file.>

Thanks for the sample, it appears to be the Intuit Track-It! Remoting Helper Service and is not malicious, you can authorise the file if you wish.


Regards,

Andrew Martin
Sophos Technical Support

www.sophos.com/support/
SOPHOS - simply secure
Top Expert 2009

Commented:
Thats good. Did'nt take them long to  reply either!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial