bonbon1
asked on
what is tirhservice.exe which shows up in my Virus Protection Software Quarantine?
I do have Numara Track-it running on our Network, but it shouldn't be running an exe file on servers for example which the client does not run on. Or perhaps it is part of the Inventory agent, but I cannot find anything that alludes to this on their site. Can someone help with this? I found a lot of links to the possibility that it is malware on the web, and am wondering if I remove this file from C:\Windows will anything bad happen?
We are running Sophos client versions 7 and 9 on our network, and several users' machines and servers have this file in their Quarantine.
ASKER
This is for the file on my machine, which is not in quarantine; I will post the one from my server, which is in quarantine, second:
File B5D1D98000FB7C4870B8014E0E3593004274A3F2.exe received on 2009.06.19 13:32:57 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Additional information
File size: 94208 bytes
MD5 : 6de2cf5820d541d463cd3df7295137a8
SHA1 : f16442973edd413177d8c93f18178535a6a99940
SHA256: f8b4cf9cc38e2c98c84a873c78166d1d8c15f7c83a8b27c0b447c42903876062
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x47F8
timedatestamp.....: 0x4A21F942 (Sun May 31 05:28:02 2009)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCFF3 0xD000 6.72 71b1a8bbc96d37157cdc439d4c4c66be
.rdata 0xE000 0x60E6 0x7000 6.26 1851c355cc5ad10e5fb59a6c082876bd
.data 0x15000 0x2AD8 0x2000 2.09 7a0e0e7d34ac584612338773f28de48e
( 2 imports )
> advapi32.dll: RevertToSelf, CreateProcessAsUserW, ImpersonateLoggedOnUser, LogonUserW, RegisterServiceCtrlHandlerW, StartServiceCtrlDispatcherW, SetServiceStatus
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, GetVersionExW, RaiseException, InitializeCriticalSection, DeleteCriticalSection, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CloseHandle, GetExitCodeProcess, SetEvent, TerminateProcess, WaitForMultipleObjects, CreateProcessW, LocalFree, FormatMessageW, OutputDebugStringW, GlobalFree, GlobalAlloc, GetLastError, ExpandEnvironmentStringsW, SetLastError, CreateThread, WaitForSingleObject, CreateEventW, MultiByteToWideChar, WideCharToMultiByte, GetVersionExA, EnterCriticalSection, LeaveCriticalSection, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, ExitProcess, RtlUnwind, GetModuleHandleA, GetStartupInfoW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, SetUnhandledExceptionFilter, VirtualQuery, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, GetProcAddress, GetCurrentProcess, WriteFile, GetStdHandle, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, LoadLibraryA, IsBadReadPtr, IsBadCodePtr, GetOEMCP, GetCPInfo, SetFilePointer, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, SetStdHandle, VirtualProtect, GetSystemInfo, FlushFileBuffers
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:NdOniOLSHiNBOeziDA66NAt1HfzRp0/wMSL7i29ON9S4A3ZpJl5LbNNNNNNN:KVCA66Nkzff5f7lN
PEiD : -
RDS : NSRL Reference Data Set
-
ASKER
From the Server:
File 020EE6C100E28C7760AA01CCD54C7A00AD422D5B.exe received on 2009.10.08 19:56:46 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Additional information
File size: 90112 bytes
MD5 : 3a0feb5d89faef7a7959447315016463
SHA1 : 71200cff13010ab40d68ec2468698ee70fea6126
SHA256: 15e50c704b9f19de0b97dec33ea145e0398c4ee058e5db276935290e142719e9
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4738
timedatestamp.....: 0x45C0BBBE (Wed Jan 31 16:54:38 2007)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCF33 0xD000 6.69 e727565d13ef703b39d201ea68765ee4
.rdata 0xE000 0x5FC0 0x6000 6.94 f2a4be952ddde0e1799bc09e3d6b0019
.data 0x14000 0x2AD8 0x2000 2.09 9bf047b0de1656480180d6b98c9dbe37
( 2 imports )
> advapi32.dll: CreateProcessAsUserW, LogonUserW, RegisterServiceCtrlHandlerW, StartServiceCtrlDispatcherW, SetServiceStatus
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, RaiseException, InitializeCriticalSection, DeleteCriticalSection, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CloseHandle, GetExitCodeProcess, SetEvent, TerminateProcess, WaitForMultipleObjects, CreateProcessW, LocalFree, FormatMessageW, OutputDebugStringW, GlobalFree, GlobalAlloc, GetLastError, ExpandEnvironmentStringsW, SetLastError, CreateThread, WaitForSingleObject, CreateEventW, MultiByteToWideChar, WideCharToMultiByte, GetVersionExA, EnterCriticalSection, LeaveCriticalSection, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, ExitProcess, RtlUnwind, GetModuleHandleA, GetStartupInfoW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, SetUnhandledExceptionFilter, VirtualQuery, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, GetProcAddress, GetCurrentProcess, WriteFile, GetStdHandle, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, LoadLibraryA, IsBadReadPtr, IsBadCodePtr, GetOEMCP, GetCPInfo, SetFilePointer, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, SetStdHandle, VirtualProtect, GetSystemInfo, FlushFileBuffers
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:XUDbxreAYisuiRxd3A3J8kjHYw5z7zRp0/wauuLyIs6XN9S4A3L3yJlPes:0Adw3J8kjHnzf/3dulPe
PEiD : -
RDS : NSRL Reference Data Set
-
Not one detection, and Sophos is included in the list. Not sure why it's being quarantined :(
Have you contacted Sophos regarding this file being quarantined? It could be down to its configuration, possibly too sensitive or strict?
I'm not sure what else but other experts on server appz may help :)
ASKER
It is being quarantined as suspicious behavior files: HIPS/RegMod-013 because it is trying to update the registry. On some machines it is quarantined and on some it is not.
I suppose if it is quarantined then it is not active anyway and could be removed harmlessly.
?
I wouldn't remove it yet as unsure. Possibly being flagged as a "false positive".
Have you come across this Sophos link? You can send the file off to their lab and see what they think:
http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsregmod013.html
ASKER
No I will try it. I was on their site and didn't find anything.
ASKER
I submitted it to them. I will see what comes of it. Thanks again.
ASKER CERTIFIED SOLUTION
Cheers! Curious as to what they say in their response :)
ASKER
No worries, I will keep this open until then.
ASKER
This was their answer:
<I also found this on the web, but I wanted to be sure it wasn't pretending to be a Track-It service file.>
Thanks for the sample, it appears to be the Intuit Track-It! Remoting Helper Service and is not malicious, you can authorise the file if you wish.
Regards,
Andrew Martin
Sophos Technical Support
www.sophos.com/support/
SOPHOS - simply secure
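Before authorising the quarantined file in Sophos, a defender would want to confirm that the copy on each machine is the same binary the vendor cleared, not just a file with the same name. The following is an added example (not code from the thread, from Sophos, or from Numara/Intuit) that recomputes with the Python standard library the PE fields VirusTotal printed above (machine type, timestamp, entry point, per-section size, entropy and MD5) so they can be compared line by line; `EXPECTED_WORKSTATION` holds the values reported for the workstation copy, and `build_sample_pe` constructs a throwaway PE so the script runs stand-alone instead of reading a real tirhservice.exe.

```python
import hashlib
import math
import struct

# Header values VirusTotal printed for the workstation copy in the thread above.
EXPECTED_WORKSTATION = {"machine": 0x14C, "timestamp": 0x4A21F942, "entry_point": 0x47F8,
                        "sections": {".text": "71b1a8bbc96d37157cdc439d4c4c66be"}}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (VirusTotal's 'ntrpy' column)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_fingerprint(blob: bytes) -> dict:
    """Read COFF header, entry point and section table of a PE32 image; hash each raw section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    entry_point = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = {}
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + i * 40)
        raw = blob[rawptr:rawptr + rawsize]
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(entropy(raw), 2), "md5": hashlib.md5(raw).hexdigest()}
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry_point, "sections": sections}

def matches_expected(fp: dict, expected: dict) -> bool:
    """True only if the headers and every listed section MD5 agree with the cleared sample."""
    if any(fp[k] != expected[k] for k in ("machine", "timestamp", "entry_point")):
        return False
    return all(fp["sections"].get(n, {}).get("md5") == md5 for n, md5 in expected["sections"].items())

def build_sample_pe(text: bytes, timestamp: int = 0x4A21F942, entry: int = 0x47F8) -> bytes:
    """Constructed minimal PE32 with a single .text section (test input only, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    opt = struct.pack("<HBB", 0x10B, 0, 0) + b"\0" * 12 + struct.pack("<I", entry) + b"\0" * 4
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    raw_off = 64 + 4 + 20 + len(opt) + 40                                  # data right after section table
    sect = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), raw_off) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + sect + text
```

Run `pe_fingerprint(open(path, "rb").read())` on the quarantined copy and compare against the values from the sample Sophos examined; a mismatch in any field means the file on that host is not the one that was cleared.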
That's good. Didn't take them long to reply either!