what is tirhservice.exe which shows up in my Virus Protection Software Quarantine?
I do have Numara Track-it running on our Network, but it shouldn't be running an exe file on servers for example which the client does not run on. Or perhaps it is part of the Inventory agent, but I cannot find anything that alludes to this on their site. Can someone help with this? I found a lot of links to the possibility that it is malware on the web, and am wondering if I remove this file from C:\Windows will anything bad happen?
We are running Sophos client versions 7 and 9 on our network and several users machines and serves have this file in their Quarantine.
We are running Sophos client versions 7 and 9 on our network and several users machines and serves have this file in their Quarantine.
ASKER
THis is for the file on my machine which is not in quarantine, and I will second post the one from my server which is in quarantine:
File B5D1D98000FB7C4870B8014E0E
Current status: finished
Result: 0/40 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.19 -
AhnLab-V3 5.0.0.2 2009.06.19 -
AntiVir 7.9.0.191 2009.06.19 -
Antiy-AVL 2.0.3.1 2009.06.19 -
Authentium 5.1.2.4 2009.06.19 -
Avast 4.8.1335.0 2009.06.18 -
AVG 8.5.0.339 2009.06.19 -
BitDefender 7.2 2009.06.19 -
CAT-QuickHeal 10.00 2009.06.19 -
ClamAV 0.94.1 2009.06.19 -
Comodo 1371 2009.06.19 -
DrWeb 5.0.0.12182 2009.06.19 -
eSafe 7.0.17.0 2009.06.18 -
eTrust-Vet 31.6.6569 2009.06.19 -
F-Prot 4.4.4.56 2009.06.19 -
F-Secure 8.0.14470.0 2009.06.18 -
Fortinet 3.117.0.0 2009.06.19 -
GData 19 2009.06.19 -
Ikarus T3.1.1.59.0 2009.06.19 -
Jiangmin 11.0.706 2009.06.19 -
K7AntiVirus 7.10.768 2009.06.19 -
McAfee 5650 2009.06.18 -
McAfee+Artemis 5650 2009.06.18 -
McAfee-GW-Edition 6.7.6 2009.06.19 -
Microsoft 1.4701 2009.06.19 -
NOD32 4171 2009.06.19 -
Norman 2009.06.19 -
nProtect 2009.1.8.0 2009.06.19 -
Panda 10.0.0.16 2009.06.19 -
PCTools 4.4.2.0 2009.06.19 -
Prevx 3.0 2009.06.19 -
Rising 21.34.44.00 2009.06.19 -
Sophos 4.42.0 2009.06.19 -
Sunbelt 3.2.1858.2 2009.06.18 -
Symantec 1.4.4.12 2009.06.19 -
TheHacker 6.3.4.3.348 2009.06.19 -
TrendMicro 8.950.0.1094 2009.06.19 -
VBA32 3.12.10.7 2009.06.19 -
ViRobot 2009.6.19.1796 2009.06.19 -
VirusBuster 4.6.5.0 2009.06.18 -
Additional information
File size: 94208 bytes
MD5 : 6de2cf5820d541d463cd3df729
SHA1 : f16442973edd413177d8c93f18
SHA256: f8b4cf9cc38e2c98c84a873c78
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x47F8
timedatestamp.....: 0x4A21F942 (Sun May 31 05:28:02 2009)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCFF3 0xD000 6.72 71b1a8bbc96d37157cdc439d4c
.rdata 0xE000 0x60E6 0x7000 6.26 1851c355cc5ad10e5fb59a6c08
.data 0x15000 0x2AD8 0x2000 2.09 7a0e0e7d34ac584612338773f2
( 2 imports )
> advapi32.dll: RevertToSelf, CreateProcessAsUserW, ImpersonateLoggedOnUser, LogonUserW, RegisterServiceCtrlHandler
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, GetVersionExW, RaiseException, InitializeCriticalSection,
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:NdOniOLSHiNBOeziDA66N
PEiD : -
RDS : NSRL Reference Data Set
-
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
File B5D1D98000FB7C4870B8014E0E
Current status: finished
Result: 0/40 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.19 -
AhnLab-V3 5.0.0.2 2009.06.19 -
AntiVir 7.9.0.191 2009.06.19 -
Antiy-AVL 2.0.3.1 2009.06.19 -
Authentium 5.1.2.4 2009.06.19 -
Avast 4.8.1335.0 2009.06.18 -
AVG 8.5.0.339 2009.06.19 -
BitDefender 7.2 2009.06.19 -
CAT-QuickHeal 10.00 2009.06.19 -
ClamAV 0.94.1 2009.06.19 -
Comodo 1371 2009.06.19 -
DrWeb 5.0.0.12182 2009.06.19 -
eSafe 7.0.17.0 2009.06.18 -
eTrust-Vet 31.6.6569 2009.06.19 -
F-Prot 4.4.4.56 2009.06.19 -
F-Secure 8.0.14470.0 2009.06.18 -
Fortinet 3.117.0.0 2009.06.19 -
GData 19 2009.06.19 -
Ikarus T3.1.1.59.0 2009.06.19 -
Jiangmin 11.0.706 2009.06.19 -
K7AntiVirus 7.10.768 2009.06.19 -
McAfee 5650 2009.06.18 -
McAfee+Artemis 5650 2009.06.18 -
McAfee-GW-Edition 6.7.6 2009.06.19 -
Microsoft 1.4701 2009.06.19 -
NOD32 4171 2009.06.19 -
Norman 2009.06.19 -
nProtect 2009.1.8.0 2009.06.19 -
Panda 10.0.0.16 2009.06.19 -
PCTools 4.4.2.0 2009.06.19 -
Prevx 3.0 2009.06.19 -
Rising 21.34.44.00 2009.06.19 -
Sophos 4.42.0 2009.06.19 -
Sunbelt 3.2.1858.2 2009.06.18 -
Symantec 1.4.4.12 2009.06.19 -
TheHacker 6.3.4.3.348 2009.06.19 -
TrendMicro 8.950.0.1094 2009.06.19 -
VBA32 3.12.10.7 2009.06.19 -
ViRobot 2009.6.19.1796 2009.06.19 -
VirusBuster 4.6.5.0 2009.06.18 -
Additional information
File size: 94208 bytes
MD5 : 6de2cf5820d541d463cd3df729
SHA1 : f16442973edd413177d8c93f18
SHA256: f8b4cf9cc38e2c98c84a873c78
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x47F8
timedatestamp.....: 0x4A21F942 (Sun May 31 05:28:02 2009)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCFF3 0xD000 6.72 71b1a8bbc96d37157cdc439d4c
.rdata 0xE000 0x60E6 0x7000 6.26 1851c355cc5ad10e5fb59a6c08
.data 0x15000 0x2AD8 0x2000 2.09 7a0e0e7d34ac584612338773f2
( 2 imports )
> advapi32.dll: RevertToSelf, CreateProcessAsUserW, ImpersonateLoggedOnUser, LogonUserW, RegisterServiceCtrlHandler
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, GetVersionExW, RaiseException, InitializeCriticalSection,
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:NdOniOLSHiNBOeziDA66N
PEiD : -
RDS : NSRL Reference Data Set
-
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
ASKER
From the Server:
File 020EE6C100E28C7760AA01CCD5
Current status: finished
Result: 0/41 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.08 -
AhnLab-V3 5.0.0.2 2009.10.08 -
AntiVir 7.9.1.35 2009.10.08 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.08 -
Avast 4.8.1351.0 2009.10.08 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.08 -
CAT-QuickHeal 10.00 2009.10.08 -
ClamAV 0.94.1 2009.10.08 -
Comodo 2539 2009.10.08 -
DrWeb 5.0.0.12182 2009.10.08 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7057 2009.10.08 -
F-Prot 4.5.1.85 2009.10.08 -
F-Secure 8.0.14470.0 2009.10.08 -
Fortinet 3.120.0.0 2009.10.08 -
GData 19 2009.10.08 -
Ikarus T3.1.1.72.0 2009.10.08 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.865 2009.10.08 -
Kaspersky 7.0.0.125 2009.10.08 -
McAfee 5765 2009.10.08 -
McAfee+Artemis 5765 2009.10.08 -
McAfee-GW-Edition 6.8.5 2009.10.08 -
Microsoft 1.5101 2009.10.08 -
NOD32 4491 2009.10.08 -
Norman 6.01.09 2009.10.08 -
nProtect 2009.1.8.0 2009.10.08 -
Panda 10.0.2.2 2009.10.08 -
PCTools 4.4.2.0 2009.10.08 -
Prevx 3.0 2009.10.08 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.08 -
Sunbelt 3.2.1858.2 2009.10.08 -
Symantec 1.4.4.12 2009.10.08 -
TheHacker 6.5.0.2.033 2009.10.07 -
TrendMicro 8.950.0.1094 2009.10.08 -
VBA32 3.12.10.11 2009.10.08 -
ViRobot 2009.10.8.1976 2009.10.08 -
VirusBuster 4.6.5.0 2009.10.08 -
Additional information
File size: 90112 bytes
MD5 : 3a0feb5d89faef7a7959447315
SHA1 : 71200cff13010ab40d68ec2468
SHA256: 15e50c704b9f19de0b97dec33e
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4738
timedatestamp.....: 0x45C0BBBE (Wed Jan 31 16:54:38 2007)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCF33 0xD000 6.69 e727565d13ef703b39d201ea68
.rdata 0xE000 0x5FC0 0x6000 6.94 f2a4be952ddde0e1799bc09e3d
.data 0x14000 0x2AD8 0x2000 2.09 9bf047b0de1656480180d6b98c
( 2 imports )
> advapi32.dll: CreateProcessAsUserW, LogonUserW, RegisterServiceCtrlHandler
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, RaiseException, InitializeCriticalSection,
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:XUDbxreAYisuiRxd3A3J8
PEiD : -
RDS : NSRL Reference Data Set
-
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
VirusTotal Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
File 020EE6C100E28C7760AA01CCD5
Current status: finished
Result: 0/41 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.08 -
AhnLab-V3 5.0.0.2 2009.10.08 -
AntiVir 7.9.1.35 2009.10.08 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.08 -
Avast 4.8.1351.0 2009.10.08 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.08 -
CAT-QuickHeal 10.00 2009.10.08 -
ClamAV 0.94.1 2009.10.08 -
Comodo 2539 2009.10.08 -
DrWeb 5.0.0.12182 2009.10.08 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7057 2009.10.08 -
F-Prot 4.5.1.85 2009.10.08 -
F-Secure 8.0.14470.0 2009.10.08 -
Fortinet 3.120.0.0 2009.10.08 -
GData 19 2009.10.08 -
Ikarus T3.1.1.72.0 2009.10.08 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.865 2009.10.08 -
Kaspersky 7.0.0.125 2009.10.08 -
McAfee 5765 2009.10.08 -
McAfee+Artemis 5765 2009.10.08 -
McAfee-GW-Edition 6.8.5 2009.10.08 -
Microsoft 1.5101 2009.10.08 -
NOD32 4491 2009.10.08 -
Norman 6.01.09 2009.10.08 -
nProtect 2009.1.8.0 2009.10.08 -
Panda 10.0.2.2 2009.10.08 -
PCTools 4.4.2.0 2009.10.08 -
Prevx 3.0 2009.10.08 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.08 -
Sunbelt 3.2.1858.2 2009.10.08 -
Symantec 1.4.4.12 2009.10.08 -
TheHacker 6.5.0.2.033 2009.10.07 -
TrendMicro 8.950.0.1094 2009.10.08 -
VBA32 3.12.10.11 2009.10.08 -
ViRobot 2009.10.8.1976 2009.10.08 -
VirusBuster 4.6.5.0 2009.10.08 -
Additional information
File size: 90112 bytes
MD5 : 3a0feb5d89faef7a7959447315
SHA1 : 71200cff13010ab40d68ec2468
SHA256: 15e50c704b9f19de0b97dec33e
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4738
timedatestamp.....: 0x45C0BBBE (Wed Jan 31 16:54:38 2007)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCF33 0xD000 6.69 e727565d13ef703b39d201ea68
.rdata 0xE000 0x5FC0 0x6000 6.94 f2a4be952ddde0e1799bc09e3d
.data 0x14000 0x2AD8 0x2000 2.09 9bf047b0de1656480180d6b98c
( 2 imports )
> advapi32.dll: CreateProcessAsUserW, LogonUserW, RegisterServiceCtrlHandler
> kernel32.dll: InterlockedExchange, GetACP, GetLocaleInfoA, RaiseException, InitializeCriticalSection,
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:XUDbxreAYisuiRxd3A3J8
PEiD : -
RDS : NSRL Reference Data Set
-
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
VirusTotal Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
Not one detection and Sophos is included in list. Not sure why its being quarantined :(
Have you contacted Sophos regarding this file being quarantined? It could be down to its configurations-possibly too sensitive or strict?
I'm not sure what else but other experts on server appz may help :)
Have you contacted Sophos regarding this file being quarantined? It could be down to its configurations-possibly too sensitive or strict?
I'm not sure what else but other experts on server appz may help :)
ASKER
It is being quarantined as suspicious behavior files: HIPS/RegMod-013 because it is trying to update the registry. On some machines it is quarantined and on some it is not.
I suppose if it is quarantined then it is not active anyway and could be removed harmlessly.
?
I suppose if it is quarantined then it is not active anyway and could be removed harmlessly.
?
I wouldn't remove it yet as unsure. Possibly being flagged as a "false positive".
Have you came accross this Sophos link. You can send the file off to their lab and see what they think
http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsregmod013.html
Have you came accross this Sophos link. You can send the file off to their lab and see what they think
http://www.sophos.com/security/analyses/suspicious-behavior-and-files/hipsregmod013.html
ASKER
No I will try it. I was on their site and didn't find anything.
b
b
ASKER
I submitted it to them. I will see what comes of it. Thanks again.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Cheers! Curious as to what they say in their response :)
ASKER
NO worries I will keep this open until then.
ASKER
This was their answer:
< I also found on the web, but I wanted to be sure it wasn't pretending to be a Track-It service file.>
Thanks for the sample, it appears to be the Intuit Track-It! Remoting Helper Service and is not malicious, you can authorise the file if you wish.
Regards,
Andrew Martin
Sophos Technical Support
www.sophos.com/support/
SOPHOS - simply secure
< I also found on the web, but I wanted to be sure it wasn't pretending to be a Track-It service file.>
Thanks for the sample, it appears to be the Intuit Track-It! Remoting Helper Service and is not malicious, you can authorise the file if you wish.
Regards,
Andrew Martin
Sophos Technical Support
www.sophos.com/support/
SOPHOS - simply secure
Thats good. Did'nt take them long to reply either!
http://www.virustotal.com/