PSEXESVC being detected by VirusScan

I've got a domain controller/file/print server running W2k SP4 that has McAfee VirusScan Enterprise 7.1 on it. The last couple of weeks we've been getting the following warning: "The file C:\WINNT\system32\PSEXESVC.EXE is infected with the RemAdm-ProcLaunch Program. Delete failed, quarantine failed. Detected using Scan engine version 4.3.20 DAT version 4410. (from Server IP 172.1.1.1 user SYSTEM running VirusScan EntSv 7.1.0 OAS)". We've been running this virus scan on the machine for about a month or more. There were no problems until just recently.

I know Sysinternals has some PsTools that you can use to remotely manage PCs. There is also a service on my server called PSEXESVC that is not running and is set to manual. I've got other W2k servers w/SP4 and none of them have this service. I'm not finding any information about where this service came from or why it's on this particular one and not the others. I've looked on McAfee's web site and read that it's not a virus, but a potentially dangerous program. I would like to know why this server has this service, for one. I didn't build this server; I need to know if I need this service and/or file.
scrmcna asked:
oBdA commented:
That's very probably harmless and indeed related to psexec. On the first run against a machine, psexec will install this file as a service.
Have a look at the properties of the psexesvc.exe file, and it should display Sysinternals as company name.
Run psexec against a test workstation, and you'll notice that afterwards, the psexesvc service will be installed as well.

Have a look here: http://www.winnetmag.com/Windows/Issues/IssueID/714/Index.html (link from http://www.sysinternals.com/ntw2k/freeware/psexec.shtml), and on the second page you'll find this note:
"Inside PsExec
PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system."
0

scrmcna (author) commented:
When I tested it on another computer, I was able to connect but never saw anything with the services. I tried connecting to the server I was having this problem with again, and it worked. When I exited, the exe was gone and so of course was the service.
0
oBdA commented:
Just checked again; seems like it leaves the service on the system only when psexec itself got terminated unexpectedly; I had one machine where it was still present. Ran psexec against it, and afterwards it was gone. On another machine, it showed up during execution, and disappeared after the started process was done.
You can reproduce the "leftover" service by doing the following:
Open a command prompt and start a process with psexec (without using the -d switch), for example:
psexec \\somemachine -i notepad
This will open notepad. Now close the window with the command prompt. Close Notepad, and the service will still be there (start type manual).
Run psexec again, close notepad while psexec is still waiting for the execution, and the service will have disappeared.
0
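Added example, not code from the thread or from Sysinternals: a PowerShell check that does what oBdA suggests above, locating the PSEXESVC service and its binary, reading the file's CompanyName and its Authenticode signature, so an admin can decide whether a leftover service is the PsExec artifact described here before deleting it or excluding it from the scanner. It assumes PowerShell 3 or later running as a local administrator on the host being checked; the service name and default path are the ones quoted in the question.

```powershell
function Get-PsExecSvcReport {
    # Service name PsExec registers (from the thread). Absent on hosts PsExec never touched.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PSEXESVC'" -ErrorAction SilentlyContinue

    # Default to the location quoted in the question (C:\WINNT\system32 on W2k),
    # but prefer the path the service entry actually points at.
    $path = Join-Path $env:SystemRoot 'system32\PSEXESVC.EXE'
    if ($svc -and $svc.PathName) {
        # PathName may be quoted and may carry arguments; keep only the executable.
        $path = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    }

    $report = [ordered]@{
        ServicePresent  = [bool]$svc
        State           = if ($svc) { $svc.State } else { $null }
        StartMode       = if ($svc) { $svc.StartMode } else { $null }   # thread: leftover shows "Manual"
        BinaryPath      = $path
        BinaryPresent   = Test-Path -LiteralPath $path
        CompanyName     = $null
        FileDescription = $null
        SignatureStatus = $null
        Signer          = $null
        Verdict         = $null
    }

    if ($report.BinaryPresent) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $report.CompanyName     = $vi.CompanyName          # oBdA: should read Sysinternals
        $report.FileDescription = $vi.FileDescription
        $sig = Get-AuthenticodeSignature -FilePath $path
        $report.SignatureStatus = $sig.Status.ToString()   # Valid / NotSigned / HashMismatch ...
        if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }
    }

    # Older Sysinternals builds may be unsigned; then CompanyName is the only hint and the
    # deploying admin (or a script like fletch72's) should be asked before trusting the file.
    $looksSysinternals = ($report.CompanyName -match 'Sysinternals') -and ($report.SignatureStatus -eq 'Valid')
    if (-not $report.ServicePresent -and -not $report.BinaryPresent) {
        $report.Verdict = 'No PsExec artifacts found'
    } elseif ($report.BinaryPresent -and $looksSysinternals) {
        $report.Verdict = 'Signed Sysinternals PSEXESVC left behind; removable if PsExec is not used against this host'
    } elseif ($report.BinaryPresent) {
        $report.Verdict = 'PSEXESVC binary lacks Sysinternals version info or a valid signature; verify its origin first'
    } else {
        $report.Verdict = 'Orphaned PSEXESVC service entry with no binary on disk'
    }
    [pscustomobject]$report
}

Get-PsExecSvcReport | Format-List
```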
fletch72 commented:
It is from PsTools, and if someone wrote a script such as I have, it will leave a copy on machines depending on what you do and when the script runs. The easiest thing to do is either get rid of it if you aren't doing anything with it, or just exclude it from your virus scan. It is annoying, but many programs that run like this are detected as spyware or viruses.

0