PSEXESVC being detected by VirusScan

I've got a domain controller/file/print server running W2k SP4 that has McAfee VirusScan Enterprise 7.1 on it.  The last couple of weeks we've been getting the following warning: "The file C:\WINNT\system32\PSEXESVC.EXE is infected with the RemAdm-ProcLaunch Program.  Delete failed, quarantine failed. Detected using Scan engine version 4.3.20 DAT version 4410. (from Server IP 172.1.1.1 user SYSTEM running VirusScan EntSv 7.1.0 OAS)".  We've been running this virus scan on the machine for about a month or more.  There were no problems until just recently.

I know Sysinternals has some PsTools that you can use to remotely manage PCs.  There is also a service on my server called PSEXESVC that is not running and is set to manual.  I've got other W2k servers w/SP4 and none of them have this service.  I'm not finding any information about where this service came from or why it's on this particular one and not the others.  I've looked on McAfee's web site and read that it's not a virus, but a potentially dangerous program.  I would like to know why this server has this service, for one.  I didn't build this server; I need to know if I need this service and/or file.
1 Solution
 
oBdA commented:
That's very probably harmless and indeed related to psexec. On the first run against a machine, psexec will install this file as a service.
Have a look at the properties of the psexesvc.exe file, and it should display Sysinternals as company name.
Run psexec against a test workstation, and you'll notice that afterwards, the psexesvc service will be installed as well.

Have a look here: http://www.winnetmag.com/Windows/Issues/IssueID/714/Index.html (link from http://www.sysinternals.com/ntw2k/freeware/psexec.shtml), and on the second page, you'll find this note:
"Inside PsExec
PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system."
 
scrmcna (Author) commented:
When I tested it on another computer, I was able to connect but never saw anything in the services.  I tried connecting to the server I was having this problem with again, and it worked.  When I exited, the exe was gone, and so, of course, was the service.
 
oBdA commented:
Just checked again; it seems like it leaves the service on the system only when psexec itself got terminated unexpectedly. I had one machine where it was still present; I ran psexec against it, and afterwards it was gone. On another machine, it showed up during execution and disappeared after the started process was done.
You can reproduce the "leftover" service by doing the following:
Open a command prompt and start a process with psexec (without using the -d switch), for example
psexec \\somemachine -i notepad
This will open notepad. Now close the window with the command prompt. Close Notepad, and the service will still be there (start type manual).
Run psexec again, close notepad while psexec is still waiting for the execution, and the service will have disappeared.
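A triage script in the spirit of oBdA's two answers (confirm the service and file, check that the file's company name is Sysinternals, then deal with a leftover service that is not running), added here as an example and not part of the thread. It assumes a current Windows host with PowerShell 3 or later run as administrator; the function name Get-PsExeSvcState and the -RemoveIfIdle switch are my own.

```powershell
# Added example, not code from the thread: triage a PSEXESVC left on a host the
# way oBdA describes (confirm service and file, check that the file's company
# name is Sysinternals) and optionally remove a leftover that is not running.
# Assumes a current Windows host with PowerShell 3+, run as administrator;
# $env:SystemRoot is C:\WINNT on the W2k box in the question, C:\Windows later.
function Get-PsExeSvcState {
    param([switch]$RemoveIfIdle)

    $name = 'PSEXESVC'
    $exe  = Join-Path $env:SystemRoot "System32\$name.EXE"
    $state = [ordered]@{ ServicePresent = $false; FilePresent = $false
                         Publisher = $null; Signature = $null; Removed = $false }

    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc) {
        $state.ServicePresent = $true
        Write-Host ("Service {0}: State={1} StartMode={2} Path={3}" -f $name, $svc.State, $svc.StartMode, $svc.PathName)
    }

    $genuine = $false
    if (Test-Path $exe) {
        $state.FilePresent = $true
        $vi  = (Get-Item $exe).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $state.Publisher = $vi.CompanyName        # a real copy reports Sysinternals
        $state.Signature = $sig.Status            # older releases may be unsigned
        $genuine = $vi.CompanyName -match 'Sysinternals'
        Write-Host ("File {0}: Company='{1}' Description='{2}' Signature={3}" -f $exe, $vi.CompanyName, $vi.FileDescription, $sig.Status)
        if (-not $genuine) {
            Write-Warning 'Company name is not Sysinternals: keep the file for analysis rather than deleting it.'
        }
    }

    # The Service Control Manager logs every service install as System event 7045,
    # so the matching entries show when PSEXESVC was (re)installed.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $name } | Select-Object -First 5 |
        ForEach-Object { Write-Host ("SCM event 7045 at {0}" -f $_.TimeCreated) }

    # A leftover from a psexec session that was killed is stopped with start type
    # Manual; remove it only in that state and only when the file checks out.
    if ($RemoveIfIdle -and $svc -and $svc.State -ne 'Running' -and $genuine) {
        sc.exe delete $name | Out-Null
        if (Test-Path $exe) { Remove-Item $exe -Force }
        $state.Removed = $true
    }
    [pscustomobject]$state
}

Get-PsExeSvcState            # add -RemoveIfIdle to clean up a verified leftover
```

If the company name does not read Sysinternals, the file is not the PsExec helper the thread is talking about, and the sensible move is to preserve it for analysis rather than exclude it from the scanner.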
 
fletch72 commented:
It is from PsTools, and if someone wrote a script such as I have, it will leave a copy on machines depending on what you do and when the script runs.  The easiest thing to do is either get rid of it if you aren't doing anything with it or just exclude it from your virus scan.  It is annoying, but many programs that run like this are detected as spyware or viruses.
