
PAExec services running


7 replies to this topic

#1 suitandthaiguy

  • Members
  • 4 posts

Posted 16 March 2016 - 08:38 AM

Hello,

 

Can anyone tell me what this is, and if I need to be concerned? I am joined to a network of about 80 employees. Recently, one of our employees had their work email "spoofed", so I started doing some digging: virus scans, firewall settings, and the like. I noticed a service running on her computer called PAExec-###-"Server Name". When I Googled it, a legit "Telnet style" server monitoring application came back in the results. I checked my own PC, and found almost 17 instances running. I can't manually stop them, and there is no folder in C:\ to uninstall it. Any ideas?

 

Also, how do I upload a picture on here? I have a screenshot of what I am referring to.

Thanks!





#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts
  • Gender: Male
  • Location: USA

Posted 16 March 2016 - 08:48 AM

You can share a picture by uploading to SendSpace and linking it here.

 

I'm not familiar with PAExec myself. If you find it suspicious, you can upload it to VirusTotal for a second opinion by multiple antiviruses. It will also give you more information on whether it was reported before, and if it is a legitimate signed file.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 suitandthaiguy

  • Topic Starter
  • Members
  • 4 posts

Posted 16 March 2016 - 09:10 AM

https://www.sendspace.com/file/v7sz85

 

Here is the screen shot. It doesn't register as malware.



#4 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts
  • Gender: Male
  • Location: USA

Posted 16 March 2016 - 09:14 AM

Do you have a domain controller named DC4? Just a random guess on the names. I've not seen something like that in the services, a bit strange.

 

What do the properties show for one of them? Can you link the VirusTotal hash you uploaded?




#5 suitandthaiguy

  • Topic Starter
  • Members
  • 4 posts

Posted 16 March 2016 - 09:21 AM

Yes, DC4 is our redundant Domain Controller. Here is the link to the FreeFixer.com search:

 

http://www.freefixer.com/library/file/paexec.exe-148877/

 

I couldn't upload it to VirusTotal because I can't find the actual .exe file. Crazy. I searched the entire C:\, and nothing. Here is a screenshot of the properties:

 

https://www.sendspace.com/file/843d8h

 

It lists it as residing in the C:\Windows\PAExec... folder, but no such folder exists.



#6 suitandthaiguy

  • Topic Starter
  • Members
  • 4 posts

Posted 16 March 2016 - 09:40 AM

Actually, strike that. I found the files. Here is their VirusTotal scan:

 

https://www.virustotal.com/en/file/2ec0bfa78f1be5f3a80badb4c97340a7644959c066928423c6ea68c27f3ee1e1/analysis/

 

0/56 detected



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,613 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 16 March 2016 - 11:46 AM

...how do I upload a picture on here? I have a screenshot of what I am referring to.

Also see How do I post a screen shot?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts
  • Gender: Male
  • Location: USA

Posted 16 March 2016 - 12:01 PM

Hmm, the exe itself looks legit to me. May have to wait for someone else to answer on why it could be running multiple times, I'm just not as familiar with its usage. Could be something legitimate just going rampant, or some type of management tool you have running that uses it under the hood.


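The triage the thread walks through by hand (find each PAExec-* service, locate its binary, check the signature, get a hash for VirusTotal) can be done in one pass. This is an added example, not from the thread or from PAExec's vendor; it assumes only that the service names start with "PAExec-" as described above, and it reports services whose binary is missing on disk (the situation in post #5) rather than failing on them.

```powershell
# Added example: enumerate PAExec-* services and collect what a responder needs to triage them.
# Assumes service names start with "PAExec-" (the pattern reported in this thread).
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'PAExec-%'"

foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = $svc.PathName
    if ($exe -match '^"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($exe -match '^(\S+)')  { $exe = $Matches[1] }

    $info = [ordered]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName      # account the service runs as
        ProcessId = $svc.ProcessId      # 0 when the service is not running
        Path      = $exe
        Exists    = Test-Path -LiteralPath $exe
        Signer    = $null
        SHA256    = $null
    }

    if ($info.Exists) {
        # Authenticode status tells you whether the binary is signed and by whom;
        # "NotSigned" or "HashMismatch" on a tool that is normally signed is worth a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $info.Signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
        # SHA-256 is what VirusTotal keys on: search the hash instead of uploading the file.
        $info.SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }

    [pscustomobject]$info
}
```

Pipe the output to Format-List or Export-Csv to keep a record; a service whose Exists column is False but whose State is Running points at a binary that was deleted after it started, which is something to preserve rather than simply stop.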
