PTI in temp folder trying to start a process

I have an issue where the command line, attempting to start a process is, contained within a temp folder.

I've made a search on the temp folder and found only two temporary files in the folder, one is PTI4, digitally signed by British Telecomm in July 2005 the other is ~DFC4DB, which I'm assuming is an open process as there's no signature or summary tabs when I right-click.

Below is the page from ZoneLabs web site, which is reporting what was happening. The ZoneAlarm technical info below gives it as being PTI7, however ZAP reported 16 attempts by various flavours of PTI 'n' to do this.

I do not understand why a file in the temp folder would attempt to spawn these processes.

Alert property Alert property value Technical explanation
Program Name LSA Shell (Export Version) A program running on your computer, which attempted an action that it is not currently permitted to perform.
Filename D:\WINDOWS\WINDOWS\system32\lsass.exe The filename of the program that ZoneAlarm Pro found on your computer.
Program Size 13312 The size of the program executable file in bytes.
Program MD5 84885f9b82f4d55c6146ebf6065d75d2 The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum 493f6c8183f8a5aa6026d91468455ec7 The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified Aug-04-2004 0750 AM The date when D:\WINDOWS\WINDOWS\system32\lsass.exe was most recently modified.
Event Type Process The event involved starting or terminating a thread or process.
Sub Event Type OpenProcess LSA Shell (Export Version) attempted to open another process.
Command Line D:\DOCUME~1\Katy\LOCALS~1\Temp\PTI7.tmp The command being used to open another process.

VirusTotal

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:

• D:\WINDOWS\WINDOWS\system32\lsass.exe

Click Send.
Please post the results of this scan to this thread.

If VirusTotal's service load is too high, you can use the following scanner instead:
http://virusscan.jotti.org



Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract All,
• Open the extracted folder and double click RunThis.bat to start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
  
  Please also provide any new current observations.

Post a HijackThis LOG and Uninstall List as per instructions, here (if you require further assistance):
Read This First - IMPORTANT Instructions

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Report from VirusTotal:

File has already been analysed:
MD5: 84885f9b82f4d55c6146ebf6065d75d2
Date: 12.26.2007 06:42:37 (CET) [>30D]
Results: 0/32
Permalink: analisis/7835bf8a6479239d9b64c58d210a7339

Hi Vincent, below is the SDFix log report.

SDFix: Version 1.131

Run by xxxxxx on 25/01/2008 at 17:31

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\PROGRA~1\SDFix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

HJT logfile below. I see nothing untoward with this log. I recognise everything here.

Logfile of HijackThis v1.99.1
Scan saved at 20:53:51, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\WINDOWS\System32\smss.exe
D:\WINDOWS\WINDOWS\system32\winlogon.exe
D:\WINDOWS\WINDOWS\system32\services.exe
D:\WINDOWS\WINDOWS\system32\lsass.exe
D:\WINDOWS\WINDOWS\system32\svchost.exe
D:\WINDOWS\WINDOWS\System32\svchost.exe
D:\WINDOWS\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Kontiki\KService.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\WINDOWS\System32\svchost.exe
D:\WINDOWS\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\WINDOWS\WINDOWS\system32\LVCOMSX.EXE
D:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
D:\WINDOWS\WINDOWS\System32\svchost.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\btbb_wcm\McciTrayApp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\WINDOWS\system32\DrvMon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFetcher - {16E8A050-74CE-43D5-8DC0-BADD7347B2DD} - D:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] D:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] D:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] D:\WINDOWS\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] D:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] D:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] D:\WINDOWS\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: BT Broadband Desktop Help.lnk = D:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - D:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - D:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {57DBBAA2-2AC8-485E-B775-FB34F6B8E5B9} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {95A91570-02DF-4049-910C-D705D5F762E2} - http://www.btopenworld.com/businesshome (file missing) (HKCU)
O9 - Extra button: Help - {ACD494A7-97A4-4AEA-8512-58F90D2B1FBF} - http://www.btopenworld.com/helpbb (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140629525255
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-dcfbeb702a91b1c8.spaces.l...d/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - D:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - d:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\WINDOWS\system32\YPCSER~1.EXE

I think we can consider this closed. I see no issues with the HJT log or the report from SDFix. VirusTotal reported clear and I've deleted the offending files.

Added to which the files were dated 2005, albeit they appeared in the temporary folder on the 23/1/2008. It's possible they are related to the BT Help Notifier, that occasionally tries to update itself.

Thanks for your help.