KevinR Posted November 18, 2007

Hi guys. While looking further into my U891711 issues (see elsewhere) I had the misfortune to run MS-SysInfo and found that I had LOADS of processes running from c:\windows\temp. These are all called apXXXX.exe, where XXXX is a 4-digit hex number, and they are all 407Kb in size. Is this an effect of the U891711/KB891711 patch or have I suffered some sort of attack? (I could not google anything about ap*.exe.) Thanks

eidenk Posted November 18, 2007

Sounds like you are infected by some malware.

KevinR (Author) Posted November 18, 2007

> Sounds like you are infected by some malware.

That's what worried me. They appeared while I was trying to run the U891711 patch AFTER booting with (a now known to be incompatible) ZoneAlarm 3.7.179 installed. They are not appearing anymore. So either the problem has gone or it's installed a rootkit. haha.

eidenk Posted November 18, 2007

Try to get software that shows which files are opened in your system. I can think of sysinternals' open list (you can find it on the Internet Archive) or G. Topalla's System Information Viewer.

Best way I know to see if you've got a rootkit.

Well, with those tools I found executables running that were hidden from my process viewer apps and whose startup keys were not visible with regedit.

You could also open your registry user.dat and system.dat files (preferably in another machine or in a virtual machine) with RegExport and inspect all startup keys with it, not forgetting this one especially: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components and its stub path entries.

HTH
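
An added example (not part of the thread and not any poster's code) of the startup-key inspection described in the last post: it reads a registry export and lists Run-key commands and Active Setup StubPath entries, flagging those that point into a temp directory or match the apXXXX.exe naming. It assumes a REGEDIT4-style text export; the Run* key list, the function names and the sample data are constructed for illustration.

```python
import re

# Keys to inspect. Active Setup is the key named in the post; the Run* keys
# are the usual startup keys and are an assumption of this example.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once|services)?$", re.I)
ACTIVE_SETUP = re.compile(r"\\software\\microsoft\\active setup\\installed components\\[^\\]+$", re.I)
# Heuristic from the thread: executables in a temp directory, or apXXXX.exe names.
SUSPECT = re.compile(r"\\temp\\|\\ap[0-9a-f]{4}\.exe", re.I)
# A string value line: "name"="data" or @="data" (hex:/dword: data is not matched).
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def startup_entries(reg_text):
    """Return (key, value name, command, suspect) for each startup string value."""
    found, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember the key the following values belong to
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue  # header, blank lines and non-string values are skipped
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        cmd = unescape(m.group(2))
        is_run = RUN_KEY.search(key)
        is_stub = ACTIVE_SETUP.search(key) and name.lower() == "stubpath"
        if is_run or is_stub:
            found.append((key, name, cmd, bool(SUSPECT.search(cmd))))
    return found

# Constructed sample export (not taken from the machine in the thread).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\WINDOWS\\TEMP\\ap1A2F.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
@="Example component"
"StubPath"="\"C:\\WINDOWS\\TEMP\\ap00FF.exe\" /s"
'''

if __name__ == "__main__":
    for key, name, cmd, suspect in startup_entries(SAMPLE):
        print("SUSPECT" if suspect else "ok     ", key, name, cmd, sep=" | ")
```

Running the export on a second machine or in a virtual machine, as the post suggests, keeps a rootkit on the inspected system from hiding the keys from the tool that reads them.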