All Things Patrick - Working Hard to be Lazy!


Mysterious DLLs

patrick — Tue, 2010-05-18 13:59

I was having an issue on my Windows game box with Firefox stating it didn't have the latest version of Flash installed. It had also been a couple of days since I had last run Firefox, and I didn't recall having any pages require a Java applet the last time (and today it opened Java Web Start). I was also having issues with player controls in Firefox on a particular site, and games were crashing, so it was time to reboot my computer. After I logged in, up popped a window for Flash stating that it was ready to finish installing the latest version. This was really odd because I don't remember going through any process to update Flash.

I say it's odd because I go through no small effort to rid myself of the billions of sleeper updater programs that do nothing other than constantly consume CPU cycles and tons of memory simply to check once a week whether there's an update for a particular company's product... There's a built-in function in Windows similar to cron on Unixes called Scheduled Tasks that proprietary companies using a proprietary operating system need to look into using.

After it finished installing the latest Flash update I ran msconfig (Start -> Run -> type msconfig into the box and press [Enter] or click the OK button) to check whether I needed to remove a sleeper update program. I didn't see anything related to Flash, and the QuickTime, Java, and Adobe Acrobat scheduled update programs were still marked so they would not constantly run in the background.

I did notice that there were some extra things being loaded that I hadn't seen before, and I googled them only to find nothing.

Startup Item   Command                                                                                   Location
afabiper       rundll32.exe "c:\windows\afabiper.dll"                                                    ...
msp14DE        rundll32.exe "c:\windows\msp14DE.dll"                                                     ...
wwwzuc32       "C:\Documents and Settings\username\Start Menu\Programs\Startup\wwwzuc32.exe /install"   ...

I could be wrong on the wwwzuc32.exe command (I think it had /install, but that might have just been the NVIDIA command I also ran across). I ran regedit, searched for afabiper & msp14de, and cleaned out the entries I found. I closed msconfig and then re-opened it expecting the entries to have disappeared, only to find they'd been re-added. The wwwzuc32.exe entry was gone, but I couldn't find the exe anywhere, so I wasn't sure if it would come back or not.

I couldn't find afabiper or msp14de in the Task Manager, so my assumption was that they were running under one of the many svchost.exe entries. I attempted to delete c:\windows\afabiper.dll and c:\windows\msp14DE.dll, but both were currently in use, and Windows doesn't like it when you try to delete files currently being used. I unchecked the boxes in msconfig, clicked OK, and let the system immediately reboot.

As my game box is set up to dual-boot (defaults to Windows), I selected Linux and let it load up. I then changed to /mnt/win_c in a terminal, at which point I was also able to see C:\Documents and Settings\username\Start Menu\Programs\Startup\wwwzuc32.exe, and proceeded to delete all 3 of these troublesome files. I also discovered a bunch of eula.*.txt files that each had 2 binary characters in them, as well as install.exe, install.ini, and a bunch of other files that do not belong in the root directory in Windows. I deleted all of these crap files and also checked the contents of the C:\$$current$$ directory, which was empty. Not seeing anything else unusual at this point, I rebooted.

I let Windows load this time, and after I logged in I got 2 errors: it couldn't find and was unable to load afabiper.dll and msp14DE.dll. This means that even after I unchecked them in msconfig they were re-added... This means it would have been impossible for me to use normal means to rid myself of these files. Yay for Windows knowing better than me that I really need to keep these infestations.

I opened up msconfig and, sure enough, all 3 items were back and enabled in the startup section of msconfig, along with the 2 disabled entries for afabiper and msp14de. This means they rewrote themselves into the registry before allowing Windows to shut down. Luckily for me I was able to delete them from Linux, so they were unable to load again. I completely removed the entries from the registry and made sure they were gone by restarting msconfig. This time they were not re-added, and after a reboot they still hadn't re-appeared.
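The triage above (find the autostart entries, work out which process has the DLL loaded, check whether msconfig really removed anything) can be scripted. The following PowerShell is an added example and is not code from the original post; the registry paths are the standard Run keys and the key msconfig uses to park unchecked entries, and the "rundll32 loading an unsigned DLL straight out of %windir%" heuristic is an assumption chosen to match the entries listed above. Run it from an elevated prompt so the module lists of svchost.exe instances are readable.

```powershell
# Added example, not code from the original post. Lists autostart entries from the
# Run keys, msconfig's "disabled" store and the Startup folders, then for each one
# reports whether the file exists, whether it is signed, and which running processes
# have it loaded (so you know which svchost.exe to stop before deleting the file).
# Heuristics and the sample-matching regexes are assumptions for illustration.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# msconfig does not delete an unchecked startup entry; it moves it under this key,
# which is why "disabled" entries are still sitting in the registry.
$msconfigStore = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
            New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    if (Test-Path $msconfigStore) {
        foreach ($sub in Get-ChildItem -Path $msconfigStore) {
            $cmd = (Get-ItemProperty -Path $sub.PSPath).command
            New-Object PSObject -Property @{ Source = 'msconfig-disabled'; Name = $sub.PSChildName; Command = [string]$cmd }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer })) {
            New-Object PSObject -Property @{ Source = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }
}

# Pull the file path out of a command line. rundll32 gets special treatment because
# the thing that matters is the DLL it loads, not rundll32.exe itself.
function Get-TargetPath([string]$command) {
    if ($command -match '(?i)rundll32(\.exe)?\s+"?([^",]+?)"?(,|\s|$)') { return $matches[2].Trim() }
    if ($command -match '^"([^"]+)"') { $path = $matches[1] } else { $path = ($command -split '\s+')[0] }
    return ($path -replace '\s+[/-]\S+\s*$', '')   # drop a trailing switch such as " /install"
}

# Which running processes have this file mapped? Protected processes throw when
# their module list is read, so treat that as "unknown" rather than aborting.
function Get-LoadingProcesses([string]$path) {
    Get-Process | Where-Object {
        try { ($_.Modules | ForEach-Object { $_.FileName }) -contains $path } catch { $false }
    } | ForEach-Object { "$($_.Name)[$($_.Id)]" }
}

$report = foreach ($e in Get-AutostartEntries) {
    $path = Get-TargetPath $e.Command
    if ([string]::IsNullOrEmpty($path)) { continue }
    $exists = Test-Path -LiteralPath $path
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' }
    $loadedBy = if ($exists) { (Get-LoadingProcesses $path) -join ',' } else { '' }
    # Assumed heuristic: a DLL run via rundll32 straight out of %windir% (not
    # System32) that is not validly signed is the pattern in the entries above.
    $suspicious = ($e.Command -match '(?i)rundll32') -and
                  ((Split-Path $path -Parent) -eq $env:windir) -and ($sig -ne 'Valid')
    New-Object PSObject -Property @{
        Source = $e.Source; Name = $e.Name; Path = $path; Exists = $exists
        Signature = $sig; LoadedBy = $loadedBy; Suspicious = $suspicious
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Name, Path, Signature, LoadedBy, Suspicious -AutoSize
```

The LoadedBy column answers the "which svchost is it?" question directly, and the msconfig-disabled rows make it visible that unchecking an item in msconfig only relocates its registry entry. A file that is still loaded will refuse deletion exactly as described above; the offline deletion from the Linux side of the dual boot remains the reliable way to remove it once you know which files are involved.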

I just wish entries in Services were better labeled and had better descriptions, along with better information regarding what is required. I've disabled some of the services only to discover that networking was no longer working, or that some other simple and mundane needed service had been disabled.

The other thing I wish is that people writing apps and drivers for Windows would stop it with the services or background processes to update themselves (use the bloody built-in Scheduled Tasks!) or to run print servers... Seriously, Windows just sucks, which is why I only use it for playing games and watching Netflix. The last time I looked at my parents' computer it had 3 different print servers running, and only the laser printer is connected all the time. I also know one of the services (can't remember if it's a printer or scanner) can't simply be run/turned on via a script prior to use; it requires a reboot after enabling it.

I still don't know what the purpose of these mysterious DLLs was, nor do I know where they came from. As I completely deleted them from my system and they've not yet returned, I'm not sure if I'll ever find out. I'm also pretty sure that the names afabiper, msp14DE, and wwwzuc32 were randomly generated, but I could be wrong. The entries for them in the registry were definitely randomly generated alphanumeric strings, most likely either embedded directly in the DLLs and/or the EXE, or else the randomizer wasn't randomized, as the registry strings were fairly similar (I can't be completely sure they were exactly the same, as I never wrote them down, but they were close).

  • Security
  • Windows