The drivers & services you are seeing are a "trojan" copy protection. This can be disabled so you can copy your Audio CD, removing everything is a pain and I couldn't begin to tell you how to do that.

As was posted on CD Freaks this week: http://club.cdfreaks.com/showthread.php?t=151461

How to remove CDS-300 (MacroVision) & XCP (First 4 Internet) Drivers

--------------------------------------------------------------------------------

It's very sad how greedy record companies are now using these "trojan" based copy protections to stop you from copying your Audio CDs and preventing freedom w/ iPod etc.. Like Alex Halderman proved nothing is 100%.

I know all you CD Freaks know how to disable the MediaMax drivers. The purpose of these instructions is meant to disable the other (less known) trojans being used on Audio CDs.

As always if autorun is turned off there is no need for these instructions, however when it isn't - these drivers will infect your PC and then you need to either reformat or simply remove them as stated below:

HOW TO REMOVE CD AUDIO PROTECTION DRIVERS FROM PC

CDS-300 (MacroVision) http://www.macrovision.com

How to identify: There will be a directory in the root called “CDS300” and multiple files with “CDS” in the name.

Win98/ME: No protection

Win XP/2K: On windows partition (where Windows is installed default is C:/ drive) search for file called “sdcplh.sys” and delete it. You must restart the computer & now copy protection is now permanently disabled.

The default path is C:\WINDOWS\system32\drivers

XCP2 (First 4 Internet) http://www.xcp-aurora.com/

How to identify: There will be a file called “VERSION.DAT” if this is opened with Note Pad it will say something like “VERSION=XCP2, Version 1.7”

Win98/ME/2K & XP

Step 1. Press F8 during startup to boot into safe mode.

Step 2: On windows partition (where Windows is installed default is C:/ drive) Search for a file called “$sys$caj.dll” and delete it.

The default path is C:\WINDOWS\system32\$sys$caj.dll

Step 2: Reboot PC and go to “Device Manager” and uninstall all CD/DVD drives and then rescan for hardware changes.

Now the XCP protection is permanently disabled.

If you are looking for info on SunnComm's MediaMax CD3 see: http://www.cs.princeton.edu/~jhalderm/cd3/

This was just posted on SysInternals and Slashdotted in case anyone missed it.

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

This is indeed a rootkit installed as DRM software from Sony. Further details in the article.

That blog also tells you how to get your Cd drive back...

hello read these links on this
http://www.sysinternals.com/Blog/
http://blogs.guardian.co.uk/technology/archives/2005/11/01/sony_rootkits_and_drm_gone_too_far.html
http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/
/t137305-Safemode_rootkit_amp_DRM.html
http://carmainc.org/forums/index.php?showtopic=4064&st=0&p=2280181&#entry2280181

If you still need to remove this infection let me know and I'll post the instructions. I have most of the removal automated via batch files, but there are a few registry keys that need manually deleted.

MINz

I guess I missed my opportunity to make big news back in August when I first surfaced this...have you seen all the press that Mark Russinovich from SysInternals has gotten for making this public on his blog? (http://www.sysinternals.com/Blog/2005/11/victory.html)

Well, Mark put more time and more skill (yeah, a lot!) than I did or could have, but, it is sort of weird to feel like I did the initial detective work.

I must admit, I used several of the SysInternals tools (RootKitRevealer, Process Explorer, AutoRuns) in my early diagnostics of the problem. It was really RKR that uncovered the hidden directory.

Some related stories
- http://www.cnet.com/4520-6033_1-6376177.html
- http://www.theregister.co.uk/2005/11/15/sony_bmg_bodycount/
- http://www.infoworld.com/article/05/11/04/HNsonydrm_1.html
- http://www.eweek.com/article2/0,1895,1880543,00.asp?login=1&r=0
and there's lots more.

Cheers!

JGK

=============
"Blue is the color, Chelsea is the name!"
ChelseaFC - 1955, 2005 EPL Champs
Is 2006 our year in Europe?

@jgk4cfc I did notice kudos to you thanks to this thread on several locations out there. So there is a movement in recognizing your initial work.

@jgk4cfc, Bruce Schneier has linked to the story. Although both links point to this second page, here is the link to the work you did on page one for readers before Russinovich posted about it:

/postx130470-0-0.html

[spammer banned by Paul ]

To permanently remove sccfg.sys use AVG Anti-Rootkit , it is free and works perfectly ! When it asks you if you want to remove this file , just say yes . Your computer will be back to normal in no time , trust me , IT WORKS ! Heres a link to it : http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5