Havin_it
Cactus Data Shield (CDS200) - spyware?

Hi,

I recently found some unknown files at the drive-root of a Windows XP PC I look after.  The files are UNWISE.EXE and INSTALL.LOG - here are the contents of INSTALL.LOG:

***  Installation Started 09/30/2005 16:53  ***
Title:  Installation
Source: E:\player\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll
***  Installation Started 09/30/2005 16:53  ***
Title:  Installation
Source: E:\player\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005
File Overwrite: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
RegDB Old: C:\UNWISE.EXE C:\INSTALL.LOG
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Overwrite: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Overwrite: C:\WINDOWS\system32\ActiveSkin.ocx | | | | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll
***  Installation Started 09/30/2005 16:53  ***
Title:  Installation
Source: E:\player\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005
File Overwrite: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
RegDB Old: C:\UNWISE.EXE C:\INSTALL.LOG
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Overwrite: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Overwrite: C:\WINDOWS\system32\ActiveSkin.ocx | | | | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll


From what I've been able to discover, these appear to be connected with the Cactus Data Shield (aka CDS200) copy-protection on some audio CDs.  Besides preventing the computer from reading the audio, this system installs its own software player to play low-bitrate WMA versions of the audio tracks.  The player itself is supposedly only loaded into RAM, but (reading between the lines) it appears that ActiveSkin.ocx, a third-party skinning control used to render the player's GUI, has to be installed to disk.

Now, that's as much as I've been able to learn.  That, and the fact that UNWISE.EXE does not actually uninstall a damn thing.  What concerns me most is that system DLLs (specifically network-related ones) were overwritten.  I should add that, to the best of my knowledge, this would have taken place under a Limited User account, so I'm not too sure how it was possible for a CD to do this.  As soon as I discovered this I performed sfc /scannow but the scan ended without any alerts.  Were the files really overwritten, or did WFP prevent this?

Essentially, I would like to know (a) whether there is any known or suspected spyware/other malware component in CDS200, (b) how can I thoroughly remove it, and (c) how can I mitigate the chances of a repeat?

Points high in hopes of a factual and backed-up response.
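The INSTALL.LOG quoted above is a Wise installer log, and the question it raises (which system DLLs were actually overwritten, and how many times) can be answered from the log itself. Added example, not code from the thread: a small parser for that format, run here on a constructed cut-down sample of the log; the field layout (path | date | time | version | size | crc) is inferred from the lines quoted above.

```python
import re

# Constructed sample in the shape of the INSTALL.LOG quoted above (a Wise
# installer log): two runs, cut down to a few lines each.
SAMPLE_LOG = r"""
***  Installation Started 09/30/2005 16:53  ***
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
***  Installation Started 09/30/2005 16:53  ***
File Overwrite: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
"""

RUN_MARK = re.compile(r"^\*\*\*\s+Installation Started .+\*\*\*$")
FILE_LINE = re.compile(r"^File (Copy|Overwrite): (.+)$")

def parse_runs(log_text):
    """Split the log into installer runs, each a list of (action, path, size, crc).
    A 'File ...' line is 'path | date | time | version | size | crc'; the log
    leaves date/time/version empty for overwrites, so missing fields stay ''."""
    runs = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if RUN_MARK.match(line):
            runs.append([])
            continue
        m = FILE_LINE.match(line)
        if not m or not runs:
            continue
        fields = [f.strip() for f in m.group(2).split("|")]
        fields += [""] * (6 - len(fields))
        path, _date, _time, _version, size, crc = fields[:6]
        runs[-1].append((m.group(1), path, int(size) if size else None, crc))
    return runs

def system_overwrites(log_text, system_dir=r"c:\windows\system32"):
    """Distinct files overwritten under the system directory, with size and CRC,
    deduplicated across runs (the real log records the same run three times)."""
    found = {}
    prefix = system_dir.lower() + "\\"
    for run in parse_runs(log_text):
        for action, path, size, crc in run:
            if action == "Overwrite" and path.lower().startswith(prefix):
                found.setdefault(path.rsplit("\\", 1)[1].lower(), (size, crc))
    return found
```

The size/CRC pairs are what you compare against known-good copies of those DLLs before deciding whether a clean sfc /scannow result settles the matter.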
phototropic

I have not found any references to spyware, but many users are not happy with CDS. As far as I can make out, it creates the files you found - install.log and unwise.exe in the Root Directory, plus the following in the Windows directory:
activeskin.ini
activeskin.ocx (windows/system)

Apparently there are registry changes as well. A search for "activeskin" reveals several, according to the forums.

The best advice I have found so far is to system restore back to a point before this thing appeared, and then avoid playing any CDS protected CDs in your pc!
Havin_it (ASKER)
Say it ain't so!  I'd sooner reinstall Windows than use System Restore; slightly more predictable results :(  Anyway, if you check the date of the install, it's kinda moot at this point.

I'm open to the possibility that parts of the logfile are spurious; I mean, is it even possible for a program executed from a CD by a Limited User to overwrite system files?  It certainly seems that it shouldn't be, but this is Windows...  Can anyone answer that?
CDS website contains no technical information:

http://www.macrovision.com/products/activereach_cd/cds100/index.shtml

Only source is the forums. If you Google CDS 200 you get a lot of hits.

I can't find any further information about what this thing does to your op/system.
Tolomir
This seems to be in fact cactus data shield 200.

A restricted user cannot install software to the Windows directory. But maybe the computer user bugged the owner to get a chance to listen to the music on such a protected CD, and the damage was done.

I suggest you reinstall XP Service Pack 2; this should get rid of all modified DLLs...

Tolomir
Hmm, I must say googling "cds 200" yields a lot more info than "cds200" - guess that's where I was going wrong.  Most discussions/articles are still a bit low on hard data of the kind I'm after though.

@Tolomir: not likely, there is only one person with Administrator access besides myself, and trust me - such a request would get short shrift.  So far, nobody I've spoken to (including Mme. Admin) has any recollection of an audio-CD launching its own player.

I know there *shouldn't* be any way for system dirs to be writable by a LU account, but I tend not to rule it out when dealing with Windows.  I realise this isn't entirely analogous, but drivers can be installed there when new hardware is added, whatever the account.  Does any similar escalation capability exist with CD autoruns?
You cannot install anything driver- or Windows/system-related without administrator rights.

Also, CD autoruns can just start(!) a setup program, which will fail if proper permissions aren't available.

As said, reinstall XP Service Pack 2; this should overwrite all "manipulated" files.

You might want to check the create/last accessed/modified date of these particular files: right mouse click on it, open properties.
This might give you an idea of that date/time of the installation.

Tolomir

Hmm I see, some time in the past:

***  Installation Started 09/30/2005 16:53  ***

Really no Audio-CD used/ bought around that date?
On your first point, my experience disagrees - I've been able to install drivers for new hardware via the "Add new hardware wizard" which pops up for Plug'n'Play devices.  I'm sure I have...or am I going mad?  I'm just conjecturing that a CD autorun might have this type of power, as I haven't yet found a reputable source to confirm or deny it.  Also the other Admin here is a bit more astute than the other staff, I just struggle to believe she'd have done this without noticing.

Yeah, the ActiveSkin.ocx and .ini files match the last date/time in the logfile.  I'm not saying nobody did this - obviously someone did - and they are playing CDs all the time on this PC.  It's possible they didn't realise the player wasn't actually Windows Media Player, or maybe they thought it was just WMP in skin-mode.  They can be a bit unobservant, to put it nicely.  (Then again, I'm the genius that didn't notice these rogue files for like 9 months...)

I did sfc /scannow so all the Windows files should be kosher now.  I'd still like to find some sources on the CD/privileges matter, but I should probably close this shortly otherwise, as it appears the main result is just a quantity of cruft, not anything more sinister.
As a user with administrator rights, you are of course able to install anything. The art of war^W Windows-using is to use it without administrator rights, as a restricted user.

The music industry tried (remember the Sony case) everything to disable CD-burning features on normal computers, but they too had to rely on users having the proper permissions.

So I wouldn't wonder too much if there were no big notices that some kind of software was installed. Or even if it was camouflaged as a leet <the-bandname-fits-here> screensaver.

Please check http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html for more details.

Tolomir
Heh, I was just reading that very page, as it happens.  There was one comment confirming that LU accounts wouldn't have higher rights on the autorun program.  In fact, if the disc used an autorun.inf file, there'd be a security dialog appearing.  I found a further reference to this on Microsoft's site:

http://support.microsoft.com/?kbid=314855

I actually want to go and verify this on my XP now.  If true, it means the culprit *had* to be the boss.  Man, that'll be a conversation I won't enjoy.
Blinkin' flip.  My own box is not nearly as locked-down as I'd thought.

At home I've been running XP under a LU account for some time, and had disabled Autorun using TweakUI.  At least, I'd unchecked the autoplay boxes for the CDROM and DVD services.  Now, I was aware that Windows' specialised Autoplay for doing things with CDs depending what files it detected was still active, so I wasn't surprised that my audio and picture CDs were still opening in the respective handler apps.

However, that should have protected me adequately against autorun.inf launches, right?  WRONG!!  I just fired-up my beloved Studio MX installer disc, and sure enough the installer front-end appeared in moments.  So forget about the Microsoft KB link above.  There was no "Install as another user" dialog, it just ran.

So I logged-in as Administrator, opened TweakUI, and unticked all 26 drive letters for Autoplay.  While there, confirmed that this had disabled the autoplay for Admin... it had.  Logged back in as my LUser, and... damn thing still auto-plays!

Right... back to Admin, regedit, and did what folks used to do before TweakUI was around.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

Key: AutoRun
Value: 0

Rebooted, for good measure ;)

Now, finally, the drive won't autoplay the installer on insertion.  HOWEVER, 'Autoplay' is still the default action on the drive, so double-clicking it has the same result.

This is a scary revelation for four reasons.
1) TweakUI doesn't do what it says on the tin;
2) You need reg-hacking to prevent autorun.inf launching;
3) It's actually *harder* to disable autorun for Limited Users.
4) No, it's actually *impossible* to completely disable it for Limited Users, who (for the very reason that makes them Limited Users) will of course, when Autoplay doesn't happen, double-click on the drive to 'open' it.

Am I alone here?  I've read so many pages about Windows autorun since this saga began, but I've never heard of it requiring this much work.  And how the hell can I disable it fully?
Oh, and another interesting discovery.  I've now taken out the CD, closed the drive, refreshed the view several times, and the (empty) CD drive still thinks it's called Studio MX Plus.  I am in Hell.
hehe
no, you're not.
If you disable autoruns, Windows will no longer detect a media change, so it still thinks the already removed CD-ROM is inserted.
ASKER CERTIFIED SOLUTION
Tolomir
Wow, that is a lot more info all right :)

I looked at my LUser's key, and the value was 91 = 10010001 so you were nearly right, except I had autorun enabled for removable drives (that can't be good?)

Bizarrely, after doing another reboot, I actually had no Autoplay, though I hadn't changed anything else.  I'll implement the above as suggested, but are there any further downsides to this?  Is there any way I can have the Autoplay functions available, just not as a default?
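The 91 = 10010001 above is a NoDriveTypeAutoRun bitmask, the per-user Explorer policy that disables Autorun per drive type (0x91 is XP's default, which leaves removable drives and CD-ROMs enabled). Added example, not from the thread or its hidden accepted answer: Python that decodes such a value and renders a .reg file setting both the Cdrom service flag quoted earlier and this policy; the registry paths and bit layout come from Windows documentation, not from this thread.

```python
# Bits of the Explorer policy value NoDriveTypeAutoRun (REG_DWORD under
# HKCU or HKLM \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer).
# Each set bit disables Autorun for one GetDriveType() class; layout and
# path are Windows-documented, not taken from this thread.
DRIVE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF
EXPLORER_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def parse_value(text):
    """Accept the spellings people post: '91' or '0x91' (hex, as regedit
    shows a DWORD) and '10010001' (the binary form written in the thread)."""
    s = text.strip().lower()
    if len(s) == 8 and set(s) <= {"0", "1"}:
        return int(s, 2)
    return int(s, 16)

def still_enabled(mask):
    """Drive types on which Autorun still fires under this mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

def reg_file(mask=DISABLE_ALL, hive="HKEY_CURRENT_USER"):
    """Render a .reg file covering both layers the thread ran into: the Cdrom
    service flag (autorun on media insertion) and the Explorer policy that
    disables Autorun for every drive type in DRIVE_BITS set in `mask`."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]",
        '"AutoRun"=dword:00000000',
        "",
        f"[{hive}\\{EXPLORER_POLICY}]",
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}',
        "",
    ])
```

Pass hive="HKEY_LOCAL_MACHINE" to apply the policy to every account on the box rather than only the one importing the file.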
Well, at least Windows has to find out that a new medium is inserted; after that, right-click on the drive icon in Explorer - Autoplay should be the last entry in the upper selections.

But while using windows with admin right, you know you are playing with fire, aren't you?

So you should consider using a restricted user account for the "daily" tasks.

If you want to master Windows, Filemon and Regmon (www.sysinternals.com) come into play: run these, start any application via "runas restricted user" that might be moaning about your insufficient rights, and check the Filemon/Regmon logs for permission denied entries.

Now step by step allow those entries for restricted users; you can double-click on them in Filemon/Regmon and it will open Explorer or the registry, respectively.

Of course there are applications you will never get to run, but e.g. ICQ just needed the "create subkey" permission on a certain branch in the registry, so this is possible.

There is even a better way: you can download the free VMware Server, install Windows XP in a virtual host, and make a snapshot of the fresh virtual system. Now you can install anything with full permissions in the virtual session. If something wants "way too much", restore the clean snapshot, the "bestest" spyware removal tool ever: undo all changes - within minutes.

But we are getting off-topic ;-)

Tolomir

 
Someone hasn't been listening... as I already explained (twice, I think) both the home and office systems are running day-to-day under Limited User accounts.
What me? - ok, fair enough.

It's just too "normal" running Windows with too many rights. And the only way files / drivers can be installed (in the windows / system32 folders) is via installations done as administrator.

So with autoruns disabled, you should be quite safe on that matter. No popup will appear that one might accidentally confirm.

Anything else?
Heh, sorry to get crabby.  This issue has just turned into a rampaging monster to the point of playing on my nerves a bit.

No, nothing else I think.  Now we've gotten the drives beaten into submission, that mitigates further problems of this sort.  Now all I have to do is gently inform my employer about the perils of scumware-laden music CDs.  Hm, is there an 'Industrial Diplomacy' topic area here?

You're right to fly the flag for Non-Admin policy;  I do so myself whenever possible (see my profile ;) ) and so far, I've found the horror-stories largely unfounded.  The problematic apps I have encountered are generally the older ones, like Office 97 (nearly got that tamed, after about a dozen reg hacks) and some ActiveX apps.

TY for all the info, anyway.