Possible False Positive: WinSpy.SpySoftWareX in EZVidCap Video



bluess
2007-05-21, 22:20
Hi, I'm someone who runs SpyBot on my computer every once in a while to be sure I haven't had any malware installed. I'm pretty careful about what goes onto my computer, so most of these scans amount to a bit of cookie cleaning from the web browser. However, on my latest scan I had something brand new, something detected as WinSpy.SpySoftWareX, a keylogger. The following were found:


WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ezVidCap
WinSpy.SpySoftWareX: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ICapCallBack
WinSpy.SpySoftWareX: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Library (File, nothing done)
C:\WINDOWS\system32\EZVIDC60.OCX

Since this has been installed on my computer for a couple of months... I was a little suspicious... these files seem to be related to some of the video software I use for captures and editing. The homepage for the EZVIDC60.OCX file is at http://www.shrinkwrapvb.com/ezvidcap.htm .

Anyway, I suspect this is a false positive so I'm just posting to let people know. However SpyBot is not alone here. Supposedly Symantec's antivirus(?) products also identify the file as spyware. http://www.symantec.com/security_response/writeup.jsp?docid=2003-110711-5846-99 . I don't know what the process is to get this "re-examined" by the spyware/antivirus community.

Thanks,
Bluess

md usa spybot fan
2007-05-21, 23:40
Since the CLSID=DF6D6569-5B0C-11D3-9396-008029E9B3A6 and EZVIDC60.OCX appear in the following Symantec article:
Spyware.WinSpy
http://www.symantec.com/security_response/writeup.jsp?docid=2003-110711-5846-99&tabid=1
Are there any other symptoms, files, etc. present that are in that article?

bluess
2007-05-22, 15:26
Are there any other symptoms, files, etc. present that are in that article?

I clicked the "Technical Details" and reviewed all the files listed. With the exception of the EZVIDC60.OCX itself, none are present on my system.

From the looks of those files listed, it looks like this WinSpy is a logger that uses several components... from the filenames alone I'd suspect there are applications to steal information from databases, Outlook, the printer, etc.... Since EZVIDC60.OCX by itself is a control for webcams, or getting data from a connected video source... it would make sense that some nasty virus spyware might use this (freeware) component as part of its nastiness.
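
The triage reasoning in this thread, sketched as an added example that is not part of any post or of SpyBot itself: parse the two-line report entries quoted in the first post and check whether every hit reduces to one file plus that file's own COM registration. The function names and the "single component" heuristic are assumptions made for illustration.

```python
import re

# Subset of the scan output quoted in the first post (header line, then path).
REPORT = r"""WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ezVidCap
WinSpy.SpySoftWareX: Library (File, nothing done)
C:\WINDOWS\system32\EZVIDC60.OCX"""

HEADER = re.compile(r"^(?P<threat>[^:]+): (?P<role>.+) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$")
# Capture everything after the first GUID group; GUIDs issued together share it.
GUID = re.compile(r"\{[0-9A-Fa-f]{8}-((?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}")
# Hives that hold only COM registration data (CLSID, Interface, TypeLib, ProgID).
COM_HIVES = ("HKEY_CLASSES_ROOT\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\")

def parse_report(text):
    """Pair each 'Threat: role (kind, action)' header with the path below it."""
    entries, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
        elif pending:
            entries.append({**pending, "path": line})
            pending = None
    return entries

def summarize(entries):
    """Reduce a report to the facts that matter for false-positive triage."""
    keys = [e["path"] for e in entries if e["kind"] == "Registry key"]
    return {
        "files": sorted({e["path"] for e in entries if e["kind"] == "File"}),
        "registry_keys": len(keys),
        "com_only": all(k.upper().startswith(COM_HIVES) for k in keys),
        "guid_tails": sorted({m.group(1).upper() for k in keys for m in GUID.finditer(k)}),
    }

def single_component(summary):
    """True when every hit is one file plus that file's own COM registration."""
    return (len(summary["files"]) == 1 and summary["com_only"]
            and len(summary["guid_tails"]) <= 1)

if __name__ == "__main__":
    s = summarize(parse_report(REPORT))
    print(s, "single component:", single_component(s))
```

A True result only narrows the question to the one flagged file; whether that file is benign still has to be settled by checking it against the vendor's other listed indicators, as the replies above do.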