
Thread: Khalmnpr.exe infected with Virtumonde?

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    1

    Khalmnpr.exe infected with Virtumonde?

    - Operating System: Windows XP, Service Pack 3
    - Browser: IE 7.0.5730; FireFox 3.0.5
    - SpyBot-Version: 1.6.0.31
    - Last Update: 07.01.2009
    - False positive occurred: Scan result
    - Spybot scan result:
    Virtumonde: [SBI $845EA7F9] Ausführbare Datei (Datei, nothing done)
    C:\WINDOWS\KHALMNPR.Exe


    Hi everyone,
    I was slightly surprised when I scanned my system with SpyBot today just to find out that one of the exe-files (situated in C:\Windows\Khalmnpr.exe) that usually comes with Logitech-mice is supposed to be infected with Virtumonde.

    I've checked the file with a couple of anti-virus programs, none of them confirmed Spybot's scan-result. I'd assume it's a false positive since I don't have any sort of problem with my computer or using IE/FireFox - no random pop-ups or other kinds of strange behaviour there.

  2. #2
    Buster (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Thanks for reporting this false positive. You are right. It will be fixed in our next update, scheduled for next Wednesday. In order to help us prevent future false positives, you may download our distributed testing client here.
    Last edited by Buster; 2009-01-08 at 13:01.
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    1

    Thanks for the confirmation

    I thought maybe I was plagued with the rootkit from hell.

    This would explain why Spybot reported Virtumonde in KHALMNPR.exe, and yet ...
    VundoFix
    FixVundo
    and ClamAV (of the Windows FS from a Linux dual boot)
    All reported nothing out of the ordinary.

    Whew! Thanks.

    Ken
