Kaspersky
Question

VHO:Trojan.Win32.Fsysna.gen

  • 2 August 2019
  • 8 replies
  • 5212 views

I did a full scan. This picked up a few things, but notably: VHO:Trojan.Win32.Fsysna.gen

As Kaspersky should be doing real-time protection I don't know how this was allowed to get through to my computer.

Also, I have no idea what this trojan is as I can't find any information online. Has anybody else had this virus or know anything about it?

Prior to the scan that picked it up I did a back up to an external drive. When I scanned this the above trojan was not picked up. The back-up is an identical copy of the computer drive so if the scan is picking this trojan up on the computer I am puzzled why it failed to do so on the external drive copy.

Quite a few things seem puzzling. If anyone has any ideas please respond; it would be appreciated!

Userlevel 7
Badge +4
Welcome. Please post the full, complete detection details. Full file name, full path, full location, detection verdict.



How to take and post screenshot: https://support.kaspersky.com/common/diagnostics/492

PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, bottom left of reply box > Drag files here to attach, or choose files... Submit reply.


I attach a screenshot as requested. Hope this helps.
Userlevel 7
Badge +4
Did you download Vitakey from the official source? If yes, this may possibly be a false positive.

How to be sure if it is infected, or if it is a false positive:

Please contact Tech Support: https://my.kaspersky.com/support/

Please attach the following items to your Tech Support request:

a. Description of the issue, full detection details.
b. Screenshot, as needed.
c. GSI
Userlevel 7
Badge +9
Hello @intelvir,
Additional to the info from @richbuff,
  1. Is the screenshot from Kaspersky software detection or ?
  2. Are there any events logged in Kaspersky REPORTS related to VITAKEY?
  3. Is there any VitaKey software installed on your computer?
  4. If so, what is the exact path please?
  5. Have you scanned (Vitakey6.0.5.4\driver\)SDKInstaller.exe using https://virusdesk.kaspersky.com/ ?
Please let us know?
Thanks
Thanks for the responses, both. In answer:-

I don't know what "vitakey" is and have not downloaded it. (The folder containing it was created in 2010, according to my windows file explorer).

If it is a "false positive" then should it not have been picked up (a) in a previous full scan done about two months ago (when I first installed Kaspersky Total Security) and/or (b) during real-time scanning?

I have emailed technical support with a full description of this issue, together with screenshots (exports of scan reports) and "Get System Info". (By the way, what is "Get System Info" as it seems to contain a huge amount of data and information about me/my computer and I am wondering if it is all relevant and/or necessary?).

The screenshot in my earlier message was from Kaspersky Total Security.

The events logged in Kaspersky in relation to "vitakey" are documented in the scan reports (such as the screenshot I provided previously). There are nine entries in total, the only difference being that "KHLB0" in the path has a "KHLB1" version and a "KHLB2" version as well - and there are three of each: one that says "detected" (for each of KHLB0, KHLB1 and KHLB2), and again for each one that says "quarantined" and a final one that says "deleted".

As I don't know what "vitakey" is I don't believe I have any software installed in relation to it.

The only path that I have found that leads to anything relating to "vitakey" is the one in the screenshot I provided. However, that path still exists and there is still an existing file in the same folder from which Kaspersky deleted the file SDKInstaller.exe. So, what still exists on my computer is the following:


As one can see, it follows the exact path as the "trojan" file that was detected, quarantined and deleted by Kaspersky. The only difference is that the name is different (InstallSDK64.exe as opposed to the deleted file name of SDKInstaller.exe).

As the "trojan" file was deleted, and therefore no longer appearing in windows file explorer, it does not seem that there is any way to establish a "date modified" for it, which would have given us a clue as to how long it had been present on my computer.

And again, as the file no longer exists it does not seem there is any way to scan the individual file using "virusdesk". It seems to have been automatically deleted as part of the full scan process.

Thanks again both for your engagement and effort to help.
Userlevel 7
Badge +9
Hello @intelvir,
Thanks for replying.

Please go to Kaspersky REPORTS, export just the report with the detections, deletion information, upload it here using the "upload icon".
----
  • Re: why didn't KTS detect this object earlier (if it's been in the sys since 2010)?
Kaspersky adds signatures/threat definitions continuously, objects that previously were "clean" may fall into a new classification, end result = detection.
The Kaspersky software has worked exactly as it should, detected a threat, deleted it, notified you.
----
  • Re: GSI/Windows logs, yes there is a lot of information, yes it is necessary.
  • All user data is managed according to strict privacy policies.
  • Kaspersky does not deviate from Privacy Policy compliance.
Thanks
Userlevel 7
Badge +4
Hello,

Could you provide these files "InstallSDK.exe" and "InstallSDK64.exe" to me by PM?

Regards.
Userlevel 7
Badge +9
If it is a "false positive" then should it not have been picked up (a) in a previous full scan done about two months ago (when I first installed Kaspersky Total Security) and/or (b) during real-time scanning?

Hello @intelvir
Malware definitions are updated continuously, something previously determined to be "safe/trusted", can change to "unsafe/untrusted" at any time.
Oftentimes the software owners make changes to their products that cause Kaspersky software to detect. And sometimes, the detections are false positives.
In this case, Kaspersky software has functioned normally, it's alerted there's a current issue.
It's up to the Lab to tell you if it's a false/positive or not.
----
Is File History activated in your system?
&
Please share with us the TS advice (when they advise you)?
Thanks so much.