
Occasionally, malware will infect files that are critical to Windows' own operation. Repairing these types of infections can be difficult, at best.

I got the following infection warning "Trojan horse Downloader.Generic8.ABKH" followed by "Object is white-listed (critical/system file that should not be removed)"

Questions: Is this true? What does white-listed mean? Aren't Trojan Horses bad? And if it's critical, why does it keep popping up every day on the virus scan as an infection?

There are two ways that malware can enter your system:

First, they can install additional files on your system that contain the malicious code. No real surprise, I suppose.

Second, and perhaps most dangerous, they can place themselves inside existing files. And if those existing files happen to be files that comprise part of Windows itself, things get ugly, fast.

And I'm guessing it's this latter scenario you're seeing.

The word "critical" in the error message doesn't mean that the infection is critical (it may or may not be), it means that the file in which the infection was found is a "critical system file". That means the virus has modified and placed itself inside a file which is critical to Windows being able to run. You can't simply remove the infected file - Windows won't run without it.

A great example is our friend "svchost.exe". That file is a required component of Windows. It's "critical" to Windows being able to operate. Remove it, and Windows won't even boot.


Knowing that it's required, virus writers often target it - they create malware that actually infects the file svchost.exe by modifying it. Why? Because they know that you can't just delete it.

That's what "whitelisted" probably means. The file c:\windows\system32\svchost.exe is "whitelisted" because it can never be simply deleted. Doing so would crash your system and render it unbootable.

In fact, that's where many anti-malware products just stop. Repairing an infected but otherwise required system file is not just difficult, it's often beyond their abilities if not just plain impossible. That's why you're seeing it every day - your anti-malware program can't fix it.

So, what to do?

By far the safest thing to do is backup, reformat and reinstall everything from scratch. I know, it's a royal pain and a lot of work, but it's the only way to be 100% certain you've removed any malware infestation. (Alternately, if you have an image backup from a time prior to the infection, you can restore to that.)

Windows actually includes some level of protection against this type of attack in the form of Windows File Protection - if critical system files are altered, Windows is supposed to be able to detect and recover from it. Obviously, this can be thwarted by sufficiently adept malware. The System File Checker will force a check of all system files, and if any are found altered will attempt to restore them from your original media. Like a full reinstall, this will likely require your original Windows installation CDs. In addition, it should probably be run after having booted into Safe Mode, to increase the likelihood of its success.
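As an added example (not part of the article, and not Leo's own procedure), here is how a defender can confirm whether a flagged system file really has been altered before deciding between a scanner's verdict and a full reinstall. It assumes Windows Vista or later with PowerShell, an elevated prompt, and a known-good copy of the same Windows build at a constructed path; `svchost.exe` is used only because the article uses it as its example.

```powershell
# Added example: verify a flagged system file instead of trusting the scanner blindly.
# Assumptions: Windows Vista or later, PowerShell, elevated prompt.
$file = 'C:\Windows\System32\svchost.exe'   # the file the scanner flagged

# 1. Microsoft signs the files it ships. A Valid signature means the bytes have not
#    changed since signing; HashMismatch or NotSigned on a system file is suspect.
#    (Catalog-signed files are checked on recent PowerShell versions.)
$sig = Get-AuthenticodeSignature -FilePath $file
"{0}: signature {1}" -f $file, $sig.Status
if ($sig.SignerCertificate) { "Signer: " + $sig.SignerCertificate.Subject }

# 2. Compare with a known-good copy from an identical Windows version and service pack
#    (constructed path; a copy from a different build will legitimately differ).
$reference = 'E:\known-good\svchost.exe'
if (Test-Path $reference) {
    $flagged = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
    $known   = (Get-FileHash -Algorithm SHA256 -Path $reference).Hash
    if ($flagged -eq $known) { 'Hashes match: file is identical to the reference copy.' }
    else                     { 'Hashes differ: file was modified or is a different build.' }
}

# 3. Let Windows File Protection / System File Checker do the work.
#    /verifyonly reports altered protected files without changing anything;
#    /scannow additionally repairs them from the component store (or, on XP,
#    from the installation media), which is the step to run from Safe Mode.
sfc /verifyonly
# sfc /scannow
```

If the signature is valid and the hash matches the reference copy, the daily warning is far more likely to be a false positive than an infected system file; if either check fails, the article's advice to restore from a clean image or rebuild still applies, because a file that has been modified was rarely the only thing the malware touched.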

Finally, if you know the infected file and you really like living on the edge, it may be possible to restore the file manually. I'm not going to spell out the details since it does require a level of familiarity with things best left to experts, but in short it involves booting from a different media (typically a Linux Live CD, or your Windows Recovery Console on your installation media), and manually expanding and copying the original file on top of the infected one. For most people, this should be considered a next-to-last resort, only because it's rare that a virus that's simple enough to be repaired by replacing a single file this way would have been sophisticated enough to infect system files. What that means is that it's likely that even replacing a single infected file will not be enough to resolve the problem.

Article C3801 - July 9, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


5 Comments
DSU
July 9, 2009 10:05 AM

One thing I want to point out. I have never had anything marked "Trojan horse Downloader.Generic8.ABKH" or the like be anything other than a false positive. When this happens, upload the file to a service like http://virscan.org/ to see if any other virus scanners agree. This is especially critical if it is a system file. "Generic" means it is not in the database but appears to be a virus. Since few of us get the real cutting-edge malware, it is worth the time to check.

howiem
July 14, 2009 9:30 AM

A web search for the trojan indicated it can be fixed: http://freeforum.avg.com/read.php?4,178474,178797, http://freeforum.avg.com/read.php?4,180496,180496#msg-180496

I'd also recommend that the user get HijackThis from Trend Micro, run a scan, create a log file and post it on a HijackThis forum for assistance.

Dave Markley
July 14, 2009 12:26 PM

I have a suggestion that may help if it will work, but I haven't needed to try it (yet). If you know someone who has the identical version of Windows (not just XP, or Vista, or whatever but the same service packs, build code etc.) copy the file from their PC (I'm also using 'svchost.exe' for an example) onto a flash drive. Then copy it into your computer. You'll be asked whether or not to 'overwrite' the existing file - click 'yes'. In theory this should 'overwrite' (delete) your 'infected' svchost.exe file and replace it with the original, undamaged one. Just make sure to create a 'restore point' first. Good luck!

JH
July 14, 2009 1:59 PM

You may need to boot into the Recovery Console first; otherwise the file will probably be in use if it's a system file.

Alan
July 17, 2009 6:29 AM

Has the user tried the program "Malwarebytes"? It's a free malware remover. To me it's one of the best programs out there on the market. You can use the free version, but you have to run it manually. Your AV program only does so much, but the malware remover programs do much more. Users should not rely on Windows Defender; it does nothing on your system. To me it's just a lame-duck program. Main thing: usually if you've got a nasty virus on your system, your best case is to rebuild the system. Some people say that's the last way out, but it is the only way for the user to regain control of their systems. But first try the "Malwarebytes" program; there may be other malware hidden under this program.
