
Why can't this trojan be removed?

Question:

I got the following infection warning “Trojan horse Downloader.Generic8.ABKH” followed by “Object is white-listed (critical/system file that should not be removed)”

Questions: Is this true? What does white-listed mean? Aren’t Trojan Horses bad? And if it’s critical, why does it keep popping up every day on the virus scan as an infection?

There are two ways that malware can get itself onto your system:

First, it can install additional files that contain the malicious code. No real surprise, I suppose.

Second, and perhaps more dangerous, it can place itself inside existing files. If those existing files happen to be part of Windows itself, things get ugly, fast.

I’m guessing it’s this latter scenario you’re seeing.


The word “critical” in the warning doesn’t mean that the infection is critical (it may or may not be); it means that the file in which the infection was found is a “critical system file”. In other words, the malware has modified a file that Windows needs in order to run and placed its own code inside it. You can’t simply remove the infected file, because Windows won’t run without it.

A great example is our friend “svchost.exe”. That file is a required component of Windows. It’s “critical” to Windows being able to operate. Remove it, and Windows won’t even boot.


Knowing that it’s required, virus writers often target it: they create malware that infects svchost.exe by modifying the file itself. Why? Because they know that you can’t just delete it.

That’s what “whitelisted” probably means here. The file c:\windows\system32\svchost.exe is on the scanner’s list of files that must never simply be deleted or quarantined, because doing so would crash your system and render it unbootable.

In fact, that’s where many anti-malware products just stop. Repairing an infected but otherwise required system file is not just difficult; it’s often beyond their abilities, if not plain impossible. That’s why you’re seeing the same warning every day: your anti-malware program detects the infection but can’t fix it.

So, what to do?

By far the safest thing to do is backup, reformat and reinstall everything from scratch. I know, it’s a royal pain and a lot of work, but it’s the only way to be 100% certain you’ve removed any malware infestation. (Alternately, if you have an image backup from a time prior to the infection, you can restore to that.)

Windows actually includes some level of protection against this type of attack in the form of Windows File Protection: if critical system files are altered, Windows is supposed to be able to detect the change and recover the original. Obviously, this can be thwarted by sufficiently adept malware. The System File Checker (sfc /scannow) forces a check of all protected system files and, if any are found altered, attempts to restore them from Windows’ own cache of originals or, failing that, from your original installation media. So, like a full reinstall, this may require your original Windows installation CDs. It should probably be run after booting into safe mode, to increase the likelihood of its success.
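Before you rebuild a machine on the strength of a single “whitelisted” warning, it’s worth confirming that the named file really has been altered. The following PowerShell script is an added example, not something from the article above: it checks the file’s Authenticode signature (any change to the bytes of a Microsoft-signed binary breaks the signature), records its SHA-256 hash so you can compare it with the same file on a machine running the identical Windows build or look it up on a multi-engine scanner, and only then runs the System File Checker described above. It assumes Windows 7 or later with PowerShell 4 or newer (for Get-FileHash), an elevated prompt, and that the file named in the warning is svchost.exe; the `$File` path is the one to change if your warning names something else.

```powershell
# Added example (not from the Ask Leo! article). Assumptions: Windows 7 or later,
# PowerShell 4+ (Get-FileHash), elevated prompt. $File is the file the scanner flagged.
$File = "$env:windir\System32\svchost.exe"

# 1. Verify the Authenticode signature. A genuine Microsoft binary is signed; a copy
#    that malware has patched reports HashMismatch, because the signed hash no longer
#    matches the file's contents.
#    Caveat: many Windows binaries are signed through security catalogs rather than an
#    embedded signature. Older PowerShell versions do not consult catalogs, so a genuine
#    file can show NotSigned there. Treat HashMismatch as "definitely modified" and
#    NotSigned as "check further", not as proof of infection.
$sig = Get-AuthenticodeSignature -FilePath $File
"{0}`n  Status : {1}`n  Signer : {2}" -f $File, $sig.Status, $sig.SignerCertificate.Subject

# 2. Record the SHA-256 hash. Compare it with the hash of the same file on another PC
#    running the exact same Windows version and service pack, or submit it to a
#    multi-engine scanner to see whether other products agree with the detection.
$hash = (Get-FileHash -Path $File -Algorithm SHA256).Hash
"  SHA256 : $hash"

# 3. If the signature is not valid, let Windows try to repair the file. SFC checks every
#    protected system file and replaces altered ones from its own cache of originals.
#    (This is the same tool the article describes; running it from Safe Mode is preferred.)
if ($sig.Status -ne 'Valid') {
    "Signature not valid; running System File Checker..."
    sfc /scannow

    # SFC logs what it verified and repaired to CBS.log (Vista and later); the [SR]
    # entries are the ones that matter. Show the most recent ones.
    Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
        Select-Object -Last 40 |
        ForEach-Object { $_.Line }
}
else {
    "Signature is valid: the file matches what Microsoft shipped. The warning is likely a false positive."
}
```

If step 1 reports HashMismatch and SFC cannot repair the file, the article’s advice stands: the infection is beyond what a scanner can fix, and a restore from a pre-infection image or a clean reinstall is the reliable way out.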

Finally, if you know the infected file and you really like living on the edge, it may be possible to restore the file manually. I’m not going to spell out the details, since it requires a level of familiarity with things best left to experts, but in short, it involves booting from different media (typically a Linux Live CD, or the Windows Recovery Console on your installation media) and manually expanding and copying the original file on top of the infected one. For most people, this should be considered a next-to-last resort, because malware sophisticated enough to infect a system file is rarely simple enough to be cured by replacing that one file. In other words, it’s likely that even replacing the infected file will not be enough to resolve the problem.


7 comments on “Why can't this trojan be removed?”

  1. One thing I want to point out. I have never had anything marked “Trojan horse Downloader.Generic8.ABKH” or the like be anything other than a false positive. When this happens, upload the file to a service like http://virscan.org/ to see if any other virus scanners agree. This is especially critical if it is a system file. “Generic” means it is not in the database but appears to be a virus. Since few of us get the real cutting-edge malware, it is worth the time to check.

    Reply
  2. I have a suggestion that may help if it will work, but I haven’t needed to try it (yet). If you know someone who has the identical version of Windows (not just XP, or Vista, or whatever but the same service packs, build code etc.) copy the file from their PC (I’m also using ‘svchost.exe’ for an example) onto a flash drive. Then copy it into your computer. You’ll be asked whether or not to ‘overwrite’ the existing file – click ‘yes’. In theory this should ‘overwrite’ (delete) your ‘infected’ svchost.exe file and replace it with the original, undamaged one. Just make sure to create a ‘restore point’ first. Good luck!

    Reply
  3. Has the user tried the program “Malwarebytes”? It’s a free malware remover. To me it’s one of the best programs out there on the market. You can use the free version, but you have to run it manually. Your AV program only does so much, but the malware remover programs do much more. Users should not rely on Windows Defender; it does nothing on your system. To me it’s just a lame-duck program. Usually, if you’ve got a nasty virus on your system, your best case is to rebuild the system. Some people say that’s the last way out, but it is the only way for the user to regain control of their systems. But first try the “Malwarebytes” program; there may be other malware hidden under this one.

    Reply
  4. I’m shown a Trojan Virus by Windows Defender when I scan with it, and it points to delete it in offsite. I tried to do it but it doesn’t work as I see it again on the next scans. It hasn’t bothered me except 2 weeks ago I got some bad visible virus occupying the entire screen, stopping my cursor and urging to call them instantly, etc. I haven’t received any more visible viruses but I still wanted to try again. However, after reading Leo’s explanation, I’ll just let it go as long as it doesn’t “attack” me. I write this for those who aren’t savvy, like myself.

    Reply
