I got the following infection warning “Trojan horse
Downloader.Generic8.ABKH” followed by “Object is white-listed (critical/system
file that should not be removed)”.
Questions: Is this true? What does white-listed mean? Aren’t Trojan Horses
bad? And if it’s critical, why does it keep popping up every day on the virus
scan as an infection?
There are two ways that malware can enter your system:
First, they can install additional files on your system that contain the
malicious code. No real surprise, I suppose.
Second, and perhaps most dangerous, they can place themselves inside
existing files. And if those existing files happen to be files that
comprise part of Windows itself, things get ugly, fast.
And I’m guessing it’s this latter scenario you’re seeing.
The word “critical” in the error message doesn’t mean that the infection is critical (it may or may not be), it means that the file in which the infection was found is a “critical system file”. That means the virus has modified and placed itself inside a file which is critical to Windows being able to run. You can’t simply remove the infected file – Windows won’t run without it.
A great example is our friend “svchost.exe”. That file is a required component of Windows. It’s “critical” to Windows being able to operate. Remove it, and Windows won’t even boot.
Knowing that it’s required, virus writers often target it – they create malware that actually infects the file svchost.exe by modifying it. Why? Because they know that you can’t just delete it.
That’s what “whitelisted” probably means. The file c:\windows\system32\svchost.exe is “whitelisted” because it can never be simply deleted. Doing so would crash your system and render it unbootable.
In fact, that’s where many anti-malware products just stop. Repairing an infected but otherwise required system file is not just difficult, it’s often beyond their abilities if not just plain impossible. That’s why you’re seeing it every day – your anti-malware program can’t fix it.
So, what to do?
By far the safest thing to do is backup, reformat and reinstall everything from scratch. I know, it’s a royal pain and a lot of work, but it’s the only way to be 100% certain you’ve removed any malware infestation. (Alternately, if you have an image backup from a time prior to the infection, you can restore to that.)
Windows actually includes some level of protection against this type of attack in the form of Windows File Protection – if critical system files are altered, Windows is supposed to be able to detect and recover from it. Obviously, this can be thwarted by sufficiently adept malware. The System File Checker will force a check of all system files, and if any are found altered it will attempt to restore them from your original media. Like a full reinstall, this will likely require your original Windows installation CDs. In addition, it should probably be run after having booted into safe mode, to increase the likelihood of its success.
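The two paragraphs above describe what an in-place modification of a critical file looks like and how the System File Checker is meant to catch it. The script below is an added example (written for this page, not part of the original article or of any anti-malware product) that lets you see the same thing for yourself from an elevated PowerShell prompt: every genuine Windows system file carries a Microsoft Authenticode signature (on current Windows versions via a signed catalog, which Get-AuthenticodeSignature consults), so a file that has been altered on disk no longer verifies. The list of files checked is my choice; svchost.exe is the one named in the article, the others are assumptions added for illustration.

```powershell
# Added example, not from the original article. Run from an elevated
# (Administrator) PowerShell prompt; sfc itself refuses to run otherwise.

# Files to inspect. svchost.exe is the one discussed in the article; the
# other two are assumed examples of further critical system files.
$criticalFiles = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\lsass.exe"
)

foreach ($path in $criticalFiles) {
    if (-not (Test-Path -Path $path)) {
        Write-Output "$path : MISSING"
        continue
    }

    # Status tells you whether the file's bytes still match its signature:
    #   Valid        - unmodified and signed by a trusted publisher
    #   HashMismatch - contents changed after signing (in-place modification)
    #   NotSigned    - no signature found, unexpected for a Windows binary
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(none)" }

    # A SHA-256 hash is useful for comparing against a known-good copy
    # taken from installation media or another clean machine.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    Write-Output ("{0}`n  status : {1}`n  signer : {2}`n  sha256 : {3}" -f $path, $sig.Status, $signer, $hash)
}

# Let Windows check all protected files without changing anything yet.
# Use 'sfc /scannow' instead to also attempt repairs, ideally from safe mode
# as the article recommends.
sfc /verifyonly

# sfc writes its findings to the CBS log; the [SR] lines are the ones
# that report verification and repair results.
Select-String -Path "$env:SystemRoot\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
    Select-Object -Last 20
```

A status other than Valid on one of these files is consistent with the warning in the question: the scanner has found something it cannot simply delete. A Valid result, on the other hand, tells you the on-disk file is intact, which points toward the infection living somewhere other than the named system file, so the repair-by-replacement route at the end of the article would not help.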
Finally, if you know the infected file and you really like living on the edge, it may be possible to restore the file manually. I’m not going to spell out the details since it does require a level of familiarity with things best left to experts, but in short it involves booting from a different media (typically a Linux Live CD, or your Windows Recovery Console on your installation media), and manually expanding and copying the original file on top of the infected one. For most people, this should be considered a next-to-last resort, only because it’s rare that a virus that’s simple enough to be repaired by replacing a single file this way would have been sophisticated enough to infect system files. What that means is that it’s likely that even replacing a single infected file will not be enough to resolve the problem.