Trojan:Win32/Malgent!ml

Trojan:Win32/Malgent!ml Won't Delete? Here's the Fix

Cybersecurity & Malware Intermediate 📅 May 28, 2026

Windows Defender flags this trojan but can't remove it because it's hiding in system restore or running from memory. Here's how to kill it for good.

When This Error Pops Up

You're working away, maybe installing some software from a site that looked legit, and suddenly Windows Defender goes red. The notification says it found Trojan:Win32/Malgent!ml. You click ‘Clean’ or ‘Remove’, and it looks like it worked. But a few hours later — bang — same alert again. Or worse, Defender says ‘Action failed’ and nothing happens at all.

I saw this last month with a client who ran a small real estate office. They'd downloaded a PDF viewer from a third-party site, and that was it — the trojan kept popping up in their system files, and Defender couldn't touch it. Eventually, their whole print queue locked up because the malware was messing with spooler services.

What's Really Going On

Trojan:Win32/Malgent!ml is a machine-learning detection — Defender's AI flagged suspicious behavior, not a known signature. The problem? This trojan often hides in System Restore points, or it runs from memory (a process you can't easily kill). When Defender tries to delete the file, the OS says ‘nope, it's protected’ because the restore point owns it, or the process is still active. So Defender quarantines it, but the restore point keeps spawning it back, or the process just re-creates the file.

The core issue: Defender can't delete files that are locked by System Restore or actively running from a protected location like C:\System Volume Information. You have to break that lock first.

Step-by-Step Fix (Takes 15 Minutes)

Step 1: Boot Into Safe Mode with Networking

This stops most malware processes from starting. Open the Start menu power options (or the sign-in screen), hold the Shift key and click Restart. On the blue recovery screen, go to Troubleshoot > Advanced Options > Startup Settings > Restart. When the list appears, press F5 for Safe Mode with Networking.

Step 2: Run Defender Full Scan in Safe Mode

In Safe Mode, open Windows Security (search ‘Defender’ in the start menu). Go to Virus & threat protection > Scan options > Full scan. Let it run — this can take 30-60 minutes. Once it finishes, click ‘Start actions’ to remove whatever it finds. This time, it should actually delete the files since the malware processes aren't running.

Step 3: Delete All System Restore Points

Here's the trick most people miss. Open the start menu, type ‘Create a restore point’ and hit Enter. In the System Properties window, select your system drive (usually C:), then click Configure. Click Delete to wipe all restore points. Yes, you lose your restore history — but that's where the trojan was hiding. After that, click OK and close out.

Step 4: Run Disk Cleanup to Nuke the Hidden Copies

Open the start menu, type ‘Disk Cleanup’, and run it. Select your C: drive. Click Clean up system files. Check System Restore and Shadow Copies (it may be called ‘Volume Shadow Copy’). Click OK and confirm. This wipes any leftover hidden copies the trojan was using to respawn.
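Steps 1 through 4 can also be run from an elevated Windows PowerShell prompt instead of clicking through the GUI. The staged script below is an added example, not from the original article; it assumes Windows PowerShell 5.1 (the restore-point cmdlets are not available in PowerShell 7), that Defender is the active antivirus, and that the system drive is C:. The stage names and the YES confirmation prompt are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: Steps 1-4 as a staged script.
# Assumptions: Windows PowerShell 5.1, Defender is the active AV, system drive C:.
param(
    [Parameter(Mandatory)]
    [ValidateSet('EnterSafeMode', 'ScanAndClean', 'PurgeRestorePoints', 'LeaveSafeMode')]
    [string]$Stage
)

switch ($Stage) {

    # Step 1: arm Safe Mode with Networking for the next boot (replaces the Shift+Restart menu).
    'EnterSafeMode' {
        bcdedit /set "{current}" safeboot network
        Write-Host 'Next boot is Safe Mode with Networking. Reboot, sign in, then run -Stage ScanAndClean.'
    }

    # Step 2: full scan while the malware's own processes are not running.
    'ScanAndClean' {
        $status = Get-MpComputerStatus
        if (-not $status.AMServiceEnabled) {
            throw 'Defender service is not running (older build in Safe Mode, or tampering). Use the Offline Scan instead.'
        }
        Update-MpSignature -ErrorAction SilentlyContinue   # networking is available in this Safe Mode
        Start-MpScan -ScanType FullScan                     # blocks until the scan finishes
        $active = Get-MpThreat | Where-Object IsActive
        if ($active) {
            $active | Select-Object ThreatName, SeverityID, Resources | Format-List
            Remove-MpThreat                                 # same as clicking 'Start actions'
        }
        # Detection history: rows with ActionSuccess = False are the earlier 'Action failed' alerts.
        Get-MpThreatDetection |
            Sort-Object InitialDetectionTime -Descending |
            Select-Object -First 10 InitialDetectionTime, ActionSuccess, ProcessName, Resources |
            Format-Table -AutoSize -Wrap
    }

    # Steps 3 and 4: discard the restore points and shadow copies the file keeps coming back from.
    'PurgeRestorePoints' {
        Write-Host 'Restore points that will be discarded:'
        Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
        vssadmin list shadows /for=C:
        if ((Read-Host 'Type YES to delete all restore points and shadow copies on C:') -ne 'YES') { return }
        # Turning System Protection off discards every restore point on the drive (the GUI's Delete button).
        Disable-ComputerRestore -Drive 'C:\'
        # Disk Cleanup's 'System Restore and Shadow Copies' option without the GUI: remove what is left.
        vssadmin delete shadows /for=C: /all /quiet
        # Turn protection back on; create a fresh restore point only after Steps 5 and 6 are finished.
        Enable-ComputerRestore -Drive 'C:\'
    }

    # Undo Step 1 so the machine boots normally for Step 5.
    'LeaveSafeMode' {
        bcdedit /deletevalue "{current}" safeboot
        Write-Host 'Normal boot restored. Reboot and continue with Step 5.'
    }
}
```

Run the stages in order with a reboot after EnterSafeMode and after LeaveSafeMode, from powershell.exe rather than pwsh.exe. Leaving System Protection on but not creating a checkpoint until the persistence checks are done avoids snapshotting whatever the later steps still have to remove.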

Step 5: Check Running Processes and Startup

Boot back into normal mode. Open Task Manager (Ctrl+Shift+Esc). Look for anything with a random name like syshelp.exe, a svchost.exe running from an unusual path (such as AppData\Local\Temp), or unexplained CPU spikes. Right-click and End task if you see something suspicious. Next, go to the Startup tab in Task Manager and disable anything you didn't install yourself.

Step 6: Use Autoruns to Catch Persistence (Advanced Step)

If the trojan keeps coming back, download Autoruns from Sysinternals (free from Microsoft). Run it as admin. Look for entries signed by ‘Unknown’ or with no description, especially in the Logon and Scheduled Tasks tabs. Uncheck any that look like run32dll or random strings — those are often leftover persistence mechanisms. I had a case where the trojan was hiding as a scheduled task named MicrosoftEdgeUpdateTask — fake, but clever.

If It Still Fails After These Steps

Sometimes the trojan has deeper hooks. Here's what to check next:

  • Check for hidden admin accounts: Open Command Prompt as admin, type net user, and look for accounts you didn't create. If you see one like Admin or Debug, delete it with net user [name] /delete.
  • Run a second opinion scanner: Download Malwarebytes free version and run a scan. It catches things Defender misses. I've seen Malwarebytes find Malgent variants that Defender's ML model flagged but couldn't touch.
  • Use Windows Defender Offline Scan: In Windows Security, go to Virus & threat protection > Scan options > Microsoft Defender Offline Scan. Click Scan now. This reboots into a pre-Windows environment that can delete locked files.
  • Check browser extensions: Open Chrome or Edge, go to chrome://extensions (or the Edge equivalent), and remove anything you don't recognize. Some Malgent variants install a browser helper that auto-reloads the payload.
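The process, startup, scheduled-task and local-account checks from Step 5, Step 6 and the first bullet above can be gathered in one read-only pass. The script below is an added example, not from the original article; it reports and removes nothing. It assumes Windows PowerShell 5.1, default install paths and an English-locale Administrators group; the list of user-writable prefixes and the list of system-looking process names are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: a read-only triage pass over the places
# Steps 5 and 6 and the hidden-account check say to look. Assumptions: Windows PowerShell 5.1,
# default paths, English-locale 'Administrators' group; the prefix and name lists are my own.

$userWritable = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:windir\Temp\")
$systemNames  = 'svchost.exe','lsass.exe','csrss.exe','winlogon.exe','explorer.exe','spoolsv.exe','dllhost.exe'
$findings     = New-Object System.Collections.Generic.List[object]

function Test-UserWritablePath([string]$Path) {
    if (-not $Path) { return $false }
    foreach ($prefix in $userWritable) {
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the executable out of a Run-key or task command line ("C:\x y\a.exe" /arg  or  a.exe /arg).
function Get-ExeFromCommand([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

# Autoruns-style signer check: Valid / NotSigned / HashMismatch / missing.
function Get-SignerStatus([string]$Path) {
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $cmd = Get-Command $Path -ErrorAction SilentlyContinue      # bare names such as cmd.exe
        if ($cmd) { $Path = $cmd.Source } else { return 'missing' }
    }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

function Add-Finding([string]$Check, [string]$Item, [string]$Signer, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Signer = $Signer; Reason = $Reason })
}

# Step 5: system-looking names outside C:\Windows, or anything running from a user-writable directory.
foreach ($p in Get-CimInstance Win32_Process) {
    $exe = $p.ExecutablePath
    if (-not $exe) { continue }                                     # protected system processes report no path
    $label = "$($p.Name) PID $($p.ProcessId)"
    if ($p.Name -in $systemNames -and -not $exe.StartsWith("$env:windir\", [StringComparison]::OrdinalIgnoreCase)) {
        Add-Finding 'Process' $label (Get-SignerStatus $exe) "system process name from $exe"
    } elseif (Test-UserWritablePath $exe) {
        Add-Finding 'Process' $label (Get-SignerStatus $exe) "running from user-writable path $exe"
    }
}

# Step 5 Startup tab / Step 6 Logon tab: Run and RunOnce keys plus the two Startup folders.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $values = Get-ItemProperty -Path $key
    foreach ($name in ($values.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $exe    = Get-ExeFromCommand ([string]$values.$name)
        $signer = Get-SignerStatus $exe
        if ($signer -ne 'Valid' -or (Test-UserWritablePath ([Environment]::ExpandEnvironmentVariables($exe)))) {
            Add-Finding 'Autostart' "$key\$name" $signer "unsigned or user-writable autostart: $exe"
        }
    }
}
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Autostart' $_.FullName (Get-SignerStatus $_.FullName) 'file in a Startup folder' }
}

# Step 6 Scheduled Tasks tab: enabled tasks whose action is unsigned or lives in a user-writable directory.
foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }                      # COM-handler actions have no Execute
        $exe    = Get-ExeFromCommand $action.Execute
        $signer = Get-SignerStatus $exe
        if ($signer -ne 'Valid' -or (Test-UserWritablePath ([Environment]::ExpandEnvironmentVariables($exe)))) {
            Add-Finding 'Task' "$($task.TaskPath)$($task.TaskName)" $signer "unsigned or user-writable task action: $($action.Execute)"
        }
    }
}

# Hidden admin accounts: every enabled local user in Administrators, to compare with the accounts you created.
foreach ($m in (Get-LocalGroupMember -Group 'Administrators' | Where-Object ObjectClass -eq 'User')) {
    $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue    # domain members return nothing and are skipped
    if ($u -and $u.Enabled) {
        Add-Finding 'Account' $m.Name '-' "enabled local admin, last logon $($u.LastLogon)"
    }
}

$findings | Sort-Object Check, Item | Format-Table -AutoSize -Wrap
```

Run it from an elevated Windows PowerShell prompt. Per-user installers (browsers, chat clients) legitimately live under AppData and will appear with Signer = Valid; the rows worth chasing are NotSigned or missing signers, system-looking names outside C:\Windows, and admin accounts you don't recognize. Removal is still done with the steps above (End task, uncheck in Autoruns, net user [name] /delete); if findings keep returning after cleanup, Start-MpWDOScan triggers the same Microsoft Defender Offline Scan as the third bullet.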

If none of that works, honestly, your best bet is a fresh Windows install. Back up your personal files (scan them with Malwarebytes first), then use the Reset this PC option in Settings > Update & Security > Recovery. Choose ‘Remove everything’. It's nuclear, but it's faster than chasing a rootkit for two days.

The bottom line: Malgent!ml is a pain because it's a behavioral detection, not a fixed signature. But once you kill its hiding spots — restore points and persistence — you can get rid of it. Don't waste time running Defender ten times. Follow these steps and you'll be done in under an hour.
