The system repeatedly displays a “Critical System Error!” pop-up message saying “Your browser was infected by Trojan.Win32.Obfuscated.gx. You need to clean your system immediately, in other case it can be crashed soon! Click OK to download the high-tech antispyware protection software! (Recommended).” The pop-up appears at random moments, such as when opening a URL in IE, clicking a link on a web page or clicking a file item in Windows Explorer.
If ‘infected’ users click the OK button to download the high-tech antispyware remover, an executable named defender-install.exe is offered. In addition, Google, Yahoo! and Windows Live search results may be hijacked, so that clicking links in the search results directs users to incorrect and misleading websites rather than the intended sites. Worst of all, the infection warning message may appear in the search results page too.
Trojan.Win32.Obfuscated.gx (also known as Trojan.Win32, Trojan.Win32.agent.akk, Trojan.Zlob, Trojan.Zlob-X.a, Trojan.Win32.LinkReplacer, Trojan.Win32.StarField, Trojan.Win32.Startpage.fq, Trojan.Agent, Trojan.Win32.Gorshok.a, Worm.Win32.Sober, Trojan.Vundo, Trojan.KillAV, Trojan.Win32.Patched, Trojan.Win32.CP4000, Trojan Win32/Qoologic, Trojan Win32.Murlo and other unknown Trojans) is in essence not a virus by itself. Instead, it is a malicious trick by new rogue anti-spyware programs such as IE Defender or Files Secure, which display one of the Trojans listed above as a scan result in fake system security alerts. The aim is to mislead users into downloading, and subsequently paying for, the rogue antispyware program just to remove the Trojan that the program planted on the users’ computers itself.
The Trojan.Win32.Obfuscated.gx malware can infect a computer through a fake video codec that the user is asked to install when playing a video, usually adult content and sexually explicit videos downloaded from P2P sharing sites or torrents, such as the infamous Edison Chen sex photos scandal.
There are various ways to safely remove Trojan.Win32.Obfuscated.gx, Trojan.Win32, Trojan.Win32.agent.akk or Trojan.Zlob. Most new antivirus and anti-spyware programs updated with the latest signatures should be able to detect and delete the Trojan horse. If your anti-virus program doesn’t do its job properly, here are the manual removal instructions to clean and remove traces of Trojan.Win32.Obfuscated.gx from your system safely and easily.
- Click on the Start Menu button, then click on the Control Panel option, and then double-click on the Add or Remove Programs icon or Uninstall a program link.
- Locate Trojan.Win32.Obfuscated.gx (or its related variant name) and double-click on it to uninstall the Trojan. Follow the step-by-step on-screen instructions to complete the uninstallation. If Trojan.Win32.Obfuscated.gx is not listed as one of the items that can be uninstalled, skip to step 5.
- Restart the computer when prompted.
- The system will continue uninstalling the Trojan. When the uninstallation has completed, exit the “Add or Remove Programs” and “Control Panel” or “Programs and Features” folder.
- Close all programs, especially Internet Explorer and Windows Explorer.
- Run Registry Editor (regedit.exe), and then search for and delete all of the following infected entries in the registry:
- Open Task Manager (taskmgr.exe) and terminate any Trojan.Win32.Obfuscated.gx (or its variant) process.
- Locate the path to each of the following Trojan-infected files. Unregister these DLLs with the command below at a command prompt, and then rename the infected DLL files to BADFILE1.DLL, BADFILE2.DLL, BADFILE3.DLL and so on:
Command to unregister a DLL (run the command in the folder which contains the DLL, using “cd” to change directory):
regsvr32 /u FILENAME.dll (FILENAME is the name of the file that you want to unregister, listed below)
Trojan-infected DLLs:
mlljh.dll
ibpmxtbv.dll
ljjhedc.dll
cabvie.dll
windivx.dll
ddayv.dll
vkcxxfvi.dll
ssqpo.dll
stream32a.dll
vipextqtr.dll
ecxwp.dll
gebca.dll
ddcdedd.dll
advpac.dll
tdlRMS.dll
lcxmehhg.dll
hdbxuqje.dll
mljge.dll
ddcbyvt.dll
advrepkon.dll
ddccd.dll
sgqddvym.dll
pofwjina.dll
bkfgnqhm.dll
orkbobob.dll
tuvttrr.dll
cpwvehup.dll
enhtb.dll
Note: If you are unable to delete or rename the files, restart the computer, boot into safe mode and try again.
- Go to C:\Program Files\ folder and delete the “IE Defender” folder, if found.
Note: If you are unable to rename the files, restart the computer, boot into safe mode and try again.
- Restart the computer.
- If no problem exists, delete all the “BADFILE*.DLL” files that were renamed from the infected DLLs.
- If IE homepage has been changed or hijacked, go to Start -> Control Panel -> Internet Options, click on the General tab, and then click Use Default under Home Page. Type in the new desired default homepage, then click Apply or OK button. Open a new web browser to check that IE displays the desired default homepage.
- To remove Trojan.Win32.Obfuscated.gx or its variant icons from the Desktop, simply delete them or drag and drop them to the Recycle Bin.
Trojan.Win32.Obfuscated.gx is now completely removed and cleaned from the system. If you prefer a more automated way to delete the virus, use SmitFraudFix (no longer available) or follow the guide below to use FixIEDef, which specifically removes AntiSpyPro, Files Secure, and IEDefender and thus eliminates the “Fake Alerts” generated by Trojan-Downloader.Win32.Delf. FixIEDef also removes Trojan-Downloader.Win32.Delf from the system.
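The unregister-and-rename step above can be scripted. The following PowerShell script is an added example, not part of the original guide or of any tool it mentions; the parameter names, the default search folder and the log path are assumptions. It matches exact file names only, so a legitimate DLL with a similar name (for instance Windows' own advpack.dll next to the listed advpac.dll) is left alone, and it records each file's hash and signature status before touching it.

```powershell
# Added example (not from the original guide). Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Exact DLL file names copied from the list in the guide.
    [Parameter(Mandatory)][string[]]$Names,
    # Assumption: folder to search; the guide does not state where the DLLs live.
    [string]$SearchRoot = (Join-Path $env:SystemRoot 'System32'),
    # Assumption: CSV record of every action, kept for later review.
    [string]$LogPath = (Join-Path $env:TEMP 'badfile-rename-log.csv')
)

# -contains compares whole strings case-insensitively: no wildcard matching.
$hits = Get-ChildItem -LiteralPath $SearchRoot -Filter '*.dll' -File -Recurse `
            -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name }

$n = 0
foreach ($dll in $hits) {
    $n++
    $newName = "BADFILE$n.DLL"
    # Capture evidence before the file is changed.
    $sha256 = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
    $sig    = (Get-AuthenticodeSignature -LiteralPath $dll.FullName).Status

    if (-not $PSCmdlet.ShouldProcess($dll.FullName, "unregister, rename to $newName")) {
        continue
    }
    # regsvr32 /u unregisters the DLL; /s suppresses its message boxes.
    $proc = Start-Process regsvr32.exe -Wait -PassThru `
                -ArgumentList '/u', '/s', "`"$($dll.FullName)`""
    $renamed = $true
    try {
        Rename-Item -LiteralPath $dll.FullName -NewName $newName -ErrorAction Stop
    } catch {
        # Usually a locked file: retry in safe mode, as the guide advises.
        $renamed = $false
    }
    [pscustomobject]@{
        Original     = $dll.FullName
        NewName      = $newName
        Sha256       = $sha256
        Signature    = $sig
        Regsvr32Exit = $proc.ExitCode
        Renamed      = $renamed
    } | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
}
```

Run it with `-WhatIf` first to list what would be unregistered and renamed without changing anything; rows with `Renamed` set to `False` are the files to retry from safe mode.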
- Download FixIEDef.exe by ShadowPuterDude to the Desktop.
Note that FixIEDef.exe must be saved to desktop or it may not work properly.
- Double-click FixIEDef on desktop.
- Click OK.
- Click Scan! to start scanning the system for traces of Trojan.Win32.Obfuscated.gx and related Trojans.
- Click OK.
- Wait for the scanning process to finish. Both the file system and the registry will be scanned.
Note that FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
- Click Exit once FixIEDef displays the “All Finished” message.
- The FixIEDef log will be posted on the desktop. Review the content of the log if needed.
If you’re using HijackThis, there is also a how-to guide to get rid of “IE Defender” or “Files Secure” with HijackThis at Lavasoft Support forum.