The system constantly prompts a “Critical System Error!” pop up message saying “Your browser was infected by Trojan.Win32.Obfuscated.gx. You need to clean your system immediately, in other case it can be crashed soon! Click OK to download the high-tech antispyware protection software! (Recommended).” The pop up appears randomly, such as when opening a URL using IE, clicking on a link on web page or clicking on a file item in Windows Explorer.

If users ‘infected’ click on OK button to download the high-tech antispyware remover, an executable with file name as defender-install.exe will be offered. Beside, the Google, Yahoo! and Windows Live search results may also be hijacked where clicking on links in search results will direct users to incorrect and misleading websites rather than intended sites. Worse of all, the infection warning message may appear in the search results page too.

Trojan.Win32.Obfuscated.gx (can also be known as Trojan.Win32, Trojan.Win32.agent.akk, Trojan.Zlob, Trojan.Zlob-X.a, Trojan.Win32.LinkReplacer, Trojan.Win32.StarField, Trojan.Win32.Startpage.fq, Trojan.Agent, Trojan.Win32.Gorshok.a, Worm.Win32.Sober, Trojan.Vundo, Trojan.KillAV, Trojan.Win32.Patched, Trojan.Win32.CP4000, Trojan Win32/Qoologic, Trojan Win32.Murlo and other unknown Trojans) is in essence not a virus by itself, instead is a malicious trick by new rogue anti-spyware program such as IE Defender or Files Secure to con users by displaying one of the Trojan listed above as their scan results in fake system security alerts, to mislead and trick users into downloading and subsequently paying to buy the rogue antispyware program just to simply remove the Trojan that they planted on users’ computer themselves.

The Trojan.Win32.Obfuscated.gx Trojan or the malware can infect a computer through installing a fake video codec which is asked to install when playing video, usually adult contents and sexually explicit videos downloaded from P2P sharing sites or torrents, such as the infamous Edison Chen sex photos scandal.

There are various way to safely remove Trojan.Win32.Obfuscated.gx, Trojan.Win32, Trojan.Win32.agent.akk or Trojan.Zlob. Most new antivirus and anti-spyware programs updated with latest signature should be able to detect and delete and Trojan horse. If your anti-virus program doesn’t do its job properly, here’s the manual removal instruction to clean and remove trace of Trojan.Win32.Obfuscated.gx from your system safely and easily.

  1. Click on the Start Menu button, then click on the Control Panel option, and then double-click on the Add or Remove Programs icon or Uninstall a program link.
  2. Locate Trojan.Win32.Obfuscated.gx (or its related variant name) and double-click on it to uninstall the Trojan. Follow the step-by-step on screen instructions to complete uninstallation of the Trojan. If the Trojan.Win32.Obfuscated.gx is not found as one of the uninstallation item, step to step 5.
  3. Restart the computer when prompted.
  4. System will continue uninstalling the Trojan. When uninstallation completed, exit “Add or Remove Programs” and “Control Panel” or “Programs and Features” folder.
  5. Close all programs, especially Internet Explorer and Windows Explorer.
  6. Run Registry Editor (regedit.exe), and then search and delete all of the following infected entries in registry:

    7d4b39e4cab018496e2fe9bf9c3234b2
    69c9be662f7f284aae171adeb136cb24
    1bc5752bd72f44f004d9f061dd7f9e00
    bcf3a381bbe26d9c1ec24bac8b18f567
    8266c79a434aed795a5f3f7abb0aff0d
    696ce23305a35bb118afc42d58845791
    2982068d063848ddb0b8029750411a84
    fe6e6a62a572e84e9eaee12eb3ee8a2b
    1057a2dcd13130963be0a51c41dc4d1c
    396955766b2e512bc3545a24bc485dbe
    5f9523529ce2cac480acbda2b8bf4e1e
    7df5417b22988d88e8080a44392ade95
    cbdc7b3033e82c2065a1b48061b2ca01
    6d3c4dbecf4aaf1ae826a0a7edde5951
    e05997f932f826f0271cf32d00bbd3be
    c18c3b4771120703624baaf835feecd8
    9ceecf911241c9890541167edf53739f
    40613dee6ad5fec910606c25b25262fd
    3ba096caa45ab117721e725079cc53a1
    bb5be1c92c299a1c6bcfe67655b0a0c7
    9a9f57899a28547b04fc2da3700c95cf
    7a329404de21925daacbbbee093ff6dc

  7. Open Task Manager (taskmgr.exe) and terminate any Trojan.Win32.Obfuscated.gx (or its variant) process.
  8. Find and locate the path to the following Trojan infected files. Unregister these DLLs with command below at command prompt, and then rename the infected DLL files as BADFILE1.DLL, BADFILE2.DLL, BADFILE3.DLL and so on:

    Command to unregister DLL (Run the command in the folder which contain the DLL by using “cd” to change directory):

    regsvr32 /u FILENAME.dll (FILENAME is the name of the file that you want to unregister listed below)

    Trojan infect DLLs:

    mlljh.dll
    ibpmxtbv.dll
    ljjhedc.dll
    cabvie.dll
    windivx.dll
    ddayv.dll
    vkcxxfvi.dll
    ssqpo.dll
    stream32a.dll
    vipextqtr.dll
    ecxwp.dll
    gebca.dll
    ddcdedd.dll
    advpac.dll
    tdlRMS.dll
    lcxmehhg.dll
    hdbxuqje.dll
    mljge.dll
    ddcbyvt.dll
    advrepkon.dll
    ddccd.dll
    sgqddvym.dll
    pofwjina.dll
    bkfgnqhm.dll
    orkbobob.dll
    tuvttrr.dll
    cpwvehup.dll
    enhtb.dll

    Note: If you unable to delete or rename the files, try to restart computer in and boot in safe mode to try again.

  9. Go to C:\Program Files\ folder and delete the “IE Defender” folder, if found.

    Note: If you unable to rename the files, try to restart computer in and boot in safe mode to try again.

  10. Restart computer.
  11. If no problem exists, delete all “BADFILE*.DLL” which renamed from infected DLLs.
  12. If IE homepage has been changed or hijacked, go to Start -> Control Panel -> Internet Options, click on the General tab, and then click Use Default under Home Page. Type in the new desired default homepage, then click Apply or OK button. Open a new web browser to check that IE displays the desired default homepage.
  13. To remove Trojan.Win32.Obfuscated.gx or its variant icons from the Desktop, simply delete them or drag and drop thems to the Recycle Bin.

Trojan.Win32.Obfuscated.gx is now completely removed and cleaned from the system. If you prefer a more automated way to delete the virus, use SmithfraudFix (no longer available) or follow guide below to use FixIEDef that specifically removes AntiSpyPro, Files Secure, and IEDefender and thus eliminates the “Fake Alerts” generated by Trojan-Downloader.Win32.Delf. FixIEDef also removes Trojan-Downloader.Win32.Delf from the system.

  1. Download FixIEDef.exe by ShadowPuterDude to the Desktop.

    Note that FixIEDef.exe must be saved to desktop or it may not work properly.

  2. Double-click FixIEDef on desktop.

    FixIEDef

  3. Click OK.

    FixIEDef

  4. Click Scan! to start scanning the system for trace of Trojan.Win32.Obfuscated.gx and related Trojans.

    FixIEDef

  5. Click OK.

    FixIEDef

  6. Wait for the scanning process to finish. Both file system and registry will be scanned.

    FixIEDef Scan

    Note that FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

  7. Click Exit once FixIEDef displays the “All Finished” message.

    FixIEDef

  8. All FixIEDef log will be posted on the desktop. Review the content of the log if needed.

If you’re using HijackThis, there is also a how-to guide to get rid of “IE Defender” or “Files Secure” with HijackThis at Lavasoft Support forum.