The system repeatedly displays a “Critical System Error!” pop-up message saying “Your browser was infected by Trojan.Win32.Obfuscated.gx. You need to clean your system immediately, in other case it can be crashed soon! Click OK to download the high-tech antispyware protection software! (Recommended).” The pop-up appears at random, such as when opening a URL in IE, clicking a link on a web page or clicking a file item in Windows Explorer.
If ‘infected’ users click the OK button to download the high-tech antispyware remover, an executable named defender-install.exe is offered. In addition, Google, Yahoo! and Windows Live search results may be hijacked, so that clicking links in the search results directs users to incorrect and misleading websites rather than the intended sites. Worst of all, the infection warning message may appear in the search results page too.
Trojan.Win32.Obfuscated.gx (which may also be reported as Trojan.Win32, Trojan.Win32.agent.akk, Trojan.Zlob, Trojan.Zlob-X.a, Trojan.Win32.LinkReplacer, Trojan.Win32.StarField, Trojan.Win32.Startpage.fq, Trojan.Agent, Trojan.Win32.Gorshok.a, Worm.Win32.Sober, Trojan.Vundo, Trojan.KillAV, Trojan.Win32.Patched, Trojan.Win32.CP4000, Trojan Win32/Qoologic, Trojan Win32.Murlo and other unknown Trojans) is in essence not a virus by itself. Instead, it is a malicious trick by new rogue anti-spyware programs such as IE Defender or Files Secure, which display one of the Trojans listed above as a scan result in fake system security alerts. The aim is to mislead users into downloading, and then paying for, the rogue antispyware program just to remove a Trojan that the program planted on the computer itself.
The Trojan.Win32.Obfuscated.gx Trojan, or the malware behind it, can infect a computer through a fake video codec that the user is asked to install when playing a video, usually adult content and sexually explicit videos downloaded from P2P sharing sites or torrents, such as the infamous Edison Chen sex photos scandal.
There are various ways to safely remove Trojan.Win32.Obfuscated.gx, Trojan.Win32, Trojan.Win32.agent.akk or Trojan.Zlob. Most new antivirus and anti-spyware programs updated with the latest signatures should be able to detect and delete the Trojan horse. If your anti-virus program doesn’t do its job properly, here are the manual removal instructions to clean and remove traces of Trojan.Win32.Obfuscated.gx from your system safely and easily.
- Click on the Start Menu button, then click on the Control Panel option, and then double-click on the Add or Remove Programs icon or Uninstall a program link.
- Locate Trojan.Win32.Obfuscated.gx (or its related variant name) and double-click on it to uninstall the Trojan. Follow the step-by-step on-screen instructions to complete the uninstallation. If Trojan.Win32.Obfuscated.gx is not listed as one of the items that can be uninstalled, skip to step 5.
- Restart the computer when prompted.
- The system will continue uninstalling the Trojan. When the uninstallation is complete, exit “Add or Remove Programs” and “Control Panel” or the “Programs and Features” folder.
- Close all programs, especially Internet Explorer and Windows Explorer.
- Run Registry Editor (regedit.exe), then search for and delete all of the following infected entries in the registry:
- Open Task Manager (taskmgr.exe) and terminate any Trojan.Win32.Obfuscated.gx (or its variant) process.
- Locate the path to each of the following Trojan-infected files. Unregister these DLLs with the command below at a command prompt, and then rename the infected DLL files to BADFILE1.DLL, BADFILE2.DLL, BADFILE3.DLL and so on:
Command to unregister a DLL (run the command in the folder that contains the DLL, using “cd” to change directory):
regsvr32 /u FILENAME.dll (FILENAME is the name of the file, from the list below, that you want to unregister)
Trojan-infected DLLs:
Note: If you are unable to delete or rename the files, restart the computer, boot into safe mode and try again.
- Go to C:\Program Files\ folder and delete the “IE Defender” folder, if found.
Note: If you are unable to rename the files, restart the computer, boot into safe mode and try again.
- Restart the computer.
- If no problem exists, delete all the “BADFILE*.DLL” files that were renamed from the infected DLLs.
- If IE homepage has been changed or hijacked, go to Start -> Control Panel -> Internet Options, click on the General tab, and then click Use Default under Home Page. Type in the new desired default homepage, then click Apply or OK button. Open a new web browser to check that IE displays the desired default homepage.
- To remove Trojan.Win32.Obfuscated.gx or its variant icons from the Desktop, simply delete them or drag and drop them to the Recycle Bin.
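The unregister-and-rename steps above, scripted in PowerShell as an added example (it is not part of the original guide or of any tool the guide mentions). The DLL paths are placeholders to be replaced with the infected files identified on the machine; the `-Apply` switch and the variable names are this example's own, and without `-Apply` the script only reports what it finds.

```powershell
# Added example. Run from an elevated PowerShell prompt (safe mode if files are locked).
param(
    # Placeholder paths: replace with the infected DLLs found on this machine.
    [string[]]$SuspectDlls = @('C:\PLACEHOLDER\FILENAME1.dll', 'C:\PLACEHOLDER\FILENAME2.dll'),
    [string]$RogueFolder   = 'C:\Program Files\IE Defender',
    [switch]$Apply          # without -Apply nothing is changed (report only)
)

# On 64-bit Windows, 32-bit DLLs must be unregistered with SysWOW64\regsvr32.exe instead.
$regsvr32 = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
$n = 0

$results = foreach ($dll in $SuspectDlls) {
    $n++
    $row = [ordered]@{ Path = $dll; SHA256 = $null; Unregistered = $false; RenamedTo = $null; Note = '' }

    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        $row.Note = 'not found'
        [pscustomobject]$row
        continue
    }

    # Record a hash before touching the file, so it can be checked against AV results later.
    $row.SHA256 = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash

    if ($Apply) {
        # regsvr32 is a GUI program: wait for it and read its exit code (0 = success).
        $p = Start-Process -FilePath $regsvr32 -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
        $row.Unregistered = ($p.ExitCode -eq 0)
        try {
            $newName = "BADFILE$n.DLL"   # rename rather than delete, as in the steps above
            Rename-Item -LiteralPath $dll -NewName $newName -ErrorAction Stop
            $row.RenamedTo = $newName
        } catch {
            $row.Note = 'rename failed (file in use?): retry in safe mode'
        }
    } else {
        $row.Note = 'report only: re-run with -Apply'
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize

# The rogue program folder named in the steps above.
if (Test-Path -LiteralPath $RogueFolder -PathType Container) {
    if ($Apply) { Remove-Item -LiteralPath $RogueFolder -Recurse -Force }
    else        { Write-Output "Found $RogueFolder (re-run with -Apply to delete it)" }
}
```

The renamed BADFILE files are left in place so they can be deleted after the restart, once the system is confirmed to work normally.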
Trojan.Win32.Obfuscated.gx is now completely removed and cleaned from the system. If you prefer a more automated way to delete the virus, use SmitFraudFix (no longer available) or follow the guide below to use FixIEDef, which specifically removes AntiSpyPro, Files Secure, and IEDefender and thus eliminates the “Fake Alerts” generated by Trojan-Downloader.Win32.Delf. FixIEDef also removes Trojan-Downloader.Win32.Delf from the system.
- Download FixIEDef.exe by ShadowPuterDude to the Desktop.
Note that FixIEDef.exe must be saved to the Desktop or it may not work properly.
- Double-click FixIEDef on the Desktop.
- Click OK.
- Click Scan! to start scanning the system for traces of Trojan.Win32.Obfuscated.gx and related Trojans.
- Click OK.
- Wait for the scanning process to finish. Both the file system and the registry will be scanned.
Note that FixIEDef will kill all running copies of Internet Explorer and Explorer while it removes malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
- Click Exit once FixIEDef displays the “All Finished” message.
- The FixIEDef log will be posted on the Desktop. Review the content of the log if needed.
If you’re using HijackThis, there is also a how-to guide to get rid of “IE Defender” or “Files Secure” with HijackThis at Lavasoft Support forum.