Author Topic: win32:WOW-IX & win32:Delf-FLP  (Read 3560 times)


qinkai

  • Guest
win32:WOW-IX & win32:Delf-FLP
« on: November 11, 2007, 06:35:01 AM »
How do I remove these 2 trojans? My avast AV cannot remove them. Please help.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: win32:WOW-IX & win32:Delf-FLP
« Reply #1 on: November 11, 2007, 01:33:39 PM »
Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (See the About dialog of avast!)

Maybe you can use the full computer on-line scanning of BitDefender for free removal of the malware. Or use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: win32:WOW-IX & win32:Delf-FLP
« Reply #2 on: November 11, 2007, 01:38:19 PM »
What Operating System are you using?
Why can't avast remove it?

What error messages are you getting, or does it keep coming back? We need more information.
If the file is in use, etc., and you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php
 
For the file name and location, check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34054
  • malware fighter
Re: win32:WOW-IX & win32:Delf-FLP
« Reply #3 on: November 11, 2007, 04:42:45 PM »
Hi qinkai,

The removal instructions for the first-mentioned trojan are as follows:

Technical details

This Trojan is a modified Windows %System%\drivers\etc\hosts file, which is used to translate domain names (DNS) to IP addresses. The modified file is 1240 bytes in size. The file is modified in such a way as to prevent the user from viewing the sites listed below.

The following strings are added to the hosts file:

These modifications mean that all requests to the servers listed above will be blocked.

This is the result of the activity of another malicious program.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

   1. Modify the %System%\drivers\etc\hosts file using any standard application (e.g. Notepad). Delete the strings added by the Trojan. The original hosts file has the following contents:
      # Copyright (c) 1993-1999 Microsoft Corp.
      #
      # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      #
      # This file contains the mappings of IP addresses to host names. Each
      # entry should be kept on an individual line. The IP address should
      # be placed in the first column followed by the corresponding host name.
      # The IP address and the host name should be separated by at least one
      # space.
      #
      # Additionally, comments (such as these) may be inserted on individual
      # lines or following the machine name denoted by a '#' symbol.
      #
      # For example:
      #
      # 102.54.94.97 rhino.acme.com # source server
      # 38.25.63.10 x.acme.com # x client host

      127.0.0.1 localhost
====================================
A removal tool for the second trojan can be downloaded from here:
http://www.gdata.pl/kmdownload/download.php?op=getit&id=61


polonus
« Last Edit: November 11, 2007, 04:46:41 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
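
The hosts-file check described in Reply #3, as an added example that is not part of the original posts or any vendor's tool: it parses hosts-file text, flags names pinned to a loopback address, and returns the file content with those names removed. The function name `audit_hosts`, the `LOCAL_NAMES` set and the sample domains are assumptions constructed for illustration; the check also goes beyond the 127.0.0.1 case in the thread by covering `::1` and `0.0.0.0`.

```python
import ipaddress

# Names a default hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def audit_hosts(text):
    """Return (suspicious, cleaned): flagged (line, ip, host) tuples and the text without them."""
    suspicious, kept = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            kept.append(raw)  # blank, comment-only or malformed line
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            kept.append(raw)  # not an address: leave for manual review
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            kept.append(raw)  # ordinary mapping, out of scope for this check
            continue
        good = [h for h in fields[1:] if h.lower() in LOCAL_NAMES]
        bad = [h for h in fields[1:] if h.lower() not in LOCAL_NAMES]
        suspicious.extend((lineno, fields[0], h) for h in bad)
        if not bad:
            kept.append(raw)
        elif good:  # keep the legitimate names from a mixed line
            line = fields[0] + " " + " ".join(good)
            kept.append(line + (" #" + comment if sep else ""))
    return suspicious, "\n".join(kept) + "\n"

# Constructed sample: default entries plus redirects of the kind described above.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 updates.example.com
127.0.0.1 localhost av.example.net   # mixed line
0.0.0.0 scan.example.org
192.0.2.10 intranet.example.com
"""

if __name__ == "__main__":
    hits, cleaned = audit_hosts(SAMPLE)
    for lineno, ip, host in hits:
        print(f"line {lineno}: {host} -> {ip}")
    print(cleaned, end="")
```

Entries added on purpose by ad-blocking hosts lists are flagged too, so treat the output as candidates for review and keep a copy of the original file before writing the cleaned text back.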