I’m having a big problem with a friend’s PC (he doesn’t know anything about computers, that’s why I’m writing this). After using an un-updated trial antivirus program, he removed it with the idea of replacing it with a new one; the thing is that he didn’t do it until it was too late, and a virus (win32:Nimda[Drp]) infected his machine. So I installed the avast personal edition and, after making a full scan, the program let me know the name of the virus and I took the action of repairing the infected files. Well, the problem is that now almost all his Word documents have been damaged (it opens asking what coding to use to open the .doc file). I tried to repair them with a tool, but it told me that the file had a bad header (or something like that).
After this long explanation, I scream for some help to get back these Word docs. Is there any way? Please, any help would be really appreciated.
By the way, I’m from Peru, just in case my English was not so clear.
That’s rather strange… Nimda [Drp] was a piece of code appended to HTML files on disk, not Word documents (so it’s quite strange it would be detected there).
When repairing such files, it’s checked that that snippet is at the end of the file, so even if the HTML file was embedded in a Word document and detected there, the file wouldn’t be modified (“Cannot be repaired” would probably be the result).
So, I don’t see how Word documents could be affected by the scan & repair (if it really was Win32:Nimda [Drp]). In any case, I’m afraid I don’t know about any way to turn the files back to the original state.
Would it be possible that there’s some other virus active on the computer, overwriting the DOC files? I somehow don’t think this is connected to Nimda infection.
Well, thanks for replying … according to the logs of avast: sign of win32:nimda[drp] found in C:~\winword.exe, maybe this caused the problem (sorry if this is nonsense) … the strange thing is that some of the .docs open normally … as you say, it might be another virus … well, thanks anyway
Is this the correct path or is the ~ tilde just a means of shortening the path?
If so it is most certainly an issue and possibly the cause of the problem as it may be intercepting the call to the normal winword.exe.
You could also check the offending/suspect file at VirusTotal (multi-engine online virus scanner) or Jotti (multi-engine online virus scanner). If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest, you will need to move it out.
If it is detected by multiple scanners, send the sample to virus@avast.com zipped and password protected, with the password in the email body and “undetected malware” in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (it can do no harm there) and send it from there (right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.
Hi hard2008,
What igor says could also denote a FP because of Panda conflicting with Avast (was that the trial proggie?). You should upload the file to Jotti or VirusTotal to see whether it is a genuine malware file.
polonus