Excel files occasionally corrupted by windows xp laptop using flash drive.

This is weird. I have an old hp pavilion dv6 laptop, allegedly windows xp media center edition version 2002 sp3. Yesterday I inserted two different flash drives each containing .xls files as well as other files. I didn't even bother opening the excel files.  I had copied them over from a win 7 pro 64 bit machine, and I am sure they were good. When I tried to eject the flash drives from the xp machine I got a message saying that a program was trying to access them. I stopped the drives again and the message went away. I am sure no files were open. When I tried to open the excel files again, I got a message from office saying they were corrupt and probably malicious. I tried to open them anyway and excel could only partially repair them, though they were still readable.

I scanned the xp laptop for viruses using malwarebytes and ms security essentials, nothing. But today I tried again with the same files and no problems. I checked the size of a good and bad file and they had the exact same number of bytes. I ran the comp command and ten bytes were different out of 70,144 bytes. So somehow the xp laptop corrupted that file by substituting bytes... If It is not a virus what could it possibly be, and how do I make sure that it doesn't happen again?
Each time I properly ejected both flash drives.

Oh, I say it is allegedly media center edition because I just ran sfc /scannow and it prompted me for a windows xp professional disk! Maybe that is the problem.. I got the laptop second hand and don't know what is going on as far as that, my computer says windows media edition. I also checked  manually for this cryptolocker virus but saw no evidence of it in the registry or in %appdata%.
OutOnALimbAlwaysAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

OutOnALimbAlwaysAuthor Commented:
So basically yesterday the laptop changed a few bytes in the excel files without me even opening them, there was a 'program' still accessing them though nothing that I know of was open, and today I get no message about a "program" accessing anything when I first eject the flash drive and everything is fine...
0
nobusCommented:
run this also, maybe a rootkit :
http://majorgeeks.com/RogueKiller_d6983.html                  Roguekiller
0
Danny ChildIT ManagerCommented:
Security Essentials is a bit off the pace these days.  I'd recommend either BitDefender or Kasperskys.  I'd also be careful putting those sticks into other machines until you'd got a clean bill-of-health for them.

For paranoia, you could always use Belarc and Magic Jelly Bean to retrieve all serial numbers, and then wipe and reload the machine.  Probably worth doing for speed reasons alone on a 2nd hand machine of that age.  

You may want to think about an SSD as well to help performance.
0
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

OutOnALimbAlwaysAuthor Commented:
I just scanned with tddskiller.exe from kaspersky, and got no threats. I'll try the roguekiller later on today.

Could it be a bad or mismatched device driver, but not a malicious one?  I had a similar problem copying pictures from an android phone on my windows 7 machine. The pictures were readable but corrupt. After I downloaded the proper drivers, everything was fine. Also, couldn't the problem with sfc /scannow  indicate some sort of mismatch?

It just seems weird that a device driver, not a virus, would change bytes inside a file.  Maybe I've had some sort of a virus all along on both machines.
0
Danny ChildIT ManagerCommented:
Drivers handle communication between devices.  I can't see how the use of one could change actual file contents.  A 10 byte difference is insignificant in terms of being able to be executable virus code.  However, viruses have been known to hide by suppressing changes to files, so it's still suspicious.  

But if the scans are fine, I'd probably blame some other process.  Can you repeat it with other sticks, perhaps one with just a single TXT file on it?   If that shows the same fault, I'd blame some errant security program on the laptop that's scanning and amending removable media.  I don't think a virus would be dumb enough to try and infect a TXT file...
0
Danny ChildIT ManagerCommented:
The sticks themselves don't try and do any autoruns or anything odd, do they?  Some sticks like to present themselves as CD-ROM drives, etc...
0
OutOnALimbAlwaysAuthor Commented:
No, the sticks don't do anything weird, with the exception of not being able to be ejected because of this 'program' still accessing them. One is a lexar and one is a pny -- they are both old, so I suppose they could be failing hardware wise, but it's just too much of a coincidence that they would both corrupt the excel files at the same time. I have not yet had a chance to download and run the rogue killer suggested by nobus. One thing is almost certain, I think-- this 'program' is the culprit.

The heck of it is, everything is behaving fine today. The 'cannot stop because of program' message did not appear. I am downloading 'process explorer' from ms also to find just what this 'program' is-- I want to know so that I can just disinfect,/fix,  rather than format and reinstall to be safe, as you suggested earlier. I just wish I could get it to act up again!!

I did give some misinformation earlier. The av on the laptop is avast free version, not security essentials. That's on my win 7 desktop.
0
nobusCommented:
probably an autorun
0
OutOnALimbAlwaysAuthor Commented:
Update-
bought a new lexar stick. On this one, it consistently corrupts everything I put on it except txt or .doc files. I have tried .jpg, .pdf, .exe, and .xls.  The other usb sticks (sandisk cruzer, pny, other lexar) seem to be immune to it after the first time they have been inserted into the laptop.  THat is, they corrupt files the first time but not thereafter.

If I copy a file From the laptop onto the new stick and read it in on the other pc it is fine. But After I put it back on the laptop via the new lexar flash drive it is corrupted.

Roguekiller found yahoo toolbar and yahoo helper which I deleted. It also found a registry entry in hklm.....  \HideDesktopIcons\NewStartPanel which I deleted.  I googled newstartpanel and found it could be an indication of a virus.  I will try to find something to disinfect it and post the results.
0
nobusCommented:
the posts i found did not show a clear solution, so it sounds easier to me to reinstall windows - from factory reset - after a backup

be sure to delete the partition, before reinstalling windows
0
BillDLCommented:
I'm curious to know something.  Are the USB Flash Drives formatted as FAT32 or as NTFS?

NTFS supports Alternate Data Streams, whereas NTFS does not.  An ADS is embedded metadata.  When inserted maliciously this is normally referred to as a "rootkit", but some versions of Windows add a security flag in the form of an ADS to indicate when a file has been downloaded over the Internet or is from another computer.  In this event, a security notification is shown when the file is opened.  The user has the option of unticking a box in this security notification that removes the flag from the file, but another giveaway is an additional "unblock" button showing under the normal "Advanced" button in the "General" tab of the file's Right-Click > Properties dialog.

I discussed this in another question quite some time ago:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24970005.html#a26126057

I know from experience that MS Office on an XP system sometimes takes ages to open a file that has been downloaded from another computer (including the Internet) and which contains this security flag, or else opens Excel to a blank window.

"When I tried to open the excel files again, I got a message from office saying they were corrupt and probably malicious."

Is it possible that what you are perceiving as "corruption" is in fact just an antivirus app plugin in MS Office finding what appears to be a "rootkit" and then blocking the file?

If you copy out a file with this ADS flag from an NTFS drive to a FAT32 one, and then back again, it removes the ADS and you can test this again, or look at the files' "Properties" and "Unblock" if the button is showing.
0
OutOnALimbAlwaysAuthor Commented:
This is true. It would be easier at this point just to reinstall. The thing is, I am actually curious about what it is, and also if it is a virus I would have to format or throw away every usb stick as well as my external hd that has been in this machine, and I am also worried about my win 7 machine. I am also very ocd about some things so I am going to make a vendetta out of this!

But I have scanned both machines with  sophos, windows malicious software tool, malwarebytes, roguekiller, kaspersky tdss killer, security essentials, iobit. All clean except some minor things.
I also successfully updated all the drivers on the laptop including the usb stuff via intel.com, using their analysis tool.

From disk management, the file system of the problem laptop is ntfs. The reserved partition is ntfs. The recovery partition is fat 32. One stick, actually the one that worked the best, was ntfs. The other usb sticks are fat32. Interestingly, the ntfs stick became unreadable and I had to reformat it as fat32. I tried to format another stick as ntfs as a test but couldn't.

But it's not just excel files with the problem-- I wish I would have known that before I wrote the question. The only ones that DO NOT have a problem are .txt and .doc and I just found out .zip. I corrupted the same exe 5 times, even after renaming it to .txt,  then zipped it on my win 7 machine and it was not corrupted when unzipped on the laptop. So .zip seems immune too.
0
nobusCommented:
does it happen if you use an external disk also?
if so- then it looks like a bad usb cable, or connection (chip?)
0
OutOnALimbAlwaysAuthor Commented:
It does happen with an external disk.  It is much better though. I rebooted the laptop again and this time I guess the new intel drivers were REALLY installed. It no longer corrupts excel files on any of my usb sticks. It does slightly corrupt music mp3 files and jpg picture files on all my removable devices. So the updated intel drivers helped a lot.

But I found also that when I copy jpg and mp3 files to any device except my android phone on my win 7 desktop they can be corrupted slightly too. On my last question, which I  thought I solved myself, I updated the drivers for my specific L3 vigor phone, and had no more problems.

The question remains, can a legitimate mismatched or poor device driver legitimately non-maliciously change the contents of a file on a removable device? Or can cheap removable devices do this?  Billdl's comment implies that they can and do and it is not a virus.
0
nobusCommented:
check event viewer for errors, pointing to this
0
OutOnALimbAlwaysAuthor Commented:
Actually, on the win7 machine,  on both the app and system logs:
event id 11 "The driver detected a controller error on \Device\Harddisk2\DR37."

Nothing on the laptop where I first saw the problem, but maybe I missed it.

Harddisk2 must be the usb drive? I could not duplicate it though, and I just copied the same 5 music files perfectly on the 7 machine to the most vulnerable usb stick, so I am back to occasional problems I guess.
0
OutOnALimbAlwaysAuthor Commented:
Ok, the win7 machine is fixed. All the usb disks, even the ancient ones, work fine in it. It was a driver problem. I forgot that I used one of those driver scanning programs, drivereasy, in it about two months ago.  Unfortunately, I can't fix my own bad memory.

Fortunately I had an msi amd driver disk and just used that. The motherboard is an msi and the chipset is amd. I tried first to use those sites and just got frustrated. Intel.com worked well, but amd.com and msi.com are both..frustrating.

I am now taking this advice to heart: http://www.howtogeek.com/198758/never-download-a-driver-updating-utility-theyre-worse-than-useless/ . Also, the old motto about if it ain't broke don't fix it!

I am posting a new question "Can or does a non-malicious device driver change file contents on a removable usb device?"

As far as the ancient laptop, it is better but not fixed. Pictures and music are still occasionally corrupted.
0
OutOnALimbAlwaysAuthor Commented:
The xp laptop is now fixed as well as the win 7 machine.  Sorry for being so wordy. Here is a summary:
Cause of problem: Ran drivereasy driver scanning program on win 7 machine--Result, some jpg and .mp3 file corrupted when copying to any removable device. Fix--reinstalled drivers from cd. Will NEVER run any driver scanning program again.

Cause of problem on laptop: Apparently, outdated/mismatched drivers-result, most files except txt and doc and .zip immediately corrupted upon inserting removable device. Fix--updated drivers through intel.com's scanning tool. Also moved C:\windows...\INFCACHE.1 to desktop and rebooted computer. This updated an ancient usbstor.sys for the root usb's with a more modern version.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
OutOnALimbAlwaysAuthor Commented:
Well, it ostensibly solved the problem. I say ostensibly because I am still not sure it wasn't a virus, but it seems to be device drivers.  In any case, there are no more symptoms of anything.  I gave others points because they really did assist me in solving the problem.  But it is always easiest to solve a problem like this if you have the problem right in front of you.
0
BillDLCommented:
Thank you OutOnALimbAlways.  Your well explained feedback is interesting, and may also be of help to others with a similar issue at a later time.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Excel

From novice to tech pro — start learning today.