Excel files occasionally corrupted by windows xp laptop using flash drive.
This is weird. I have an old hp pavilion dv6 laptop, allegedly windows xp media center edition version 2002 sp3. Yesterday I inserted two different flash drives each containing .xls files as well as other files. I didn't even bother opening the excel files. I had copied them over from a win 7 pro 64 bit machine, and I am sure they were good. When I tried to eject the flash drives from the xp machine I got a message saying that a program was trying to access them. I stopped the drives again and the message went away. I am sure no files were open. When I tried to open the excel files again, I got a message from office saying they were corrupt and probably malicious. I tried to open them anyway and excel could only partially repair them, though they were still readable.
I scanned the xp laptop for viruses using malwarebytes and ms security essentials, nothing. But today I tried again with the same files and no problems. I checked the size of a good and bad file and they had the exact same number of bytes. I ran the comp command and ten bytes were different out of 70,144 bytes. So somehow the xp laptop corrupted that file by substituting bytes... If It is not a virus what could it possibly be, and how do I make sure that it doesn't happen again?
Each time I properly ejected both flash drives.
Oh, I say it is allegedly media center edition because I just ran sfc /scannow and it prompted me for a windows xp professional disk! Maybe that is the problem.. I got the laptop second hand and don't know what is going on as far as that, my computer says windows media edition. I also checked manually for this cryptolocker virus but saw no evidence of it in the registry or in %appdata%.
I scanned the xp laptop for viruses using malwarebytes and ms security essentials, nothing. But today I tried again with the same files and no problems. I checked the size of a good and bad file and they had the exact same number of bytes. I ran the comp command and ten bytes were different out of 70,144 bytes. So somehow the xp laptop corrupted that file by substituting bytes... If It is not a virus what could it possibly be, and how do I make sure that it doesn't happen again?
Each time I properly ejected both flash drives.
Oh, I say it is allegedly media center edition because I just ran sfc /scannow and it prompted me for a windows xp professional disk! Maybe that is the problem.. I got the laptop second hand and don't know what is going on as far as that, my computer says windows media edition. I also checked manually for this cryptolocker virus but saw no evidence of it in the registry or in %appdata%.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I just scanned with tddskiller.exe from kaspersky, and got no threats. I'll try the roguekiller later on today.
Could it be a bad or mismatched device driver, but not a malicious one? I had a similar problem copying pictures from an android phone on my windows 7 machine. The pictures were readable but corrupt. After I downloaded the proper drivers, everything was fine. Also, couldn't the problem with sfc /scannow indicate some sort of mismatch?
It just seems weird that a device driver, not a virus, would change bytes inside a file. Maybe I've had some sort of a virus all along on both machines.
Could it be a bad or mismatched device driver, but not a malicious one? I had a similar problem copying pictures from an android phone on my windows 7 machine. The pictures were readable but corrupt. After I downloaded the proper drivers, everything was fine. Also, couldn't the problem with sfc /scannow indicate some sort of mismatch?
It just seems weird that a device driver, not a virus, would change bytes inside a file. Maybe I've had some sort of a virus all along on both machines.
Drivers handle communication between devices. I can't see how the use of one could change actual file contents. A 10 byte difference is insignificant in terms of being able to be executable virus code. However, viruses have been known to hide by suppressing changes to files, so it's still suspicious.
But if the scans are fine, I'd probably blame some other process. Can you repeat it with other sticks, perhaps one with just a single TXT file on it? If that shows the same fault, I'd blame some errant security program on the laptop that's scanning and amending removable media. I don't think a virus would be dumb enough to try and infect a TXT file...
But if the scans are fine, I'd probably blame some other process. Can you repeat it with other sticks, perhaps one with just a single TXT file on it? If that shows the same fault, I'd blame some errant security program on the laptop that's scanning and amending removable media. I don't think a virus would be dumb enough to try and infect a TXT file...
The sticks themselves don't try and do any autoruns or anything odd, do they? Some sticks like to present themselves as CD-ROM drives, etc...
ASKER
No, the sticks don't do anything weird, with the exception of not being able to be ejected because of this 'program' still accessing them. One is a lexar and one is a pny -- they are both old, so I suppose they could be failing hardware wise, but it's just too much of a coincidence that they would both corrupt the excel files at the same time. I have not yet had a chance to download and run the rogue killer suggested by nobus. One thing is almost certain, I think-- this 'program' is the culprit.
The heck of it is, everything is behaving fine today. The 'cannot stop because of program' message did not appear. I am downloading 'process explorer' from ms also to find just what this 'program' is-- I want to know so that I can just disinfect,/fix, rather than format and reinstall to be safe, as you suggested earlier. I just wish I could get it to act up again!!
I did give some misinformation earlier. The av on the laptop is avast free version, not security essentials. That's on my win 7 desktop.
The heck of it is, everything is behaving fine today. The 'cannot stop because of program' message did not appear. I am downloading 'process explorer' from ms also to find just what this 'program' is-- I want to know so that I can just disinfect,/fix, rather than format and reinstall to be safe, as you suggested earlier. I just wish I could get it to act up again!!
I did give some misinformation earlier. The av on the laptop is avast free version, not security essentials. That's on my win 7 desktop.
probably an autorun
ASKER
Update-
bought a new lexar stick. On this one, it consistently corrupts everything I put on it except txt or .doc files. I have tried .jpg, .pdf, .exe, and .xls. The other usb sticks (sandisk cruzer, pny, other lexar) seem to be immune to it after the first time they have been inserted into the laptop. THat is, they corrupt files the first time but not thereafter.
If I copy a file From the laptop onto the new stick and read it in on the other pc it is fine. But After I put it back on the laptop via the new lexar flash drive it is corrupted.
Roguekiller found yahoo toolbar and yahoo helper which I deleted. It also found a registry entry in hklm..... \HideDesktopIcons\NewStart
bought a new lexar stick. On this one, it consistently corrupts everything I put on it except txt or .doc files. I have tried .jpg, .pdf, .exe, and .xls. The other usb sticks (sandisk cruzer, pny, other lexar) seem to be immune to it after the first time they have been inserted into the laptop. THat is, they corrupt files the first time but not thereafter.
If I copy a file From the laptop onto the new stick and read it in on the other pc it is fine. But After I put it back on the laptop via the new lexar flash drive it is corrupted.
Roguekiller found yahoo toolbar and yahoo helper which I deleted. It also found a registry entry in hklm..... \HideDesktopIcons\NewStart
the posts i found did not show a clear solution, so it sounds easier to me to reinstall windows - from factory reset - after a backup
be sure to delete the partition, before reinstalling windows
be sure to delete the partition, before reinstalling windows
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is true. It would be easier at this point just to reinstall. The thing is, I am actually curious about what it is, and also if it is a virus I would have to format or throw away every usb stick as well as my external hd that has been in this machine, and I am also worried about my win 7 machine. I am also very ocd about some things so I am going to make a vendetta out of this!
But I have scanned both machines with sophos, windows malicious software tool, malwarebytes, roguekiller, kaspersky tdss killer, security essentials, iobit. All clean except some minor things.
I also successfully updated all the drivers on the laptop including the usb stuff via intel.com, using their analysis tool.
From disk management, the file system of the problem laptop is ntfs. The reserved partition is ntfs. The recovery partition is fat 32. One stick, actually the one that worked the best, was ntfs. The other usb sticks are fat32. Interestingly, the ntfs stick became unreadable and I had to reformat it as fat32. I tried to format another stick as ntfs as a test but couldn't.
But it's not just excel files with the problem-- I wish I would have known that before I wrote the question. The only ones that DO NOT have a problem are .txt and .doc and I just found out .zip. I corrupted the same exe 5 times, even after renaming it to .txt, then zipped it on my win 7 machine and it was not corrupted when unzipped on the laptop. So .zip seems immune too.
But I have scanned both machines with sophos, windows malicious software tool, malwarebytes, roguekiller, kaspersky tdss killer, security essentials, iobit. All clean except some minor things.
I also successfully updated all the drivers on the laptop including the usb stuff via intel.com, using their analysis tool.
From disk management, the file system of the problem laptop is ntfs. The reserved partition is ntfs. The recovery partition is fat 32. One stick, actually the one that worked the best, was ntfs. The other usb sticks are fat32. Interestingly, the ntfs stick became unreadable and I had to reformat it as fat32. I tried to format another stick as ntfs as a test but couldn't.
But it's not just excel files with the problem-- I wish I would have known that before I wrote the question. The only ones that DO NOT have a problem are .txt and .doc and I just found out .zip. I corrupted the same exe 5 times, even after renaming it to .txt, then zipped it on my win 7 machine and it was not corrupted when unzipped on the laptop. So .zip seems immune too.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It does happen with an external disk. It is much better though. I rebooted the laptop again and this time I guess the new intel drivers were REALLY installed. It no longer corrupts excel files on any of my usb sticks. It does slightly corrupt music mp3 files and jpg picture files on all my removable devices. So the updated intel drivers helped a lot.
But I found also that when I copy jpg and mp3 files to any device except my android phone on my win 7 desktop they can be corrupted slightly too. On my last question, which I thought I solved myself, I updated the drivers for my specific L3 vigor phone, and had no more problems.
The question remains, can a legitimate mismatched or poor device driver legitimately non-maliciously change the contents of a file on a removable device? Or can cheap removable devices do this? Billdl's comment implies that they can and do and it is not a virus.
But I found also that when I copy jpg and mp3 files to any device except my android phone on my win 7 desktop they can be corrupted slightly too. On my last question, which I thought I solved myself, I updated the drivers for my specific L3 vigor phone, and had no more problems.
The question remains, can a legitimate mismatched or poor device driver legitimately non-maliciously change the contents of a file on a removable device? Or can cheap removable devices do this? Billdl's comment implies that they can and do and it is not a virus.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Actually, on the win7 machine, on both the app and system logs:
event id 11 "The driver detected a controller error on \Device\Harddisk2\DR37."
Nothing on the laptop where I first saw the problem, but maybe I missed it.
Harddisk2 must be the usb drive? I could not duplicate it though, and I just copied the same 5 music files perfectly on the 7 machine to the most vulnerable usb stick, so I am back to occasional problems I guess.
event id 11 "The driver detected a controller error on \Device\Harddisk2\DR37."
Nothing on the laptop where I first saw the problem, but maybe I missed it.
Harddisk2 must be the usb drive? I could not duplicate it though, and I just copied the same 5 music files perfectly on the 7 machine to the most vulnerable usb stick, so I am back to occasional problems I guess.
ASKER
Ok, the win7 machine is fixed. All the usb disks, even the ancient ones, work fine in it. It was a driver problem. I forgot that I used one of those driver scanning programs, drivereasy, in it about two months ago. Unfortunately, I can't fix my own bad memory.
Fortunately I had an msi amd driver disk and just used that. The motherboard is an msi and the chipset is amd. I tried first to use those sites and just got frustrated. Intel.com worked well, but amd.com and msi.com are both..frustrating.
I am now taking this advice to heart: http://www.howtogeek.com/198758/never-download-a-driver-updating-utility-theyre-worse-than-useless/ . Also, the old motto about if it ain't broke don't fix it!
I am posting a new question "Can or does a non-malicious device driver change file contents on a removable usb device?"
As far as the ancient laptop, it is better but not fixed. Pictures and music are still occasionally corrupted.
Fortunately I had an msi amd driver disk and just used that. The motherboard is an msi and the chipset is amd. I tried first to use those sites and just got frustrated. Intel.com worked well, but amd.com and msi.com are both..frustrating.
I am now taking this advice to heart: http://www.howtogeek.com/198758/never-download-a-driver-updating-utility-theyre-worse-than-useless/ . Also, the old motto about if it ain't broke don't fix it!
I am posting a new question "Can or does a non-malicious device driver change file contents on a removable usb device?"
As far as the ancient laptop, it is better but not fixed. Pictures and music are still occasionally corrupted.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well, it ostensibly solved the problem. I say ostensibly because I am still not sure it wasn't a virus, but it seems to be device drivers. In any case, there are no more symptoms of anything. I gave others points because they really did assist me in solving the problem. But it is always easiest to solve a problem like this if you have the problem right in front of you.
Thank you OutOnALimbAlways. Your well explained feedback is interesting, and may also be of help to others with a similar issue at a later time.
ASKER