OutOnALimbAlways asked:

Can or does anything but malware change file contents on a removable usb device simply by inserting it?

I recently had a problem with file corruption every time I inserted a usb stick into an old xp laptop and also a win7 machine (https://www.experts-exchange.com/questions/28634514/Excel-files-occasionally-corrupted-by-windows-xp-laptop-using-flash-drive.html).

I fixed both machines by putting the proper drivers on them and deleting the infcache.1 file as well on the laptop. I even had a similar problem with my phone on the win 7 machine, which I fixed by installing the correct phone driver.

The one machine I am pretty sure was messed up by running a driver scanner program. (NEVER AGAIN!) The other I am not sure about, and of course I could have overwritten the virus by reinstalling device drivers. But I did scan with every av I could think of, admittedly free ones.

So what I want to know is whether this could have been legitimate behaviour by a poor/mismatched device driver(s) or would it have been a virus, which I possibly still have? The only symptoms were files on the usb stick and external drive getting corrupted just by putting the usb stick in the computer; I didn't even have to open the files.

On my last question a guy mentioned that ms puts a security flag on files downloaded from the internet, but I compared a blocked and unblocked file with each other using the comp command in the command prompt, and found no difference. However, when I compared a corrupt with a non-corrupt file, there was a ten byte difference.
jmcg

The indicator that a file was downloaded is a separate NTFS stream for the file, which would not be seen by an ordinary compare.

Your file corruption could well be the result of malware -- they're sometimes ridiculously sneaky -- but the pattern you describe doesn't make very much sense as malware behavior.

I think all of the attempts you made to remove the virus involved running a program on the system with the problem. The next step is to run one of the offline malware check programs that scan the disk without depending on running anything from that disk.

There's a thread at http://www.bleepingcomputer.com/ where someone actually tried a long list of possible programs and mentioned just 3 that did close to what was wanted:

SuperAntiSpyware - allows drive selection
McAfee Stinger - allows drive selection (amazingly slow, however)
Kaspersky Virus Removal Tool - allows drive selection
Microsoft Emergency Repair Tool (MSERT) - allows drive selection

I've used some others that you download and create bootable media for -- these also scan the suspected disk without depending on anything from it. But I'm pretty jaded on these things: seldom does the program actually find the problem and you, out of perhaps an excess of caution, just have to wipe the system and re-install.
nobus
i have used drivereasy and slimdrivers; mostly if i cannot find a driver myself.
i am always cautious not to let it install other programs - and NEVER had any trouble with these 2.
i'm interested to see what will be suggested

also - did you look if there is no autorun on the stick(s)?

OutOnALimbAlways (ASKER)

I scanned the win 7 pc with eset online, and it did find 12 potentially unwanted programs, but nothing else. I will scan the laptop later today with eset.

Nobus, I'll withhold judgement on drivereasy. I'm sure any program like this can make honest mistakes. My win 7 machine was built by someone and has an msi-7721 motherboard and an amd a55 (at least I think it is) chipset, both cheap, and perhaps it has a screwed up configuration that confused drivereasy. But it really seems like drivereasy was the culprit in this case.

All of my sticks and the external drive come up with an 'autoplay' dialog (play, copy, view photos, open folder to view files) but I can't see any autorun.inf or whatever on them.
Turn autoplay off in your registry. Install http://fradesch.perso.cegetel.net/transf/setup_USB-set.exe or something similar on the stick. This will put a folder called autorun.inf on the stick with a hidden file in it. It prevents a new autorun file from being easily written to the stick.
could be the owner sold his software, and the buyer installs other software.
in any case - either some software (on stick, or laptop) corrupted the files - or you have hardware failure somewhere, eg bad contacts in the usb lines.
the fact it happens on more than 1 usb device points to the laptop itself, and several (cheap ones) are known for bad quality hardware

i would install a fresh OS (on another disk) to test this, or run your usb sticks from a live ubuntu cd, to eliminate the software route - in case you want to know what's happening
Just to be clear I am having no problems now, after updating drivers etc.
do you know where the problem came from yet?
No I don't know where the problem came from yet, but my personal opinion is that it was mismatched device drivers on both machines,  not malware at all. That is what I am trying to find out though.

I got hold of another laptop (vista) that I didn't mind formatting and copied files back and forth between all three machines onto three of my same usb sticks that had problems and my removable drive. There were no more problems whatsoever.

I rebooted the new laptop with the sticks in them and everything else. I did this for about an hour. I was deliberately trying to give the new laptop a virus if I had one. Whatever the problem was it appears to be cured.

I am keeping this question open. I still want to know if anything besides malware can permanently corrupt files on a usb storage device. I mean, if I had malware, it appears to be fixed just because I overwrote it, but I want to know if it could possibly have been anything besides malware in the first place.
ok - lets see and wait
The short answer is yes.  The only thing I know of is improper ejection of the stick (MAC or PC).  This happens rather often.  There is one other possibility, flash drives go bad.  Although the media is rated in number of writes, they invariably have some trouble before they reach that designation.  One usually experiences intermittent problems if a thumbdrive is going bad gradually.   You may also see a notice on windows 8 machines indicating that the removable media inserted needs attention.
i must say i have 10 sticks of different sizes and brands for years - i never had a problem with a stick going bad
At the institution I work at I am the go-to person when people have trouble with their USB thumbdrives. I have encountered everything from totally non working drives (the light doesn't even go on) to drives that are fine but the files have been erased. I just had a user in here yesterday with a drive that had gone bad - it was in the category of the light doesn't even go on. Luckily this researcher had almost all his files backed up. I have had some who come in with a stick that had the only copy of their dissertation on it (who knows why).

It sounds like you are just lucky, or maybe you know something I don't?
Thomas-zucker, do you feel my problem could have been caused by the wrong or outdated drivers? All I know is that after I fiddled around with the drivers I have had no more problems. The problems were permanent file corruption as soon as I inserted the flash drives.  Can the wrong pc drivers do this?
Sorry, I see you already answered with improper removal and bad hardware being the only things you have found in your experience.   The thing is, the symptoms are now completely gone and after scanning with every av I could get my hands on nothing was found except a few PUPS, and removing the pups didn't solve the corruption problem.
I have never heard of drivers causing this type of problem.  I would be interested if this is really the problem.  You may have done something incidentally that affected the drive. Do you remember if that is the case?
I updated the drivers on my win7 machine using drivereasy, and I think it made a mistake.
I did nothing to the laptop, but it was secondhand. I did scan it as soon as I got it.

Let me try to be concise for a change, and repeat the whole saga!

The problem is files being permanently corrupted when a usb device is inserted. After copying to a usb device, I open the file on the usb device, and it looks fine. I take it to another pc and simply insert the device. I don't even have to open the file. I remove it properly, and when I look at it again on any pc at all, the file is corrupted. The comp command in DOS shows a difference in contents.

I have two machines, a win7 pro desktop and an old xp laptop.

1. About a month ago, my android l3 vigor phone exhibited the same behavior when copying files to it. I solved that one also by downloading the l3 vigor driver. All the pics and music on that phone are fine.

2. I copied an excel file onto a usb stick and inserted into my laptop. Corrupted.

3. I updated the laptop drivers from intel and deleted infcache.1. Laptop is now good. I can copy anything from the three usb sticks that had problems, now there is no problem at all.

4. I noticed when I copied music and pictures onto ANY usb stick or my removable drive (Which now no prob in laptop at all) from my win7 machine they may have been slightly corrupted.

5. I finally remembered, I had used drivereasy to update the win7 machine for no good reason. So I reinstalled from my disk (an MSI mobo disk for amd drivers) and now the win7 machine is good.

6. I forgot, I scanned everything with every scanner I could get my hands on and found nothing but PUPS.

7. I obtained a win vista laptop I didn't mind formatting and deliberately tried to give it a virus by swapping sticks and copying files back and forth between the three machines for an hour. No problem, everything good.
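
The copy, insert elsewhere and re-check test described in this post can be repeated with a record of exactly what changed. The following is an added example, not part of the original thread: it hashes every file on the stick before it is unplugged, re-hashes after the stick has been in the other machine, and lists the byte offsets that differ from a known-good copy, as `comp` does. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed_files(before, after):
    """Paths whose hash changed, or that disappeared, between two manifests."""
    return sorted(k for k in before if after.get(k) != before[k])

def diff_offsets(good, bad):
    """Byte offsets at which two files differ over their common length."""
    a, b = Path(good).read_bytes(), Path(bad).read_bytes()
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def contiguous_runs(offsets):
    """Group offsets into (start, length) runs to show whether the damage
    is one block or scattered through the file."""
    runs = []
    for off in offsets:
        if runs and off == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((off, 1))
    return runs

def demo():
    """Constructed sample: a 4 KiB file with 10 bytes altered at offset 512."""
    with tempfile.TemporaryDirectory() as d:
        pc, stick = Path(d, "pc"), Path(d, "stick")
        for folder in (pc, stick):
            folder.mkdir()
            (folder / "book.xls").write_bytes(bytes(range(256)) * 16)
            (folder / "song.mp3").write_bytes(b"\x00" * 1024)
        before = build_manifest(stick)      # taken before unplugging the stick
        data = bytearray((stick / "book.xls").read_bytes())
        data[512:522] = b"\xff" * 10        # stand-in for the corruption
        (stick / "book.xls").write_bytes(bytes(data))
        changed = changed_files(before, build_manifest(stick))
        runs = contiguous_runs(diff_offsets(pc / "book.xls", stick / "book.xls"))
        return changed, runs

if __name__ == "__main__":
    print(demo())
```
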
without knowing all that was installed and done - it will be impossible to say for sure what the cause was imo
Nobus-- this is true. Well, my next big problem is finding an oracle ole db driver installation that actually works on my win7 machine. Maybe I have the "oracle screw-up virus"...
beware of the screw-down variant...
Lol nobus. Maybe we will never know. Just now I uninstalled the driver for my L3 vigor phone in device manager, including deleting the files. I was trying to see if I could duplicate the original problem on my phone. But when I plugged the phone back in, I forgot to shut my internet connection off, and Microsoft immediately looked on windows update and downloaded the same exact driver files. The only difference is the device shows up as a microsoft device and not an L3 vigor, under portable devices in device manager. Now when I go back in device manager, it doesn't give me the option to delete the files, and I don't want to fool around too much more for fear of really screwing something up, or down!

I suppose it's very possible when I had the problem with the phone, some malware downloaded a bogus driver and I got rid of it by overwriting or something when I reinstalled from a cd. I say this because this time ms found the right driver, but evidently not before.

I'll keep this question open, it seems a few other people are interested also.
i surely am - if you post something in here - i'll always see it
I've requested that this question be deleted for the following reason:

It was suggested to me by a moderator since it was abandoned. Plus, you guys aren't letting me ask any more questions until I do something with this one!
Deleting the question is certainly an option, but I would prefer to accept the author's explanation ID: 40673453 as a zero-point answer to leave the discussion available.
jmcg, you mean you want me to accept my own explanation as an answer? What's a zero point answer? Hey, I don't care,  I'll do whatever makes everyone happy....(everyone meaning ee staff and experts)
An answer with zero points! Sorry for being dense.

But I'm a little reluctant to do that because I answered about two questions myself before. All I really want to know is that if any expert has determined if this problem COULD be caused by device drivers, or if it is definitely malware.
ASKER CERTIFIED SOLUTION
Thomas Zucker-Scharff
This solution is only available to members.
In that case I'll accept that as an answer and forget about it.  I'm just happy the problem is apparently fixed and I haven't had any more virus-like behavior.