4

Abstract

I have a FAT32 memory card that when inserted into a computer causes Windows to prompt to format it. The card is definitely not supposed to be blank and has a bunch of files on it.

Symptoms

Using a hex-editor/disk-viewer, I examined the card and found that several sectors/clusters have been overwritten with something that has a signature of USBC at the start of the sector. Specifically, the master boot record (and partition table) is gone (hence Windows thinking the card is blank and needing to be formatted), as are the boot sectors (they have the USBC signature and a volume label of NO NAME and partition type of FAT32).

Fortunately, it looks like both copies of the FAT are almost entirely intact (a few FAT entries at the start of a cluster here and there seem to be overwritten by USBC). The root directory is also nearly intact—I can see the volume label entry and subdirectory listings, but one sector is overwritten. (There are no more instances of USBC after the last one in the FAT2.)

Hypothesis

These observations seem to indicate some sort of virus that erases a few key filesystem structures, and then overwrites a few extra sectors here and there. Googling it seems to corroborate the idea of a virus, except that others report a file called USBC which does not apply here, and in fact, could not be possible since there is no filesystem to even see files. I cannot find any information about a virus with these symptoms, nor a removal tool. (I can't help but wonder if it is actually due to an autorun virus prevention tool.)

Question

I can likely fix the FAT corruption since they are mostly contiguous chains and maybe even the lost sector of the root directory, but does anyone know of a convenient way to restore or (re)create the MBR/partition table and boot sectors (without formatting or overwriting the data)?

11
  • 1
    Experienced in bugs.gentoo.org/show_bug.cgi?id=409565 as well. Commented Nov 4, 2012 at 23:47
  • Thanks for the link (specifically the relevant comment). Mine was a memory card, not a flash-drive, but they are effectively the same. Moreover, while I don’t recall exactly, I would not be surprised if the circumstances mentioned in that thread (removing a card/drive while the laptop is asleep) did indeed occur at some point for me. This new information makes this question all the more important.
    – Synetech
    Commented Nov 5, 2012 at 0:19
  • Odd that this question got another up-vote this week since it happened to me again recently. I plugged a 2GB SD card into a card-reader (a cheap Chinese one I bought on eBay for a few cents and have been using without issue for a couple of years), and plugged that into the laptop, as I had done many times. Last week, I was only able to read from it; the write function was broken and treated all cards as read-only. The other night, it would not light the LED or register the removable drive in Windows until I removed the card. Obviously it has trouble with the card connector.
    – Synetech
    Commented Jun 27, 2013 at 19:32
  • 1
    I don't seem to have any others, but I could probably create some by using cheap Chinese card-readers and USB hubs from eBay for a bit. I'll see if I still have any, and see if I can trigger it.
    – Synetech
    Commented Apr 29, 2020 at 14:04
  • 1
    See superuser.com/questions/1386707/… Commented Jun 19, 2021 at 21:36

4 Answers

2

The first tool you should try for MBR/partition table recovery is testdisk, which has good documentation and is easy to use. I suggest reading this guide.

1
  • I already tried it, but it could not find any partitions. I don't agree about the easy-to-use comment, but the example in the documentation looks a bit promising (it seems to focus more on NTFS partitions on a hard-drive). I'll give it another go.
    – Synetech
    Commented Jun 13, 2012 at 21:05
1

I have experienced the same issue. This is not a virus. It's an electronic failure in the memory card reader (at least in my case).

After formatting I tried to use another card on this computer using another memory card reader without any problem. However, when I inserted another memory card into the suspected memory card reader, it immediately corrupted it.

3
  • 2
    Could you please provide step by step how to recover my memory card 32gb one partition, boot sector became overwritten by this failure.
    – Ryan
    Commented Oct 31, 2012 at 17:32
  • It could indeed be a bad card-reader. I have a cheap Chinese one that I bought on eBay, and while they generally seem to work fine, so does most of the cheap Chinese junk I buy on eBay (at least for a while until they start crapping out). In my case, what I did was to use a hex-editor to manually edit the cards. Most of the information for the partition data was still present (just shifted a sector or two away for some reason). So I copied it back to where it belongs. The problem is that the bad data was also copied to a few seemingly random sectors (virus behavior) which corrupted a few files.
    – Synetech
    Commented Oct 31, 2012 at 17:47
  • I’m thinking about writing a full how-to article on this, but that card has since been wiped and the recovered files copied back, so I don’t know if I can remember the technical details necessary for it.
    – Synetech
    Commented Oct 31, 2012 at 17:48
1

I have had, and now have again, the same problem.

I have an external USB HDD from ADATA, type NH92. It is formatted as NTFS. Once I discovered that some files were missing, and later more and more files were lost. Finally the disk was corrupted and Windows requested to format it. I reformatted the HDD 2 or 3 times; because the problems repeated, I then claimed the disk.

The new HDD worked for half a year without any issue. Then the problems started again. Using the WinHex disk editor, I discovered that the Master Boot Record was corrupted. I studied NTFS. I restored the boot record by copying it from the other HDD with the same capacity, partitions and NTFS. I verified the MFT location. I saw that the first sector of the table starts with the USBC signature. Other MFT file records had the same first-sector signature, and the rest of the sector has a couple of other bytes and then continues with zeros. I found out that each sector with the signature has its data shifted to the second half of the sector. So I moved this data back to its original location and ran check disk. The HDD was recovered. Two weeks later the same happened. I checked the PC with antivirus without any result. I used 3 different programs, including McAfee. No result. No virus was found.

I supposed the virus was focused on NTFS, so I reformatted the HDD to FAT32. After some time, some sectors were overwritten by the USBC signature again and the HDD file system was destroyed. I sent the PC to the manufacturer; it was fully reformatted and Windows was reinstalled. I also reformatted the HDD and created two logical partitions with the same data to have a backup.

Today I have the problem again. I discovered that the second logical disk is destroyed. I checked the HDD with WinHex and found that the logical disk which looks OK also has more than 100 sectors with the USBC signature, but all file records in the MFT are still OK. I suppose this logical disk will also be destroyed soon.

An interesting point is that only the ADATA NH92 HDD has problems, and only on this PC. I used the ADATA NH92 on another PC without problems; I used another HDD on this PC without problems, too. I am going to do a long-term observation: permanently use another HDD on this PC, and use the ADATA NH92 on a different PC only.

From time to time I will search both HDDs for the sector signature. So I will see.

Regards, Michal

5
  • 1
    Hi and Welcome to Super User! Please read the How to Answer a Question Guide. This site is a Q&A site not a forum.
    – slm
    Commented Apr 21, 2013 at 12:19
  • Hello. A friend of mine has exactly the same ADATA NH92 drive with exactly the same problem: after some time his drive gets 'damaged' and the OS refuses to see the partitions. The damage is always the same: the MBR is damaged. The solution is always the same: run TestDisk, and restore the MBR from the backup copy. Those "shifted sectors" that you observed are actually a backup of the MBR that every disk holds "just in case". After several such malfunctions I've started to collect images and investigate them. Just like in your case, the MBR was overwritten with an almost-empty block with "USBC" sig. Commented Jun 24, 2013 at 8:23
  • His drive is in FAT32. Thank you for the notice about NTFS. I was going to suggest that he convert to that system, but from your notes it's clear that it will not help. From my observations, it seemed like a virus (checked thoroughly with 3 a-virs, found nothing), but considering that you see the problem with the same exact HDD model, it starts looking like a Windows driver failure, or a hardware controller/firmware bug. BTW, my friend that owns the HDD uses WinXP. Unfortunately, the machine is several cities away, so I can't investigate it easily :/ Have you found anything new recently? Commented Jun 24, 2013 at 8:28
  • Eh.. I've mistaken the acronyms. Not MBR was damaged, but BootSector (BS). Here's a similar topic, also on NH92: elektroda.pl/rtvforum/viewtopic.php?p=12450122#12450122 These drives seem to have a problem.. Commented Jun 24, 2013 at 8:49
  • I've looked around a bit more, and found out what is the USBC marker: it's a header from SCSI-over-USB protocol. There's not much to be said more, but you may want to read: quetzalcoatl-pl.blogspot.com/2013/06/… Commented Jun 25, 2013 at 12:03
0

It's not a virus. The sector with the USBC string actually contains a USB command block and can be decoded as such. For some reason the controller wrote the command block to the drive. To me it sounds like a bug in certain controllers.

[Image: USBC sector]

We see the 'USBC' sector at LBA 63; this is the original location of the boot block. In the next sector we see the actual boot block which, if we decode it, "thinks" it lives in LBA 63 (0x3F).

IOW the boot block shifted one sector 'down' while the USBC sector was inserted. All sectors following the boot block also shifted one sector, and the final sector from the 16-sector block was 'dropped'.

We can 'decode' the USB command block:

[Image: USB command block structure]

In my sector dump above it would read something like: “write 16 (10h) sectors starting with LBA 63 (3Fh)” (2Ah is the write command).

We can partially repair by patching the 16-sector block, but we need to be aware of the fact that the 16th sector that was intended to be written to the drive is lost, as it was dropped.

To patch we delete the first of the 16 sectors, fill the last sector with zeros and write back to disk. In this video I patched several instances of USBC sectors on an SD Card (disk image file) to allow for file recovery including filenames + folder structure: https://youtu.be/xfhu96N5JR4. Note that these sectors were written on the SD Card, IOW it was not an issue with my card reader.

So in case of OP:

“Fortunately, it looks like both copies of the FAT are almost entirely intact (a few FAT entries at the start of a cluster here and there seem to be overwritten by USBC).”

Those sectors were not overwritten, but sectors following the USBC sector shifted down. To determine how many sectors, we'd need to decode the USBC sector as if it were a USB command block. You can then patch the file allocation tables for the most part.

It can also be an idea to check FAT 2. If that is undamaged you can use that copy (or instruct your file recovery tool to use that copy, DMDE for example allows for this), or if both FATs are damaged but in different parts you can merge them.

[Image: select FAT in DMDE]
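The decode-and-patch procedure from the answer above, as an added Python example that is not part of the original answer: it reads a sector as a USB mass-storage command block wrapper (CBW) carrying a SCSI WRITE(10), then shifts the affected block back up one sector and zero-fills the dropped one. Assumptions: 512-byte sectors, a whole-device image whose sector indices match the LBAs in the command, and work on an in-memory copy; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumed sector size of the image

def decode_cbw(sector):
    """Decode a sector as a USB mass-storage Command Block Wrapper (CBW)
    carrying SCSI WRITE(10); return None for anything else."""
    if len(sector) < 31 or sector[:4] != b"USBC":
        return None
    tag, data_len, flags, lun, cb_len = struct.unpack_from("<IIBBB", sector, 4)
    cdb = sector[15:31]                          # up to 16 bytes of SCSI command
    if not 1 <= cb_len <= 16 or cdb[0] != 0x2A:  # 2Ah = WRITE(10)
        return None
    lba, count = struct.unpack_from(">IxH", cdb, 2)  # big-endian LBA, length
    return {"tag": tag, "data_len": data_len, "lba": lba, "count": count}

def find_usbc(image):
    """Return [(sector_index, decoded_cbw)] for every decodable USBC sector."""
    hits = []
    for i in range(len(image) // SECTOR):
        cbw = decode_cbw(image[i * SECTOR:(i + 1) * SECTOR])
        if cbw:
            hits.append((i, cbw))
    return hits

def patch(image, index, cbw):
    """Undo the one-sector shift in place on a bytearray copy of the image.
    Returns the index of the sector whose content was dropped (now zeros)."""
    n = cbw["count"]
    if cbw["lba"] != index or cbw["data_len"] != n * SECTOR:
        raise ValueError("CBW does not describe the block it sits in")
    start, end = index * SECTOR, (index + n) * SECTOR
    if end > len(image):
        raise ValueError("block runs past end of image")
    image[start:end] = image[start + SECTOR:end] + bytes(SECTOR)
    return index + n - 1

def build_sample():
    """Constructed 80-sector image: a 16-sector write to LBA 63 went wrong."""
    img = bytearray(b"".join(bytes([i]) * SECTOR for i in range(80)))
    cdb = struct.pack(">BBIBHB", 0x2A, 0, 63, 0, 16, 0).ljust(16, b"\0")
    cbw = b"USBC" + struct.pack("<IIBBB", 0x1234, 16 * SECTOR, 0, 0, 10) + cdb
    intended = [bytes([0xA0 + k]) * SECTOR for k in range(16)]
    img[63 * SECTOR:79 * SECTOR] = cbw.ljust(SECTOR, b"\0") + b"".join(intended[:15])
    return img

if __name__ == "__main__":
    img = build_sample()
    for idx, cbw in find_usbc(img):
        print(idx, cbw, "lost sector:", patch(img, idx, cbw))
```

The sector index returned by `patch` is the one whose intended content never reached the medium; for a FAT sector, that is the one to fill in from the other FAT copy.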
