Restoring MBR, partition table, and boot sector of memory card without data loss ("USBC")

4

1

Abstract

I have a FAT32 memory card that when inserted into a computer causes Windows to prompt to format it. The card is definitely not supposed to be blank and has a bunch of files on it.

Symptoms

Using a hex-editor/disk-viewer, I examined the card and found that several sectors/clusters have been overwritten with something that has a signature of USBC at the start of the sector. Specifically, the master boot record (and partition table) is gone (hence Windows thinking the card is blank and needing to be formatted), as are the boot sectors (they have the USBC signature and a volume label of NO NAME and partition type of FAT32).

Fortunately, it looks like both copies of the FAT are almost entirely intact (a few FAT entries at the start of a cluster here and there seem to be overwritten by USBC). The root directory is also nearly intact—I can see the volume label entry and subdirectory listings, but one sector is overwritten. (There are no more instances of USBC after the last one in the FAT2.)

Hypothesis

These observations seem to indicate some sort of virus that erases a few key filesystem structures, and then overwrites a few extra sectors here and there. Googling it seems to corroborate the idea of a virus, except that others report a file called USBC which does not apply here, and in fact, could not be possible since there is no filesystem to even see files. I cannot find any information about a virus with these symptoms, nor a removal tool. (I can't help but wonder if it is actually due to an autorun virus prevention tool.)

Question

I can likely fix the FAT corruption since they are mostly contiguous chains and maybe even the lost sector of the root directory, but does anyone know of a convenient way to restore or (re)create the MBR/partition table and boot sectors (without formatting or overwriting the data)?

Synetech

Posted 2012-06-13T20:53:01.027

Reputation: 63 242

It happened again recently; another card had the USBC corruption. I had specifically gone out of my way to avoid modifying the card because I had accidentally deleted some files and wanted to avoid overwriting anything on it. Yet somehow, the card suddenly became corrupted (fortunately I had cloned it first). The write-protect switch was useless because the reader I was using was another cheap Chinese reader from eBay which seemed good (certainly much better than the previously used rubbish one), but it did the same thing. Cheap Chinese card-readers are *trash* and should be avoided!!! – Synetech – 2015-02-02T22:00:51.767

Experienced in https://bugs.gentoo.org/show_bug.cgi?id=409565 as well.

– Tamara Wijsman – 2012-11-04T23:47:05.443

Thanks for the link (specifically the relevant comment). Mine was a memory card, not a flash-drive, but they are effectively the same. Moreover, while I don’t recall exactly, I would not be surprised if the circumstances mentioned in that thread (removing a card/drive while the laptop is asleep) did indeed occur at some point for me. This new information makes this question all the more important.

– Synetech – 2012-11-05T00:19:27.510

Odd that this question got another up-vote this week since it happened to me again recently. I plugged a 2GB SD card into a card-reader (a cheap Chinese one I bought on eBay for a few cents and have been using without issue for a couple of years), and plugged that into the laptop, as I had done many times. Last week, I was only able to read from it; the write function was broken and treated all cards are read-only. The other night, it would not light the LED or register the removable drive in Windows until I removed the card. Obviously it has trouble with the card connector. – Synetech – 2013-06-27T19:32:56.560

I then tried another, similar card-reader which did light the LED, let me read the card, and let me write to it. Unfortunately, not long afterwards, it showed a couple of very large junk files that could/should not have existed (they did not even register when I checked the disk-usage). I used the safely-remove-device function to eject the card(reader) and unplugged-replugged it in. Windows now informs me that it is unformatted. I opened it in a disk editor and sure enough, the MBR is gone and overwritten by gibberish that starts with the string USBC. – Synetech – 2013-06-27T19:35:21.553

I have made a sector-dump of the card (fortunately only 2GB) and used PhotoRec to extract the files and a hex-editor to extract the directory entries. I may be able to “restore” most of the card like last time, after a bunch of work but fortunately this one only had a few, large-ish, reproducible/downloadable files (still hours of work).

Obviously these cheap, Chinese readers are crap and unreliable (same error with 2-3 readers and 2-3 cards). They can/do corrupt your data. I highly recommend against using them (other than maybe to rip out the connector for use in electronics projects). – Synetech – 2013-06-27T19:41:21.817

Answers

2

The first tool you should try for MBR/partition table recovery is testdisk, which has a good documentation and is easy to use. I suggest reading this guide.

speakr

Posted 2012-06-13T20:53:01.027

Reputation: 3 379

I already tried it, but it could not find any partitions. I don't agree about the easy-to-use comment, but the example in the documentation looks a bit promising (it seems to focus more on NTFS partitions on a hard-drive). I'll give it another go. – Synetech – 2012-06-13T21:05:31.510

1

I have experienced the same issue. This is not a virus. It's a electronic failure in the memory card reader (at least in my case).

After formatting I have tried to use another card on this computer using another memory card reader without any problem. However, when I insert another memory card with the suspected memory card reader it immediately corrupted it.

Ryan

Posted 2012-06-13T20:53:01.027

Reputation: 11

2COuld you please provide step by step how to recover my memory card 32gb one partition, boot sector became overwritten by this failure. – Ryan – 2012-10-31T17:32:17.670

It could indeed be a bad card-reader. I have a cheap Chinese one that I bought on eBay, and while they generally seem to work fine, so does most of the cheap Chinese junk I buy on eBay (at least for while until they start crapping out). In my case, what I did was to use a hex-editor to manually edit the cards. Most of the information for the partition data was still present (just shifted a sector or two away for some reason). So I copied it back to where it belongs. The problem is that the bad data was also copied to a few seemingly random sectors (virus behavior) which corrupted a few files. – Synetech – 2012-10-31T17:47:44.987

I’m thinking about writing a full how-to article on this, but that card has since been wiped and the recovered files copied back, so I don’t know if I can remember the technical details necessary for it. – Synetech – 2012-10-31T17:48:35.190

1

I have had and I have again the same problem.

I have external USB HDD from ADATA type NH92. It is formatted as NTFS. Once I discovered that some files are missing and later more and more files were lost. Finally disk was corrupted and Windows requested to format it. I reformatted HDD 2 or 3 times, due problems repeated then I claimed the disk.

New HDD worked a half of year without any issue. Then problems started again. I have discovered using WinHex disk editor that Master Boot record is corrupted. I studied NTFS. I restored Boot record by copying from the other HDD with the same capacity, partitions and NTFS. I verified MFT location. I saw first sector of the table starts with USBC signature. Others MFT files records had the same first sector signature and rest of sector has couple of other bytes and then continue with zeros. I found out that each sector with signature has shifted data to second half of sector. So I moved this data back to original location and did check disk. HDD was recovered. Two weeks later the same happened. I checked PC by antivirus without any result. I used 3 different programs include McAfee. No result. Virus wasn´t found.

I supposed virus is focused on NTFS so I reformatted HDD to FAT32. After some time period some sectors were overwritten by USBC signature again and HDD file system was destroyed. I sent PC to manufacturer, it was fully reformatted and Windows was reinstalled. Also I reformatted HDD and created two logical partitions with same data to have backup.

Today I have problem again. I discovered that second logical disk is destroyed. I checked HDD by winHex and I have found out that also logical disk which looks OK, has more as 100 sectors with USBC signature but all files records in MFT are still OK. I suppose also this logical disk will be destroyed soon.

Interesting point is that ADATA NH92 HDD has problems only and on this PC only. I used ADATA NH92 on other PC without problem; I used other HDD on this PC without problem, too. I am going to do long term observation to use on this PC permanently other HDD and to use ADATA NH92 on different PC only.

Time to time I will search both HDDs for sector signature. So I will see.

Regards, Michal

Michal

Posted 2012-06-13T20:53:01.027

Reputation: 11

1

Hi and Welcome to Super User! Please read the How to Answer a Question Guide. This site is a Q&A site not a forum.

– slm – 2013-04-21T12:19:36.313

Hello. A friend of mine has exactly the same ADATA NH92 drive with exactly the same problem: after some time his drive gets 'damaged' and the OS refuses to see the partitions. The damage is always the same: the MBR is damaged. Solution is always the same: run TestDisk, and restore MBR from the backup copy. Those "shifted sectors" that you observed is actually a backup of the MBR that every disk holds "just in case". After several such malfunctions I've started to collect images and investigate them. Just like in your case, the MBR was overwritten with an almost-empty block with "USBC" sig. – quetzalcoatl – 2013-06-24T08:23:10.550

His drive is in FAT32. Thank you for the notice about NTFS. I was going to suggest him to convert to that system, but from your notes it's clear that it will not help. From my observations, it seemed like a virus (checked thorougly with 3 a-virs, found nothing), but considering that you see the problem with the same exact HDD model, it starts looking like a windows driver failure, or a hardware controller/firmware bug. BTW. my friend that owns the hdd uses WinXP. Unfortunatelly, the machine is several cities away, so I can't investigate it easily :/ Have you found anything new recently? – quetzalcoatl – 2013-06-24T08:28:34.303

Eh.. I've mistaken the acronyms. Not MBR was damaged, but BootSector (BS). Here's a similar topic, also on NH92: http://www.elektroda.pl/rtvforum/viewtopic.php?p=12450122#12450122 These drives seems to have a problem..

– quetzalcoatl – 2013-06-24T08:49:28.447

I've looked around a bit more, and found out what is the USBC marker: it's a header from SCSI-over-USB protocol. There's not much to be said more, but you may want to read: http://quetzalcoatl-pl.blogspot.com/2013/06/adata-nh92-recurring-malfunction.html

– quetzalcoatl – 2013-06-25T12:03:46.220

Asked: 2012-06-13T20:53:01.027

Viewed: 28 466 times

Active: 2013-10-26T01:23:46.467