ngpc

USB Access Problem

82 posts in this topic

Hi,

Recently I got a problem, and I want to see if anyone or any expert can help!

When I tried to access my USB finger, I found that my computer cannot read the data, although the USB drive No. can be seen on the computer, say G:

As I clicked on the USB drive icon, the computer told me that my USB drive is not formatted yet and asked if I want to format it.

Then sure I click "No" , all my data is inside.

When I use DOS mode to access the usb G: drive, the computer replied that the "Disk sector do not contain the system file "

I am afraid that the boot sector has been damaged by some virus infection.

Can anyone advise how I can save my USB and retrieve the data? Can any tools or methods help?

I would appreciate it if anyone can offer help!

Thanks in advance!

ngpc


Welcome to the forum ngpc, I see that you use a translator but we understand you except for one thing:

Then sure I click "No" , all my data is inside.

So, you say no and you can enter the thumb drive? or you can't access it at all?

Seems that your flash memory has gone bad. Normally those thumb drives are built out of 2 components: the USB controller chip that makes the bridge between the USB connector and the flash ROM, and the flash ROM itself. In this case I think it's the flash ROM.


What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompts me to format the USB...

Do you have any software which can help to retrieve the data or recover the data...

Thanks !

ngpc

When you double click on a drive letter, a mechanism inside Windows called the filesystem recognizer tries to identify the filesystem and load the appropriate driver (NTFS.SYS, FASTFAT.SYS, etc.).

Possibly "something" misrepresents the filesystem and thus, since no known filesystem is recognized, Windows "assumes" that it is an unformatted partition and prompts for formatting it.

It may be something as trivial as a missing "55AA" signature in the bootsectors up to a serious case of data/filesystem structure corruption.

You may want to try first TESTDISK:

http://www.cgsecurity.org/wiki/TestDisk

to check if the error is solvable by correcting a few values in MBR or bootsector or use PHOTOREC:

http://www.cgsecurity.org/wiki/PhotoRec

to attempt recovering the data "directly".

jaclaz


Indeed, you could give it a try, but mostly it's a hardware problem.

I still wish that you can recover your data ngpc.


Dear Jaclaz,

Thanks very much for your help and resources!

I have tried TestDisk to scan my problematic USB; TD reported there is an "Invalid FAT Boot sector" after I performed the [Analyse] function.

Then I proceeded to do the [Quick Search] and [Deeper Search] functions; TD reported structure OK... I think this is expected as I haven't made any partition for this USB, I just use it for data storage...

Can you further advise what I should do next to solve the problem?

I have also attached the screen of the TD report for reference... I would appreciate it if you can further advise...

As the total upload cap. only allows 200k, I will upload the remaining file in a separate email...

Thanks !

ngpc

Screen_Capture_of_Test_Disk_Result.doc


From what you posted (second screenshot), it seems to me that you have a "direct" partition, i.e. the stick is formatted as super-floppy with no MBR/partition table.

Which usually happens with "brand new" sticks, that are however:

  • formatted as FAT32
  • have 0/0/1 as start sector

From the other screenshot, on the contrary, it seems like you have a single partition FAT16 starting from sector 33 (which would carry as a consequence that you have 32 hidden sectors and thus a MBR).

It also tells me that you used some formatting utility/method to re-partition/re-format the stick.

Only you can know how the stick was partitioned/formatted before; please post as much information on how the stick was before (when working) as you can remember.

Also you should read this:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

Try the deeper search, and next time, instead of the screenshots, post testdisk.log (of course you should ALWAYS create a Log at the beginning of each session with Testdisk).

Cannot say how familiar you are with PC/filesystems and more precisely with command line apps, but before starting with the "difficult things" do the following:

Get HD hacker:

http://dimio.altervista.org/eng/

and:

  • save first 1 sector of PhysicalDrive to a file named MBR.bin
  • save first sector of LogicalDrive to a file called BS.bin

Make sure to select the right drive!

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.

jaclaz


Hi Jaclaz,

I have used HDHacker to save the MBR of my USB for your analysis...

They are attached...

Here is my USB History:

I bought this USB drive in about the year 2006, only for data storage; it is 1G in size.

Due to my work, I always use this USB in other computers for presentations... So sometimes a virus is detected, and every time I use Virus Cleaner to scan and clean the virus. It seems to work...

From the scanning history, this virus has attacked my USB before:

Trojan-GameThief.Win32.Magania.ahrz G:\yfmqo.cmd

And I think Autorun.ini has also infected my USB... The infection has occurred several times...

As far as I remember, after one virus cleaning operation, I found that I could not click-to-open the USB directly; a window popped up to ask me "Which software you are going to use to open the file". I found this strange and different from what I had experienced in the past... Then I mostly clicked IE Explorer to open and access the USB and it worked. Therefore, I ignored what happened and kept using the USB without suspecting any MBR problems... I think this should be the sign of the problem of my USB at the very beginning... am I right?

For this USB, I haven't performed any formatting or partitioning actions after my purchase; I have just used it as a data disk since I bought it.

Hope these info. help

Thanks !

ngpc

File_for_analysis_of_HDHacker_2009_05_21.zip


I recently experienced close to the same thing with the autorun virus.

When I attached the drive, the AV even completely refused to let Windows recognize the whole drive.


There are a number of problems in the files you sent.

Basically:

  • the MBR code is only partially there
  • the MBR "Magic Number" Signature is not there
  • the MBR DATA is - to say the least - "queer":
    Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|Size in bytes
    #0|06|80|0|1|1|255|61|0|32|1.966.137|1.006.662.144
  • both files are identical (which is normal, since the MBR is not recognized Physicaldrive=Logicaldrive)

Next steps:

get the dsfok toolkit:

http://members.ozemail.com.au/~nulifetv/freezip/freeware/

unzip in a new directory, say C:\dsfok

Open a command prompt and navigate to that directory.

You want to make a full image of the stick, so you will need roughly 1 Gb free on your hard disk.

Now, you must be sure that you get the "right" physicaldrive number (if you have just one hard disk, it will be "0", and the USB stick will be "1")

Run the following command:

dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

this will create a byte to byte copy of the stick, the program will print on screen something like:

OK, 1006695214 bytes, 56.540s, MD5 = 786a48c5db7548a6bf34cb945b62ae75

Jot down (and post) the bolded part (actual size of the stick).

This way you have a full copy of the stick and we can start working on it without fear of making anything irreparable.

Run again dsfo as follows:

dsfo \\.\PHYSICALDRIVEn 0 51200 C:\dsfok\USB_100.img

This is a copy of the first 100 sectors of the stick, 51200 bytes in size, that you should compress in a .zip and attach to your next post.

The partition data refers to a 06 i.e. CHS FAT16 partition, starting at sector 33 or sector 64, the first 100 sectors should be enough to see if there are traces of it. (bootsector and start of FAT tables).

jaclaz
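
An added example (not part of the thread and not code from any tool named in it): a Python parser that performs the checks described in the post above on a saved first sector such as MBR.bin, namely the 55AA signature and the partition entry fields. The function names are hypothetical, and the sample sector is constructed from the single entry quoted in the post, with the signature left out as the post reports.

```python
import struct

SECTOR = 512

def decode_chs(b):
    """Decode a 3-byte CHS field: head, sector (low 6 bits), cylinder (10 bits)."""
    head, sec, cyl = b[0], b[1] & 0x3F, ((b[1] & 0xC0) << 2) | b[2]
    return cyl, head, sec

def parse_mbr(sector):
    """Return signature status, partition entries and anomalies for sector 0."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    report = {"signature_ok": sector[510:512] == b"\x55\xaa",
              "entries": [], "anomalies": []}
    if not report["signature_ok"]:
        report["anomalies"].append("missing 55AA signature at offset 510")
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        if raw == bytes(16):
            continue  # unused table slot
        boot, ptype = raw[0], raw[4]
        start, count = struct.unpack_from("<II", raw, 8)
        entry = {"index": i, "boot": boot, "type": ptype,
                 "begin_chs": decode_chs(raw[1:4]), "end_chs": decode_chs(raw[5:8]),
                 "start_lba": start, "num_sectors": count,
                 "size_bytes": count * SECTOR}
        report["entries"].append(entry)
        if boot not in (0x00, 0x80):
            report["anomalies"].append(f"entry {i}: invalid boot flag {boot:#04x}")
        for name in ("begin_chs", "end_chs"):
            if entry[name][2] == 0:  # CHS sector numbers start at 1
                report["anomalies"].append(f"entry {i}: {name} has sector 0")
    return report

def build_sample():
    """Constructed sector reproducing the entry quoted in the thread (no signature)."""
    s = bytearray(SECTOR)
    # boot=80, begin CHS 0/1/1, type=06, end CHS 255/61/0, start=32, count=1966137
    s[446:462] = bytes([0x80, 1, 1, 0, 0x06, 61, 0, 255]) + struct.pack("<II", 32, 1966137)
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_mbr(build_sample()).items():
        print(key, value)
```

To run it on a real capture, read the 512-byte file in binary mode and pass the bytes to `parse_mbr`; work on the saved copy, not on the stick itself.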


Dear Jaclaz,

I just need to clarify one thing before I perform the copy action, because I am not so familiar with that dsfo software.

Do you mean that in the command below, I replace the "n" in PHYSICALDRIVEn with the number "1", as I only have 1 HDD and 1 USB at this moment?

dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

Thanks!

ngpc

If your USB is Physicaldrive #1, then the line is:

dsfo \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_full.img

but for example if you have one of those multi-card readers, or a virtual disk device installed, this won't always be true.

Do the following:

get beeblebrox:

http://students.cs.byu.edu/~codyb/

try accessing Physicaldrive1 with it (the drop down menu top left).

If you see the same data I posted before:

Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|

#0|06|80|0|1|1|255|61|0|32|1.966.137|

then 1 is the right number. ;)

jaclaz


Dear Jaclaz,

I finally got it ....

After saving, the number returned is 1035206656 bytes.

I have attached the USB_100.IMG file .

Thanks!

ngpc

usb_100.zip

