USB Access Problem

81 replies to this topic

#26
ngpc (Newbie)
  • Member
  • 21 posts
Jaclaz,

I just tried up to this step and stopped because the number returned is different from yours; can you advise?

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before (Your code)

1*FAT16 >32M 0 1 1 1019 8 25 2021945

Is the number important?
ngpc



#27
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

Jaclaz,

I just tried up to this step and stopped because the number returned is different from yours; can you advise?

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before (Your code)

1*FAT16 >32M 0 1 1 1019 8 25 2021945

Is the number important?
ngpc


Yep.

You did not make the [Geometry] change properly.
Re-check the settings in the [Geometry] section:
Cylinders=1
Heads=64
Sectors=32
Sector Size=512

and you will get the 987/18/25. ;)

jaclaz

#28
ngpc (Newbie)
  • Member
  • 21 posts
Hey Jaclaz,

I just took a risk and tried the remaining recovery procedure as I was so eager to see the result... So you bet... I finally GOT it... Wow, EXCELLENT!
All the files are back, they are back...... A very BIG THANKS to YOU.... I really appreciate your patience and professional advice...
I learnt a lot from this process and had much fun.... Interesting!

BTW, there are still a few questions here; can you help me clarify a bit:

As I reopened the image file, I found my useful files as well as some virus files or virus information.

So my questions are:
1/ Will the virus files still have an effect on my C drive when I copy the data from this USB_full image file back to my C drive?

2/ When I use the virus cleaning program to scan the G: virtual drive, it detects the virus (see attached txt file) and is going to kill them. So does it mean that the virus becomes inactive (seems sleeping) while the USB_full image is not being recovered, but when it is being recovered now, the virus becomes active and will start to infect other drives it comes across?

3/ Before I format my defective USB, if I plug it into the computer, will the virus infect my computer?

4/ Will the standalone USB_full image file, which has the virus files locked inside, become active if I keep the image file?

Curious to know that...

Thanks !
ngpc

Attached Files



#29
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified
Happy to hear about a happy ending. :)

Virii "for USB sticks" are generally triggered by the stupid (I know no better English word to describe it :whistle:) feature of Windows XP (and later I think :unsure: ) that tries to access "automagically" anything connected to the USB port and tries to Print, or Play or Open or whatever.

The culprit is the autorun.inf file, which is executed by the above mentioned stupid feature.

An Image file is not accessed the same way, so it is relatively safe.

Scan the files in the image and your anti-virus should get rid of the things all right.

Since Windows cannot read your damaged stick properly, reinfection shouldn't be a problem.

Thus the answer to all your questions is NO. ;)

What you should do next would be to WIPE your stick (as opposed to re-formatting it)

Get mksparse:
http://www.acc.umu.se/~bosse/
unzip it in the usual directory C:\DSFOK
(I presume that the C:\ volume has a NTFS filesystem, otherwise use a NTFS one)

Create a new sparse file the size you got from dsfo originally:
mksparse C:\dsfok\USB_empty.img 1035206656
The file, being sparse, will occupy only a bunch of Kbytes instead of its full size, and it will be full to the brim with 00's.
If the temporary occupation of about 1 Gb by the file is not a problem, you can use fsz, which is already in the DSFOK you have.

Now, use dsfi to completely overwrite your stick:
dsfi \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_empty.img

Remove and re-insert stick.

Now, use RMPREPUSB.EXE (advised):
http://www.boot-land...?showtopic=7739
to format your stick. (This will create a "properly formatted" stick including a MBR, i.e. HD-like; if you use XP Disk Management it will format the stick as super-floppy, unless you use a filter driver, which I guess is out of the scope of this thread.)
Using the renowned "HP utility" will work as well, though it will create a "better-than-the-current-lousy-one", but still unbalanced, CHS/LBA partition table, which is more likely to cause problems in the future.

Remove and re-insert stick.

Then, get ninja pendisk :thumbup :
http://nunobrito.eu/ninja/
http://www.boot-land...?showtopic=4350
http://nunobrito.eu/ninja/forum/

and use it. ;)

BTW, and just as general advice for the future, a not-so-well-known "trick" on FAT16 and FAT32 filesystems, in order to increase the chances of recovering files, is to avoid putting files in the ROOT if possible, and rather use directories or sub-directories to store them.

:hello:

jaclaz

#30
ngpc (Newbie)
  • Member
  • 21 posts

I recently experienced close to the same thing with the autorun virus.

When I attached the drive the AV completely even refused to let Windows recognize the whole drive.



Hi,

I finally retrieved all my data from the USB by following the process; you can try and see if this can help your situation...
Jaclaz's troubleshooting is really professional...
You can check it out yourself...

ngpc

#31
ngpc (Newbie)
  • Member
  • 21 posts
Hi Jaclaz,

Just a curious question!

I just supposed I could use the XP format function to reformat my USB; it seems there are still a lot of steps to reformat it...

May I know: what is the difference between using the XP format function to format the USB instead of using the procedure you mentioned in the last email?

I know your procedure may be trying to configure the USB in a new structure...
Sure, I will try your procedure and learn more about that; it is interesting.

While I just want to learn more if there are any technical reasons...

Besides, after the TestDisk recovery, I retrieved all the file data and also saw some files named as below
-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF
-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Are they created repeatedly by the virus? I saw a lot inside the file usb_full.img....


Like to hear more !
Thanks !
ngpc

Edited by ngpc, 24 May 2009 - 05:28 AM.


#32
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

What is the difference between using the XP format function to format the USB instead of using the procedure you mentioned in the last email?

Basically 2K/XP/2003 check if a flag in the controller of the USB device is set as either "Fixed" or "Removable".
If it detects it as "Removable" it won't:
  • allow partitioning the device
  • allow access to any partition but the first (Active) one (if the device is actually partitioned)
BUT, if it finds a MBR, it will "trust" the information in it and allow formatting the single partition it can access.

99.99% (read ALL) of USB sticks have this flag in the controller set as "Removable".
ALL USB Hard Disks and USB Hard Disk enclosures have this flag in the controller set as "Fixed".

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

If you format from XP a stick that DOES NOT have a valid MBR, it will be formatted as "super-floppy".

The given utilities allow partitioning and formatting the stick as a HD-like device.

An alternative is using in Windows XP a "Filter Driver" such as cfadisk.sys or dummydisk.sys that "tricks" XP into seeing the flag in the controller as set to "Fixed" and thus allows Disk Management to partition the disk.

So, if you try re-formatting your stick as-is from Windows XP, it will assume the MBR (currently containing "wrong" data) to be a valid one and will re-create a "non-right" filesystem, which may nonetheless work, as yours did, but which is NOT advised as it may create problems on some machines, or with other OSes.

If you try re-formatting your stick from Windows XP after having wiped it, it will assume that you want to create a "super-floppy" filesystem, which again works all right for the use you make of it, but that may be more problematic to recover in case of failure.

While I just want to learn more if there are any technical reasons...

There is no "needed" technical reason; it is an "advised" technical one.

Besides, after the TestDisk recovery, I retrieved all the file data and also saw some files named as below
-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF
-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Which you saw in the testdisk List view being RED:

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF
-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

to show that they were DELETED files.
When you delete a file on a FAT filesystem it is NOT actually deleted; simply the first character of its name in the FAT table is overwritten by a "special" character (that testdisk shows as an underscore) to signify that that allocation is free and that it can be overwritten.

Are they created repeatedly by the virus? I saw a lot inside the file usb_full.img....

Yep. From the date/time of those files you can track when the virus wrote them; each _UTORUN.INF file you can see (and that you should delete once finished playing with them) is a single attempt of infection (or re-infection) by the virus.

jaclaz

#33
ngpc (Newbie)
  • Member
  • 21 posts
Hi Jaclaz,

Thanks Again for sharing !

May I know which tools you are using for viewing the MBR structure/data of my defective USB? Can I download them from some site?

Is there any recommended site which documents an introduction to MBR or file system structure analysis? I am quite interested in data recovery after this learning experience.

And finally, can I apply similar values from my case to some USB which shows the same symptoms but with different memory sizes, say 2G, 4G, 8G..?
And I only experiment with this on the extracted image file.

hope to hear your advise...
ngpc

:w00t:

#34
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

Thanks Again for sharing !

You are welcome. :)

May I know which tools you are using for viewing the MBR structure/data of my defective USB? Can I download them from some site?

I could tell you, but then I would have to kill you...:whistle:

Seriously:

And a number of other tools, depending on what is the problem at hand.

Remember, however, that usually a skilled carpenter is more important than the actual tools he uses. ;)

You'll need some time to learn and digest the info you can find in the below mentioned site (and its links) and more generally take your time browsing around in boot-land:
http://www.boot-land.net/forums/

Also remember that the right approach to data recovery is avoiding needing it. (BACKUP!)

Is there any recommended site which documents an introduction to MBR or file system structure analysis? I am quite interested in data recovery after this learning experience.

The "mother of all MBR/filesystems sites", the Starman's Realm:
http://mirror.href.c.../mbr/index.html

And of course the good ol' "Primer":
http://www.ranish.com/part/primer.htm

I would also suggest you get acquainted with "ol' DOS" programs, like Ranish Partition Manager:
http://www.ranish.com/part/
and the several other DOS tools recommended by Daniel B. Sedory (the Starman)

And with Qemu:
http://www.nongnu.org/qemu/

Optionally using Qemu Manager GUI:
http://www.davereyn.co.uk/

And finally, can I apply similar values from my case to some USB which shows the same symptoms but with different memory sizes, say 2G, 4G, 8G..?

You can apply a similar method/approach.
Not a "similar value", a value can be either of two things:
  • Right
  • Wrong
(no space for "similar")

And I only experiment with this on the extracted image file.

Sure, that's the "proper" approach, NEVER write anything on the "problematic" device if you are not sure (and double sure) about what you are writing and what effects it may have.

jaclaz

#35
Ponch (MSFN Junkie)
  • Patrons
  • 3,238 posts
  • OS: none specified

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters; I guess they have two partitions? I also saw that for "fingerprint secured" sticks: one partition for the security system, one for data.

#36
ngpc (Newbie)
  • Member
  • 21 posts

(quoting jaclaz's post #34 in full)


Thanks Jaclaz,

Don't kill me until one day I become as professional as you are, ha ha....
Anyway, thanks so much for your help in the past week and your generous sharing of your knowledge! I did learn a lot!

ngpc

:hello: :thumbup

#37
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters; I guess they have two partitions? I also saw that for "fingerprint secured" sticks: one partition for the security system, one for data.


NO. :(

They have two LUNs:
http://www.911cd.net...o...20186&st=16
http://www.911cd.net...o...20186&st=27

(of which one is a CD-ROM device and the other one is a "normal disk", which may be partitioned, but usually isn't)

Also, FYI:
http://www.msfn.org/...howtopic=121502
http://www.msfn.org/...howtopic=125138

BTW, the bootsector of ngpc's stick was formatted as FAT16 06 (CHS) and had a bootsector invoking the DOS system file IO.SYS.
I have NEVER seen myself, or read ANY report of, such a stick being formatted like that in the factory.

The unbalanced CHS/LBA makes me think of the use of the "HP" formatting utility, and the n/64/32 of the use of VDK (which defaults to that geometry) or WinImage, which can use that geometry in some cases.


jaclaz

Edited by jaclaz, 26 May 2009 - 05:15 AM.


#38
doniel
  • Member
  • 6 posts
Hi, jaclaz!

Our USB drive suddenly exhibited the same symptoms as ngpc's: When attempting to access it, Windows claims that it isn't formatted. I assume you want to start with a copy of Testdisk's log report. It's attached. MSFN's attachment system wouldn't allow me to upload it when it was named testdisk.log, so I added .txt to the file name.

Thank you for your help!

Attached Files



#39
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

When attempting to access it, Windows claims that it isn't formatted. I assume you want to start with a copy of Testdisk's log report.

Got it. :)

But I also need the MBR and bootsector, see second part of this post:
http://www.msfn.org/...o...133933&st=7

jaclaz

#40
doniel
  • Member
  • 6 posts
Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so I added .txt to both files.

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

Attached Files


Edited by doniel, 26 June 2009 - 10:08 AM.


#41
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so I added .txt to both files.

Really? :w00t:
Could this be connected to this part of the referenced post?: :unsure:

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.

:whistle:

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

It may have been the right choice, but unfortunately BOTH the files you posted are just a (nice, rounded ;)) collection of digital 00's. :(
This could mean EITHER:
  • that something went wrong while extracting/copying the sectors/files
  • that you got the right \\.\Physicaldrive AND the extracting/copying went all right BUT the sectors on the stick are actually all 00's

My guess is that unfortunately it is #2 above, which can be caused by three things:
  • partial accidental wiping (of some initial sectors) of the device (not good, but leaving some hopes)
  • total accidental wiping of the device (bad)
  • device controller or flash memory malfunctioning (bad)
Can you describe with as much detail as you can remember how this thing happened, if there were previous symptoms of failure, if any particular program was run against the stick, if the stick was EVER attached to a PC unprotected by antivirus, etc.?

Let's try again with a slightly different approach.
Get dsfo (within the DSFOK toolkit):
http://members.ozema...ware/index.html

Open a command prompt and run from the directory where you unzipped dsfo.exe:

dsfo \\.\Physicaldrive2 0 102400 C:\first200.dat

Compress C:\first200.dat to a .zip and attach to your next post the resulting archive.

If you have access to a hosting site of some kind (even a free one like megaupload or rapidshare would do) AND the stick did not contain private/personal data that I shouldn't see, create a "full" image of the stick (you will need as much available space on your hard disk as the size of the stick, plus say another half size for the compressed file) by running:
dsfo \\.\Physicaldrive2 0 0 C:\fullima.dat
Compress C:\fullima.dat to a .zip, upload the resulting archive to the filehosting site and send me the download link via PM...

If it's not all 00's some partial recovery may be still possible.

By the way, you didn't need to provide a link - all you had to do was tell me to scroll to the top of this page!

A link is a link, and generally stays linked ;)
"Relative" addresses, such as "look at top of the page" may change depending on which particular view you are seeing this thread with, and from a number of other reasons.

jaclaz

#42
doniel
  • Member
  • 6 posts
Sorry. I've been checking several times a day for your reply, but never realized that we'd gone to a page 3. I'll post a proper reply as soon as I can.

Thank you!

#43
doniel
  • Member
  • 6 posts
Really? Could this be connected to this part of the referenced post
Compress the two files in a .zip archive and post it as an attachment

Didn't realize that your request for a zip file was to get around attachment system restrictions.


"Relative" addresses, such as "look at top of the page" may change depending on which particular view you are seeing this thread with, and from a number of other reasons.

Point taken.

first200.zip attached.

Hope to be able to u/l the full image. Will let you know. But first, I need an answer from you. WinRAR won't let me break up the full image into smaller files in zip format. Do you have a problem with rar format?

Thanks again, jaclaz!

doniel

Attached Files



#44
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified
Unfortunately the whole file you sent is made of 00's. :(

No problem with .rar, the good (or bad) thing is that if the whole image is made of 00's the compressed file will be very, very small.

So, try compressing the image into a "monolithic" .zip or .rar: if the result is very small, it means that it contains mostly 00's; on the other hand, if the resulting archive is "biggish" it means that some data is still there, and then you can re-create it as split .rar files.

Is there any chance that the \\.\PhysicalDrive2 may be "wrong"?
I don't think so, as if the device does not exist dsfo should throw an error.
What size is the "full" image (without compression)?
Is it compatible with the "label" size of the stick?
It could be that simply something in the controller or in the flash memory has gone "berserk". :unsure:

jaclaz

Edited by jaclaz, 30 June 2009 - 03:00 AM.
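As an added example (not from the thread), this checks an image the way jaclaz reasons about it: walk it sector by sector to see whether it really is all 00's, and measure how compressible it is as the local equivalent of the "tiny archive means mostly zeroes" test. It assumes 512-byte sectors; the two sample images are constructed in memory, and scan_image_file() is the hypothetical entry point for a real dsfo output file.

```python
# Added example, not code from the thread: zero-sector scan and compressibility
# check for a raw image such as C:\fullima.dat.  Sector size assumed 512 bytes.
import io
import zlib

SECTOR_SIZE = 512


def scan_zero_sectors(stream, sector_size=SECTOR_SIZE, chunk_sectors=2048):
    """Count zero-filled sectors and locate the first/last sector holding data.
    Reads sector-aligned chunks, so multi-GB images are fine."""
    zero_sector = bytes(sector_size)
    total = zeros = 0
    first = last = None
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        for off in range(0, len(chunk), sector_size):
            sec = chunk[off:off + sector_size]
            if sec == zero_sector[:len(sec)]:     # a short tail sector is still checked
                zeros += 1
            else:
                if first is None:
                    first = total
                last = total
            total += 1
    return {"sectors": total, "zero_sectors": zeros, "all_zero": zeros == total,
            "first_nonzero": first, "last_nonzero": last}


def compressed_ratio(stream, sample_bytes=64 * 1024 * 1024):
    """zlib size / raw size over (at most) the first sample_bytes of the image."""
    raw = stream.read(sample_bytes)
    if not raw:
        return 1.0
    return len(zlib.compress(raw, 6)) / len(raw)


def scan_bytes(img, chunk_sectors=2048):
    return scan_zero_sectors(io.BytesIO(img), chunk_sectors=chunk_sectors)


def ratio_bytes(img):
    return compressed_ratio(io.BytesIO(img))


def scan_image_file(path):
    """Hypothetical entry point for a real image on disk."""
    with open(path, "rb") as f:
        result = scan_zero_sectors(f)
        f.seek(0)
        result["compressed_ratio"] = compressed_ratio(f)
    return result


def describe(result):
    if result["all_zero"]:
        return "all %d sectors are 00 - nothing to recover from this image" % result["sectors"]
    return "%d of %d sectors are 00; data found in sectors %d..%d" % (
        result["zero_sectors"], result["sectors"],
        result["first_nonzero"], result["last_nonzero"])


def make_sample_image(total_sectors, data_sectors):
    """Constructed image: zeros everywhere except the listed sector indexes,
    which get a recognisable filler (sector 0 also gets the 0x55AA signature)."""
    img = bytearray(total_sectors * SECTOR_SIZE)
    for idx in data_sectors:
        start = idx * SECTOR_SIZE
        img[start:start + 16] = b"SAMPLE-DATA-%04d" % idx
        if idx == 0:
            img[510:512] = b"\x55\xAA"
    return bytes(img)


WIPED_IMAGE = make_sample_image(1000, [])            # the "all 00's" case
PARTIAL_IMAGE = make_sample_image(1000, [0, 32, 600])  # some data survives


if __name__ == "__main__":
    for name, img in (("wiped", WIPED_IMAGE), ("partial", PARTIAL_IMAGE)):
        print(name + ":", describe(scan_bytes(img, chunk_sectors=7)),
              "compressed ratio %.5f" % ratio_bytes(img))
```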


#45
doniel
  • Member
  • 6 posts
Full image uncompressed is about 7.5 GB. Rar is 4.7 GB. It's going to take me quite some time to u/l. Will let you know as it gets done so that you can d/l it as they get posted.

#46
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

Full image uncompressed is about 7.5 GB. Rar is 4.7 GB. It's going to take me quite some time to u/l. Will let you know as it gets done so that you can d/l it as they get posted.


The 4.7 GB size of the compressed image is (besides being "huge" :blink: ) a good sign that at least some data is still on the stick. :)

jaclaz

#47
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified
Unfortunately it seems like the WHOLE image is made of 00's. :(

I am scanning it right now, but in about the first 2/3 of it I couldn't find anything but zeroes.

This is NOT "normal".

To get to this condition one of the following cases applies:
  • stick has been (accidentally or intentionally) wiped (to wipe a flash memory means writing 00's to it, which for an 8 Gb stick should take several minutes, so you should have noticed it)
  • stick has been "zapped" or "fried" by some overcurrent or overvoltage (but usually when this happens it is the controller that gets fried, see below)
  • something is wrong in the hardware (the controller seems OK, as the stick is recognized by Windows, so it should be the actual flash, but if you are lucky it could also be a "real hardware" failure, such as a cold or broken soldering)

I guess that the only remaining thing for you to try is to "crack" open the stick enclosure and inspect, both visually and with an ohmmeter, the continuity of the tracks and the chips' pins.

If this check reveals no problems, depending on the value you attribute to the data on the stick, it may be the case to ask a professional to try and take the flash off the stick and mount it on another (identical) stick/controller.

Of course you can make this attempt by yourself, but handling surface mounted components (as stick chips usually are) is not that easy for a non-expert with "rudimentary" tools; I guess it depends on your manual skills and experience. :unsure:


jaclaz

P.S.: For the record and for other users, the image once compressed, resulted in a 4.7 Mb file, not as initially posted 4.7 Gb.

Edited by jaclaz, 30 June 2009 - 06:31 PM.


#48
doniel
  • Member
  • 6 posts
I guess that the only remaining thing for you to try is to "crack" open the stick enclosure and inspect, both visually and with an ohmmeter, the continuity of the tracks and the chips' pins.


I tried to pry the cover off using a small flathead screwdriver, with no success. Is it possible to get the cover off without ruining it, or do I need to break it off?

#49
jaclaz (The Finder)
  • Developer
  • 14,019 posts
  • OS: none specified

I tried to pry the cover off using a small flathead screwdriver, with no success. Is it possible to get the cover off without ruining it, or do I need to break it off?


It greatly depends on the actual model of the stick; a few are simply two plastic shells that you can separate by using a knife (you will probably break the case anyway, but if you are careful with these it can be re-glued together); some are more "tough" and need to be cut/broken.

jaclaz

#50
Ludwig Von Cookie Koopa (Member)
  • Member
  • 242 posts
I don't know if this is solved but I am adding my input.

My USB pen/stick/flash drive would do the exact same thing. It would not read on Windows XP, but instead give me a document folder. A folder that proclaimed "THE DRIVE IS UNREADABLE". However, on my Win98 machine it would read the drive. When I used it on an iMac (white) I was able to read the drive with no problems.

Back on my 98 machine, after running Scandisk (when the drive appeared to have nothing) it was able to recover the disk data. I forget if I did or did not format the disk.

Sometimes when I hook a hard drive up to my PC, especially one that I have not used for ages, it reports a misfire (whatever) of space. I ran Scandisk, and it recovered all my files but left the names as their shortened DOS counterparts.

I could only assume it has something to do with the last computer you used the drive on.

The end result is me getting/finding another USB drive lying around in the street, since this would occur over and over again when I had to use the USB drive multiple times, moving from machine to machine.



