[ngpc]

Hi,

Recently, I got a problem, and see if anyone and expert can help !

When I tried to access my usb finger, I found that my computer cannot read the data although the usb drive No. can be seem on the computer, say G:
As I click on the usb drive icon, the computer told me that my usb drive is not formatted yet and ask if I want to format it .
Then sure I click "No" , all my data is inside.

When I use DOS mode to access the usb G: drive, the computer replied that the "Disk sector do not contain the system file "

I afraid that the boot sector has been damaged by some virus infection.

Can anyone advise how can I save my USB and retrieve the data, any tools and method can help ???

Would appreciate if anyone can offer the help !
Thanks in advance!
ngpc

[puntoMX]

Welcome to the forum ngpc, I see that you use a translator but we understand you except for one thing:

ngpc, on May 17 2009, 02:35 AM, said:

Then sure I click "No" , all my data is inside.

So, you say no and you can enter the thumb drive? or you can't access it at all?

Seems that your flash memory has gone bad. Normally those thumb drives are build out of 2 components: The USB controller ship that makes the bridge between the USB connector and the Flash ROM, and the flash ROM itself. In this case I think it's the flash ROM.

[ngpc]

What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompt me to format the USB...

Do you have any software which can help to retrieve the data or recover the data...

Thanks !
ngpc

[jaclaz]

ngpc, on May 20 2009, 12:17 PM, said:

What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompt me to format the USB...

Do you have any software which can help to retrieve the data or recover the data...

Thanks !
ngpc

When you double click on a drive letter, a mechanism inside Windows called filesystem recognizer, tries to identify the filesystem and load the appropriate driver (NTFS.SYS, FASTFAT.SYS, etc.).

Possibly "something" misrepresents the filesystem and thus, since no known filesystem is recognized, Windows "assumes" that it is an unformatted partition and prompts for formatting it.

It may be something as trivial as a a missing "55AA" signature in the bootsectors up to a serious case of data /filesystem structure corruption.

You may want to try first TESTDISK:
http://www.cgsecurit...g/wiki/TestDisk
to check if the error is solvable by correcting a few values in MBR or bootsector or use PHOTOREC:
http://www.cgsecurit...g/wiki/PhotoRec
to attempt recovering the data "directly".

jaclaz

[puntoMX]

Indeed, you could give it a try, but mostly it's a hardware problem.




I still wish that you can recover your data ngpc.

[ngpc]

Dear Jaclaz,

Thanks very much for your help and resources!

I have tried the TestDisk to scan my problematic USB, TD reported there is a "Invalid FAT Boot sector" after I performed the [Analyse] function.
Then I proceed to do the [Quick Search] and [Deeper Search] function, TD reported structure OK..... I think this is expected as I haven't made any partition for this USB, I just use it for data storage...

Can you further advise what I should do next to solve the problem.... ?

I have also attached the screen of the TD report for reference... Would appreciate if you can further advise......

As the total upload cap. only allow 200k... , so I upload the remaining file in the separate email....

Thanks !
ngpc

Attached File(s)

•  Screen_Capture_of_Test_Disk_Result.doc (131.5K)
  Number of downloads: 14

[ngpc]

Hi Jaclaz,

Here is the second captured screen of TD result...

Thanks !
ngpc

Attached File(s)

•  Screen_Capture_of_Test_Disk_Result_part_2.doc (83.5K)
  Number of downloads: 10

[jaclaz]

From what you posted (second screenshot), it seems to me that you have a "direct" partition i.e. the stick is formattted as super-floppy with no MBR/partition table.

Which usually happens with "brand new" sticks, that are however:

• formatted as FAT32
  
• have 0/0/1 as start sector

From the other screenshot, on the contrary it seems like you you have a single partition FAT16 starting from sector 33 (which would carry as a consequence that you have 32 hidden sectrs and thus a MBR).
It also tells me that you used some formatting utility/method to re-partition/re-format the stick.

Only you can now how the stick was before partitioned/formatted, please post as much information on how the stick it was before (when working) as you can remember.

Also you should read this:
http://www.cgsecurit...sk_Step_By_Step

Try the deeper search, and next time, instead of the screenshots, post testdisk.log (of course you should ALWAYS create a Log at the beginning of each seesion with Testdisk)

Cannot say how much you are familiar with PC/filesystems and more precisely with command lines app, but before starting with the "difficult things" do the following:
Get HD hacker:
http://dimio.altervista.org/eng/
and:

• save first 1 sector of PhysicalDrive to a file named MBR.bin
  
• save first sector of LogicalDrive to a file called BS.bin

make sure to select theright drive!

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.


jaclaz

[ngpc]

HI Jaclaz,

I have used HDHacker to save the MBR of my USB for your analysis...
They are attached...

Here is my USB History:
I bought this USB drive at about year 2006, only for data storage, it is 1G in size.
Due to my work, I always use this USB in other computers for presentation... So sometimes, virus will be detected, while every time, I use Virus Cleaner to scan and clean the virus. It seems work...

From the scanning history, this virus has attacked my USB before
Trojan-GameThief.Win32.Magania.ahrz G:\yfmqo.cmd
And I think Autorun.ini has also infected my USB also... The infection has been occured several times...

As far as I remember, after one virus cleaning operation, I found that I cannot click-to-open the USB directly, a window pop up to ask me " Which software you are going to use to open the file" , I found that this is strange and different from what I have performed in the past....Then I mostly click IE Explorer to open the access the USB and it worked. Therefore, I ignored what happen and keep using the USB without suspecting any MBR problems ....I think this should be the sign of the problem of my USB at the very beginning.....am I right ?

For this USB, I haven't perform any formatting or partitioning actions after my purchase, I just it as data disk once I bought it..
Hope these info. help

Thanks !
ngpc

Attached File(s)

•  File_for_analysis_of_HDHacker_2009_05_21.zip (558bytes)
  Number of downloads: 12

This post has been edited by ngpc: 20 May 2009 - 11:04 PM

[Kelsenellenelvian]

I recently experienced close to the same thing with the autorun virus.

When I attached the drive the AV completly even refused to let windows recognized the whole drive.

[jaclaz]

There are a number of problems in the files you sent.
Basically:

• the MBR code is only partially there
  
• the MBR "Magic Number" Signature is not there
  
• the MBR DATA is - to say the least - "queer":
  Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|Size in bytes
  #0|06|80|0|1|1|255|61|0|32|1.966.137|1.006.662.144
  
  
• both files are identical (which is normal, since the MBR is not recognized Physicaldrive=Logicaldrive)

Next steps:
get the dsfok toolkit:
http://members.ozema...eezip/freeware/
unzip in a new directory, say C:\dsfok
Open a command prompt and navigate to that directory.
You want to make a full image of the stick, so you will need roughly 1 Gb free on your hard disk.
Now, you must be sure that you get the "right" physicaldrive number (if you have just one hard disk, it will be "0", and the USB stick will be "1")
Run following command:

Quote

dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

this will create a byte to byte copy of the stick, the program will print on screen something like:

Quote

OK, 1006695214 bytes, 56.540s, MD5 = 786a48c5db7548a6bf34cb945b62ae75

Jolt down (and post) the bolded part (actual size of the stick).
This way you have a full copy of the stick and we can start working on it without fear of making anything irreparable.
Run again dsfo as follows:

Quote

dsfo \\.\PHYSICALDRIVEn 0 51200 C:\dsfok\USB_100.img

This is a copy of the first 100 sectors of the stick, 51200 bytes in size, that you should compress in a .zip and attach to your next post.

The partition data refers to a 06 i.e. CHS FAT16 partition, starting at sector 33 or sector 64, the first 100 sectors should be enough to see if there are traces of it. (bootsector and start of FAT tables).

jaclaz

[ngpc]

Dear Jaclaz,

Just need to clarify one thing before I performed the copy action because I am not so familiar with that dsfo software..

Do you mean in the below command, I replace the PHYSICALDRIVEn with the number "1" ? as I only have 1 HDD and 1 USB at this moment?
dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

Thanks!
ngpc

[jaclaz]

ngpc, on May 21 2009, 02:02 PM, said:

Dear Jaclaz,

Just need to clarify one thing before I performed the copy action because I am not so familiar with that dsfo software..

Do you mean in the below command, I replace the PHYSICALDRIVEn with the number "1" ? as I only have 1 HDD and 1 USB at this moment?
dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

Thanks!
ngpc

If your USB is Physicaldrive #1, then the line is:
dsfo \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_full.img

but for example if you have one of those multi-card readers, or a virtual disk device installed, this won't be always true.

Do the following:
get beeblebrox:
http://students.cs.byu.edu/~codyb/
try accessing Physicaldrive1 with it (the drop down menu top left).
If you see the same data I posted before:
Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|
#0|06|80|0|1|1|255|61|0|32|1.966.137|

then 1 is the right number.

jaclaz

This post has been edited by jaclaz: 21 May 2009 - 07:17 AM

[ngpc]

Dear Jaclaz,

I finally got it ....

After saving the no. return is 1035206656 bytes.

I have attached the USB_100.IMG file .

Thanks!
ngpc

Attached File(s)

•  usb_100.zip (32.29K)
  Number of downloads: 4

[ngpc]

Hi Jaclaz ,

I just go to the web link you refer
get beeblebrox:
http://students.cs.byu.edu/~codyb/

I see what you mentioned...

Wait to see the next action!
ngpc

[jaclaz]

Got it.

The sectors as saved by dsfo seem MUCH better than the first ones, BOTH MBR and Bootsector appear to be valid.

It is possible that the stick is really suffering from some intermittent malfunctioning.

Try getting IMDISK:
http://www.ltr-data.se/opencode.html
and try mounting the USB_full.img
if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)

Hopefully you should be able to find your data in the image mounted as a volume.

If everything is at it should be, we may try wiping the stick with 00's and re-apply to it the saved image.

If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

jaclaz

[ngpc]

Hi Jaclaz,

I am a bit stuck at here as I am not quite familiar with the technical operation of the IMDISK, can you explain more about it .

I have captured the screenshot for your reference.

After open the ImDisk, the Mount new virtual disk panel ask me to select a Image file, so I choose the USB_full.IMG which I saved in C:\dsfok.
The ImDisk automatically assign some values below the file selection bar after my selection.

So I come up one question,
Do I need to click check for
the box before "Copy image file to memory"
the box before " Removable media" and "Read Only Media"

Then I tried to ignore the check boxes , I click OK, the second screen come up as in the screenshot ImDisk Virtual Disk Driver
Then what should I do next ?

I am not quite understand when will I see something as you mentioned in your email, can you claify a bit:

if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)
Hopefully you should be able to find your data in the image mounted as a volume.
If everything is at it should be, we may try wiping the stick with 00's and re-apply to it the saved image.
If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

Can you further advise , Thanks you!
ngpc

Attached File(s)

•  IMDISK_operation_Question.doc (158K)
  Number of downloads: 3

This post has been edited by ngpc: 22 May 2009 - 02:52 AM

[jaclaz]

It was a caution.

IMDISK is a virtual drive which works at filesystem level (i.e. it mounts only a partition not the whole physical drive).
Thus when you give it a physicaldrive image (with MBR and hidden sectors) it tries to determine by reading the MBR where the partition starts.
Usually it gets the right values, the suggested 32 was in case it did not.
If you look at the screenshot, you can see how you have in third line from top (Image file offset) a value of 0 bytes.
This should be either 32 blocks or 16384 bytes (32*512=16384).
Do not bother for the moment for the other settings.

From the screenshot, the image was successfully mounted as drive G:, BUT since you see the N/A, no filesystem was recognized.

Try unmounting it and re-mounting supplying the given value.
See screenshot:


If we are lucky, you should see in the other IMDISK window instead of the N/A, FAT or FAT16 (cannot remember).

It is possible that while dsfo copied apparently properly the first 100 sectors, a malfunctioning occurred when you made the "full" image.

Try (without actually mounting it) to start the mounting with IMDISK of the USB_100.img, you should have exactly the same situation as the above screenshot.

If the same does not happen with the "full" image, it means that at leastr it's first sectors are not "good" (just as it was no good the first sector you copied with HDhacker.

jaclaz

[ngpc]

Hi Jaclaz,

As I tried again, I can mount the G: dirve with the value 32 in the image file offset row as you mentioned in the first window.
Then what should I do next in the second windows after I click OK in the first window .

I find there is a file G: c:\dsfok\USB_full.img 987.3MB in the second window...
Do I need to "Format" it or something else..

Besides, do you have an MSN account such that I can send my feedback to you and do the adjustment as soon as possible, what do you think about this.? I am open to this...

Thanks!
ngpc

Attached File(s)

•  IMDISK_operation_Question_1.doc (117K)
  Number of downloads: 2

[ngpc]

Hi Jaclaz,

When tried to open the image file , the ImDisk reported that it cannot open the file, see attached screenshot..

Hope this provide more information to you!

Thanks !
ngpc

Attached File(s)

•  IMDISK_operation_Question_2.doc (111.5K)
  Number of downloads: 6