Restoring MBR, partition table, and boot sector of memory card without data loss ("USBC")

data-recovery mbr fat32 memory-card bootsector
37,535

Solution 1

The first tool you should try for MBR/partition table recovery is testdisk, which has a good documentation and is easy to use. I suggest reading this guide.

Solution 2

I have experienced the same issue. This is not a virus. It's a electronic failure in the memory card reader (at least in my case).

After formatting I have tried to use another card on this computer using another memory card reader without any problem. However, when I insert another memory card with the suspected memory card reader it immediately corrupted it.

Solution 3

I have had and I have again the same problem.

I have external USB HDD from ADATA type NH92. It is formatted as NTFS. Once I discovered that some files are missing and later more and more files were lost. Finally disk was corrupted and Windows requested to format it. I reformatted HDD 2 or 3 times, due problems repeated then I claimed the disk.

New HDD worked a half of year without any issue. Then problems started again. I have discovered using WinHex disk editor that Master Boot record is corrupted. I studied NTFS. I restored Boot record by copying from the other HDD with the same capacity, partitions and NTFS. I verified MFT location. I saw first sector of the table starts with USBC signature. Others MFT files records had the same first sector signature and rest of sector has couple of other bytes and then continue with zeros. I found out that each sector with signature has shifted data to second half of sector. So I moved this data back to original location and did check disk. HDD was recovered. Two weeks later the same happened. I checked PC by antivirus without any result. I used 3 different programs include McAfee. No result. Virus wasn´t found.

I supposed virus is focused on NTFS so I reformatted HDD to FAT32. After some time period some sectors were overwritten by USBC signature again and HDD file system was destroyed. I sent PC to manufacturer, it was fully reformatted and Windows was reinstalled. Also I reformatted HDD and created two logical partitions with same data to have backup.

Today I have problem again. I discovered that second logical disk is destroyed. I checked HDD by winHex and I have found out that also logical disk which looks OK, has more as 100 sectors with USBC signature but all files records in MFT are still OK. I suppose also this logical disk will be destroyed soon.

Interesting point is that ADATA NH92 HDD has problems only and on this PC only. I used ADATA NH92 on other PC without problem; I used other HDD on this PC without problem, too. I am going to do long term observation to use on this PC permanently other HDD and to use ADATA NH92 on different PC only.

Time to time I will search both HDDs for sector signature. So I will see.

Regards, Michal

Share:
37,535
Synetech
Author by

Synetech

Sadly, I’ve become soured by the SE network. It started great, but went downhill. Some mods are too aggressive/bias, policies are arbitrarily/capriciously/selectively applied, and some users treat the sites as MMOGs, “rep-whoring”, copying others’ work, and posting random guesses to game the system by abusing and exploiting auto-bounty assignment. I care(d) about the integrity of the site, so I feel anywhere that allows such disreputable behavior isn’t somewhere worth staying. My OCD not withstanding, I won’t be contributing much here anymore and will find somewhere else to help people. I apologize to all of the people I would have helped here in the future. Press the chemise key to continue… 😈 Images As a visual-learner, I often add images to my posts to make them more effective. Sometimes I take photos, sometimes I create them with software, sometimes I find them through Google Images or Wikipedia. Mod I’ve been asked hey bro, y u no b mod? get u POWR! impr0ve site (or some other variation). I had considered it and was even tempted to run a few times, but I just have too much to do already, so I can’t take on that kind of commitment when I know I won’t be able to do as good a job as I’d like, or as Sweet Brown would say, ain’t nobody got time fo’ dat. Besides, as the behavior of the other mods became more and more apparent, I realized that it would be pointless.

Updated on September 18, 2022

Comments

  • Synetech
    Synetech almost 2 years

    Abstract

    I have a FAT32 memory card that when inserted into a computer causes Windows to prompt to format it. The card is definitely not supposed to be blank and has a bunch of files on it.

    Symptoms

    Using a hex-editor/disk-viewer, I examined the card and found that several sectors/clusters have been overwritten with something that has a signature of USBC at the start of the sector. Specifically, the master boot record (and partition table) is gone (hence Windows thinking the card is blank and needing to be formatted), as are the boot sectors (they have the USBC signature and a volume label of NO NAME and partition type of FAT32).

    Fortunately, it looks like both copies of the FAT are almost entirely intact (a few FAT entries at the start of a cluster here and there seem to be overwritten by USBC). The root directory is also nearly intact—I can see the volume label entry and subdirectory listings, but one sector is overwritten. (There are no more instances of USBC after the last one in the FAT2.)

    Hypothesis

    These observations seem to indicate some sort of virus that erases a few key filesystem structures, and then overwrites a few extra sectors here and there. Googling it seems to corroborate the idea of a virus, except that others report a file called USBC which does not apply here, and in fact, could not be possible since there is no filesystem to even see files. I cannot find any information about a virus with these symptoms, nor a removal tool. (I can't help but wonder if it is actually due to an autorun virus prevention tool.)

    Question

    I can likely fix the FAT corruption since they are mostly contiguous chains and maybe even the lost sector of the root directory, but does anyone know of a convenient way to restore or (re)create the MBR/partition table and boot sectors (without formatting or overwriting the data)?

    • Admin
      Admin over 11 years
      Experienced in bugs.gentoo.org/show_bug.cgi?id=409565 as well.
    • Admin
      Admin over 11 years
      Thanks for the link (specifically the relevant comment). Mine was a memory card, not a flash-drive, but they are effectively the same. Moreover, while I don’t recall exactly, I would not be surprised if the circumstances mentioned in that thread (removing a card/drive while the laptop is asleep) did indeed occur at some point for me. This new information makes this question all the more important.
    • Admin
      Admin almost 11 years
      Odd that this question got another up-vote this week since it happened to me again recently. I plugged a 2GB SD card into a card-reader (a cheap Chinese one I bought on eBay for a few cents and have been using without issue for a couple of years), and plugged that into the laptop, as I had done many times. Last week, I was only able to read from it; the write function was broken and treated all cards are read-only. The other night, it would not light the LED or register the removable drive in Windows until I removed the card. Obviously it has trouble with the card connector.
    • Admin
      Admin almost 11 years
      I then tried another, similar card-reader which did light the LED, let me read the card, and let me write to it. Unfortunately, not long afterwards, it showed a couple of very large junk files that could/should not have existed (they did not even register when I checked the disk-usage). I used the safely-remove-device function to eject the card(reader) and unplugged-replugged it in. Windows now informs me that it is unformatted. I opened it in a disk editor and sure enough, the MBR is gone and overwritten by gibberish that starts with the string USBC.
    • Admin
      Admin almost 11 years
      I have made a sector-dump of the card (fortunately only 2GB) and used PhotoRec to extract the files and a hex-editor to extract the directory entries. I may be able to “restore” most of the card like last time, after a bunch of work but fortunately this one only had a few, large-ish, reproducible/downloadable files (still hours of work). Obviously these cheap, Chinese readers are crap and unreliable (same error with 2-3 readers and 2-3 cards). They can/do corrupt your data. I highly recommend against using them (other than maybe to rip out the connector for use in electronics projects).
    • Admin
      Admin over 9 years
      It happened again recently; another card had the USBC corruption. I had specifically gone out of my way to avoid modifying the card because I had accidentally deleted some files and wanted to avoid overwriting anything on it. Yet somehow, the card suddenly became corrupted (fortunately I had cloned it first). The write-protect switch was useless because the reader I was using was another cheap Chinese reader from eBay which seemed good (certainly much better than the previously used rubbish one), but it did the same thing. Cheap Chinese card-readers are trash and should be avoided!!!
    • Admin
      Admin about 4 years
      Very (very very) late to the party, but ran into a similar issue a few days ago. I implemented a solution in my software. Would love to get images of such memory cards to further fine tune, if possible. I know .. a tad late .. but you never know.
    • Admin
      Admin about 4 years
      @Peter, then I guess it's a good thing I kept a disk image huh? I've uploaded a copy of it. It includes the MBR, FAT, and the first directory entry of the root (it's the volume-label). There's also 4MB of (almost complete) nulls at the start because everything got shifted down 4MB from the corruption.
    • Admin
      Admin about 4 years
      Thanks for that @Synetech I could immediately detect the corruption in the boot sector and in the two FATs. (and work around it - though one FAT block remains bad then) The root appears OK, yet empty. The 4MB shift is normal, it's because the MBR (block 0) says the partition starts there. The MBR is not corrupt btw. Thanks for that ! If you have other images with file content, let me know and I'll have a look.
    • Admin
      Admin about 4 years
      I don't seem to have any others, but I could probably create some by using cheap Chinese card-readers and USB hubs from eBay for a bit. I'll see if I still have any, and see if I can trigger it.
    • Admin
      Admin about 3 years
  • Synetech
    Synetech about 12 years
    I already tried it, but it could not find any partitions. I don't agree about the easy-to-use comment, but the example in the documentation looks a bit promising (it seems to focus more on NTFS partitions on a hard-drive). I'll give it another go.
  • Synetech
    Synetech over 11 years
    I’m thinking about writing a full how-to article on this, but that card has since been wiped and the recovered files copied back, so I don’t know if I can remember the technical details necessary for it.
  • slm
    slm about 11 years
    Hi and Welcome to Super User! Please read the How to Answer a Question Guide. This site is a Q&A site not a forum.
  • quetzalcoatl
    quetzalcoatl about 11 years
    Hello. A friend of mine has exactly the same ADATA NH92 drive with exactly the same problem: after some time his drive gets 'damaged' and the OS refuses to see the partitions. The damage is always the same: the MBR is damaged. Solution is always the same: run TestDisk, and restore MBR from the backup copy. Those "shifted sectors" that you observed is actually a backup of the MBR that every disk holds "just in case". After several such malfunctions I've started to collect images and investigate them. Just like in your case, the MBR was overwritten with an almost-empty block with "USBC" sig.
  • quetzalcoatl
    quetzalcoatl about 11 years
    His drive is in FAT32. Thank you for the notice about NTFS. I was going to suggest him to convert to that system, but from your notes it's clear that it will not help. From my observations, it seemed like a virus (checked thorougly with 3 a-virs, found nothing), but considering that you see the problem with the same exact HDD model, it starts looking like a windows driver failure, or a hardware controller/firmware bug. BTW. my friend that owns the hdd uses WinXP. Unfortunatelly, the machine is several cities away, so I can't investigate it easily :/ Have you found anything new recently?
  • quetzalcoatl
    quetzalcoatl about 11 years
    Eh.. I've mistaken the acronyms. Not MBR was damaged, but BootSector (BS). Here's a similar topic, also on NH92: elektroda.pl/rtvforum/viewtopic.php?p=12450122#12450122 These drives seems to have a problem..
  • quetzalcoatl
    quetzalcoatl about 11 years
    I've looked around a bit more, and found out what is the USBC marker: it's a header from SCSI-over-USB protocol. There's not much to be said more, but you may want to read: quetzalcoatl-pl.blogspot.com/2013/06/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

how to recover damaged memory card with the help of Ubuntu?
Accidentally formatted ext4 partition
Is it possible to recover data after GPT to MBR conversion and repartitioning?
Why can't windows boot from fat32 formatted USB on BIOS computer?
Windows 8: How much bad blocks are there in USB flash drive?
Data recovery needed with a Sector Zero problem on a HDD
Why is my sd card only readable in the camera but not in the computer?
Best alternatives to recover lost directories in FAT32 external hard drive?
Recovering damaged external hard disk by installing internally
Get contents of ddrescue image file