12 GB overwritten s...
 
Notifications
Clear all

12 GB overwritten sequentially with "NDpnt" and other gibberish after CHKDSK (AUTOCHK). [sample included]

Heracleides
(@heracleides)
New Member

After a CHKDSK (Windows AUTOCHK booting), Windows could only boot to a BSOD, meaning at least one crucial operating system file must have been damaged, and the recovery DVD could not repair it, meaning that installing a new operating system would be the only way to make the computer work again.

When examining the system partition from a bootable portable operating system, I have found out that the LBA (logical block address) range from approximately 517 to 543 million has been overwritten with gibberish (sample at post bottom), but the rest appears undamaged. 

This happened few years ago, but I still haven't found a plausible explanation.

The HDD is a 750GB 2.5". I don't have the exact model or vendor in mind, but I don't think that matters much. The system partition was a 270GiB NTFS volume with 4 KB cluster size. It occupied ~580 million LBAs after a small recovery partition. This was the default setting.

Examination

The badblocks utility on Linux does not report any errors on the entire drive, which means that the HDD is technically undamaged, and has no sector-level physical or logical errors.

Some files only had damaged parts rather than being fully overwritten by this gibberish, meaning that they must have had fragments that sat on the parts overwritten by this gibberish.

When examining the file fragmentation in a popular Windows shareware data recovery software by a dutch developer (not named directly to avoid sounding promotional which I guess is against the rules; man, I wish there was something similar for native Linux), I saw that some files had upwards of thousands of fragments, many with 4, 8, 12 and 16 KB (low-end multiples of 4KB)! I guess NTFS is designed to handle it well… In comparison, files on an exFAT memory card with 128 KB cluster size rarely exceed two fragments, and ext4 evades fragmentation as much as possible anyway by writing files spread-out.

In this case, the heavy fragmentation, also caused by frequent space shortage, due to my poor file management back then, might have been somewhat of a blessing. While it has obviously lead to more files being damaged, fewer files are completely overwritten in return, though many of those partially damaged files are videos whose intact files are playable, but many can be re-downloaded.

Some files were also home video recordings (I know, operating system partitions are no appropriate stoage location for that stuff, but back then, my file management skills were abysmal), but also for them, the damage is only intermittent rather than total, and they are playable to the most part. (Mobile phones use program stream video, while dedicated camcorders frequently use transport stream. The former requires an intact moov atom, usually located at the end of the file, which is the reason truncated video files may be unplayable.)

As a side note, when trying to grep through a completely overwritten file in Linux terminal, I sometimes get a "Value too large for defined data type" error. But only for some, not all files. Not sure what causes that, but it never happens with intact or only partially damaged files.

That laptop still had pretty good performance before this incident. It also was equipped with an 8 GB SSD (sic.; normal for early 2010s) occupied by ExpressCache.

Gibberish sample

Here is a sample of what said gibberish looks like:

���@�������ˆ���p���D�R�e�a�l�t�e�k� �P�C�I�e� �G�B�E� �F�a�m�i�l�y��	NDpnt�r�o�l� ôOY‚úÿÿ���C�N�\�^�S�2� òOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	�	NDpn��������°ôOY‚úÿÿ�������\�^�����0óOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	��NDw3���������òOY‚úÿÿ@õOY‚úÿÿÔ·PkoóÑìá<nó±Ð×�ÀOÃ5Œ����
���@�������ˆ���p���D�R�e�a�l�t�e�k� �P�C�I�e� �G�B�E� �F�a�m�i�l�y��	NDpnt�r�o�l�ÀõOY‚úÿÿ���C�N�\�^�S�2�@ôOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	�	NDpnàÃ`0����PöOY‚úÿÿ�������\�^�����ÐôOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	��NDw3�������� óOY‚úÿÿàöOY‚úÿÿÔ·PkoóÑìá<nó±Ð×�ÀOÃ5Œ����
���@�������ˆ���p���D�R�e�a�l�t�e�k� �P�C�I�e� �G�B�E� �F�a�m�i�l�y��	NDpnt�r�o�l�`÷OY‚úÿÿ���C�N�\�^�S�2�àõOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	�	NDpn¨øNZ����ð÷OY‚úÿÿ���›��ˆ\�^�����pöOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	��NDw3ø$W����@õOY‚úÿÿ€øOY‚úÿÿÔ·PkoóÑìá<nó±Ð×�ÀOÃ5Œ����
���@�������ˆ���p���D�R�e�a�l�t�e�k� �P�C�I�e� �G�B�E� �F�a�m�i�l�y��	NDpnt�r�o�l��ùOY‚úÿÿ���C�N�\�^�S�2�€÷OY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}����ˆ	�	NDpn°Ÿ*L����ùOY‚úÿÿ�������\�^�����øOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	��NDw3��������àöOY‚úÿÿ úOY‚úÿÿÔ·PkoóÑìá<nó±Ð×�ÀOÃ5Œ����
���@�������ˆ���p���D�R�e�a�l�t�e�k� �P�C�I�e� �G�B�E� �F�a�m�i�l�y��	NDpnt�r�o�l� úOY‚úÿÿ���C�N�\�^�S�2� ùOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	�	NDpn�������0ûOY‚úÿÿ�������\�^�����°ùOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	��NDw3ïÈT#›��ˆ€øOY‚úÿÿÀûOY‚úÿÿÔ·PkoóÑìá<nó±Ð×�ÀOÃ5Œ����
���@�������ˆ���p���D�R�e�a�l�t�e�k� �P�C�I�e� �G�B�E� �F�a�m�i�l�y��	NDpnt�r�o�l�@üOY‚úÿÿ���C�N�\�^�S�2�ÀúOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	�	NDpnðîZ����ÐüOY‚úÿÿ�������\�^�c�k�PûOY‚úÿÿ\�D�e�v�i�c�e�\�{�2�3�8�0�2�0�8�4�-�D�3�8�D�-�4�E�9�3�-�B�4�F�6�-�F�F�2�7�8�4�2�F�3�E�8�A�}�����	��NDw3�������� úOY‚úÿÿ`ýOY‚úÿÿÔ·PkoóÑìá<nó±Ð×�ÀOÃ5Œ����

Noticeably, all of these lines have at least one "NDpnt" and a "NDpn" string, but also slight variations. This made me nickname it the "NDpnt glitch".

Between the unprintable characters, there is "Realtek PCIe GBE Family [con]troller" (part inside square brackets is guessed). But I have no clue where that gibberish comes from, and how come it slightly varies per each line (e.g. after "NDpn").

Does anyone have an idea of what might have caused this strange error?

Quote
Topic starter Posted : 16/05/2021 11:37 pm
Share:
Share to...