Monday, April 30, 2012

S.M.A.R.T Virus (Aleuron.E) hides in a Hidden Partition

Last week a client got the virus that makes it appear that you are having hard disk failures (SMART HDD failure). Normally, removal of this virus has been simple and well documented, as found at reputable websites such as here. And as such, I had removed the virus for the client successfully, or so I thought. A few hours later, he calls me and tells me that his antivirus program, Microsoft Security Essentials, is popping up and capturing the “Aleuron.E” virus, and every time he clicks remove, it pops back up within seconds with the same virus.
Later that day he drops by with the PC in hand and I figure it cannot be that hard; I will simply remove the virus with a rootkit remover.
I proceeded to run the normal tools that I have linked on my site www.cci.net/support. I first tried TDSSKILLER, the amazing and reliable tool, and this time it finds no rootkit. Then I went to McAfee and gave STINGER a try, as I had an occurrence where it found a rootkit when TDSSKILLER did not; still nothing was found. Hmm. I then went through all the tools: Norton Security sweep, Microsoft Scanner, and lastly COMBOFIX. But no positive results; Microsoft AV is still popping up with the "Aleuron.E" virus warning.
So, then I got out the Windows XP CD-ROM, booted from it, and ran FIXMBR, hoping that I could rewrite the master boot record to overwrite the virus, but after the restart, it was still there.
Finally, I brought up the “Disk Manager” in Windows and noticed an “unused” partition at the very end of Drive C. It was very small, well under 100 MB, and did not seem to be formatted or have a drive letter associated with it. But this is where the virus lived. I highlighted the partition and deleted it. I rebooted the PC, did a final sweep with my virus scanner tools, and verified that it was CLEAN.
We can expect to see more viruses using this technique.
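
The check that finally found it can be scripted. The following is an added example, not part of the original post: it parses the MBR partition table and flags a last partition that is under 100 MB and has no NTFS or FAT boot sector, the three traits described above. The function names and the sample disk layout are constructed for illustration.

```python
import struct

SECTOR = 512
SMALL_LIMIT = 100 * 1024 * 1024  # the post's partition was "well under 100mb"

def parse_mbr(mbr):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        # Entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"slot": i, "active": boot == 0x80, "type": ptype,
                          "start": start, "sectors": count})
    return parts

def has_known_fs(vbr):
    """True if the partition's first sector carries an NTFS or FAT signature."""
    return vbr[3:11] == b"NTFS    " or vbr[54:57] == b"FAT" or vbr[82:85] == b"FAT"

def find_trailing_stub(mbr, read_sector):
    """Return the last partition if it is small and unformatted, else None."""
    parts = sorted(parse_mbr(mbr), key=lambda p: p["start"])
    if len(parts) < 2:
        return None
    last = parts[-1]
    small = last["sectors"] * SECTOR < SMALL_LIMIT
    return last if small and not has_known_fs(read_sector(last["start"])) else None

def build_sample(stub_vbr=bytes(SECTOR)):
    """Constructed disk: one large NTFS volume plus a ~10 MB partition at the end."""
    entry = lambda boot, ptype, start, count: struct.pack("<B3xB3xII", boot, ptype, start, count)
    big_start, big_count, stub_count = 63, 156_000_000, 20_000
    stub_start = big_start + big_count
    mbr = (bytes(446) + entry(0x80, 0x07, big_start, big_count)
           + entry(0x00, 0x07, stub_start, stub_count) + bytes(32) + b"\x55\xaa")
    sectors = {big_start: b"\xeb\x52\x90NTFS    " + bytes(501), stub_start: stub_vbr}
    return mbr, lambda lba: sectors.get(lba, bytes(SECTOR))

if __name__ == "__main__":
    mbr, read_sector = build_sample()
    hit = find_trailing_stub(mbr, read_sector)
    print("suspicious trailing partition:", hit)
```

This covers the four primary entries of an MBR disk only; a hit is a reason to inspect the partition from a clean boot environment, since recovery and OEM partitions can also be small.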