Virus of the Past Ripper keeps showing up?



Hi ESET Peeps!

I've been having a strange issue the past week. I'm an administrator for our ESET Endpoint service and noticed that I had a PC showing up as infected with an MBR infection known as "Ripper". I've scanned and checked the PC but did not find anything out of the ordinary while physically on it. Yet every day I keep getting the same warning: Ripper keeps showing up every day in threes, found in file:///1, but there's nothing that shows up when sending out a clean request.

I've investigated what this virus might be about, but I can't find anything that's modern. The last known "Ripper" seems to be from 1993 and mainly attacked floppy drives (which this PC does not have whatsoever).

I'm starting to believe this might be a false positive. It's happening on a Windows 7 Pro machine, and the only conclusion I currently have is that it's finding the HP recovery partitions as a possible infection. What can I do to either confirm the infection and clean it, or have this PC ignore the error?


-Xander

Untitled.png


There was a Ripper outbreak (https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html) last year, but it targeted ATMs.

Might be that Eset is identifying something is amiss with the MBR on that particular PC but mislabeling the threat. You can always just repair the MBR to play it safe.



9 hours ago, Peter Randziak said:

Hello Xander,

Can you please paste the appropriate lines from the ESET Endpoint's detected threats log?

Regards, P.R.

Hi Peter!

I'm not sure if these are the lines you're looking for but let me know if this is right:

Quote

Threat Details

COMPUTER NAME: verna-hp.companyname.local
COMPUTER DESCRIPTION:
THREAT NAME: Ripper
THREAT TYPE: virus
SEVERITY: Critical
OCCURRED: 2017 May 17 09:53:27
FIRST SEEN HERE:
THREAT HANDLED: No
RESTART NEEDED: No
ACTION TAKEN:
ACTION ERROR: unable to clean
OBJECT TYPE: boot sector
OBJECT URI: file:///1
CIRCUMSTANCES:
SCANNER: Startup scanner
ENGINE VERSION: 15431 (20170517)
PROCESS NAME:
USER NAME:
HASH:


8 hours ago, itman said:

Might be that Eset is identifying something is amiss with the MBR on that particular PC but mislabeling the threat. You can always just repair the MBR to play it safe.


Sounds like something to try when I can! :)


  • ESET Moderators

Hello Xander,

Or you may dump the boot sector and send it to me via a private message to check.

One of our tools which does it is the ESET Olmarik / Olmasco cleaner: https://download.eset.com/com/eset/tools/cleaners/olmarik_olmasco/latest/esetolmarikolmascocleaner.exe

Just run it and take the logs produced by it.

Regards, P.R.


Hi Peter!

Apologies for the delay, but I've had a chance to run the tool you've linked. It came back stating that Olmarik/Olmasco was not found on the system. Attached is a screenshot and the logs created by it.

By chance, what's the safest way for me to dump that MBR log? I'm mainly getting search results pointing to TestDisk, but I'm not 100% comfortable with it since I know of its destructive power in the wrong hands. Is it still necessary in this case?

Untitled.png

esetolmarikolmascocleaner.exe_20170522.141902.4868.log

esetolmarikolmascocleaner.exe_20170522.141902.4868.zip
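The question above is how to take a boot-sector dump safely, i.e. without a partitioning tool that can also write to the disk. The script below is an added example, not ESET's tool and not code from anyone in this thread: it only ever opens the device read-only, reads the first 512-byte sector, decodes the MBR partition table, and hashes the boot-code area so that dumps taken on different days can be compared (a scanner that alerts every day on a sector whose hash never changes is alerting on static content, which is useful to tell the vendor) or sent to a researcher without shipping the whole disk. The sample sector, the disk signature value and the partition layout are constructed for offline testing; the device path names in the comments are the usual raw-disk paths and assume an elevated prompt.

```python
"""Read-only MBR inspection helper (added example; not ESET's tool or code from this thread)."""
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # boot signature expected at offset 510
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the boot code and disk signature
PARTITION_ENTRY = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR for offline testing; NOT a dump of a real disk.
    The boot-code area is all zeros, the disk signature is a made-up value, and
    one active NTFS-type (0x07) partition starts at LBA 2048."""
    boot_code = bytes(440)
    disk_signature = struct.pack("<I", 0x12345678)   # constructed value
    reserved = b"\x00\x00"
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 409600)
    return boot_code + disk_signature + reserved + entry + bytes(16) * 3 + MBR_SIGNATURE


def read_first_sector(path: str) -> bytes:
    """Read only the first sector of a device or image, opened read-only.
    On Windows the raw disk is r"\\\\.\\PhysicalDrive0" (elevated prompt needed);
    on Linux it is a device such as /dev/sda. Nothing is ever written."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and hash the boot-code area so the sector can
    be compared between dumps or reported to a vendor."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            PARTITION_ENTRY, sector, offset)
        if ptype == 0:      # empty table slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "boot_code_all_zero": not any(sector[:440]),
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
    }


def mbr_changed(previous: bytes, current: bytes) -> bool:
    """True if the boot-code area differs between two dumps. Comparing a dump
    from one day with the next shows whether the flagged sector is actually
    being modified or whether the scanner keeps alerting on unchanged bytes."""
    return previous[:440] != current[:440]


if __name__ == "__main__":
    # Swap build_sample_mbr() for read_first_sector(r"\\.\PhysicalDrive0") on a real machine.
    info = parse_mbr(build_sample_mbr())
    print("boot signature present:", info["signature_ok"])
    for part in info["partitions"]:
        print(f"partition {part['index']}: type 0x{part['type']:02x}, "
              f"bootable={part['bootable']}, LBA {part['lba_start']} ({part['sectors']} sectors)")
    print("boot code sha256:", info["boot_code_sha256"])
```

Because the script reads exactly one sector and never opens the device for writing, it can be run on the affected PC without the risk that makes TestDisk uncomfortable; the hashes it prints are what to keep from day to day and what to paste into a support ticket.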


  • ESET Moderators

Hello Xander,

Thank you for the logs (I recommended that tool because it dumps the boot sector, not to actually check Olmarik / Olmasco presence on that system). I will check them with the Malware research lab and let you know; it may take some time.

Regards, P.R.


This topic is now closed to further replies.