Xander0311 Posted May 15, 2017

Hi ESET Peeps! I've been having a strange issue the past week. I'm an administrator for our ESET Endpoint service and noticed that I had a PC showing up as infected with an MBR infection known as "Ripper". I've scanned and checked the PC but did not find anything out of the ordinary while physically on it. Yet, every day I keep getting the same warning: Ripper keeps showing up every day in threes, found in file:///1, but there's nothing that shows up when sending out a clean request. I've investigated what this virus might be about, but I can't find anything that's modern. The last known "Ripper" seems to be from 1993 and mainly attacked floppy drives (which this PC does not have whatsoever). I'm starting to believe this might be a false positive. It's happening on a Windows 7 Pro machine, and the only conclusion I currently have is that it's finding the HP recovery partitions as a possible infection? What can I do to either confirm the infection and clean it, or have this PC ignore the error? -Xander
Peter Randziak (ESET Moderator) Posted May 18, 2017

Hello Xander, can you please paste the appropriate lines from the ESET Endpoint's detected threats log? Regards, P.R.
itman Posted May 18, 2017

There was a Ripper outbreak last year (https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html), but it targeted ATMs. Might be that Eset is identifying something is amiss with the MBR on that particular PC but mislabeling the threat. You can always just repair the MBR to play it safe.
Xander0311 (Author) Posted May 18, 2017

Quoting Peter Randziak (9 hours ago): "Hello Xander, can you please paste the appropriate lines from the ESET Endpoint's detected threats log? Regards, P.R."

Hi Peter! I'm not sure if these are the lines you're looking for, but let me know if this is right:

Threat Details
  COMPUTER NAME: verna-hp.companyname.local
  COMPUTER DESCRIPTION:
  THREAT NAME: Ripper
  THREAT TYPE: virus
  SEVERITY: Critical
  OCCURRED: 2017 May 17 09:53:27
  FIRST SEEN HERE:
  THREAT HANDLED: No
  RESTART NEEDED: No
  ACTION TAKEN:
  ACTION ERROR: unable to clean
  OBJECT TYPE: boot sector
  OBJECT URI: file:///1
  CIRCUMSTANCES:
  SCANNER: Startup scanner
  ENGINE VERSION: 15431 (20170517)
  PROCESS NAME:
  USER NAME:
  HASH:

Quoting itman (8 hours ago): "Might be that Eset is identifying something is amiss with the MBR on that particular PC but mislabeling the threat. You can always just repair the MBR to play it safe."

Sounds like something to try when I can!
Peter Randziak (ESET Moderator) Posted May 19, 2017

Hello Xander, or you may dump the boot sector and send it to me via a private message to check. One of our tools which does it is the ESET Olmarik / Olmasco cleaner (https://download.eset.com/com/eset/tools/cleaners/olmarik_olmasco/latest/esetolmarikolmascocleaner.exe); just run it and take the logs produced by it. Regards, P.R.
Xander0311 (Author) Posted May 19, 2017

Thank you Peter! Will report back with the log soon.
Xander0311 (Author) Posted May 22, 2017

Hi Peter! Apologies for the delay, but I've had a chance to run the tool you linked. It came back stating that Olmarik/Olmasco was not found on the system. Attached is a screenshot and the logs created by it. By chance, what's the safest way for me to dump that MBR log? I'm mainly getting search results that say to use TestDisk, but I'm not 100% comfortable with it since I know of its destructive power in the wrong hands. Is it still necessary in this case?

Attachments: esetolmarikolmascocleaner.exe_20170522.141902.4868.log, esetolmarikolmascocleaner.exe_20170522.141902.4868.zip
Peter Randziak (ESET Moderator) Posted May 25, 2017

Hello Xander, thank you for the logs (I recommended that tool because it dumps the boot sector, not to actually check for Olmarik / Olmasco presence on that system). I will check them with the Malware research lab and let you know; it may take some time. Regards, P.R.
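Xander asked for the safest way to dump the MBR for analysis and Peter confirmed the cleaner is used here only for its boot-sector dump. As an added example that is not from this thread, from ESET or from any of its tools, the snippet below reads the first 512-byte sector of a disk strictly read-only (no writes to the device), saves it to a file, and parses it: it checks the 0x55AA signature, lists the four partition entries (so an HP/Compaq-style hidden partition shows up by its type ID), and hashes the bootstrap code so the dump can be compared or submitted. The device path and the small type-ID table are assumptions; the sample sector is constructed, not a real dump.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
# Small subset of MBR partition type IDs (assumption: enough for a first look).
# 0x12 is the type commonly used for Compaq/HP diagnostic and recovery partitions.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x12: "Compaq/HP diagnostics", 0x27: "Hidden NTFS (Windows RE)"}


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: signature check, bootstrap hash, partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        # Entry layout: status(1) CHS-first(3) type(1) CHS-last(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "type_name": PART_TYPES.get(ptype, "unknown"),
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == MBR_SIGNATURE,
            "bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}


def dump_boot_sector(device_path: str, out_path: str) -> dict:
    """Copy the first sector of a raw device to a file and parse it.
    Opened with 'rb' only, so the disk itself is never written.
    Assumed device path on Windows: r'\\\\.\\PhysicalDrive0' (needs an elevated prompt)."""
    with open(device_path, "rb") as dev:
        sector = dev.read(SECTOR_SIZE)
    with open(out_path, "wb") as out:
        out.write(sector)
    return parse_mbr(sector)


def constructed_sample_mbr() -> bytes:
    """Constructed sample (not a real dump): filler boot code, a bootable NTFS
    system partition and a hidden 0x12-type diagnostics partition."""
    boot_code = b"\xEB\xFE" + b"\x90" * 444            # 'jmp $' plus NOP filler, 446 bytes
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 409600)
    entry2 = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x12, b"\0\0\0", 411648, 32768)
    return boot_code + entry1 + entry2 + b"\x00" * 32 + MBR_SIGNATURE
```

A missing 0x55AA signature or a partition table that does not match what Disk Management shows is the first thing to compare against the dump the cleaner produced.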