
Bloodhound.Boot.String virus Infection

Created: 01 Oct 2012 • Updated: 27 Nov 2012 | 16 comments
This issue has been solved. See solution.

For the last month we have been facing a problem with Bloodhound.Boot.String. We have already run the NTP and done the safe mode scan on all the systems (around 15 systems got infected by the same virus), but it keeps reoccurring. All the systems are Windows XP.

Please suggest.

Details:-

OS
Windows XP Professional

Virus Name
Bloodhound.Boot.String

File\Entry

Master Boot Record for Physical drive number 0


.Brian's picture

You need to do a repair on the MBR. Check this on how to do it:

http://pcsupport.about.com/od/fixtheproblem/ht/rep...

https://www-secure.symantec.com/norton-support/jsp...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Bloodhound.Boot.String is a heuristic detection for processes based on certain attributes. 

We suggest that you submit any such files to Symantec Security Response. For instructions on how to do this using Scan and Deliver, read Submit Virus Samples.

Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

AND

I would suggest that you run the SERT utility for this issue.

If you have access to Fileconnect, the SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The Consumer version of this tool is the Norton Bootable Recovery Tool.  The tool is free, so there is no need for a Fileconnect account to download the software.

Reference:

Is your system infected? Symantec tools to help clear an infection

Secondly, I would also suggest that you create a case with Symantec Technical Support.

To Create a Case with Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-
 
Regional Support Telephone Numbers:
 
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
 

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Nagesh Singh's picture

Hi Brian81,

Thanks, but how can we trace the root cause?

What could be the reason for it?

And there are around 15 or more systems at remote locations, so it is very difficult to go with the above steps.

Is there any other option through which we can solve this case?

Thanks & Regards,

Nagesh Singh

.Brian's picture

You can use Risk Tracer

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?pag...


Nagesh Singh's picture

Tried but found nothing.

Thanks & Regards,

Nagesh Singh

.Brian's picture

If the MBR has been replaced with an infected one, the only way is to manually repair.


pete_4u2002's picture

The boot record itself seems to be affected; I suggest opening a support ticket.

Nagesh Singh's picture

Thanks Mithun,

In this case we are not able to find any file. We are getting "Master Boot Record for Physical drive number 0" in the file path, so what should we submit to the security support team?

Is there any other solution apart from NPE or SERT or MBR recovery?

Thanks & Regards,

Nagesh Singh

Mithun Sanghavi's picture

Hello,

To submit the MBR record to the Symantec Security Response, check this Article:

How to collect Master Boot Record for submission to Symantec Security Response

http://www.symantec.com/docs/TECH93277

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


SOLUTION
Nagesh Singh's picture

Hi,

I have collected the MBR file through MBRutil. Now I want to read it.

Can you please help me with this?

Thanks & Regards,

Nagesh Singh

Ashish-Sharma's picture

Hi,

You can submit this file.

I would request that you submit these files to the Symantec Security Team at

https://submit.symantec.com/essential

and 

http://www.threatexpert.com/submit.aspx

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Thanks In Advance

Ashish Sharma

Nagesh Singh's picture

Thanks Ashish,

But if I want to read it, which tools do I have to use?

Thanks & Regards,

Nagesh Singh

Ashish-Sharma's picture

Hi,

Check this non-Symantec document; it may help.

Easy way to read MBR?

http://www.miljan.org/main/2007/09/05/easy-way-to-read-mbr/

Thanks In Advance

Ashish Sharma
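
For the question of how to read a collected MBR, here is an added example (not part of the original thread and not Symantec code). It assumes the collected file is a raw 512-byte copy of sector 0; the function names and sample bytes are constructed for illustration. It checks the boot signature, decodes the four partition entries, and hashes the bootstrap code so dumps from several machines can be compared with a known-good one.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into signature check, boot-code hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:       # type 0x00 marks an unused slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def differs_from_baseline(sector: bytes, baseline: bytes) -> bool:
    """True when the bootstrap code differs from a known-good dump of the same OS build."""
    return parse_mbr(sector)["boot_code_sha256"] != parse_mbr(baseline)["boot_code_sha256"]


def make_sample(boot_code: bytes) -> bytes:
    """Constructed sample: one active NTFS (0x07) partition starting at LBA 63."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20964762)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48)
    return body + b"\x55\xaa"


if __name__ == "__main__":
    clean = make_sample(b"\x33\xc0\x8e\xd0")     # constructed placeholder bytes
    suspect = make_sample(b"\xeb\x3c\x90\x00")   # same table, different boot code
    print(parse_mbr(clean))
    print("boot code changed:", differs_from_baseline(suspect, clean))
```

A differing hash only shows that the bootstrap code is not the same as the baseline; the baseline has to come from a clean machine with the same OS and partitioning tool.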