Endpoint Protection


Bloodhound.Boot.String virus Infection

Nagesh Singh, Oct 01, 2012 03:06 PM

  • 1.  Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 01:27 PM

     

    For the last 1 month we have been facing a problem with Bloodhound.Boot.String. We have already run the NTP and done the safe mode scan on all the systems (around 15 systems got infected by the same virus), but it keeps recurring. All the systems are Windows XP.

     

    Please suggest.

    Details:-


    OS: Windows XP Professional
    Virus Name: Bloodhound.Boot.String
    File\Entry: Master Boot Record for Physical drive number 0



  • 2.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 01:45 PM

    You need to do a repair on the MBR. Check this on how to do it:

    http://pcsupport.about.com/od/fixtheproblem/ht/repairmbr.htm

    https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20101021135141EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb



  • 3.  RE: Bloodhound.Boot.String virus Infection

    Broadcom Employee
    Posted Oct 01, 2012 01:48 PM

    Check this article:

    https://www-secure.symantec.com/connect/blogs/how-backup-and-restore-mbr

    You need to clean the boot record.



  • 4.  RE: Bloodhound.Boot.String virus Infection

    Trusted Advisor
    Posted Oct 01, 2012 02:27 PM

    Hello,

    Bloodhound.Boot.String is a heuristic detection for processes based on certain attributes. 

    We suggest that you submit any such files to Symantec Security Response. For instructions on how to do this using Scan and Deliver, read Submit Virus Samples.

    Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

    AND

    I would suggest you run the SERT utility for this issue.

    If you have access to Fileconnect, the SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The Consumer version of this tool is the Norton Bootable Recovery Tool.  The tool is free, so there is no need for a Fileconnect account to download the software.

    Reference:

    Is your system infected? Symantec tools to help clear an infection

    Secondly, I would also suggest you create a case with Symantec Technical Support.

     

    To Create a Case with Symantec Technical Support.

    How to create a new case in MySupport

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:-
     
    Regional Support Telephone Numbers:
     
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000
     

     

    Hope that helps!!



  • 5.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 02:31 PM

    Hi Brian81,

    Thanks, but how can we trace the root cause?

    What could be the reason for it?

    And there are around 15 or more systems at a remote location, so it is very difficult to go with the above steps.

    Is there any other option through which we can solve this case?



  • 6.  RE: Bloodhound.Boot.String virus Infection

    Broadcom Employee
    Posted Oct 01, 2012 02:35 PM

    The boot record itself seems to be affected; I suggest opening a support ticket.



  • 7.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 02:54 PM

    You can use Risk Tracer

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH94526



  • 8.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 03:06 PM

    Tried, but found nothing.



  • 9.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 03:32 PM

    If the MBR has been replaced with an infected one, the only way is to repair it manually.



  • 10.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 01, 2012 10:24 PM

    Thanks Mithun,

    In this case we are not able to find any file. We are getting "Master Boot Record for Physical drive number 0" in the file path, so what should we submit to the security support team?

    Is there any other solution apart from NPE, SERT or MBR recovery?



  • 11.  RE: Bloodhound.Boot.String virus Infection

    Broadcom Employee
    Posted Oct 01, 2012 10:34 PM


  • 12.  RE: Bloodhound.Boot.String virus Infection
    Best Answer

    Trusted Advisor
    Posted Oct 02, 2012 08:40 AM

    Hello,

    To submit the MBR record to the Symantec Security Response, check this Article:

    How to collect Master Boot Record for submission to Symantec Security Response

    http://www.symantec.com/docs/TECH93277

    Hope that helps!!



  • 13.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 07, 2012 05:08 AM

    Hi,

    I have collected the MBR file through MBRutil. Now I want to read it.

    Can you please help me with this?



  • 14.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 07, 2012 05:28 AM

    hi,

    You can submit this file

    I would request you to submit these files to the Symantec Security Team on 

    https://submit.symantec.com/essential

    and 

    http://www.threatexpert.com/submit.aspx

     

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec



  • 15.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 07, 2012 05:31 AM

    Thanks Ashish,

    But if I want to read it, which tools do I have to use?



  • 16.  RE: Bloodhound.Boot.String virus Infection

    Posted Oct 07, 2012 05:42 AM

    Hi,

    Check this non-Symantec document; it may help.

    Easy way to read MBR?

    http://www.miljan.org/main/2007/09/05/easy-way-to-read-mbr/
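
For the question above about reading a collected MBR, an added example (not part of the thread and not a Symantec tool): a Python parser that assumes the dump is a raw 512-byte image of sector 0. It checks the 0x55AA signature, lists the partition entries, and hashes the first 440 bytes of boot code, leaving out the per-disk Windows disk signature, so dumps from several machines can be compared with a known-good reference. `make_sample`, the host names and the filler bytes are constructed for illustration.

```python
import hashlib
import struct

CODE_LEN = 440    # boot code; bytes 440-445 hold the per-disk Windows disk signature
TABLE_OFF = 446   # four 16-byte partition entries
SIG_OFF = 510     # boot signature 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte classic (DOS-style) MBR image."""
    if len(sector) < 512:
        raise ValueError(f"need 512 bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes, start LBA, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[SIG_OFF:512] == b"\x55\xaa",
            "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": parts}

def differing_hosts(dumps: dict, reference: bytes) -> list:
    """Hosts whose boot code hash differs from a known-good reference MBR."""
    good = parse_mbr(reference)["code_sha256"]
    return sorted(h for h, d in dumps.items()
                  if parse_mbr(d)["code_sha256"] != good)

def make_sample(code: bytes, disk_sig: int) -> bytes:
    """Constructed sector: filler 'code', one bootable type-0x07 partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    head = code.ljust(CODE_LEN, b"\x00") + struct.pack("<IH", disk_sig, 0)
    return head + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    reference = make_sample(b"\xfa\x33\xc0", 0x1111AAAA)   # constructed, not real boot code
    dumps = {"pc-01": make_sample(b"\xfa\x33\xc0", 0x2222BBBB),
             "pc-02": make_sample(b"\xeb\x5e\x90", 0x3333CCCC)}
    for host, data in dumps.items():
        print(host, parse_mbr(data))
    print("differs from reference:", differing_hosts(dumps, reference))
```

A real dump would be loaded with `open(path, "rb").read()`; the reference should come from a clean machine with the same Windows version, since boot code differs between OS releases.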



  • 17.  RE: Bloodhound.Boot.String virus Infection

    Broadcom Employee
    Posted Oct 07, 2012 07:09 AM

    Have you submitted the file to Security Response?