
Remove Malware http://realtime.services.disqus.com

Created: 19 Dec 2012 • Updated: 20 Dec 2012 | 9 comments

Dear All,

I use Symantec Endpoint Protection Version 12.x.x.x for my office. I have a problem with a trojan that accesses the URL http://realtime.services.disqus.com/api/2/thread/; all computer users in my office access this URL, and it is high traffic, because in the squid log this URL is accessed continuously.

This is my squid log:

.....

1355980497.949      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.951      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.952      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.955      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.955      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.956      1 172.16.64.143 TCP_IMS_HIT/304 288 GET http://www.gstatic.com/bg/vCt3jT-yDKiibCfPvg7VU88K... - NONE/- text/javascript
1355980497.959      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.962      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.963      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.966      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.968      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.970      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.971      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
 
....
....
....
 
Okay... Thanks
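Before treating this kind of traffic as an infection it helps to measure it. The following triage helper is an added example, not code from the thread or from Symantec's tools. It assumes squid's native access.log format (the layout shown above), uses a constructed sample modelled on the posted lines (thread ids and paths are made up), and groups requests by client IP and destination host so you can see the request count, the spacing between requests, the cache-hit ratio and how many distinct URLs and response sizes are involved. A page left open in a browser that polls a comment service tends to produce rapid, cached, near-identical requests; the thresholds in classify() are assumed starting points for that distinction, not a verdict on the client.

```python
"""Triage helper for squid access.log lines (added example, not from the thread)."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# squid native access.log layout (one request per line):
#   time elapsed client code/status bytes method URL ident hier/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# Constructed sample modelled on the post; thread ids, query strings and the
# gstatic path are made up, timestamps and clients follow the posted lines.
SAMPLE_LOG = """\
1355980497.949      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/?cursor=0 - NONE/- application/json
1355980497.951      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/?cursor=0 - NONE/- application/json
1355980497.952      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/?cursor=0 - NONE/- application/json
1355980497.955      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/?cursor=0 - NONE/- application/json
1355980497.955      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/?cursor=0 - NONE/- application/json
1355980497.956      1 172.16.64.143 TCP_IMS_HIT/304 288 GET http://www.gstatic.com/bg/vCt3jT.js - NONE/- text/javascript
1355980497.959      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/?cursor=0 - NONE/- application/json
1355980497.962      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/?cursor=0 - NONE/- application/json
1355980497.963      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/?cursor=0 - NONE/- application/json
1355980497.966      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/?cursor=0 - NONE/- application/json
1355980497.968      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/?cursor=0 - NONE/- application/json
1355980497.970      0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/?cursor=0 - NONE/- application/json
1355980497.971      0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/?cursor=0 - NONE/- application/json
"""


def parse_line(line):
    """Return a dict for one squid native log line, or None if it does not match."""
    m = SQUID_LINE.match(line)
    if not m:
        return None  # logformat can be customised; unknown lines are skipped, not guessed
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or "?"
    return rec


def summarize(lines):
    """Group requests by (client, host) and describe each group's shape."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["host"])].append(rec)
    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        # gap between consecutive requests in whole milliseconds
        gaps_ms = [round((b["ts"] - a["ts"]) * 1000) for a, b in zip(recs, recs[1:])]
        hits = sum(1 for r in recs if r["code"].endswith("_HIT"))
        summary[key] = {
            "requests": len(recs),
            "median_gap_ms": statistics.median(gaps_ms) if gaps_ms else None,
            "cache_hit_ratio": hits / len(recs),
            "distinct_urls": len({r["url"] for r in recs}),
            "distinct_sizes": len({r["bytes"] for r in recs}),
        }
    return summary


def classify(stats, max_gap_ms=1000, min_requests=5):
    """Heuristic label (thresholds are assumptions). A 'polling loop' result is a
    reason to look at the client's open pages and browser add-ons, not a diagnosis."""
    if stats["requests"] < min_requests:
        return "too few requests to judge"
    gap = stats["median_gap_ms"]
    if (gap is not None and gap <= max_gap_ms and stats["cache_hit_ratio"] >= 0.9
            and stats["distinct_urls"] <= 2 and stats["distinct_sizes"] == 1):
        return "polling loop: rapid, cached, near-identical requests"
    return "varied traffic: review URLs and response sizes"


def report(log_text):
    """Summarise every (client, host) pair in the log text and attach a verdict."""
    summary = summarize(log_text.splitlines())
    return {key: dict(stats, verdict=classify(stats)) for key, stats in summary.items()}


if __name__ == "__main__":
    for (client, host), stats in sorted(report(SAMPLE_LOG).items()):
        print(f"{client:15} {host:32} n={stats['requests']:3} "
              f"gap={stats['median_gap_ms']}ms hit={stats['cache_hit_ratio']:.2f} "
              f"urls={stats['distinct_urls']} -> {stats['verdict']}")
```

On the sample both office clients come out as a handful of identical, cache-served requests a few milliseconds apart, which is the signature of a page polling in the background rather than of a download or beacon to varied URLs. To use it on a real log, feed `report()` the contents of access.log and then check the flagged client machines for open pages that embed that comment service before assuming malware.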
 


Chetan Savade:

Hi,

Could you please confirm the name of the Trojan?

Is SEP detecting it? Do you see any action taken against it?

Make sure the SEP clients are updated with the latest definitions and the machines have the latest Microsoft patches and service packs.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Moh Johan Rajabi:

I don't know the name of the trojan, because SEP does not detect this trojan. And the SEP clients use the latest definitions, and the machines have the latest Microsoft patches and service packs.

 

James007:

Hi Moh,

If Symantec antivirus does not detect the virus, you can submit the file to Symantec:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

More information

https://www-secure.symantec.com/connect/forums/whats-process-submit

.Brian:

Run a full scan in safe mode with latest defs on one of the affected machines.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma:

Hi,

I agree with the above comments.

You can try the Symantec tool:

Is your system infected? Symantec tools to help clear an infection

 

https://www-secure.symantec.com/connect/forums/rem...

 

Thanks In Advance

Ashish Sharma

sandra.g:

Disqus is used for commenting systems on many reputable websites. Is the traffic to this site the only thing that makes you think there's a trojan, or is there other suspicious behaviour? (Is it possible your end users are visiting and heavily commenting on one or more websites?)

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps

cus000:

Never heard of this... but have you checked the browser add-ons?

It could be an unwanted one...

Ashish-Sharma:

Hi Moh,

If there are any suspicious files that Symantec antivirus does not detect, you can submit the files to Symantec:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Thanks In Advance

Ashish Sharma