We recently discovered session-hijacking malware running on a user's machine. The malware set the browser's proxy settings to localhost:9880, so every web request was routed through a local listener under its control. System Center Endpoint Protection did not flag anything, and even after running Malwarebytes twice (which picked up >60 infections) the issue persisted. Here is what I had to do to rectify it:

  1. In a cmd prompt: netstat -anob (to find out which process was listening on port 9880)
  2. I found a service called ctationalisities
  3. Stop and disable the ctationalisities service
  4. Delete the folder on the C drive from the cmd line: rmdir /s /q "c:\program files (x86)\ctationalisities"
  5. Delete the ctationalisities entries in the registry
  6. Scanned with Malwarebytes and rebooted.
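The same check and the first two cleanup steps, scripted in PowerShell so the port can be tied back to its process and service before anything is stopped. This is an added example, not code from the original post; it assumes the hijacked proxy is localhost:9880 and the service name ctationalisities as observed above, and must be run from an elevated prompt.

```powershell
# Added example (not from the original post): detect the forced local proxy
# described above and map the listening port back to its process and service.
# Assumptions: proxy target is localhost/127.0.0.1 on port 9880 and the service
# is named 'ctationalisities', both as seen in the post. Run elevated.

$Port     = 9880
$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Check the per-user WinINET proxy, which browsers and most apps honour
$proxy = Get-ItemProperty -Path $ProxyKey
if ($proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer -match "(localhost|127\.0\.0\.1):$Port") {
    Write-Warning "Proxy is forced through $($proxy.ProxyServer): traffic is intercepted locally"
} else {
    Write-Host "Proxy looks normal: ProxyEnable=$($proxy.ProxyEnable) ProxyServer='$($proxy.ProxyServer)'"
}

# 2. Who is listening on the port? (equivalent of 'netstat -anob' filtered to one port)
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    # If the PID belongs to a service host, resolve the service name and binary path
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)"
    [pscustomobject]@{
        LocalAddress = $conn.LocalAddress
        Port         = $conn.LocalPort
        PID          = $conn.OwningProcess
        Process      = $proc.Path
        Service      = $svc.Name
        ServicePath  = $svc.PathName
    }
}

# 3. Remediation: clear the forced proxy and stop/disable the offending service.
#    The folder and registry cleanup from the post are deliberately left manual
#    so the binary path reported above can be verified first.
function Remove-ProxyHijack {
    param([string]$ServiceName = 'ctationalisities')
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $ProxyKey -Name ProxyServer -ErrorAction SilentlyContinue
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        Stop-Service -Name $ServiceName -Force
        Set-Service  -Name $ServiceName -StartupType Disabled
    }
}
```

Run the script once to see the listener report, then call Remove-ProxyHijack only after the reported ServicePath confirms it is the unwanted binary.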

Good luck in getting rid of this ridiculous piece of software.
