We recently discovered session hijacking malware running on a user’s machine. What the malware would do is set your browser’s proxy settings to localhost:9880. System Center Endpoint protection did not pick up that anything was amiss, and even after running Malwarebytes twice (picking up >60 infections) the issue persisted. Here is what I had to do to rectify it:
- In cmd prompt: netstat -anob (to find out which app was listening on the port 9880)
- I found a service called ctationalisities
- Stop and disable the ctationalisities service
- Delete the folder on the c drive from cmd line (rmdir /s /q "c:\program files(x86)\ctationalisities")
- Delete ctationalisities entries in the registry
- Scanned with Malwarebytes and rebooted.
Good luck in getting rid of this ridiculous piece of software.
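As an added, read-only triage script (not the original poster's), this checks for the indicators described above, a user proxy pointed at localhost:9880, a listener on that port mapped to its process and service, and service registry keys or a Program Files (x86) folder carrying the name, without changing anything; it assumes PowerShell on Windows 8 / Server 2012 or later for Get-NetTCPConnection, and the Program Files (x86) location is taken from the rmdir step.

```powershell
# Added triage script (not the original poster's). Read-only: it reports the
# indicators described in the post and changes nothing. Run from an elevated
# PowerShell prompt on Windows 8 / Server 2012 or later (Get-NetTCPConnection).
param(
    [int]$SuspectPort    = 9880,               # proxy port named in the post
    [string]$SuspectName = 'ctationalisities'  # service / folder name from the post
)

$findings = @()

# 1. WinINET proxy for the current user (honoured by IE, Edge and Chrome).
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -Name ProxyEnable, ProxyServer -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1 -and
    $proxy.ProxyServer -match "(localhost|127\.0\.0\.1):$SuspectPort") {
    $findings += "User proxy is enabled and points at '$($proxy.ProxyServer)'"
}

# 2. Listener on the suspect port, mapped to its process image and hosting service.
foreach ($conn in (Get-NetTCPConnection -LocalPort $SuspectPort -State Listen -ErrorAction SilentlyContinue)) {
    $procId = $conn.OwningProcess
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $svc    = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"
    $line   = "PID $procId ($($proc.Path)) is listening on TCP $SuspectPort"
    if ($svc) { $line += "; hosted service(s): " + (@($svc | Select-Object -ExpandProperty Name) -join ', ') }
    $findings += $line
}

# 3. Service registry keys whose name contains the suspect string, with their ImagePath.
foreach ($key in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSChildName -like "*$SuspectName*" })) {
    $image = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key '$($key.PSChildName)' with ImagePath '$image'"
}

# 4. Install folder under Program Files (x86) (assumed location, taken from the post's rmdir step).
if (${env:ProgramFiles(x86)}) {
    $folder = Join-Path ${env:ProgramFiles(x86)} $SuspectName
    if (Test-Path -LiteralPath $folder) { $findings += "Folder present: $folder" }
}

if ($findings.Count -eq 0) {
    Write-Host "No indicators for port $SuspectPort / '$SuspectName' found."
} else {
    Write-Warning "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The proxy check covers the WinINET setting the post describes; a browser configured with its own proxy (Firefox, for example) keeps it elsewhere and must be inspected separately.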