» cltmng.exe
Overview
Analysis
File Details
Programs (2)
Network (32)

cltmng.exe

Search Protect

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application cltmng.exe by ClientConnect has been detected as adware by 14 anti-malware scanners. Additionally, the file is typically installed by a number of programs including Search Protect by Client Connect LTD and Update for PriceMeter by installCore, both potentially unwanted software.

File name:

cltmng.exe

Publisher:

Client Connect LTD (signed by ClientConnect LTD)

Product:

Search Protect

Version:

2.15.11.3

MD5:

7b14f61d0ebcb0b1e282baca8652e07e

SHA-1:

180e91d83fa14ecde328a46a3e2e0b6f8c94dbcd

SHA-256:

b1096c1f2a9637825a06b262dc17aaff1987a149f114772fd6a8ec9cd189c721

Scanner detections:

14 / 68

Status:

Adware

Explanation:

Part of the Conduit/ClientConnect toolbar/extension distribution.

Analysis date:

11/24/2024 9:58:40 AM UTC (today)

Scan engine

Detection

Engine version

AVG

SearchProtect

2015.0.3430

Baidu Antivirus

Adware.Win32.Conduit

4.0.3.14627

Dr.Web

Trojan.Damaged.1

9.0.1.0213

ESET NOD32

Win32/Conduit.SearchProtect (variant)

8.10004

G Data

Win32.Application.SearchProtect.AA@gen

14.6.24

K7 AntiVirus

Trojan

13.181.12846

Malwarebytes

PUP.Optional.SearchProtect.A

v2014.06.27.02

McAfee

Artemis!B1C796CA2D4E

5600.6995

Panda Antivirus

Trj/Genetic.gen

14.06.27.02

Reason Heuristics

PUP.ClientConnect.G

14.8.1.0

Sophos

Conduit Search Protect

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-Nullo[Short]

10449

Trend Micro House Call

TROJ_GEN.R047H05GO14

7.2.269

VIPRE Antivirus

Conduit

30678

File size:

5.1 MB (5,350,208 bytes)

Product version:

2.15.11.3

Original file name:

SearchProtect (R)

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\searchprotect\searchprotect\bin\cltmng.exe

Digital Signature

Signed by:

ClientConnect LTD

Authority:

VeriSign, Inc.

Valid from:

2/2/2014 7:00:00 PM

Valid to:

2/4/2016 6:59:59 PM

Subject:

CN=ClientConnect LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Search Protect, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

173D1F00E27A9D60265B3AB0B87F2ED8

File PE Metadata

Compilation timestamp:

6/26/2014 5:12:48 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

98304:l8YY/osTgEOrAs51rhkKEa7NuzZMUDqER1hhhh+hhhhUhhhh+hhhhdhhhdtKhhhp:O/osTgfPrpBuzZMUhR1hhhh+hhhhUhhL

Entry address:

0x2D3BD8

Entry point:

E8, 1B, E1, 00, 00, E9, 7F, FE, FF, FF, 6A, 08, 68, 58, B5, 8A, 00, E8, C2, A3, 00, 00, FF, 35, 50, 45, 8C, 00, FF, 15, 5C, E2, 74, 00, 85, C0, 74, 16, 83, 65, FC, 00, FF, D0, EB, 07, 33, C0, 40, C3, 8B, 65, E8, C7, 45, FC, FE, FF, FF, FF, E8, 01, 00, 00, 00, CC, 6A, 08, 68, 38, B5, 8A, 00, E8, 8A, A3, 00, 00, E8, 83, C6, 00, 00, 8B, 40, 78, 85, C0, 74, 16, 83, 65, FC, 00, FF, D0, EB, 07, 33, C0, 40, C3, 8B, 65, E8, C7, 45, FC, FE, FF, FF, FF, E8, BE, 5E, 00, 00, CC, E8, 5B, C6, 00, 00, 8B, 40, 7C, 85, C0... 
[+]

Entropy:

6.7892

Code size:

3.3 MB (3,458,560 bytes)

The file cltmng.exe has been discovered within the following programs.

Search Protect by Client Connect LTD

Search Protect from Client Connect (formally Conduit, now a venture of Perion) is a homepage and search provider modifier that when installed will change the default web browser's home page and search pages to a partner portal such as Trovi.

www.conduit.com/searchprotect

79% remove it

Update for PriceMeter by installCore

"Pricemeter provides you with services which are intended to enhance your online shopping experience, showing you same products or different stores with cheaper prices and exposing you to coupons allowing you to enjoy exclusive discounts when checking out products ("Offers").

www.pricemeter.net

69% remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-184-72-217-85.compute-1.amazonaws.com (184.72.217.85:80)

TCP (HTTP):

Connects to ec2-54-83-197-43.compute-1.amazonaws.com (54.83.197.43:80)

TCP (HTTP):

Connects to ec2-50-16-220-76.compute-1.amazonaws.com (50.16.220.76:80)

TCP (HTTP):

Connects to ec2-107-21-212-85.compute-1.amazonaws.com (107.21.212.85:80)

TCP (HTTP):

Connects to ec2-23-23-100-240.compute-1.amazonaws.com (23.23.100.240:80)

TCP (HTTP SSL):

Connects to a23-6-87-61.deploy.static.akamaitechnologies.com (23.6.87.61:443)

TCP (HTTP SSL):

Connects to a23-222-50-214.deploy.static.akamaitechnologies.com (23.222.50.214:443)

TCP (HTTP SSL):

Connects to a23-218-136-32.deploy.static.akamaitechnologies.com (23.218.136.32:443)

TCP (HTTP):

Connects to ec2-54-243-244-209.compute-1.amazonaws.com (54.243.244.209:80)

TCP (HTTP):

Connects to ec2-54-235-66-89.compute-1.amazonaws.com (54.235.66.89:80)

TCP (HTTP SSL):

Connects to a95-101-199-61.deploy.akamaitechnologies.com (95.101.199.61:443)

TCP (HTTP SSL):

Connects to a95-101-156-11.deploy.akamaitechnologies.com (95.101.156.11:443)

TCP (HTTP SSL):

Connects to a23-72-44-11.deploy.static.akamaitechnologies.com (23.72.44.11:443)

TCP (HTTP SSL):

Connects to a23-65-135-61.deploy.static.akamaitechnologies.com (23.65.135.61:443)

TCP (HTTP):

Connects to a23-62-96-25.deploy.static.akamaitechnologies.com (23.62.96.25:80)

TCP (HTTP):

Connects to a23-62-6-202.deploy.static.akamaitechnologies.com (23.62.6.202:80)

TCP (HTTP SSL):

Connects to a23-6-119-61.deploy.static.akamaitechnologies.com (23.6.119.61:443)

TCP (HTTP SSL):

Connects to a23-60-135-61.deploy.static.akamaitechnologies.com (23.60.135.61:443)

TCP (HTTP SSL):

Connects to a23-53-215-61.deploy.static.akamaitechnologies.com (23.53.215.61:443)

TCP (HTTP SSL):

Connects to a23-45-236-11.deploy.static.akamaitechnologies.com (23.45.236.11:443)

Remove cltmng.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.