home

client.exe

The application client.exe has been detected as a potentially unwanted program by 10 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49929 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. This file is typically installed with the program Rockettab by Rich River Media, LLC which is a potentially unwanted software program. While running, it connects to the Internet address 184.172.1.98-static.reverse.softlayer.com on port 80 using the HTTP protocol.
MD5:
c816c1b77fcbdb285fecd5f11274a6d6

SHA-1:
4cb6a036374bbf52f5678ca539a64e0df3fcafc2

SHA-256:
be124e83ae9eabf37b3672cace9d65ffef53714eb598c13d5b9928db9ac9fd2d

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
4/19/2024 12:48:15 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Graftor.164387
793

avast!
Win32:Adware-CBG [PUP]
2014.9-141204

Bitdefender
Gen:Variant.Adware.Graftor.164387
1.0.20.1690

F-Secure
Gen:Variant.Adware.Graftor.164387
11.2014-04-12_5

G Data
Gen:Variant.Adware.Graftor.164387
14.12.24

MicroWorld eScan
Gen:Variant.Adware.Graftor.164387
15.0.0.1014

Panda Antivirus
Trj/Genetic.gen
14.12.04.01

Reason Heuristics
Threat.Win.Reputation.IMP
14.12.4.1

Sophos
iBryte Desktop
4.98

Vba32 AntiVirus
AdWare.MSIL.RocketTab
3.12.26.3

File size:
5.5 MB (5,812,224 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

File PE Metadata
Compilation timestamp:
12/3/2014 12:34:55 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:CJ3Wgd96QJyd1NJ7kh4J7Qvs5Y1dQr7TI95or2ldIlZ+m:C8gaQJyd1T7khm7VY1dsIYrQdQE

Entry address:
0x1E8F

Entry point:
E8, 3B, 27, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 87, 98, 00, FF, 15, 3C, 80, 40, 00, 85, C0, 75, 18, 56, E8, ED, 27, 00, 00, 8B, F0, FF, 15, 38, 80, 40, 00, 50, E8, 9D, 27, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, B0, A4, 40, 00, E8, 01, 25, 00, 00, 6A, 0E, E8, ED, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 7C, 98, 00, BA, FC, 7B, 98, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
4.2245

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49929/

Local host port:
49929

Default credentials:
No


The file client.exe has been discovered within the following program.

Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to ec2-54-243-33-231.compute-1.amazonaws.com  (54.243.33.231:80)

TCP (HTTP):
Connects to ec2-54-243-102-68.compute-1.amazonaws.com  (54.243.102.68:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-fra3.fbcdn.net  (31.13.93.7:443)

TCP (HTTP SSL):
Connects to wi-in-f94.1e100.net  (173.194.67.94:443)

TCP (HTTP SSL):
Connects to support.lb.innogames.net  (212.48.98.244:443)

TCP (HTTP SSL):
Connects to server-54-230-22-112.ewr2.r.cloudfront.net  (54.230.22.112:443)

TCP (HTTP):
Connects to server12003.teamviewer.com  (37.187.135.22:80)

TCP (HTTP SSL):
Connects to rtr2a.l7.search.vip.bf1.yahoo.com  (98.137.201.165:443)

TCP (HTTP):
Connects to qc-in-f156.1e100.net  (173.194.76.156:80)

TCP (HTTP SSL):
Connects to ord08s11-in-f0.1e100.net  (173.194.46.64:443)

TCP (HTTP SSL):
Connects to mia07s25-in-f5.1e100.net  (216.58.219.101:443)

TCP (HTTP SSL):
Connects to mia07s25-in-f13.1e100.net  (216.58.219.109:443)

TCP (HTTP SSL):
Connects to lga15s47-in-f5.1e100.net  (173.194.123.37:443)

TCP (HTTP SSL):
Connects to lga15s46-in-f1.1e100.net  (173.194.123.1:443)

TCP (HTTP SSL):
Connects to lga15s43-in-f6.1e100.net  (74.125.226.38:443)

TCP (HTTP):
Connects to idrops.terra.com.mx  (208.70.188.81:80)

TCP (HTTP):
Connects to es2nodelb.ds.innogames.net  (212.53.172.11:80)

TCP (HTTP):
Connects to es0nodelb.ds.innogames.net  (212.53.152.253:80)

TCP (HTTP):
Connects to ec2-54-225-202-39.compute-1.amazonaws.com  (54.225.202.39:80)

Remove client.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.