ThreatExpert Report: Trojan.ADH.2, Generic-FAAL!D52361B722FC, AdWare.FineTop..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 1 August 2012, 02:33:38
Processing time: 10 min 45 sec
Submitted sample:

File MD5: 0xD52361B722FC85D2EAAC615F5D1B2D9F
File SHA-1: 0xC82357CBFE9097AC4722592C8B53AFA35CAF5128
Filesize: 288,944 bytes
Alias:

Trojan.ADH.2 [Symantec]
Generic-FAAL!D52361B722FC [McAfee]
AdWare.FineTop [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\inst.xxx	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%ProgramFiles%\FineTop\adc.acc	28,768 bytes	MD5: 0x72B966950A0F53DF4CE2FDB19679C3C6 SHA-1: 0xCCFFF4ECC68608A6231E75E175D2AEBA62D37FA5	AdWare.FineTop [Ikarus]
3	%ProgramFiles%\FineTop\FineTop.dll	133,216 bytes	MD5: 0x82A6904974F4F20C147FCE776663B1B0 SHA-1: 0xEEE8E0A93CB1BE3DCFEF2699F154F0881E68DDA4	Trojan.ADH.2 [Symantec] not-a-virus:AdWare.Win32.SideTab.ap [Kaspersky Lab] Generic PUP.x!vh [McAfee] Adware:Win32/FineTop [Microsoft] Win32.SuspectCrc [Ikarus]
4	%ProgramFiles%\FineTop\FineTop.exe	43,104 bytes	MD5: 0x61C81941B91B1D502971BD42A29806A1 SHA-1: 0x72EE7B2FB665F01415A00267CBC1A5D385D1F0CF	Adware:Win32/FineTop [Microsoft] not-a-virus:AdWare.Win32.SideTab [Ikarus]
5	%ProgramFiles%\FineTop\Uninstall.exe	109,847 bytes	MD5: 0x9336F1BBC4CC97F22EEECE45DA5223B4 SHA-1: 0xBCC060759A114165ECB25CB31923BAFF40C2C344	Generic-FAAL!9336F1BBC4CC [McAfee]
6	[file and pathname of the sample #1]	288,944 bytes	MD5: 0xD52361B722FC85D2EAAC615F5D1B2D9F SHA-1: 0xC82357CBFE9097AC4722592C8B53AFA35CAF5128	Trojan.ADH.2 [Symantec] Generic-FAAL!D52361B722FC [McAfee] AdWare.FineTop [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\FineTop

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	274,432 bytes
FineTop.exe	%ProgramFiles%\FineTop\FineTop.exe	36,864 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FineTop
HKEY_CURRENT_USER\Software\FineTop

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID]

(Default) = "FineTop.TopBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib]

(Default) = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID]

(Default) = "FineTop.TopBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32]

(Default) = "%ProgramFiles%\finetop\FineTop.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}]

(Default) = "FineTop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib]

(Default) = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}]

(Default) = "ITopBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32]

(Default) = "%ProgramFiles%\finetop\FineTop.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\finetop\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0]

(Default) = "FineTop 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer]

(Default) = "FineTop.TopBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID]

(Default) = "{CBF53489-AD8D-4637-965A-413861EEC7CF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand]

(Default) = "TopBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID]

(Default) = "{CBF53489-AD8D-4637-965A-413861EEC7CF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1]

(Default) = "TopBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

TabProcGrowth = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

FineTop = "%ProgramFiles%\finetop\finetop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FineTop]

DisplayName = "FineTop"
UninstallString = "%ProgramFiles%\FineTop\Uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

TabProcGrowth = 0x00000000

[HKEY_CURRENT_USER\Software\FineTop]

id = "FT77"
version = "1.0.0.4"
sp = "20120801023548"

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

To mark the presence in the system, the following Mutex object was created:

FineTop

The following Host Name was requested from a host database:

finetop.topguide.co.kr

The following HTTP URLs were started reading:

http://finetop.topguide.co.kr/install.asp?version=1.0.0.4&id=FT77&mac=1
http://finetop.topguide.co.kr/update/FT77/FTU1006.exe

The data identified by the following URLs was then requested from the remote web server:

http://finetop.topguide.co.kr/update/FT77/FineTop.ini
http://finetop.topguide.co.kr/ex.dat
http://finetop.topguide.co.kr/one.dat

Downloaded File Summary:

Download details:

Download retrieved: 1 August 2012 02:44:23
Processing time: 10 min 30 sec
Downloaded sample:

File MD5: 0x64D7A609ACF536282D5D993DB20F6CFE
File SHA-1: 0xE9BADB65A060D99AF8648F0DFCAEB3BEEC681A16
Filesize: 419,328 bytes
Alias:

Trojan.ADH.2 [Symantec]
Adware:Win32/FineTop [Microsoft]
AdWare.FineTop [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\updat.xxx	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%ProgramFiles%\FineTop\adc.acc	28,776 bytes	MD5: 0x756EAA11747BAFFE047FFE505C86DDE3 SHA-1: 0x805CABB03595386977A706648046FF0C649BA2CE	Adware.Popuppers [Symantec] AdWare.FineTop [Ikarus]
3	%ProgramFiles%\FineTop\Cleaner.exe	243,816 bytes	MD5: 0xB8D763BD940FCFCCBD85E32E1213FD81 SHA-1: 0x9B4A2653F47FC9E1F7CEFECA372BC32D4EF1CD3E	(not available)
4	%ProgramFiles%\FineTop\FineTop.dll	153,704 bytes	MD5: 0x8B788681EAB521E56EDAC95101732A56 SHA-1: 0x162DA7F37C8B1F11B7D3B2A033AE45FA5C4DE11E	Trojan.ADH.2 [Symantec] Adware:Win32/FineTop [Microsoft] Win32.SuspectCrc [Ikarus]
5	%ProgramFiles%\FineTop\FineTop.exe	43,112 bytes	MD5: 0xF4A3DBC7943096A7236421EF44F90D44 SHA-1: 0x61976383EFFCEB118271CDF5F939CE83D4470556	Trojan.ADH.2 [Symantec] Adware:Win32/FineTop [Microsoft] AdWare.Win32.FineTop [Ikarus]
6	%ProgramFiles%\FineTop\Uninstall.exe	109,903 bytes	MD5: 0xDD8862918B2C9A63E8E9657232944107 SHA-1: 0xD5D2FF785485E28549BCE251D525211B828BDEED	(not available)
7	[file and pathname of the sample #1]	419,328 bytes	MD5: 0x64D7A609ACF536282D5D993DB20F6CFE SHA-1: 0xE9BADB65A060D99AF8648F0DFCAEB3BEEC681A16	Trojan.ADH.2 [Symantec] Adware:Win32/FineTop [Microsoft] AdWare.FineTop [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\FineTop

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
FineTop.exe	%ProgramFiles%\FineTop\FineTop.exe	36,864 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	270,336 bytes
cleaner.exe	%ProgramFiles%\finetop\cleaner.exe	253,952 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FineTop
HKEY_CURRENT_USER\Software\FineTop

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID]

(Default) = "FineTop.TopBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib]

(Default) = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID]

(Default) = "FineTop.TopBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32]

(Default) = "%ProgramFiles%\finetop\FineTop.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}]

(Default) = "FineTop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib]

(Default) = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}]

(Default) = "ITopBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32]

(Default) = "%ProgramFiles%\finetop\FineTop.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\finetop\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0]

(Default) = "FineTop 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer]

(Default) = "FineTop.TopBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID]

(Default) = "{CBF53489-AD8D-4637-965A-413861EEC7CF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand]

(Default) = "TopBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID]

(Default) = "{CBF53489-AD8D-4637-965A-413861EEC7CF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FineTop.TopBand.1]

(Default) = "TopBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

TabProcGrowth = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

FineTop = "%ProgramFiles%\finetop\finetop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FineTop]

DisplayName = "FineTop"
UninstallString = "%ProgramFiles%\FineTop\Uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

TabProcGrowth = 0x00000000

[HKEY_CURRENT_USER\Software\FineTop]

version = ""
sp = "20120801024634"

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

To mark the presence in the system, the following Mutex objects were created:

FineTop
Cleaner

The following Host Name was requested from a host database:

finetop.topguide.co.kr

The following HTTP URL was started reading:

http://finetop.topguide.co.kr/update.asp?version=&id=&mac=1&oldversion=&iever=6

The data identified by the following URLs was then requested from the remote web server:

http://finetop.topguide.co.kr/update//FineTop.ini
http://finetop.topguide.co.kr/ex.dat
http://finetop.topguide.co.kr/one.dat

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.