QQ.EXE – Trojan Magania removal

QQ.EXE size: 102991 bytes
QQ.EXE hash: E950A1B6ED13F6D06A68CCE7BA3BB1AA

Created files:

C:\qq.exe
%SysDir%\NWCWorkstationUSA.dll
%AllUsersProfile%\svchost.exe
%Temp%\1340767_360.temp

Autostart registry keys:

HKLM\System\CurrentControlSet\Services\BthServ\Type: 10010000
HKLM\System\CurrentControlSet\Services\BthServ\Start: 02000000
HKLM\System\CurrentControlSet\Services\BthServ\DisplayName: Bluetooth Support Service
HKLM\System\CurrentControlSet\Services\BthServ\ImagePath: “%AllUsersProfile%\svchost.exe”
HKLM\System\CurrentControlSet\Services\BthServ\DependOnService: RpcSs
HKLM\System\CurrentControlSet\Services\NWCWorkstation\Type: 04000000
HKLM\System\CurrentControlSet\Services\NWCWorkstation\Start: 02000000
HKLM\System\CurrentControlSet\Services\NWCWorkstation\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\NWCWorkstation\DisplayName: AntiVir
HKLM\System\CurrentControlSet\Services\NWCWorkstation\ImagePath: %sYSTEMrOOT%\sYSTEM32\SVCHOST.EXE -K NETSVCS
HKLM\System\CurrentControlSet\Services\NWCWorkstation\Description: Avira AntiVir
HKLM\System\CurrentControlSet\Services\NWCWorkstation\InstallModule: C:\qq.exe
HKLM\System\CurrentControlSet\Services\NWCWorkstation\Parameters\ServiceDll: 43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C004E005700430057006F0072006B00730074006100740069006F006E005500530041002E0064006C006C000000

Detected by UnHackMe:

QQ.EXE
Default location: C:\QQ.EXE

Dropper information:
MD5: 6554cd1227f68c40d3a29732779f41e2
File size: 130048 bytes