Tencent PC Manager is risky and maybe dangerous?

Discussion in 'other anti-virus software' started by taleblou, Mar 10, 2016.

  1. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Tencent is risky, so be careful. I will not install it anymore. During its install it drops many unwanted "QQ" modules or files, and they have a bad VirusTotal rating as adware, PUP and spyware.

    Because of these hidden packages, several AVs flag the Tencent installer as malware or PUP.

    Tencent needs to clean up. You can check it for yourself to see what it drops during installation.
     
  2. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    The warnings continued as Zemana AntiMalware kept detecting some QQ-related files, and their location was related to Tencent PC Manager. In fact, at one time the warnings and blocking got so bad that I uninstalled PC Manager immediately, and Zemana AntiMalware went quiet.
     
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    @taleblou I've installed PC Manager on a number of computers and have never seen any suspicious behaviour. I just installed both PC Manager and Zemana AntiMalware on a computer and then did a scan with Zemana. Zemana detected 60 components of PC Manager as "Scareware:Win32/FakeAV!Ep." There were no other detections other than the FakeAV ones.

    I find this to be ridiculous considering that PC Manager is a legitimate antivirus (it uses Bitdefender's scan engine alongside its own), and has been performing very well in tests lately. Also, it is free - with no paid version, so it can't exactly be called "scareware." There is nothing "fake" about it. Also, there was no indication of there being anything malicious, considering that the components were only detected as "FakeAV."

    I will continue to install PC Manager on customers' computers, because it is good at detecting malware, and is extremely light (since Tencent switched from Avira to Bitdefender's scan engine). It continues to have minor issues with false positives, but I can live with that as they are only occasional, and I haven't seen any system files being detected.
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    561
    Location:
    Baden Germany
    Me too, I installed PC-Manager on ~30 customer machines, to gather experience.
    I haven't noticed any malicious or suspicious behavior, nor have I got negative feedback.
    PC-Manager must protect these machines well, otherwise I would have had some feedback.

    VT 1/57 SHA256: 8059fe855e76b27001c41c15f3dd7d440118a86ee11760bcdac763b1c122efc4
    for PC-Manager (TAV version installer)
    Scanned it with Avira-PRO and MBAM: clean

    AFAIR AdwCleaner started detection first.
    ZAM detects it as Scareware WIN32/FakeAV!EP when the installer is scanned.

    I don't know what's going on behind the scenes..., and will not speculate...
     
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    @Hiltihome I just reported the issues to Zemana, and will post here when I get a response. I hope they remove the detection.
     
  6. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Yes, AdwCleaner also detects it, along with Zemana.
     
  7. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Also, let us know what Zemana responds. Zemana AntiMalware uses many antiviruses, so it could be that some of them detect Tencent as badware.

    What bothered me was that at one time, after a week and a new upgrade of Tencent, Zemana suddenly gave warning upon warning about some QQ modules from Tencent. Maybe they were updating. I do not know.

    Anyway, I and many of my friends want to be 100% sure that there is no SPYING (call-home IP access), and also what gives with the names of "QQ" modules? I thought QQ was related to Qihoo? SO why would Tencent use it??
     
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
  9. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    @taleblou As far as I know, Tencent is safe. QQ Messenger is available in English. I think everything else will be Chinese only.
     
  11. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    I guess I have to wait until Zemana AntiMalware removes its warnings for Tencent, then install it. I hate to go through all those warnings again. Please let me know when Zemana replies.
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    I'll let you know when I hear from them.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    IMO Tencent can't be trusted.
    WeChat (from Tencent) does data mining for commercial reasons, censorship and surveillance for the Chinese government, and Tencent is working together with the Chinese government to create the dystopian Citizen Score, where citizens are rated based on how compliant they are with the government's view of an ideal citizen and can earn perks with a high score.

    https://boingboing.net/2015/10/06/reputation-economy-dystopia-c.html
    https://en.wikipedia.org/wiki/WeChat#Security_concerns
     
  14. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    I received a reply from Zemana.
    I have asked them if they can give me some information regarding the hijacks.

    A scan with Zemana shows that components of PC Manager are now detected as PUA:Win32/BrowserHijacker!Ep. In my use of PC Manager I have not seen any evidence of browser hijacking.

    Until I receive further clarification from Zemana, I will not be removing PC Manager from any computers, as I would like to know exactly what the "sophisticated hijacks" are before I decide whether to remove it or not.
     
  15. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Installed it in a VM and sure enough there was a browser helper object added for IE, TSWebMon.dat and TSWebmon64.dat. That doesn't mean it's a baddy by itself, though, so I dug deeper, and while it's hard to know just from checking the strings, there seem to be quite a few anti-Qihoo 360 strings along with some stuff that separates user input into different sections such as text, password, click or keypress and editfocus. Once again there is nothing definitive at that point, but then comes the long list of search engines and adfilter strings. The adfilter strings could just be anti-ad stuff, but I'm not qualified to say one way or the other. The long list of web strings has me curious though, as none of them are actually ad related (a few are related to Qihoo again), and so it wouldn't surprise me if it is actually hijacking the user through these sites [to one they operate, or otherwise just injecting money-making ads via them] and altering content or serving ads, since there were no 'known ad server' addresses in that list, just their competition and common search engines such as Google!

    Don't take my word for it [I certainly can't be sure just looking at strings], but at this point I'm inclined to trust Zemana's (more in-depth research) findings and label as PUA:Win32/BrowserHijacker!Ep. I certainly wouldn't want a program doing anything like that on my machine!

    Either way, ad hijacking isn't really evil, but it wouldn't be acceptable for myself. The most worrying parts were the way it seemed to monitor user input and separate it into categories. What does it do after separating it? I'd assume it phones it home, but I was in an offline VM so I can't say for sure. If all it does is turn each user into their own ad-related cash source, it might not be that bad, assuming that all the ads are legitimate, which not even Yahoo or Google can guarantee these days. A dev taking steps like these, well, I'd rather not take the risk.
     
    Last edited: Mar 14, 2016
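As an added illustration of the string-triage approach described in the post above (this is not code from the thread, from Tencent or from Zemana), the script below pulls printable strings out of a constructed sample blob and groups them into the categories the post mentions: input-event vocabulary, search-engine hosts, competitor names and ad-filter markers. The blob, the term lists and the "worth a closer look" heuristic are assumptions for illustration; strings alone prove nothing and only help decide whether dynamic analysis is warranted.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample blob standing in for a binary under review; it is NOT the
# contents of TSWebMon.dat or any real file, just bytes with embedded strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"text\x00password\x00click\x00keypress\x00editfocus\x00"
    b"\x01\x02\x03"
    b"www.google.com\x00search.yahoo.com\x00www.bing.com\x00"
    b"\xff\xfe360safe.com\x00adfilter\x00"
    b"ab\x00"  # shorter than MIN_LEN, so it is not reported as a string
)

MIN_LEN = 4
# Runs of printable ASCII at least MIN_LEN long, the usual `strings` definition.
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Illustrative indicator lists (assumed) derived from the categories the post describes.
CATEGORIES: Dict[str, List[str]] = {
    "input_capture": ["text", "password", "click", "keypress", "editfocus"],
    "search_engine": ["google.com", "yahoo.com", "bing.com"],
    "competitor": ["360safe", "qihoo"],
    "ad_filter": ["adfilter"],
}


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII strings of length >= MIN_LEN, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def categorize(strings: List[str]) -> Dict[str, List[str]]:
    """Map each category to the strings containing one of its terms (case-insensitive)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for s in strings:
        low = s.lower()
        for cat, terms in CATEGORIES.items():
            if any(t in low for t in terms):
                hits[cat].append(s)
    return dict(hits)


def triage(blob: bytes) -> Tuple[Dict[str, List[str]], bool]:
    """Heuristic from the thread: input-event vocabulary together with a list of
    search-engine hosts is worth a closer look. This only prioritises review."""
    hits = categorize(extract_strings(blob))
    worth_closer_look = bool(hits.get("input_capture")) and bool(hits.get("search_engine"))
    return hits, worth_closer_look


if __name__ == "__main__":
    found, flag = triage(SAMPLE_BLOB)
    for cat, items in found.items():
        print(f"{cat}: {items}")
    print("worth closer look:", flag)
```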
  16. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    561
    Location:
    Baden Germany
    @syrinx :
    Nice findings,
    but does this affect other browsers, like Chrome or Firefox?
    I guess that intruding into Chrome or Firefox will be much harder than IE, and would be detected by these browsers.

    Even if it may be evil for IE, I don't care, because browsing with IE is like playing Russian roulette anyway.
     
  17. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Not sure, I only tested it in a VM with IE. I'd assume (though can't be sure) that they might have a similar dat (the dat is actually just a renamed dll) for other browsers, or it's an AIO type deal, but I found enough worrying stuff in that dat file that I can be sure I wouldn't trust their software on my machine, so I don't currently intend to take it any further in my tests. Sorry! =(

    I'll agree with that statement!
     
  18. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    So is any other Chinese software, like 360, Baidu, etc., safer than Tencent or not? Does anyone know which is better, or none at all? Are all of them in the same boat as Tencent?
     
  19. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    I received a reply from Zemana regarding my asking for information on the hijacks:
    I fail to understand why it has to be kept a secret. Anyway for the moment, I'll keep using PC Manager.
     
  20. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    What kind of reply is that from Zemana? What does internal research have to do with the safety rating of a product? Customers need to know if it is a safe product, and a straight answer is needed. Zemana is acting strange, and this reply, under circumstances that have to do with the security and safety of customers' PCs, is very odd.
     
  21. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Tencent PC Manager (Tencent QQPCMgr) is a Chinese antivirus and a set of optimization utilities. Very widespread due to distribution via bundling with freeware. Creates unwanted activity by displaying pop-ups in Chinese. Consumes system resources as it creates a startup entry and activates antivirus monitors.

    Tencent QQ intrusion method
    Tencent QQ gets installed on your PC along with free software. Tencent QQ copies its file(s) to your hard disk. Its typical file name is SearchSquire*.exe. Sometimes it creates a new startup key with name Tencent QQ and value SearchSquire*.exe. You can also find it in your processes list with name SearchSquire*.exe or Tencent QQ. Also, it can create a folder with name Tencent QQ under C:\Program Files\ or C:\ProgramData. After installation Tencent QQ starts displaying ads, pop-ups and banners on your PC or in browsers. It is recommended to remove Tencent QQ immediately.

    From: http://www.securitystronghold.com/gates/tencent-qq.html
     
  22. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    How to remove Tencent QQ manually
    This problem can be solved manually by deleting all registry keys and files connected with Tencent QQ, removing it from the startup list and unregistering all corresponding DLLs. Additionally, missing DLLs should be restored from the distribution in case they are corrupted by Tencent QQ.

    To get rid of Tencent QQ, you should:

    1. Kill the following processes and delete the appropriate files:

    • acodec.dll
    • audiodevice.dll
    • bqqapplication.dll
    • cameradll.dll
    • capfilter.dll
    • chatlib.dll
    • cqqapplication.dll
    • fsm.dll
    • gamepublic.dll
    • inplus.dll
    • iphone.dll
    • mfc42.dll
    • muserapplication.dll
    • newskin.dll
    • parser.dll
    • personaldesktop.dll
    • qimage.dll
    • qq.exe
    • qqaddinmanager.dll
    • qqallinone.dll
    • qqavatar.dll
    • qqbaseclassindll.dll
    • qqbuserapplication.dll
    • qqexternal.exe
    • qqhelperindll.dll
    • qqhook.dll
    • qqmail.dll
    • qqmainframe.dll
    • qqmmsender.dll
    • qqplugin.dll
    • qqres.dll
    • qqudpgetfilelib.dll
    • qqzip.dll
    • riched20.dll
    • riched32.dll
    • sharefiles.dll
    • tbrowser.exe
    • vcodec.dll
    • vcodec2.dll
    • videodevice.dll
    • vphone.dll
    • vqqallinone.dll
    • vqqdvcapture.dll
    • vqqset.dll
    • chatdir.htm
    • wait.htm
    • qq.chm
    • camera.mp3
    • owave.mp3
    • night.mp3
    • heart.mp3
    • kiss2.mp3
    • popo.mp3
    • bird.mp3
    • face.ini
    • {7f87247f-d163-4300-8ed1-16c20791492d}.ini
    • example.ini
    • vbscript.vbs
    • run_app_16.exe

    Warning: you should delete only those files whose checksums are listed as malicious. There may be valid files with the same names on your system. We recommend you to use Tencent QQ Removal Tool for a safe solution.


    2. Delete the following malicious folders:

    • %programfiles%\tencent\qq\
    • %programfiles%\tencent\qq\chat\
    • %programfiles%\tencent\qq\dat\
    • %programfiles%\tencent\qq\help\
    • %programfiles%\tencent\qq\imscene\scene\beach\
    • %programfiles%\tencent\qq\imscene\scene\night\
    • %programfiles%\tencent\qq\imscene\scene\sea world\
    • %programfiles%\tencent\qq\imscene\scene\spring\
    • %programfiles%\tencent\qq\newface\
    • %programfiles%\tencent\qq\skins\
    • %programfiles%\tencent\qq\skins\flower language\


    3. Delete the following malicious registry entries and/or values:

    no information

    Warning: if a value is listed for some registry entries, you should only clear these values and leave the keys with such values untouched. We recommend you to use Tencent QQ Removal Tool for a safe solution.


    Uninstall Tencent QQ related programs from Control Panel
    We recommend you to check the list of installed programs and search for a Tencent QQ entry or other unknown and suspicious programs. Below are instructions for different versions of Windows. In some cases adware programs are protected by a malicious service or process, and it will not allow you to uninstall it. If Tencent QQ won't uninstall or gives you an error message that you do not have sufficient rights to do this, perform the instructions below in Safe Mode or Safe Mode with Networking, or use Tencent QQ Removal Tool.

    Windows 8

    • Right click on the bottom left corner of the screen (while on your desktop)

    • In the menu choose Control Panel

    • Click Uninstall a program under Programs and Features.

    • Locate Tencent QQ or other related suspicious program.

    • Click Uninstall button.

    • Wait until uninstall process is complete.

    Windows 7

    • Click Start and choose Control Panel.

    • Choose Programs and Features and Uninstall a program.

    • In the list of installed programs find Tencent QQ

    • Click Uninstall button.

    Windows XP

    • Click Start

    • In the menu choose Control Panel

    • Choose Add / Remove Programs.

    • Find Tencent QQ related entries.

    • Click Remove button.

    Remove Tencent QQ extension from your browsers
    Tencent QQ in some cases can create a browser extension. We recommend you to use the free option "Toolbar Remover" under "Tools" in Stronghold AntiMalware to remove unwanted browser extensions related to Tencent QQ. We recommend you to perform a scan of your PC with Stronghold AntiMalware. To remove extensions from your browsers manually, do the following:



    Google Chrome

    • Start Google Chrome.

    • In the address bar type chrome://extensions/

    • In the list of add-ons find Tencent QQ and click recycle bin icon.

    • Confirm Tencent QQ removal.

    Mozilla Firefox

    • Open Firefox

    • In the address bar type about:addons

    • Click Extensions tab.

    • In the list of extensions locate Tencent QQ.

    • Click Remove button near it.
     
  23. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    Exactly. It's not enough to mention "sophisticated hijacks" and give no information to substantiate the claims.
     
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,250
    That applies to the Chinese version, not the English-language version. The English PC Manager is only an antivirus. There can be issues uninstalling the Chinese version, as you can end up getting other Tencent software installed. But this is not the case with the English version, and I'm sure there is an option in the Chinese version to not install any extras. However, unless you can actually read Chinese, it won't be clear how to do this.
     
  25. marciocruz

    marciocruz Registered Member

    Joined:
    May 7, 2008
    Posts:
    249
    Hi, I have sent the installer for Tencent, English version, to the F-Secure virus lab, and the response is:

    "Hello,

    Thank you for your submission.

    The file is a PC Manager Setup by Tencent. It is not malicious and currently not detected by our product.

    Should you have further concerns, please do not hesitate to contact us again.


    Best regards, Alif
    Malware Analyst
    F-Secure Security Labs"
     