Security Incidents mailing list archives
Anyone seen tgcmd.exe before?
From: "Harry Chemin" <hchemin () tgen org>
Date: Tue, 2 Dec 2003 19:05:06 -0700
I found a program on a client's laptop running Windows XP with the latest service pack and all hot fixes applied. The client reported that someone was remotely controlling his desktop while he was on his home network. The client had Zone Alarm, Symantec Anti-virus software, and was using a Linksys firewall.

I checked several websites for information on tgcmd.exe, and possibilities for the source of this software appear to be either Sony Vaio laptops or @Home support software. Unfortunately, the user's laptop is an IBM Thinkpad and the client had no recollection of installing the Support.com software.

Here is the output from fport:

Pid   Process            Port   Proto Path
984                   ->  3001   TCP
376                   ->  5000   TCP
4     System           ->  1056   TCP
4     System           ->  139    TCP
0     System           ->  3119   TCP
0     System           ->  3121   TCP
4     System           ->  445    TCP
2936  ccApp            ->  3099   TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp            ->  3104   TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs           ->  9519   TCP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc         ->  1044   TCP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd            ->  641    TCP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost          ->  1025   TCP   C:\WINDOWS\System32\svchost.exe
1756  svchost          ->  3002   TCP   C:\WINDOWS\System32\svchost.exe
1756  svchost          ->  3003   TCP   C:\WINDOWS\System32\svchost.exe
1452  svchost          ->  135    TCP   C:\WINDOWS\system32\svchost.exe

984                   ->  10743  UDP
376                   ->  3008   UDP
4     System           ->  1028   UDP
0     System           ->  123    UDP
0     System           ->  137    UDP
0     System           ->  3081   UDP
4     System           ->  3123   UDP
4     System           ->  500    UDP
0     System           ->  62515  UDP
0     System           ->  62517  UDP
0     System           ->  62519  UDP
0     System           ->  62521  UDP
0     System           ->  62523  UDP
0     System           ->  62524  UDP
2936  ccApp            ->  1049   UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp            ->  1900   UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs           ->  138    UDP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc         ->  1900   UDP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd            ->  1026   UDP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost          ->  1027   UDP   C:\WINDOWS\System32\svchost.exe
1756  svchost          ->  123    UDP   C:\WINDOWS\System32\svchost.exe
1756  svchost          ->  52070  UDP   C:\WINDOWS\System32\svchost.exe
1452  svchost          ->  445    UDP   C:\WINDOWS\system32\svchost.exe
Current thread:
- Anyone seen tgcmd.exe before? Harry Chemin (Dec 03)
- Re: Anyone seen tgcmd.exe before? Matthew Leeds (Dec 03)
- RE: Anyone seen tgcmd.exe before? Schmehl, Paul L (Dec 03)
- RE: Anyone seen tgcmd.exe before? David Moisan (Dec 03)
- RE: Anyone seen tgcmd.exe before? James C. Slora, Jr. (Dec 03)
- Re: Anyone seen tgcmd.exe before? Angus (Dec 03)