Security Incidents mailing list archives

Re: Anyone seen tgcmd.exe before?


From: "Matthew Leeds" <mleeds () theleeds net>
Date: Wed, 03 Dec 2003 12:56:13 -0800

Also installed by default on many/most Thinkpads.

http://www.sunhelp.org/pipermail/geeks/2003-January/037173.html

---Matthew

*********** REPLY SEPARATOR  ***********

On 12/2/2003 at 7:05 PM Harry Chemin wrote:

I found a program on a client's laptop running Windows XP with latest
service pack and all hot fixes applied.  The client reported that someone
was remotely controlling his desktop while he was on his home network.
The client had Zone Alarm, Symantec Anti-virus software, and was using a
Linksys firewall.  I checked several websites for information on tgcmd.exe
and possibilities for the source of this software appear to be either for
Sony Vaio laptops or @Home support software.  Unfortunately, the user's
laptop is an IBM Thinkpad and the client had no recollection of installing
the Support.com software.  Here is the output from fport:

Pid   Process            Port  Proto Path
984                  ->  3001  TCP
376                  ->  5000  TCP
4     System         ->  1056  TCP
4     System         ->  139   TCP
0     System         ->  3119  TCP
0     System         ->  3121  TCP
4     System         ->  445   TCP
2936  ccApp          ->  3099  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp          ->  3104  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs         ->  9519  TCP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc       ->  1044  TCP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd          ->  641   TCP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  3002  TCP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  3003  TCP   C:\WINDOWS\System32\svchost.exe
1452  svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe

984                  ->  10743 UDP
376                  ->  3008  UDP
4     System         ->  1028  UDP
0     System         ->  123   UDP
0     System         ->  137   UDP
0     System         ->  3081  UDP
4     System         ->  3123  UDP
4     System         ->  500   UDP
0     System         ->  62515 UDP
0     System         ->  62517 UDP
0     System         ->  62519 UDP
0     System         ->  62521 UDP
0     System         ->  62523 UDP
0     System         ->  62524 UDP
2936  ccApp          ->  1049  UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp          ->  1900  UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs         ->  138   UDP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc       ->  1900  UDP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd          ->  1026  UDP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost        ->  1027  UDP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  123   UDP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  52070 UDP   C:\WINDOWS\System32\svchost.exe
1452  svchost        ->  445   UDP   C:\WINDOWS\system32\svchost.exe
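As an added triage aid, not part of the original thread, the following Python parses output in fport's column layout (as in the listing quoted above) and separates sockets fport could not attribute to a process from listeners whose image lives outside an assumed trusted directory. The sample rows and the trusted-prefix list are constructed assumptions, not a baseline for the client's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample in fport's column layout, modelled on the listing quoted in the thread.
SAMPLE = """\
Pid   Process            Port  Proto Path
984                  ->  3001  TCP
4     System         ->  445   TCP
2936  ccApp          ->  3099  TCP   C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
4040  tgcmd          ->  641   TCP   C:\\Program Files\\Support.com\\bin\\tgcmd.exe
1756  svchost        ->  1025  TCP   C:\\WINDOWS\\System32\\svchost.exe
0     System         ->  123   UDP
"""

# One fport row: pid, optional process name, "->", port, protocol, optional image path.
LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>[^\s-]\S*)?\s*->\s+(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)

# Assumed baseline: only images under this prefix are treated as expected on the host.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\",)


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str


def parse_fport(text):
    """Parse fport output, skipping the header and any line that does not fit the layout."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(Listener(int(m["pid"]), m["proc"] or "", int(m["port"]),
                                 m["proto"], m["path"].strip()))
    return rows


def triage(listeners, trusted_prefixes=TRUSTED_PREFIXES):
    """Return {reason: [Listener]} for entries an analyst should look at first."""
    findings = {"unattributed": [], "untrusted_path": []}
    for lst in listeners:
        if not lst.path:
            # Kernel-owned sockets (System) legitimately have no image path; a row with no
            # process name at all means fport could not map the socket to a process.
            if not lst.process:
                findings["unattributed"].append(lst)
            continue
        if not lst.path.lower().startswith(trusted_prefixes):
            findings["untrusted_path"].append(lst)
    return findings
```

Entries under "untrusted_path" still need a vendor check (the Symantec binaries here are expected); the point is to shrink the list an analyst has to verify by hand.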
