Security Incidents mailing list archives

Anyone seen tgcmd.exe before?


From: "Harry Chemin" <hchemin () tgen org>
Date: Tue, 2 Dec 2003 19:05:06 -0700

I found a program on a client's laptop running Windows XP with latest service pack and all hot fixes applied.  The 
client reported that someone was remotely controlling his desktop while he was on his home network.  The client had 
Zone Alarm, Symantec Anti-virus software, and was using a Linksys firewall.  I checked several websites for information 
on tgcmd.exe and possibilities for the source of this software appear to be either for Sony Vaio laptops or @Home 
support software.  Unfortunately, the user's laptop is an IBM Thinkpad and the client had no recollection of installing 
the Support.com software.  Here is the output from fport:

Pid   Process            Port  Proto Path                          
984                  ->  3001  TCP                                 
376                  ->  5000  TCP                                 
4     System         ->  1056  TCP                                 
4     System         ->  139   TCP                                 
0     System         ->  3119  TCP                                 
0     System         ->  3121  TCP                                 
4     System         ->  445   TCP                                 
2936  ccApp          ->  3099  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp          ->  3104  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs         ->  9519  TCP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc       ->  1044  TCP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd          ->  641   TCP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  3002  TCP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  3003  TCP   C:\WINDOWS\System32\svchost.exe
1452  svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe

984                  ->  10743 UDP                                 
376                  ->  3008  UDP                                 
4     System         ->  1028  UDP                                 
0     System         ->  123   UDP                                 
0     System         ->  137   UDP                                 
0     System         ->  3081  UDP                                 
4     System         ->  3123  UDP                                 
4     System         ->  500   UDP                                 
0     System         ->  62515 UDP                                 
0     System         ->  62517 UDP                                 
0     System         ->  62519 UDP                                 
0     System         ->  62521 UDP                                 
0     System         ->  62523 UDP                                 
0     System         ->  62524 UDP                                 
2936  ccApp          ->  1049  UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp          ->  1900  UDP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs         ->  138   UDP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc       ->  1900  UDP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd          ->  1026  UDP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost        ->  1027  UDP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  123   UDP   C:\WINDOWS\System32\svchost.exe
1756  svchost        ->  52070 UDP   C:\WINDOWS\System32\svchost.exe
1452  svchost        ->  445   UDP   C:\WINDOWS\system32\svchost.exe
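A small triage helper for listings like the one above, added here as an example and not part of the original post: it parses fport's fixed-text output, groups bindings by PID, skips the kernel/idle PIDs 0 and 4, and flags any process whose image path fport could not resolve or whose image lives outside an allowlist of directories the analyst trusts. The allowlist (`DEFAULT_TRUSTED`) is an assumption chosen for this host's configuration, and the embedded listing is an excerpt of the fport output in the post.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Excerpt of the fport output quoted in the post above (sample input for this example).
SAMPLE_FPORT = r"""Pid   Process            Port  Proto Path
984                  ->  3001  TCP
4     System         ->  139   TCP
0     System         ->  3119  TCP
2936  ccApp          ->  3099  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
4040  tgcmd          ->  641   TCP   C:\Program Files\Support.com\bin\tgcmd.exe
1756  svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
984                  ->  10743 UDP
4040  tgcmd          ->  1026  UDP   C:\Program Files\Support.com\bin\tgcmd.exe
"""


class Binding(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str


# One fport data line: PID, optional process name, "->", port, protocol, optional path.
# The process column is blank when fport cannot map the PID to an image.
FPORT_LINE = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text: str) -> List[Binding]:
    """Parse fport output into Binding records; header and blank lines are skipped."""
    bindings = []
    for raw in text.splitlines():
        m = FPORT_LINE.match(raw.strip())
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        bindings.append(Binding(int(pid), proc or "", int(port), proto, path.strip()))
    return bindings


# Assumed allowlist of image directories considered expected on this host
# (Windows itself and the Symantec components the post says were installed).
DEFAULT_TRUSTED = ("c:\\windows\\", "c:\\program files\\common files\\symantec shared\\")
# PID 0 (idle) and PID 4 (System) own kernel-mode listeners on XP; not user images.
KERNEL_PIDS = {0, 4}


def triage(bindings: List[Binding], trusted_prefixes=DEFAULT_TRUSTED) -> Dict[int, dict]:
    """Return, per flagged PID, its process name, image path, ports and the reasons it was flagged."""
    by_pid = defaultdict(list)
    for b in bindings:
        by_pid[b.pid].append(b)

    findings = {}
    for pid, group in by_pid.items():
        if pid in KERNEL_PIDS:
            continue
        path = group[0].path
        reasons = []
        if not path:
            reasons.append("no image path resolved")
        elif not path.lower().startswith(tuple(trusted_prefixes)):
            reasons.append("image outside trusted directories")
        if reasons:
            findings[pid] = {
                "process": group[0].process,
                "path": path,
                "ports": sorted((b.proto, b.port) for b in group),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for pid, info in sorted(triage(parse_fport(SAMPLE_FPORT)).items()):
        ports = ", ".join(f"{proto}/{port}" for proto, port in info["ports"])
        print(f"PID {pid} {info['process'] or '<unknown>'} [{ports}] {info['path'] or '-'}: "
              + "; ".join(info["reasons"]))
```

Run against the excerpt it reports two PIDs to look at: 984, which fport could not map to any image at all, and 4040, tgcmd.exe under C:\Program Files\Support.com, which falls outside the allowlist. The allowlist approach is deliberately conservative: it surfaces anything unexpected for the analyst to verify (publisher, install date, service entry) rather than trying to judge a binary by its name.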
