Incidents
Anyone seen tgcmd.exe before? Dec 03 2003 02:05AM
Harry Chemin (hchemin tgen org) (1 replies)
I found a program on a client's laptop running Windows XP with latest service pack and all hot fixes applied. The client reported that someone was remotely controlling his desktop while he was on his home network. The client had Zone Alarm, Symantec Anti-virus software, and was using a Linksys firewall. I checked several websites for information on tgcmd.exe and possibilities for the source of this software appear to be either for Sony Vaio laptops or @Home support software. Unfortunately, the user's laptop is an IBM Thinkpad and the client had no recollection of installing the Support.com software. Here is the output from fport:

Pid Process Port Proto Path
984 -> 3001 TCP
376 -> 5000 TCP
4 System -> 1056 TCP
4 System -> 139 TCP
0 System -> 3119 TCP
0 System -> 3121 TCP
4 System -> 445 TCP
2936 ccApp -> 3099 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936 ccApp -> 3104 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900 msmsgs -> 9519 TCP C:\Program Files\Messenger\msmsgs.exe
1144 ccPxySvc -> 1044 TCP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040 tgcmd -> 641 TCP C:\Program Files\Support.com\bin\tgcmd.exe
1756 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
1756 svchost -> 3002 TCP C:\WINDOWS\System32\svchost.exe
1756 svchost -> 3003 TCP C:\WINDOWS\System32\svchost.exe
1452 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe

984 -> 10743 UDP
376 -> 3008 UDP
4 System -> 1028 UDP
0 System -> 123 UDP
0 System -> 137 UDP
0 System -> 3081 UDP
4 System -> 3123 UDP
4 System -> 500 UDP
0 System -> 62515 UDP
0 System -> 62517 UDP
0 System -> 62519 UDP
0 System -> 62521 UDP
0 System -> 62523 UDP
0 System -> 62524 UDP
2936 ccApp -> 1049 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936 ccApp -> 1900 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900 msmsgs -> 138 UDP C:\Program Files\Messenger\msmsgs.exe
1144 ccPxySvc -> 1900 UDP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040 tgcmd -> 1026 UDP C:\Program Files\Support.com\bin\tgcmd.exe
1756 svchost -> 1027 UDP C:\WINDOWS\System32\svchost.exe
1756 svchost -> 123 UDP C:\WINDOWS\System32\svchost.exe
1756 svchost -> 52070 UDP C:\WINDOWS\System32\svchost.exe
1452 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe


[ reply ]
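The fport listing in the post above can be triaged mechanically. This added example (not part of the original post) parses rows in the format shown and groups listeners whose owning image fport could not resolve, or whose image path is not in an analyst-supplied baseline. The BASELINE set and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# fport row: PID, optional process name, "->", port, protocol, optional path.
ROW = re.compile(r"^(\d+)\s+(\S*?)\s*->\s*(\d+)\s+(TCP|UDP)\s*(.*)$")
# Assumption: hypothetical baseline of images the analyst expects on this host.
BASELINE = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\program files\messenger\msmsgs.exe",
    r"c:\program files\norton internet security professional\ccpxysvc.exe",
    r"c:\windows\system32\svchost.exe",
}
KERNEL_PIDS = {0, 4}  # rows fport attributes to "System" in the post

def parse_fport(text):
    """Yield (pid, name, port, proto, path) for each listener row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, name, port, proto, path = m.groups()
            yield int(pid), name, int(port), proto, path.strip()

def triage(text):
    """Map (pid, reason) -> list of 'port/proto' (input order) to review."""
    findings = defaultdict(list)
    for pid, name, port, proto, path in parse_fport(text):
        if pid in KERNEL_PIDS or path.lower() in BASELINE:
            continue  # Windows paths compare case-insensitively
        reason = ("owner not resolved by fport" if not path
                  else "image not in baseline: " + path)
        findings[(pid, reason)].append(f"{port}/{proto}")
    return dict(findings)

# Excerpt of the fport output quoted in the post above.
SAMPLE = r"""
984 -> 3001 TCP
376 -> 5000 TCP
4 System -> 445 TCP
2936 ccApp -> 3099 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
4040 tgcmd -> 641 TCP C:\Program Files\Support.com\bin\tgcmd.exe
1452 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
984 -> 10743 UDP
4040 tgcmd -> 1026 UDP C:\Program Files\Support.com\bin\tgcmd.exe
"""

if __name__ == "__main__":
    for (pid, reason), ports in triage(SAMPLE).items():
        print(pid, reason, ", ".join(ports))
```

On this excerpt the review list is PIDs 984 and 376 (listening, but with no process name or image path in the fport output) and PID 4040, the tgcmd.exe image the poster asks about.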
Re: Anyone seen tgcmd.exe before? Dec 03 2003 08:56PM
Matthew Leeds (mleeds theleeds net)







 

Copyright 2008, SecurityFocus