Anyone seen tgcmd.exe before?

From: Harry Chemin (hchemin_at_tgen.org)
Date: 12/03/03

    Date: Tue, 2 Dec 2003 19:05:06 -0700
    To: <INCIDENTS@SECURITYFOCUS.COM>
    
    

    I found a program on a client's laptop running Windows XP with the latest service pack and all hot fixes applied. The client reported that someone was remotely controlling his desktop while he was on his home network. The client had Zone Alarm, Symantec Anti-virus software, and was using a Linksys firewall. I checked several websites for information on tgcmd.exe and possibilities for the source of this software appear to be either for Sony Vaio laptops or @Home support software. Unfortunately, the user's laptop is an IBM Thinkpad and the client had no recollection of installing the Support.com software. Here is the output from fport:

    Pid Process Port Proto Path
    984 -> 3001 TCP
    376 -> 5000 TCP
    4 System -> 1056 TCP
    4 System -> 139 TCP
    0 System -> 3119 TCP
    0 System -> 3121 TCP
    4 System -> 445 TCP
    2936 ccApp -> 3099 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    2936 ccApp -> 3104 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    3900 msmsgs -> 9519 TCP C:\Program Files\Messenger\msmsgs.exe
    1144 ccPxySvc -> 1044 TCP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    4040 tgcmd -> 641 TCP C:\Program Files\Support.com\bin\tgcmd.exe
    1756 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
    1756 svchost -> 3002 TCP C:\WINDOWS\System32\svchost.exe
    1756 svchost -> 3003 TCP C:\WINDOWS\System32\svchost.exe
    1452 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe

    984 -> 10743 UDP
    376 -> 3008 UDP
    4 System -> 1028 UDP
    0 System -> 123 UDP
    0 System -> 137 UDP
    0 System -> 3081 UDP
    4 System -> 3123 UDP
    4 System -> 500 UDP
    0 System -> 62515 UDP
    0 System -> 62517 UDP
    0 System -> 62519 UDP
    0 System -> 62521 UDP
    0 System -> 62523 UDP
    0 System -> 62524 UDP
    2936 ccApp -> 1049 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    2936 ccApp -> 1900 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    3900 msmsgs -> 138 UDP C:\Program Files\Messenger\msmsgs.exe
    1144 ccPxySvc -> 1900 UDP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    4040 tgcmd -> 1026 UDP C:\Program Files\Support.com\bin\tgcmd.exe
    1756 svchost -> 1027 UDP C:\WINDOWS\System32\svchost.exe
    1756 svchost -> 123 UDP C:\WINDOWS\System32\svchost.exe
    1756 svchost -> 52070 UDP C:\WINDOWS\System32\svchost.exe
    1452 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
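
Added example, not part of the original post: a small triage pass over fport output like the listing above. It groups listeners by PID and flags rows where fport printed no process name or path, and images outside a baseline of expected directories. The baseline (EXPECTED_DIRS) and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Rows copied from the fport output in the post (a subset, TCP and UDP mixed).
FPORT_OUTPUT = r"""
984 -> 3001 TCP
4 System -> 445 TCP
2936 ccApp -> 3099 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1144 ccPxySvc -> 1044 TCP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040 tgcmd -> 641 TCP C:\Program Files\Support.com\bin\tgcmd.exe
1756 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
984 -> 10743 UDP
4040 tgcmd -> 1026 UDP C:\Program Files\Support.com\bin\tgcmd.exe
"""

# Assumption: directories the analyst expects software to run from on this host.
EXPECTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\common files\\symantec shared\\",
    "c:\\program files\\norton internet security professional\\",
)

# Pid, optional process name, "->", port, protocol, optional image path.
ROW = re.compile(r"^\s*(\d+)\s+(\S*)\s*->\s*(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Group listeners by PID: {pid: {"name", "path", "ports": [(proto, port)]}}."""
    procs = defaultdict(lambda: {"name": "", "path": "", "ports": []})
    # Lines that do not match (header, blanks, separators) are skipped.
    for m in filter(None, map(ROW.match, text.splitlines())):
        pid, name, port, proto, path = m.groups()
        entry = procs[int(pid)]
        entry["name"] = entry["name"] or name
        entry["path"] = entry["path"] or path.strip()
        entry["ports"].append((proto, int(port)))
    return dict(procs)

def triage(procs):
    """Return {pid: reason} for listeners that need a closer look."""
    findings = {}
    for pid, p in procs.items():
        if p["name"] == "System":
            continue  # kernel-owned sockets; fport lists no image path for them
        if not p["path"]:
            findings[pid] = "no process name or path in fport output"
        elif not p["path"].lower().startswith(EXPECTED_DIRS):
            findings[pid] = "image outside the expected directories"
    return findings

if __name__ == "__main__":
    print(triage(parse_fport(FPORT_OUTPUT)))
```

A flagged PID is a starting point for review (file properties, installer records, vendor confirmation), not a verdict on the binary.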
