RE: Anyone seen tgcmd.exe before?

From: James C. Slora, Jr. (james.slora_at_phra.com)
Date: 12/03/03

  • Next message: Matthew Leeds: "Re: Anyone seen tgcmd.exe before?"
    Date: Wed, 3 Dec 2003 12:21:07 -0500
    To: "Harry Chemin" <hchemin@tgen.org>, <INCIDENTS@SECURITYFOCUS.COM>
    
    
    

    Harry Chemin wrote Tuesday, December 02, 2003 9:05 PM

    > I found a program on a client's laptop running Windows XP
    > with latest service pack and all hot fixes applied. The
    > client reported that someone was remotely controlling his
    > desktop while he was on his home network. The client had
    > Zone Alarm, Symantec Anti-virus software, and was using a
    > Linksys firewall. I checked several websites for information
    > on tgcmd.exe and possibilities for the source of this
    > software appear to be either for Sony Vaio laptops or @Home
    > support software. Unfortunately, the user's laptop is an IBM
    > Thinkpad and the client had no recollection of installing the
    > Support.com software. Here is the output from fport:

    It is Support.com remote control software installed as part of the @Home or Comcast support suite. Comcast uses (used?) it for remote help. @Home also used it. I have not had a reason to research the software's vulnerabilities, its mechanics, or its potential for abuse - but it is normal for an @Home client to have the tgcmd.exe listening on TCP port 641.

    > Pid Process Port Proto Path
    > 984 -> 3001 TCP
    > 376 -> 5000 TCP
    > 4 System -> 1056 TCP
    > 4 System -> 139 TCP
    > 0 System -> 3119 TCP
    > 0 System -> 3121 TCP
    > 4 System -> 445 TCP
    > 2936 ccApp -> 3099 TCP C:\Program Files\Common
    > Files\Symantec Shared\ccApp.exe
    > 2936 ccApp -> 3104 TCP C:\Program Files\Common
    > Files\Symantec Shared\ccApp.exe
    > 3900 msmsgs -> 9519 TCP C:\Program
    > Files\Messenger\msmsgs.exe
    > 1144 ccPxySvc -> 1044 TCP C:\Program Files\Norton
    > Internet Security Professional\ccPxySvc.exe
    > 4040 tgcmd -> 641 TCP C:\Program
    > Files\Support.com\bin\tgcmd.exe

    
    
    

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
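A triage sketch for the fport listing quoted in this thread, added here as an example and not part of either poster's message: it rejoins the paths broken by e-mail wrapping and checks each listener against a baseline. The function names and the `BASELINE` table are assumptions; the tgcmd entry reflects the reply's statement about TCP port 641 and the path shown in the quoted output.

```python
import re

# Lines copied from the fport output quoted in the post, with the e-mail
# quoting and line wrapping left in place.
SAMPLE = r"""
> Pid Process Port Proto Path
> 984 -> 3001 TCP
> 4 System -> 445 TCP
> 2936 ccApp -> 3099 TCP C:\Program Files\Common
> Files\Symantec Shared\ccApp.exe
> 4040 tgcmd -> 641 TCP C:\Program
> Files\Support.com\bin\tgcmd.exe
"""

ROW = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
# Assumed baseline: the reply calls tgcmd.exe on TCP 641 normal for the
# support suite; the expected path is the one shown in the post's output.
BASELINE = {("tgcmd", 641, "TCP"): r"C:\Program Files\Support.com\bin\tgcmd.exe"}

def parse_fport(text):
    """Return one dict per listener, rejoining paths split by mail wrapping."""
    rows = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        if not line or line.startswith("Pid "):
            continue
        m = ROW.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "name": name or "", "port": int(port),
                         "proto": proto, "path": path})
        elif rows:
            # Continuation of a wrapped path (assumes the wrap fell on a space).
            rows[-1]["path"] = (rows[-1]["path"] + " " + line).strip()
    return rows

def label(r):
    """Classify one listener against the baseline."""
    if not r["name"]:
        return "unattributed"  # fport did not name the owning process
    expected = BASELINE.get((r["name"], r["port"], r["proto"]))
    if expected is None:
        return "review"
    return "baseline" if r["path"].lower() == expected.lower() else "path-mismatch"

def triage(text):
    """Map (pid, port) to a label for every listener in an fport listing."""
    return {(r["pid"], r["port"]): label(r) for r in parse_fport(text)}
```

A `baseline` label only means the listener matches the expected name, port and path; it says nothing about who is connecting to it.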


