Re: Anyone seen tgcmd.exe before?
From: Matthew Leeds (mleeds_at_theleeds.net)
Date: 12/03/03
- Previous message: James C. Slora, Jr.: "RE: Anyone seen tgcmd.exe before?"
- In reply to: Harry Chemin: "Anyone seen tgcmd.exe before?"
- Next in thread: David Moisan: "RE: Anyone seen tgcmd.exe before?"
Date: Wed, 03 Dec 2003 12:56:13 -0800
To: INCIDENTS@SECURITYFOCUS.COM, "Harry Chemin" <hchemin@tgen.org>
Also installed by default on many/most Thinkpads.
http://www.sunhelp.org/pipermail/geeks/2003-January/037173.html
---Matthew
*********** REPLY SEPARATOR ***********
On 12/2/2003 at 7:05 PM Harry Chemin wrote:
>I found a program on a client's laptop running Windows XP with latest
>service pack and all hot fixes applied. The client reported that someone
>was remotely controlling his desktop while he was on his home network.
>The client had Zone Alarm, Symantec Anti-virus software, and was using a
>Linksys firewall. I checked several websites for information on tgcmd.exe
>and possibilities for the source of this software appear to be either for
>Sony Vaio laptops or @Home support software. Unfortunately, the user's
>laptop is an IBM Thinkpad and the client had no recollection of installing
>the Support.com software. Here is the output from fport:
>
>Pid Process Port Proto Path
>984 -> 3001 TCP
>376 -> 5000 TCP
>4 System -> 1056 TCP
>4 System -> 139 TCP
>0 System -> 3119 TCP
>0 System -> 3121 TCP
>4 System -> 445 TCP
>2936 ccApp -> 3099 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
>2936 ccApp -> 3104 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
>3900 msmsgs -> 9519 TCP C:\Program Files\Messenger\msmsgs.exe
>1144 ccPxySvc -> 1044 TCP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
>4040 tgcmd -> 641 TCP C:\Program Files\Support.com\bin\tgcmd.exe
>1756 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 3002 TCP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 3003 TCP C:\WINDOWS\System32\svchost.exe
>1452 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
>
>984 -> 10743 UDP
>376 -> 3008 UDP
>4 System -> 1028 UDP
>0 System -> 123 UDP
>0 System -> 137 UDP
>0 System -> 3081 UDP
>4 System -> 3123 UDP
>4 System -> 500 UDP
>0 System -> 62515 UDP
>0 System -> 62517 UDP
>0 System -> 62519 UDP
>0 System -> 62521 UDP
>0 System -> 62523 UDP
>0 System -> 62524 UDP
>2936 ccApp -> 1049 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
>2936 ccApp -> 1900 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
>3900 msmsgs -> 138 UDP C:\Program Files\Messenger\msmsgs.exe
>1144 ccPxySvc -> 1900 UDP C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
>4040 tgcmd -> 1026 UDP C:\Program Files\Support.com\bin\tgcmd.exe
>1756 svchost -> 1027 UDP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 123 UDP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 52070 UDP C:\WINDOWS\System32\svchost.exe
>1452 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
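An added example, not part of the original thread: a small Python parser for an fport listing like the one quoted above. It rejoins image paths that a mail client wrapped across lines, lists sockets for which fport showed neither a process name nor a path, and returns the ports held by a named executable. Function names are this example's own; the sample rows reuse values from the quoted listing.

```python
import re

# Rows reuse values from the fport listing in the post; the mid-path line
# wraps and ">" quote markers are kept on purpose to exercise the parser.
SAMPLE = r"""
>Pid Process Port Proto Path
>984 -> 3001 TCP
>4 System -> 445 TCP
>2936 ccApp -> 3099 TCP C:\Program Files\Common
>Files\Symantec Shared\ccApp.exe
>4040 tgcmd -> 641 TCP C:\Program
>Files\Support.com\bin\tgcmd.exe
>1756 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
>376 -> 3008 UDP
>4040 tgcmd -> 1026 UDP C:\Program
>Files\Support.com\bin\tgcmd.exe
"""

# pid, optional process name, "->", port, protocol, optional image path
ROW = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Parse mail-quoted fport output into dicts, rejoining wrapped paths."""
    rows = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line or line.startswith("Pid") or set(line) == {"-"}:
            continue
        m = ROW.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": name or "",
                         "port": int(port), "proto": proto, "path": path})
        elif rows:  # not a new row: continuation of the previous path
            rows[-1]["path"] = (rows[-1]["path"] + " " + line).strip()
    return rows

def unresolved(rows):
    """Sockets where fport reported neither a process name nor a path."""
    return [r for r in rows if not r["process"] and not r["path"]]

def listeners_for(rows, image):
    """(proto, port) pairs owned by the given executable name."""
    suffix = "\\" + image.lower()
    return sorted((r["proto"], r["port"]) for r in rows
                  if r["path"].lower().endswith(suffix))

if __name__ == "__main__":
    rows = parse_fport(SAMPLE)
    for r in unresolved(rows):
        print("no owner shown:", r["pid"], r["proto"], r["port"])
    print("tgcmd.exe:", listeners_for(rows, "tgcmd.exe"))
```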