Re: Anyone seen tgcmd.exe before?
From: Angus (angus_md_at_yahoo.com)
Date: 12/03/03
- Previous message: David Moisan: "RE: Anyone seen tgcmd.exe before?"
- Maybe in reply to: Harry Chemin: "Anyone seen tgcmd.exe before?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 3 Dec 2003 17:35:04 -0000 To: incidents@securityfocus.com('binary' encoding is not supported, stored as-is) In-Reply-To: <8614FCA8E4FB3C4A9ED38BBD9C7D38C405B118@azc-m3.ad.tgen.org>
It is spyware. Rumor has it, Comcast installs it w/ cable modems, and some laptop vendors install it as well.
http://www.winpatrol.com/db/freesample/tgcmd.html
>Received: (qmail 21989 invoked from network); 3 Dec 2003 16:50:32 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 3 Dec 2003 16:50:32 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id D937BA30CF; Wed, 3 Dec 2003 09:59:18 -0700 (MST)
>Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <incidents.list-id.securityfocus.com>
>List-Post: <mailto:incidents@securityfocus.com>
>List-Help: <mailto:incidents-help@securityfocus.com>
>List-Unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:incidents-subscribe@securityfocus.com>
>Delivered-To: mailing list incidents@securityfocus.com
>Delivered-To: moderator for incidents@securityfocus.com
>Received: (qmail 1131 invoked from network); 3 Dec 2003 02:16:49 -0000
>X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
>content-class: urn:content-classes:message
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>Subject: Anyone seen tgcmd.exe before?
>Date: Tue, 2 Dec 2003 19:05:06 -0700
>Message-ID: <8614FCA8E4FB3C4A9ED38BBD9C7D38C405B118@azc-m3.ad.tgen.org>
>X-MS-Has-Attach:
>X-MS-TNEF-Correlator:
>Thread-Topic: Same sequence...
>Thread-Index: AcO4g799ukgvnBVGTfysJbQnMhXWowAvBDHA
>From: "Harry Chemin" <hchemin@tgen.org>
>To: <INCIDENTS@SECURITYFOCUS.COM>
>
>I found a program on a client's laptop running Windows XP with latest =
>service pack and all hot fixes applied. The client reported that =
>someone was remotely controlling his desktop while he was on his home =
>network. The client had Zone Alarm, Symantec Anti-virus software, and =
>was using a Linksys firewall. I checked several websites for =
>information on tgcmd.exe and possibilities for the source of this =
>software appear to be either for Sony Vaio laptops or @Home support =
>software. Unfortunately, the user's laptop is an IBM Thinkpad and the =
>client had no recollection of installing the Support.com software. Here =
>is the output from fport:
>
>Pid Process Port Proto Path =20
>984 -> 3001 TCP =20
>376 -> 5000 TCP =20
>4 System -> 1056 TCP =20
>4 System -> 139 TCP =20
>0 System -> 3119 TCP =20
>0 System -> 3121 TCP =20
>4 System -> 445 TCP =20
>2936 ccApp -> 3099 TCP C:\Program Files\Common =
>Files\Symantec Shared\ccApp.exe
>2936 ccApp -> 3104 TCP C:\Program Files\Common =
>Files\Symantec Shared\ccApp.exe
>3900 msmsgs -> 9519 TCP C:\Program =
>Files\Messenger\msmsgs.exe
>1144 ccPxySvc -> 1044 TCP C:\Program Files\Norton Internet =
>Security Professional\ccPxySvc.exe
>4040 tgcmd -> 641 TCP C:\Program =
>Files\Support.com\bin\tgcmd.exe
>1756 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 3002 TCP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 3003 TCP C:\WINDOWS\System32\svchost.exe
>1452 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
>
>984 -> 10743 UDP =20
>376 -> 3008 UDP =20
>4 System -> 1028 UDP =20
>0 System -> 123 UDP =20
>0 System -> 137 UDP =20
>0 System -> 3081 UDP =20
>4 System -> 3123 UDP =20
>4 System -> 500 UDP =20
>0 System -> 62515 UDP =20
>0 System -> 62517 UDP =20
>0 System -> 62519 UDP =20
>0 System -> 62521 UDP =20
>0 System -> 62523 UDP =20
>0 System -> 62524 UDP =20
>2936 ccApp -> 1049 UDP C:\Program Files\Common =
>Files\Symantec Shared\ccApp.exe
>2936 ccApp -> 1900 UDP C:\Program Files\Common =
>Files\Symantec Shared\ccApp.exe
>3900 msmsgs -> 138 UDP C:\Program =
>Files\Messenger\msmsgs.exe
>1144 ccPxySvc -> 1900 UDP C:\Program Files\Norton Internet =
>Security Professional\ccPxySvc.exe
>4040 tgcmd -> 1026 UDP C:\Program =
>Files\Support.com\bin\tgcmd.exe
>1756 svchost -> 1027 UDP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 123 UDP C:\WINDOWS\System32\svchost.exe
>1756 svchost -> 52070 UDP C:\WINDOWS\System32\svchost.exe
>1452 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
>
>---------------------------------------------------------------------------
>----------------------------------------------------------------------------
>
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: David Moisan: "RE: Anyone seen tgcmd.exe before?"
- Maybe in reply to: Harry Chemin: "Anyone seen tgcmd.exe before?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
