We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


What is curl.exe used for?

3fingerbrown asked
Medium Priority
Last Modified: 2008-01-09
What is curl.exe and why would I have it on my computer>  I was going through my firewall settings and saw that a program curl.exe had full access to do whatever it wanted.  
Is it possible that its presence on my machine is malicious in nature?
Thank you, Ari
Watch Question

There are a few diffrent curl.exe programs out there some are used for web development.
]FIrst go here and download this utility called hijackthis! Once you download it run it and save scan then copy and past the scan here
Then have it scan what is listed, and post any of the nasty's here and I can help you more from there.


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Thank you llaf, the hijackthis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 10:54:33 AM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\Gmail Notifier\G001-\gnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\netterm\netterm.exe
C:\Program Files\netterm\netterm.exe
C:\Program Files\netterm\netterm.exe
C:\Documents and Settings\ari\Desktop\utorrent.exe
C:\Program Files\PowerArchiver\POWERARC.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browster BrwIEConnector - {908A31E8-2A6E-4736-8E8A-AAF00C4AE38F} - C:\Program Files\Browster\Browster.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7
O4 - Startup: BAMMediaPlayerUpdater.lnk = C:\Program Files\BAMMediaPlayer\updater.exe
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\swarmcast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141838068469
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142448203718
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBroome.local
O17 - HKLM\Software\..\Telephony: DomainName = SBroome.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBroome.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\netterm\netterm.exe
Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab 

These are the only ones that are in question, if you know what they are then it is fine, but if you do not you sould do something about them. Please let me know if you have any ideas what these might be.


Well, I did some searching and all of these seem to check out ok, you have a clean system, congrats.



Thank you very much llaf.
Netterm is a terminal emulator I use to use my UNIX system and browster is an add-on for firefox that allows you to preview websites.
Swarmcast... I have no idea and will deal with accordingly.

Any idea what the last DPF entry is for?  It looks like it could have something to do with my exchange server
Thanks again, Ari


Thanks again llaf!  What is swarmcast used for?

It is a peer2peer program much like Utorrent, which i saw that you have. You might have installed it at one time, but have forgotten about it.

http://en.wikipedia.org/wiki/Swarmcast Wiki on sarmcast.

My first port of call would be to do a search on your hard drive for curl.exe. This may help in pinpointing it's use and whether you can live without it.
Curl.exe is not a spam or virus... it is a yahoo widgets...

check the link. http://www.fbmsoftware.com/spyware-net/Process/curl_exe/3125/


thank you most kindly!
Running processes:

Umm, I would be a little worried about C:\WINDOWS\TEMP\ZHBCD7.EXE, but if llafnwod says he checked it out, then...  umm, where did that check out at?

Just my personal experience, things running from the temp dir, as not always bad, for example installing a program that may copy itself to the /temp dir generally are not good.  But then I could be wrong, thing that scares me, is Google turns up nothing on this file name.  :-/

Just my .02

Not realated at all to your curl.exe question,  just a FYI.  =)

Nice try, trying to make me look like a moron, but if you google HBCD7 (remove the z) you will find that it can be many things, none which are bad.
Was not calling you any names, just was merely saying that you know more than I.  And since the user had posted a question about one file, leads me to believe that something is wrong, I was just trying to show that I would be more concerned with processes that are running from a TEMP folder and are still active.  If not installing anything, in my head it puts up a flag.  But I could be wrong, that is why it was a FYI and I stated that it had no relevance to this question about curl.exe.
If you are still worried about your system possibly having something malicious then I personal would go to http://www.prevx.com and install it,  it has a free 30 days to try out,  the good thing about this try out, is it will tell you what’s wrong with your system and also clean it even if in the 30 day trial mode.  It is the best product I know of, and it works well with other programs to help protect you.  

After the 30 days if you decide not to keep it, well then just install it, at least it will fix or let you know what is wrong with your system today.

Tell me how that works out for you.  I wish you the best, but am still a little concerned about C:\WINDOWS\TEMP\ZHBCD7.EXE



I am very thankful for the help.  I saw some files with very wierd names with weird aplhanumeric extensions along with yahoo widget extensions and acrobat files and html files... I deleted them all and hopefully won't see them again so i don't have more exact info.  At times, my laptop also starts using up all the available memory and all available processor cycles... somethimes is a rndll32, sometimes its another otherwise known or harmless process that looks stuck...  curl.exe was one of the things I saw in the task manager and when i googled it and saw what it was used for I couldn't figure out why i had it running.  I searched and can't find a curl.exe file anywhere on my computer.
I reguarly run spybot and adaware, update my antivirus nightly and scan weekly and I am behind firewalls wherever I go.  I of course also keep the machine fully patched.
That reminds me... MS update keeps trying to give me a patch that fails to install, yet it keeps tring over and over...  816093: Security Update Microsoft Virtual Machine (Microsoft VM)
I'm suspicious of this as well.

Any ideas would be / have been greatly appreciated.


Swarmcast seems to be part of MLB Mosaic TV...
An application from Major league Baseball that allows you to stream and view up to 6 live baseball games simultaneously.
If you are trying to install it from the M$ update page it is possible it could be conflicting, if your auto update has already downloaded it and awaiting install,  check your icons on your lower right of your computer, and just give a quick look to see if you are awaiting a install,  I will keep looking for you.

I can not get my mind off ZHBCD7.EXE and the fact Google reports nothing bothers me, and if you do take the Z off the file name you do get results but they are all/mostly rar (type of zip) files that have nothing of relevance to anything except for being file names some people put on rapidshare which is used for uploading files too as a one of those single click download hosting companies used mainly these days for warez.  

Have you tried to end the task ZHBCD7.EXE in your task manager, and if so does it go away or just come back with the same name or possibly a new name?  I can not help but think this file is malicious.

Sorry for the continuation on this its just bugging me.  lol, I will not talk about this file any more unless you want.

As for rndll32.exe (not rundll32.exe)

rndll32.exe is NOT a valid Win32 application as far as I can see.
This should not be confused with rundll32.exe

Do you ever get an error message when you try to change program settings or add/remove programs?

I noticed you have a service called wltrysvc.exe running and although it looks to be genuine there are reports of system 'slow down' caused by it.

See this and make your own judgement as to whether to stop it or not.

Curl.exe is also part of the Tivo Desktop Program.

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.