3fingerbrown
asked on
What is curl.exe used for?
What is curl.exe and why would I have it on my computer? I was going through my firewall settings and saw that a program curl.exe had full access to do whatever it wanted.
Is it possible that its presence on my machine is malicious in nature?
Thank you, Ari
ASKER CERTIFIED SOLUTION
C:\WINDOWS\TEMP\ZHBCD7.EXE
C:\Program Files\Swarmcast\swarmcast. exe
C:\Program Files\netterm\netterm.exe
Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dl l/CustomPr efetchMenu .htm
DPF: {E78DE03F-DC83-40DB-B590-8 FD80BE5F7C 8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab
These are the only ones that are in question; if you know what they are then it is fine, but if you do not, you should do something about them. Please let me know if you have any ideas what these might be.
llaf
Well, I did some searching and all of these seem to check out ok, you have a clean system, congrats.
llaf
ASKER
Thank you very much llaf.
Netterm is a terminal emulator I use to use my UNIX system and browster is an add-on for firefox that allows you to preview websites.
Swarmcast... I have no idea and will deal with accordingly.
Any idea what the last DPF entry is for? It looks like it could have something to do with my exchange server
Thanks again, Ari
ASKER
Thanks again llaf! What is swarmcast used for?
It is a peer2peer program much like Utorrent, which I saw that you have. You might have installed it at one time, but have forgotten about it.
My first port of call would be to do a search on your hard drive for curl.exe. This may help in pinpointing its use and whether you can live without it.
Curl.exe is not a spam or virus... it is a yahoo widgets...
check the link. http://www.fbmsoftware.com/spyware-net/Process/curl_exe/3125/
ASKER
thank you most kindly!
Running processes:
C:\WINDOWS\TEMP\ZHBCD7.EXE
Umm, I would be a little worried about C:\WINDOWS\TEMP\ZHBCD7.EXE , but if llafnwod says he checked it out, then... umm, where did that check out at?
Just my personal experience: things running from the temp dir are not always bad (for example, a program you are installing may copy itself to the /temp dir), but generally they are not good. But then I could be wrong; the thing that scares me is that Google turns up nothing on this file name. :-/
Just my .02
Not related at all to your curl.exe question, just a FYI. =)
Nice try, trying to make me look like a moron, but if you google HBCD7 (remove the z) you will find that it can be many things, none which are bad.
llaf
Was not calling you any names, just was merely saying that you know more than I. And since the user had posted a question about one file, leads me to believe that something is wrong, I was just trying to show that I would be more concerned with processes that are running from a TEMP folder and are still active. If not installing anything, in my head it puts up a flag. But I could be wrong, that is why it was a FYI and I stated that it had no relevance to this question about curl.exe.
If you are still worried about your system possibly having something malicious then I personally would go to http://www.prevx.com and install it; it has a free 30 days to try out. The good thing about this try out is it will tell you what’s wrong with your system and also clean it even in the 30 day trial mode. It is the best product I know of, and it works well with other programs to help protect you.
After the 30 days if you decide not to keep it, well then just install it, at least it will fix or let you know what is wrong with your system today.
Tell me how that works out for you. I wish you the best, but am still a little concerned about C:\WINDOWS\TEMP\ZHBCD7.EXE
Travis
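An added example, not from this thread or any of its posters: a PowerShell script that turns the two checks suggested above (search the hard drive for curl.exe, and treat a live process running out of a TEMP folder as something to look at) into a repeatable inventory. It assumes Windows PowerShell 5.1 or later and an elevated prompt so that the image paths of other sessions' processes are readable; the file name curl.exe is the only value taken from the thread, and the script changes nothing on the machine.

```powershell
# Added example (not the thread's own advice, just its two checks scripted).
# Assumes Windows PowerShell 5.1+ run from an elevated prompt. Read-only.

# --- Check 1: every curl.exe on fixed local drives, with signer and hash ---
# A Windows-shipped copy lives under System32; one that is unsigned or sits
# somewhere odd is the copy worth investigating.
$drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' }

$copies = foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter 'curl.exe' -Recurse -File `
        -ErrorAction SilentlyContinue
}

"=== Copies of curl.exe on local drives ==="
foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SizeKB    = [math]::Round($f.Length / 1KB)
        Modified  = $f.LastWriteTime
        SigStatus = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig.SignerCertificate) {
                        $sig.SignerCertificate.Subject
                    } else { '(unsigned)' }
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
} | Format-List

# --- Check 2: running processes whose image lives under a Temp directory ---
# An installer may legitimately run from Temp for a few minutes; a process
# that stays there across reboots, or comes back after being ended, is the
# pattern the thread was worried about.
$tempRoots = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } | Sort-Object -Unique

"=== Live processes running from a Temp directory ==="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $p = $_
    $hit = $tempRoots | Where-Object {
        $p.Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    }
    if ($hit) {
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        [pscustomobject]@{
            PID       = $p.Id
            Name      = $p.ProcessName
            Path      = $p.Path
            SigStatus = $sig.Status
            Started   = $p.StartTime
        }
    }
} | Format-Table -AutoSize
```

Run it once, end the suspect task, and run it again after a reboot: a Temp-resident process that reappears under the same or a new random name is the behaviour worth escalating, whereas a signed binary with a recognisable vendor in the Signer column usually explains itself.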
ASKER
I am very thankful for the help. I saw some files with very weird names with weird alphanumeric extensions along with yahoo widget extensions and acrobat files and html files... I deleted them all and hopefully won't see them again, so I don't have more exact info. At times, my laptop also starts using up all the available memory and all available processor cycles... sometimes it is a rndll32, sometimes it's another otherwise known or harmless process that looks stuck... curl.exe was one of the things I saw in the task manager and when I googled it and saw what it was used for I couldn't figure out why I had it running. I searched and can't find a curl.exe file anywhere on my computer.
I regularly run spybot and adaware, update my antivirus nightly and scan weekly and I am behind firewalls wherever I go. I of course also keep the machine fully patched.
That reminds me... MS update keeps trying to give me a patch that fails to install, yet it keeps trying over and over... 816093: Security Update Microsoft Virtual Machine (Microsoft VM)
I'm suspicious of this as well.
Any ideas would be / have been greatly appreciated.
ASKER
Swarmcast seems to be part of MLB Mosaic TV...
An application from Major league Baseball that allows you to stream and view up to 6 live baseball games simultaneously.
If you are trying to install it from the M$ update page it is possible it could be conflicting if your auto update has already downloaded it and is awaiting install. Check your icons on the lower right of your screen, and just give a quick look to see if you are awaiting an install. I will keep looking for you.
Travis
I can not get my mind off ZHBCD7.EXE, and the fact Google reports nothing bothers me. If you do take the Z off the file name you do get results, but they are all/mostly rar (a type of zip) files that have nothing of relevance to anything except for being file names some people put on rapidshare, which is used for uploading files to, one of those single click download hosting companies used mainly these days for warez.
Have you tried to end the task ZHBCD7.EXE in your task manager, and if so does it go away or just come back with the same name or possibly a new name? I can not help but think this file is malicious.
Sorry for the continuation on this its just bugging me. lol, I will not talk about this file any more unless you want.
Travis
As for rndll32.exe (not rundll32.exe)
rndll32.exe is NOT a valid Win32 application as far as I can see.
This should not be confused with rundll32.exe
Do you ever get an error message when you try to change program settings or add/remove programs?
Travis
I noticed you have a service called wltrysvc.exe running and although it looks to be genuine there are reports of system 'slow down' caused by it.
See this and make your own judgement as to whether to stop it or not.
http://www.neuber.com/taskmanager/process/wltrysvc.exe.html
Curl.exe is also part of the Tivo Desktop Program.
Steve
ASKER
Logfile of HijackThis v1.99.1
Scan saved at 10:54:33 AM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\CTsvcC
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc3
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\System32\wltrys
C:\WINDOWS\system32\MsPMSP
C:\WINDOWS\System32\bcmwlt
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\ZHBCD7.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\QuickS
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gno
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre1.5.0_06\bin
C:\Program Files\iPod\bin\iPodService
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\Program Files\Swarmcast\swarmcast.
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.
C:\WINDOWS\system32\wuaucl
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Program Files\netterm\netterm.exe
C:\PROGRA~1\MICROS~3\OFFIC
C:\Program Files\netterm\netterm.exe
C:\Program Files\netterm\netterm.exe
C:\PROGRA~1\MOZILL~1\FIREF
C:\Documents and Settings\ari\Desktop\utorr
C:\Program Files\PowerArchiver\POWERA
C:\DOCUME~1\ari\LOCALS~1\T
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Browster BrwIEConnector - {908A31E8-2A6E-4736-8E8A-A
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickS
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MS
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateMana
O4 - Startup: BAMMediaPlayerUpdater.lnk = C:\Program Files\BAMMediaPlayer\updat
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\swarmcast.
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O8 - Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {00134F72-5284-44F7-95A8-5
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0
O16 - DPF: {35C3D91E-401A-4E45-88A5-F
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {E78DE03F-DC83-40DB-B590-8
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcC
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLa
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrys