Solved

What is curl.exe used for?

Posted on 2006-10-24
25
22,571 Views
Last Modified: 2008-01-09
What is curl.exe and why would I have it on my computer?  I was going through my firewall settings and saw that a program curl.exe had full access to do whatever it wanted.
Is it possible that its presence on my machine is malicious in nature?
Thank you, Ari
Question by:3fingerbrown
25 Comments
 
LVL 3

Accepted Solution

by:
llafnwod earned 250 total points
ID: 17796167
There are a few different curl.exe programs out there; some are used for web development.
http://www.majorgeeks.com/download3155.html
First go here and download this utility called HijackThis! Once you download it, run it and save the scan, then copy and paste the scan here:
http://hijackthis.de/
Then have it scan what is listed, and post any of the nasties here and I can help you more from there.

llaf
0
 

Author Comment

by:3fingerbrown
ID: 17796362
Thank you llaf, the hijackthis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 10:54:33 AM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\ZHBCD7.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\netterm\netterm.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\netterm\netterm.exe
C:\Program Files\netterm\netterm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\ari\Desktop\utorrent.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\ari\LOCALS~1\Temp\_PA762\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browster BrwIEConnector - {908A31E8-2A6E-4736-8E8A-AAF00C4AE38F} - C:\Program Files\Browster\Browster.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7
O4 - Startup: BAMMediaPlayerUpdater.lnk = C:\Program Files\BAMMediaPlayer\updater.exe
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\swarmcast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141838068469
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142448203718
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBroome.local
O17 - HKLM\Software\..\Telephony: DomainName = SBroome.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBroome.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

0
 
LVL 3

Expert Comment

by:llafnwod
ID: 17796422
C:\WINDOWS\TEMP\ZHBCD7.EXE
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\netterm\netterm.exe
Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab

These are the only ones that are in question. If you know what they are then it is fine, but if you do not you should do something about them. Please let me know if you have any ideas what these might be.

llaf
0
 
LVL 3

Expert Comment

by:llafnwod
ID: 17796457
Well, I did some searching and all of these seem to check out ok, you have a clean system, congrats.


llaf
0
 

Author Comment

by:3fingerbrown
ID: 17796483
Thank you very much llaf.
Netterm is a terminal emulator I use to use my UNIX system and browster is an add-on for firefox that allows you to preview websites.
Swarmcast... I have no idea and will deal with accordingly.

Any idea what the last DPF entry is for?  It looks like it could have something to do with my Exchange server.
Thanks again, Ari
0
 

Author Comment

by:3fingerbrown
ID: 17796517
Thanks again llaf!  What is swarmcast used for?
0
 
LVL 3

Expert Comment

by:llafnwod
ID: 17796546
It is a peer2peer program much like uTorrent, which I saw that you have. You might have installed it at one time, but have forgotten about it.
0
 
LVL 3

Expert Comment

by:llafnwod
ID: 17796598
http://en.wikipedia.org/wiki/Swarmcast Wiki on Swarmcast.

llaf.
0
 

Expert Comment

by:grahamdon
ID: 17796608
My first port of call would be to do a search on your hard drive for curl.exe. This may help in pinpointing its use and whether you can live without it.
0
 
LVL 5

Expert Comment

by:Yogalingam
ID: 17797605
Curl.exe is not spam or a virus... it is a Yahoo widget...

check the link. http://www.fbmsoftware.com/spyware-net/Process/curl_exe/3125/
0
 

Author Comment

by:3fingerbrown
ID: 17797727
thank you most kindly!
0
 

Expert Comment

by:battitude
ID: 17799506
Running processes:
C:\WINDOWS\TEMP\ZHBCD7.EXE

Umm, I would be a little worried about C:\WINDOWS\TEMP\ZHBCD7.EXE, but if llafnwod says he checked it out, then...  umm, where did that check out at?

Just my personal experience: things running from the temp dir are not always bad (for example, installing a program that may copy itself to the /temp dir), but generally they are not good.  But then I could be wrong; the thing that scares me is that Google turns up nothing on this file name.  :-/

Just my .02

Not related at all to your curl.exe question, just an FYI.  =)
0
 
LVL 3

Expert Comment

by:llafnwod
ID: 17800837
Nice try, trying to make me look like a moron, but if you google HBCD7 (remove the z) you will find that it can be many things, none of which are bad.
llaf
0
 

Expert Comment

by:battitude
ID: 17801126
Was not calling you any names, just was merely saying that you know more than I.  And since the user had posted a question about one file, it leads me to believe that something is wrong. I was just trying to show that I would be more concerned with processes that are running from a TEMP folder and are still active.  If not installing anything, in my head it puts up a flag.  But I could be wrong; that is why it was an FYI, and I stated that it had no relevance to this question about curl.exe.
0
 

Expert Comment

by:battitude
ID: 17813121
If you are still worried about your system possibly having something malicious then I personally would go to http://www.prevx.com and install it. It has a free 30 days to try out; the good thing about this tryout is it will tell you what’s wrong with your system and also clean it even if in the 30 day trial mode.  It is the best product I know of, and it works well with other programs to help protect you.

After the 30 days if you decide not to keep it, well then just install it, at least it will fix or let you know what is wrong with your system today.

Tell me how that works out for you.  I wish you the best, but am still a little concerned about C:\WINDOWS\TEMP\ZHBCD7.EXE


Travis
0
 

Author Comment

by:3fingerbrown
ID: 17813290
I am very thankful for the help.  I saw some files with very weird names with weird alphanumeric extensions along with Yahoo widget extensions and Acrobat files and HTML files... I deleted them all and hopefully won't see them again, so I don't have more exact info.  At times, my laptop also starts using up all the available memory and all available processor cycles... sometimes it's a rndll32, sometimes it's another otherwise known or harmless process that looks stuck...  curl.exe was one of the things I saw in the Task Manager, and when I googled it and saw what it was used for I couldn't figure out why I had it running.  I searched and can't find a curl.exe file anywhere on my computer.
I regularly run Spybot and Adaware, update my antivirus nightly and scan weekly, and I am behind firewalls wherever I go.  I of course also keep the machine fully patched.
That reminds me... MS update keeps trying to give me a patch that fails to install, yet it keeps trying over and over...  816093: Security Update Microsoft Virtual Machine (Microsoft VM)
I'm suspicious of this as well.

Any ideas would be / have been greatly appreciated.
0
 

Author Comment

by:3fingerbrown
ID: 17813549
Swarmcast seems to be part of MLB Mosaic TV...
An application from Major league Baseball that allows you to stream and view up to 6 live baseball games simultaneously.
0
 

Expert Comment

by:battitude
ID: 17813889
If you are trying to install it from the M$ update page, it is possible it could be conflicting if your auto update has already downloaded it and is awaiting install. Check your icons on the lower right of your computer, and just give a quick look to see if you are awaiting an install.  I will keep looking for you.

Travis
0
 

Expert Comment

by:battitude
ID: 17814018
I can not get my mind off ZHBCD7.EXE, and the fact Google reports nothing bothers me. If you do take the Z off the file name you do get results, but they are all/mostly rar (type of zip) files that have nothing of relevance to anything except for being file names some people put on rapidshare, which is used for uploading files to as one of those single click download hosting companies, used mainly these days for warez.

Have you tried to end the task ZHBCD7.EXE in your task manager, and if so does it go away or just come back with the same name or possibly a new name?  I can not help but think this file is malicious.

Sorry for the continuation on this, it's just bugging me.  lol, I will not talk about this file any more unless you want.

Travis
0
 

Expert Comment

by:battitude
ID: 17814137
As for rndll32.exe (not rundll32.exe)

rndll32.exe is NOT a valid Win32 application as far as I can see.
This should not be confused with rundll32.exe

Do you ever get an error message when you try to change program settings or add/remove programs?

Travis
0
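
The two triage points battitude raises in this thread (a process still running from a TEMP folder, and rndll32.exe versus rundll32.exe) can be checked mechanically against the "Running processes" section of a HijackThis log. The following is an added example, not part of the original thread: the sample lines are taken from the log posted above except the rndll32.exe line, which is constructed, and KNOWN_SYSTEM is an assumed short list of Windows binary names.

```python
import ntpath
import re

# Constructed sample: "Running processes" lines from the log posted in this
# thread, plus one constructed line (rndll32.exe) for the look-alike case.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\ZHBCD7.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rndll32.exe
C:\DOCUME~1\ari\LOCALS~1\Temp\_PA762\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
"""

# Assumed short list of well-known Windows binaries to compare names against.
KNOWN_SYSTEM = ("explorer.exe", "lsass.exe", "rundll32.exe", "services.exe",
                "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:  # a blank line ends the section
                break
            paths.append(line)
    return paths


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Return (path, reason) pairs that deserve a closer look."""
    findings = []
    for path in running_processes(log_text):
        name = ntpath.basename(path).lower()
        if TEMP_DIR.search(path):
            findings.append((path, "runs from a temp directory"))
        for known in KNOWN_SYSTEM:
            if name != known and edit_distance(name, known) == 1:
                findings.append((path, "name resembles " + known))
    return findings
```

`triage(SAMPLE_LOG)` flags ZHBCD7.EXE and the rndll32.exe line, and also HijackThis.exe itself, which was launched from an archiver's temp extraction folder; a flag here is a prompt to look at the file, not a verdict on it.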
 

Expert Comment

by:grahamdon
ID: 17816162
I noticed you have a service called wltrysvc.exe running and although it looks to be genuine there are reports of system 'slow down' caused by it.

See this and make your own judgement as to whether to stop it or not.

http://www.neuber.com/taskmanager/process/wltrysvc.exe.html
0
 

Expert Comment

by:steveurich
ID: 21653590
Curl.exe is also part of the Tivo Desktop Program.

Steve
0
