What is curl.exe used for?

Posted on 2006-10-24
Medium Priority
Last Modified: 2008-01-09
What is curl.exe and why would I have it on my computer?  I was going through my firewall settings and saw that a program curl.exe had full access to do whatever it wanted.  
Is it possible that its presence on my machine is malicious in nature?
Thank you, Ari
Question by:3fingerbrown

Accepted Solution

llafnwod earned 1000 total points
ID: 17796167
There are a few different curl.exe programs out there; some are used for web development.
First go here and download this utility called hijackthis! Once you download it, run it and save the scan, then copy and paste the scan here.
Then have it scan what is listed, and post any of the nasties here and I can help you more from there.


Author Comment

ID: 17796362
Thank you llaf, the hijackthis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 10:54:33 AM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\Gmail Notifier\G001-\gnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\netterm\netterm.exe
C:\Program Files\netterm\netterm.exe
C:\Program Files\netterm\netterm.exe
C:\Documents and Settings\ari\Desktop\utorrent.exe
C:\Program Files\PowerArchiver\POWERARC.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browster BrwIEConnector - {908A31E8-2A6E-4736-8E8A-AAF00C4AE38F} - C:\Program Files\Browster\Browster.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7
O4 - Startup: BAMMediaPlayerUpdater.lnk = C:\Program Files\BAMMediaPlayer\updater.exe
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\swarmcast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://sbserver.sbroome.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141838068469
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142448203718
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBroome.local
O17 - HKLM\Software\..\Telephony: DomainName = SBroome.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBroome.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Expert Comment

ID: 17796422
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\netterm\netterm.exe
Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://sbserver.sbroome.local:4343/SMB/console/html/root/AtxConsole.cab 

These are the only ones that are in question. If you know what they are then it is fine, but if you do not you should do something about them. Please let me know if you have any ideas what these might be.


Expert Comment

ID: 17796457
Well, I did some searching and all of these seem to check out ok, you have a clean system, congrats.


Author Comment

ID: 17796483
Thank you very much llaf.
Netterm is a terminal emulator I use to use my UNIX system and browster is an add-on for firefox that allows you to preview websites.
Swarmcast... I have no idea and will deal with accordingly.

Any idea what the last DPF entry is for?  It looks like it could have something to do with my exchange server
Thanks again, Ari

Author Comment

ID: 17796517
Thanks again llaf!  What is swarmcast used for?

Expert Comment

ID: 17796546
It is a peer2peer program much like Utorrent, which I saw that you have. You might have installed it at one time, but have forgotten about it.

Expert Comment

ID: 17796598
http://en.wikipedia.org/wiki/Swarmcast Wiki on Swarmcast.


Expert Comment

ID: 17796608
My first port of call would be to do a search on your hard drive for curl.exe. This may help in pinpointing its use and whether you can live without it.

Expert Comment

ID: 17797605
Curl.exe is not a spam or virus... it is a yahoo widgets...

check the link. http://www.fbmsoftware.com/spyware-net/Process/curl_exe/3125/

Author Comment

ID: 17797727
thank you most kindly!

Expert Comment

ID: 17799506
Running processes:

Umm, I would be a little worried about C:\WINDOWS\TEMP\ZHBCD7.EXE, but if llafnwod says he checked it out, then...  umm, where did that check out at?

Just my personal experience: things running from the temp dir, while not always bad (for example, installing a program that may copy itself to the /temp dir), generally are not good.  But then I could be wrong. The thing that scares me is that Google turns up nothing on this file name.  :-/

Just my .02

Not related at all to your curl.exe question, just an FYI.  =)

Expert Comment

ID: 17800837
Nice try, trying to make me look like a moron, but if you google HBCD7 (remove the z) you will find that it can be many things, none which are bad.

Expert Comment

ID: 17801126
Was not calling you any names, just was merely saying that you know more than I.  And since the user had posted a question about one file, leads me to believe that something is wrong, I was just trying to show that I would be more concerned with processes that are running from a TEMP folder and are still active.  If not installing anything, in my head it puts up a flag.  But I could be wrong, that is why it was a FYI and I stated that it had no relevance to this question about curl.exe.

Expert Comment

ID: 17813121
If you are still worried about your system possibly having something malicious then I personally would go to http://www.prevx.com and install it. It has a free 30 days to try out; the good thing about this tryout is it will tell you what's wrong with your system and also clean it even if in the 30 day trial mode.  It is the best product I know of, and it works well with other programs to help protect you.  

After the 30 days if you decide not to keep it, well then just install it, at least it will fix or let you know what is wrong with your system today.

Tell me how that works out for you.  I wish you the best, but am still a little concerned about C:\WINDOWS\TEMP\ZHBCD7.EXE


Author Comment

ID: 17813290
I am very thankful for the help.  I saw some files with very weird names with weird alphanumeric extensions along with yahoo widget extensions and acrobat files and html files... I deleted them all and hopefully won't see them again, so I don't have more exact info.  At times, my laptop also starts using up all the available memory and all available processor cycles... sometimes it's a rndll32, sometimes it's another otherwise known or harmless process that looks stuck...  curl.exe was one of the things I saw in the task manager and when I googled it and saw what it was used for I couldn't figure out why I had it running.  I searched and can't find a curl.exe file anywhere on my computer.
I regularly run spybot and adaware, update my antivirus nightly and scan weekly, and I am behind firewalls wherever I go.  I of course also keep the machine fully patched.
That reminds me... MS update keeps trying to give me a patch that fails to install, yet it keeps trying over and over...  816093: Security Update Microsoft Virtual Machine (Microsoft VM)
I'm suspicious of this as well.

Any ideas would be / have been greatly appreciated.

Author Comment

ID: 17813549
Swarmcast seems to be part of MLB Mosaic TV...
An application from Major League Baseball that allows you to stream and view up to 6 live baseball games simultaneously.

Expert Comment

ID: 17813889
If you are trying to install it from the M$ update page it is possible it could be conflicting, if your auto update has already downloaded it and is awaiting install. Check your icons on the lower right of your computer, and just give a quick look to see if you are awaiting an install.  I will keep looking for you.


Expert Comment

ID: 17814018
I can not get my mind off ZHBCD7.EXE, and the fact Google reports nothing bothers me. If you do take the Z off the file name you do get results, but they are all/mostly rar (type of zip) files that have nothing of relevance to anything except for being file names some people put on rapidshare, which is used for uploading files to as one of those single click download hosting companies used mainly these days for warez.  

Have you tried to end the task ZHBCD7.EXE in your task manager, and if so does it go away or just come back with the same name or possibly a new name?  I can not help but think this file is malicious.

Sorry for the continuation on this its just bugging me.  lol, I will not talk about this file any more unless you want.


Expert Comment

ID: 17814137
As for rndll32.exe (not rundll32.exe)

rndll32.exe is NOT a valid Win32 application as far as I can see.
This should not be confused with rundll32.exe

Do you ever get an error message when you try to change program settings or add/remove programs?


Expert Comment

ID: 17816162
I noticed you have a service called wltrysvc.exe running and although it looks to be genuine there are reports of system 'slow down' caused by it.

See this and make your own judgement as to whether to stop it or not.


Expert Comment

ID: 21653590
Curl.exe is also part of the Tivo Desktop Program.
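
An added example (not part of any participant's post, and not Experts Exchange or HijackThis code): a small Python triage pass over a HijackThis log that flags the three concerns raised in the comments above, namely a process running from a TEMP directory, an executable name one character away from a Windows system binary (rndll32.exe vs rundll32.exe), and an O23 service whose vendor HijackThis reports as "Unknown owner". The sample log, the list of system names and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99.1 layout. Paths are copied from or
# modelled on the thread; the rndll32.exe location is an assumption.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rndll32.exe
C:\WINDOWS\TEMP\ZHBCD7.EXE
C:\Program Files\netterm\netterm.exe
C:\Documents and Settings\ari\Desktop\utorrent.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Illustrative, not exhaustive: system binary names that lookalikes imitate.
SYSTEM_NAMES = ("rundll32.exe", "svchost.exe", "explorer.exe",
                "winlogon.exe", "lsass.exe", "services.exe")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    # Skip the differing character in the longer string (in both if equal length).
    return a[i + (len(a) >= len(b)):] == b[i + (len(b) >= len(a)):]

def triage(log_text):
    """Return sorted (reason, path) findings for one HijackThis log."""
    findings, in_procs = set(), False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            if TEMP_DIR.search(line):
                findings.add(("runs-from-temp", line))
            name = PureWindowsPath(line).name.lower()
            for real in SYSTEM_NAMES:
                if one_edit_apart(name, real):
                    findings.add((f"lookalike-of-{real}", line))
        match = SERVICE.match(line)
        if match and match.group(2).lower() == "unknown owner":
            findings.add(("service-unknown-owner", match.group(3)))
    return sorted(findings)
```

Each finding is a lead to verify by checking the file's location, version information and vendor, not a verdict on the file.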

