
processes question coo.exe, nic.exe, dnar.exe as well as csrss.exe question

Discussion in 'All Other Software' started by gw2kman, May 13, 2004.

Thread Status:
Not open for further replies.
  1. gw2kman

    gw2kman Thread Starter

    Joined:
    May 13, 2004
    Messages:
    8
    Hi all, I was wondering if someone could inform me on what nic.exe, coo.exe, and dnar.exe are and if they are something to raise an eyebrow at. I have them showing up in processes on some of the computers I work on and not on some of the others. I can't seem to find any information on these processes and what their purpose is. Any information would be greatly appreciated.

    Also on a machine I work on, it's an IBM NetVista, the machine comes up w/ an error related to csrss.exe. After some research I learned that this is a name which many hacks will use to disguise programs. I did some checking and in the processes I have two csrss.exe processes running. I cannot end either one - I get the message they can't close they are windows blah blah blah's. However, on some of my other machines, my Dell Optiplex GX400 for example only shows up w/ one csrss.exe process. One other thing I noticed is that on the machines that have two csrss.exe processes running, one is running at about 1600k - 3000k and the other approx 180k, making me believe that the 180k one is not supposed to be there, when on my other machines, the csrss.exe process runs approx the same as the 1600k-3000k process on the NetVista. Any information would be greatly appreciated.

    thanks
    -JEREMY
     
  2. gw2kman

    gw2kman Thread Starter

    Joined:
    May 13, 2004
    Messages:
    8
    **bump**
     
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Easiest thing to do would be to run a hjt scan:

    Download Hijack This to its own folder: http://www.tomcoyote.org/hjt/
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
     
  4. gw2kman

    gw2kman Thread Starter

    Joined:
    May 13, 2004
    Messages:
    8
    Logfile of HijackThis v1.97.7
    Scan saved at 12:37:02 PM, on 5/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\DMI\bin\dmisrv.exe
    C:\DMI\bin\delldmi.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\DMI\bin\win32sl.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\XSM.EXE
    C:\DMI\bin\nic.exe
    C:\DMI\bin\coo.exe
    C:\DMI\bin\dnar.exe
    C:\DMI\bin\nodemngr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Documents and Settings\backdoor\Desktop\Regprot\regprot.exe
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATR32.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\backdoor\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.4049421296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nav.mnsu.edu/WebInst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mnsu.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mnsu.edu
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mnsu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mnsu.edu
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
  6. gw2kman

    gw2kman Thread Starter

    Joined:
    May 13, 2004
    Messages:
    8
    Ok, did the housecall scan as well as an updated Norton scan, ran adaware, as well as spybot S&D.

    -coo.exe: We don't have the software as http://www.primasoft.com/deluxeprg/coodx_try.htm suggests, still puzzled on this process.

    -dnar.exe: How can I get rid of this process for good? According to http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM it is a virus, however it is not picked up via Norton, housecall scan, adaware, or spybot S&D.

    -nic.exe: TY for sigh of relief that this is not a bad process.

    New HJ Log:
    Logfile of HijackThis v1.97.7
    Scan saved at 1:24:34 PM, on 5/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\DMI\bin\dmisrv.exe
    C:\DMI\bin\delldmi.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\DMI\bin\win32sl.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\XSM.EXE
    C:\DMI\bin\nic.exe
    C:\DMI\bin\coo.exe
    C:\DMI\bin\dnar.exe
    C:\DMI\bin\nodemngr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Documents and Settings\backdoor\Desktop\Regprot\regprot.exe
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATR32.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\backdoor\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.4049421296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nav.mnsu.edu/WebInst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mnsu.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mnsu.edu
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mnsu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mnsu.edu


    any idea what my csrss.exe problem may be?
    thanks
    -JEREMY
     
  7. downtime

    downtime

    Joined:
    Oct 21, 2002
    Messages:
    759
  8. gw2kman

    gw2kman Thread Starter

    Joined:
    May 13, 2004
    Messages:
    8
    TY, I have now concluded that the csrss.exe IS in fact related to the [email protected] virus found @ http://it.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=115

    Now I just gotta figure out what I got to do to get rid of it.

    You guys are great, any more ideas on my coo.exe and dnar.exe troubles?
    thanks
    -JEREMY

    edit: :eek: :eek: go figure the [email protected] virus was on the image I used for all my NetVistas :eek: :eek:

    luckily I run a centurion guard therefore fixing any deletions the virus may cause the system, hence why it was never detected for so long.

    just gotta make a new image and re image the 30 or so Netvistas I have. :(
    /runs away
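
An added example, not part of the original thread and not HijackThis's own code: a Python check that reads the "Running processes" section of a HijackThis log like the ones posted above and flags core Windows process names (such as csrss.exe) whose image path is outside the directory Windows loads them from. The `EXPECTED_DIR` list, the function names and the last two process lines of the sample log are constructed for illustration; `C:\WINNT` is taken from the Windows 2000 logs in this thread.

```python
import ntpath
import re

# Core process names and the directory (relative to the Windows directory)
# they are expected to run from. Assumption: short list chosen for this example.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "explorer.exe": "",
}
PATH_LINE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample in HijackThis log layout. The last two process lines
# are invented to show a system name running from the wrong directory.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\DMI\bin\nic.exe
C:\WINNT\Explorer.EXE
C:\WINNT\csrss.exe
C:\WINNT\Temp\svchost.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and PATH_LINE.match(line):
            paths.append(line)
        elif in_section and line:
            break  # first non-blank, non-path line ends the section
    return paths

def masquerade_candidates(log_text, windir=r"C:\WINNT"):
    """Flag system process names whose directory is not the expected one."""
    findings = []
    for path in running_processes(log_text):
        name = ntpath.basename(path).lower()
        if name in EXPECTED_DIR:
            expected = ntpath.normpath(ntpath.join(windir, EXPECTED_DIR[name]))
            if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(expected):
                findings.append(path)
    return findings
```

A name that is flagged is a lead to check against the file on disk, not a verdict; a name that is not listed in the log at all cannot be checked this way.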
     

Short URL to this thread: https://techguy.org/228919
