processes question coo.exe, nic.exe, dnar.exe as well as csrss.exe question

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

gw2kman

Thread Starter
Joined
May 13, 2004
Messages
8
Hi all, I was wondering if someone could inform me on what nic.exe, coo.exe, and dnar.exe are and if they are something to raise an eyebrow at. I have them showing up in processes on some of the computers I work on and not on some of the others. I can't seem to find any information on these processes and what their purpose are. Any information would be greatly appreciated.

Also on a machine I work on, its an IBM Netvista, the machine comes up w/ an error related to csrss.exe. After some research I learned that this is a name which many hacks will use to disguise programs. I did some checking and in the processes I have two csrss.exe processes running. I can not end either one - I get the message they can't close they are windows blah blah blah's. However, on some of my other machines, my Dell Optiplex GX400 for example only shows up w/ one csrss.exe process. One other thing i noticed is that on the machines that have two csrss.exe processes running, one is running at about 1600k - 3000k and the other approx 180k, making me believe that the 180k one is not supposed to be there, when on my other machines, the csrss.exe process runs approx the same as the 1600k-3000k process on the NetVista. Any information would be greatly appreciated.

thanks
-JEREMY
 
Joined
Feb 23, 2003
Messages
16,274
Easiest thing to do wuld be to run a hjt scan:

Download 'Hijack This to its own folder http://www.tomcoyote.org/hjt/
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
 

gw2kman

Thread Starter
Joined
May 13, 2004
Messages
8
Logfile of HijackThis v1.97.7
Scan saved at 12:37:02 PM, on 5/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\DMI\bin\dmisrv.exe
C:\DMI\bin\delldmi.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\XSM.EXE
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Documents and Settings\backdoor\Desktop\Regprot\regprot.exe
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATR32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\backdoor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.4049421296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nav.mnsu.edu/WebInst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mnsu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mnsu.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mnsu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mnsu.edu
 

gw2kman

Thread Starter
Joined
May 13, 2004
Messages
8
Ok, did the housecall scan as well as and updated norton scan, ran adaware, as well as spybot S&D.

-coo.exe: We don't have the software as http://www.primasoft.com/deluxeprg/coodx_try.htm suggests, still puzzled on this process.

-dnar.exe: How can i get rid of this process for good? according to http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM it is a virus, however is not picked up via norton, housecall scan, adaware, or spybot S&D.

-nic.exe: TY for sigh of relief that this is not a bad process.

New HJ Log:
Logfile of HijackThis v1.97.7
Scan saved at 1:24:34 PM, on 5/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\DMI\bin\dmisrv.exe
C:\DMI\bin\delldmi.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\XSM.EXE
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Documents and Settings\backdoor\Desktop\Regprot\regprot.exe
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATR32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\backdoor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.4049421296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nav.mnsu.edu/WebInst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mnsu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mnsu.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lib.campus.mnsu.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mnsu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mnsu.edu


any idea what my csrss.exe problem may be?
thanks
-JEREMY
 

gw2kman

Thread Starter
Joined
May 13, 2004
Messages
8
TY, I have now concluded that the csrss.exe IS in fact related to the [email protected] virus found @ http://it.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=115

Now I just gotta figure out what I got to do to get rid of it.

You guys are great, any more ideas on my coo.exe and dnar.exe troubles?
thanks
-JEREMY

edit: :eek: :eek: go figure the [email protected] virus was on the image i used for all my NetVistas :eek: :eek:

luckily I run a centurion guard therfore fixing any deletions the virus may cause the system, hence why it was never detected it for so long.

just gotta make a new image and re image the 30 or so Netvistas I have. :(
/runs away
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top