Nslookup.exe keeps opening and using high cpu

Status
Not open for further replies.

dedelamisto

New Member
Thread author
Mar 13, 2022
3
I need help to remove nslookup.exe it doesnt let me do anything to it because i need permision from TrustedInstaller? Can anyone help me.
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You must be booted in an Administrator account.

The Right click on the nslookup.exe file and run it as as administrator.

If that fails please donwload and scan the computer with this tool.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
 

dedelamisto

New Member
Thread author
Mar 13, 2022
3
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You must be booted in an Administrator account.

The Right click on the nslookup.exe file and run it as as administrator.

If that fails please donwload and scan the computer with this tool.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
I think i resolved it ill update you if it comes back.
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Is this what you found and removed?
You were hit by a Bitcoin minier

Are you sure you have a clean slate?
===

This fix will remove any remnant entries and do some maintenance.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.

Code:
start

Comment: For your security a new restore point will be created.
CreateRestorePoint:
Comment: We need to close all processes to complete the fix.
CloseProcesses:

Comment: Items from the FRST.TXT log that will be removed from the Registry.
() [File not signed] C:\Users\dedem\AppData\Roaming\Windows\Telemetry\sihost64.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" (No File)
ask: {504C1AEE-4703-4480-B539-03367E2C92FD} - System32\Tasks\nslooksvc32 => powershell "function Local:bUCAsVGCRTfr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KMKMWtIzBTcAWB,[Parameter(Position=1)][Type]$PINxOcpEGv)$YjvhWiCeuzn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAcces (the data entry has 2227 more characters).
HKU\S-1-5-21-2102731840-3601014382-886833625-1001\...\Run: [update_er] => "C:\Program Files (x86)\EasyRemove\universal.exe" /SCHEDULED (No File)
Task: {A9D47079-A916-4E21-B964-D40A2B8980F2} - System32\Tasks\nslooksvc64 => powershell "function Local:rjUtsQbvamlI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JrlKCCyJrgjwHW,[Parameter(Position=1)][Type]$lIWmJMGGvM)$XxPVOVBJJog=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAcces (the data entry has 2220 more characters).
Task: C:\WINDOWS\Tasks\nslooksvc32.job => C:\Windows\SysWOW64\WindowsPowerShell\v1.0DESKTOP-PQFEP8M\dedem0
Task: C:\WINDOWS\Tasks\nslooksvc64.job => powershell function Local rjUtsQbvamlI Param OutputType Type Parameter Position Type JrlKCCyJrgjwHW Parameter Position Type lIWmJMGGvM XxPVOVBJJog AppDomain CurrentDomain DefineDynamicAssembly New Object Reflection AssemblyName ReflectedDelegate Reflection Emit AssemblyBuilderAccess Run DefineDynamicModule InMe mory Module False DefineType MyDelegateType Class Public Sealed AnsiClass AutoClass MulticastDelegate XxPVOVBJJog DefineConst... (long line)
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
S3 MpKsl3f4a84ec; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C213BA0A-B955-4363-82E4-B5C34B8DD155}\MpKslDrv.sys [X]

Comment: Items from the Addition.txt log that will be removed from the Registry.
AlternateDataStreams: C:\desktop.ini:CachedTiles [6902]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [10]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [10]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk:F20EF51E1F [10]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [7064]
AlternateDataStreams: C:\Users\Public\Documents\config_backup.xml:F0CCC82AFA [10]
FirewallRules: [TCP Query User{EF4240D4-EC6F-4D4A-8596-BA7951B6DFD1}C:\users\dedem\desktop\bloons-td-6-steamrip.com\bloons td 6 v30.1.4987\bloonstd6.exe] => (Allow) C:\users\dedem\desktop\bloons-td-6-steamrip.com\bloons td 6 v30.1.4987\bloonstd6.exe => No File
FirewallRules: [UDP Query User{5A6ECB5A-F3CD-4CE0-ADC9-2EA953CA5E0A}C:\users\dedem\desktop\bloons-td-6-steamrip.com\bloons td 6 v30.1.4987\bloonstd6.exe] => (Allow) C:\users\dedem\desktop\bloons-td-6-steamrip.com\bloons td 6 v30.1.4987\bloonstd6.exe => No File
FirewallRules: [TCP Query User{A9DD2061-9699-49AE-9090-E751BF81C421}C:\users\dedem\appdata\local\discord\app-1.0.9003\discord.exe] => (Allow) C:\users\dedem\appdata\local\discord\app-1.0.9003\discord.exe => No File
FirewallRules: [UDP Query User{7907CA1E-EC48-43A8-A8E8-35198979641B}C:\users\dedem\appdata\local\discord\app-1.0.9003\discord.exe] => (Allow) C:\users\dedem\appdata\local\discord\app-1.0.9003\discord.exe => No File
FirewallRules: [{4C3DBA4B-82CA-4158-85A6-E98E6A337BD0}] => (Allow) C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe => No File
FirewallRules: [{E3053B53-60F1-4151-A925-1E1BD084AEF6}] => (Allow) C:\Program Files (x86)\BlueStacks X\Cloud Game.exe => No File
FirewallRules: [{0FD8D4D9-ED6F-4878-8D02-7F6696AA57DC}] => (Allow) C:\Program Files\BlueStacks_nxt\HD-Player.exe => No File


Comment: Files/Folders that will be deleted.
C:\Users\dedem\AppData\Roaming\Windows\Telemetry
C:\WINDOWS\system32\Tasks\nslooksvc32
C:\WINDOWS\system32\Tasks\nslooksvc64
C:\WINDOWS\Tasks\nslooksvc32.job
C:\WINDOWS\Tasks\nslooksvc64.job
C:\Users\dedem\AppData\Roaming\Windows
C:\WINDOWS\MEMORY.DMP
C:\WINDOWS\Minidump\022522-57171-01.dmp

Comment: TCP/IP Reset
CMD: netsh int ip reset
CMD: ipconfig /flushDNS

Comment: To rebuild the performance counter library values.
CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
CMD: "C:\Windows\SysWOW64\lodctr.exe /R"

Comment: Use Farbar routine to delete temp files
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp

Comment: The system will restart.
Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top