I've noticed in my task manager an unclosable instance of server-side Node.js running on my HP laptop (running Windows 10). After a little digging around I was wondering if it means I'm now unwillingly taking part in a botnet, and if so, if I can trace the server it's coming from?

  • What do you mean by *unclosable*? If you have a task manager I assume that your OS is MS Windows, correct? – grochmal Oct 26 '16 at 01:37
  • @grochmal yes, that is correct – MountainSide Studios Oct 26 '16 at 01:38
  • @grochmal If I close the program with force via task manager it reappears. I can't delete the file because when I try to find the file location Windows says "file location does not exist, try reinstalling the program to fix the problem". – MountainSide Studios Oct 26 '16 at 01:42
  • To find the destination/source address of that node process on windows you can use `netstat -o` to list your connections and PIDs associated with them. You can also try [Microsoft Network Monitor 3.4](https://www.microsoft.com/en-us/download/details.aspx?id=4865), first capture your traffic for a while and then check the `cap` capture file. – Marcs Oct 26 '16 at 02:50
  • This is most likely part of HP's bloatware. Their engineers are getting lazy and drop Node and CEF apps everywhere. – John Keates Oct 26 '16 at 06:45

4 Answers


If you do have a process that starts automatically and that cannot be properly traced to a binary you installed or configured, I would suspect malware alright. Just note that a complex OS like Windows 10 does have several ways of building a service; the most common way should be the Startup directory (which has its own tab in the task manager).

Nevertheless, you should install Wireshark (or similar) and monitor the traffic of the machine in question. Although competent malware (e.g. rootkits) can hide itself from monitoring made on the same machine, your malware does not appear to be very good at hiding anyway.

(By monitoring traffic on an intermediate machine, e.g. a machine acting as a router, you can even find traffic generated by well-hidden malware.)

By monitoring the traffic you can see what your machine is talking to and (often) what the content of the communication is. Yet that does not really provide a solution to the problem of having malware (for that see: Help! My home PC has been infected by a virus! What do I do now?)

Extra note: I'll repeat again, check all the system services first. Notably the Startup tab. Installers of a good deal of software today do install a Node instance and make it run on startup.

grochmal
  • Another note: I'm pretty bad at debugging MS Windows, I may be wrong about that tab in the task manager (but it was there the last time I used Windows). – grochmal Oct 26 '16 at 02:14

For those who suspect the Node.js process: it's something Adobe uses. You can check where this process is originating from by right-clicking the process > Properties. You will then see the path of the process...


FWIW I would take the malware comment with a grain of salt. A lot of Electron-based apps will spawn Node.js threads. 100% to @Roi The King's point, I was able to track this to Adobe's CC Updater. Even when it's not executing anything it spawns 2 Node processes. If you kill them in the task manager (the Adobe CC processes) and then run `taskkill /im node.exe /F` as admin, it will clear the task manager of Node.js instances spawned by Adobe CC. I also found processes spawned by Slack's desktop app (an Electron app).

It could be malware, but it could also be completely normal behavior in the modern software ecosystem.

@grochmal does have some sound advice: you really don't know what is spawning those threads until you dig around in the task manager and find what service or app spawned your Node.js PID(s).

Shoe
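The checks the comments and answers above describe by hand (`netstat -o` for the PID-to-connection mapping, right-click > Properties for the image path, the Startup tab and scheduled tasks for whatever re-launches the process, `taskkill` to stop it) can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the thread or from HP, Adobe or any other vendor mentioned here. It assumes Windows 10 with the built-in PowerShell 5.1 cmdlets (`Get-CimInstance`, `Get-NetTCPConnection`, `Get-AuthenticodeSignature`, `Get-ScheduledTask`), and the `$ProcessName` filter of `node.exe` is just the case discussed above; change it to inspect any other unexplained process.

```powershell
# Added example (not from the original thread): for every node.exe, report where the
# image lives, which process launched it, whether the binary is signed, what it is
# connected to, and which startup locations could re-launch it after a kill.
# Run from an elevated prompt so that processes owned by other users are readable.

$ProcessName = 'node.exe'   # assumption: the process under investigation; edit as needed

$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'")
if ($procs.Count -eq 0) {
    Write-Host "No $ProcessName processes are running."
}

foreach ($p in $procs) {
    # The parent tells you who spawned it (Adobe updater, Electron app, a service, ...).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentInfo = if ($parent) {
        "$($parent.Name) (PID $($parent.ProcessId)) -> $($parent.ExecutablePath)"
    } else { '<parent already exited>' }

    # An empty ExecutablePath matches the "file location does not exist" symptom:
    # the image was deleted after launch, or the caller lacks access to the process.
    $signer = '<no image path available>'
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        $signer = "$($sig.Status)"
        if ($sig.SignerCertificate) { $signer += " by $($sig.SignerCertificate.Subject)" }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        ImagePath   = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Parent      = $parentInfo
        Signature   = $signer
    } | Format-List

    # Same information as `netstat -o`, filtered to this PID. An established
    # connection to an unfamiliar remote address is what you would take to Wireshark.
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize
}

# Persistence: anything here that points at the image path above explains why the
# process comes back after being killed in Task Manager.
Write-Host "`n== Startup entries (Run keys and Startup folders) =="
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User | Format-Table -AutoSize -Wrap

Write-Host "== Scheduled tasks whose action mentions '$ProcessName' =="
Get-ScheduledTask |
    Where-Object { $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match [regex]::Escape($ProcessName) } } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

Write-Host "== Services whose binary path mentions '$ProcessName' =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($ProcessName) } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap
```

Read the output in this order: a valid Authenticode signature from a vendor you actually installed (Adobe, Slack, HP) plus a parent process from the same product settles the question the way the two answers above describe. A missing image path, an unsigned or invalidly signed binary, a parent you cannot account for, or a persistence entry in an odd location is the case where grochmal's advice applies and traffic capture from a separate machine is worth the effort. Only once you know which startup entry or task re-launches it does `taskkill /im node.exe /F` stop being a temporary fix.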

Just ran into the same issue, but right-click -> Properties showed me it's just Prey disguising itself as Node.js, so not an actual problem in my case.

Pawel