is this malware? node.exe Node.js JavaScript Runtime - C:\Windows\System32\DomainAuthHost

Anonymous
2025-06-29T04:20:32+00:00

Out of nowhere I see this process now, node.js or node.exe. I know it's been only like 3 or 4 days because I always check my processes on a daily basis. I found little information about this folder and process.

The alarming part is at the same time I got this process Google sent "suspicious activity for all my gmail accounts".

Could someone please help me with more information about this issue?

Thank you in advance.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


5 answers

  1. Ramesh Srinivasan 173.2K Reputation points Volunteer Moderator
    2025-06-29T05:01:05+00:00

    It's most likely a Trojan:PowerShellDownInfo.BA infection.

    Please share your Farbar scan logs for analysis.

    1. Download Farbar Recovery Scan Tool 64-bit (FRST64.exe)

    https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

    Note: If Microsoft Edge or Chrome mislabels the Farbar Scanner executable as PUA/malware, choose to keep it by tapping … in the bottom bar, choosing Keep, and then choosing Keep anyway in the dialog that appears.

    See this screenshot: https://learn.microsoft.com/en-us/deployedge/media/microsoft-edge-security-download-interruptions/dowload-was-blocked.png. It's a safe tool used in most antimalware forums.

    2. If the OS language is not English, rename FRST64.exe to FRST64English.exe.
    3. Run the program. Don't check or uncheck any options. Click "Scan".
    4. Add the two logs, FRST.txt and Addition.txt, to a Zip archive, share them on OneDrive or GoFile.io and post the link here.
    2 people found this answer helpful.
  2. Anonymous
    2025-06-29T05:06:05+00:00

    Hi there, you're right to be cautious.

    Node.exe is usually safe because it's part of Node.js. But if it suddenly showed up in a strange folder like C:\Windows\System32\DomainAuthHost and you also got a Google security alert, that could mean something's wrong.

    Here's what you can do:

    1. Check if Node.js is installed
    • Go to Control Panel > Programs
    • If you didn't install it, that's a red flag
    2. Run a full antivirus scan
    • Use Windows Defender, which is built into Windows and provides strong, real-time protection.
    3. Secure your Google account
    • Change your password
    • Turn on two-factor authentication
    4. If you are still unsure
    • Stop the node.exe process in Task Manager and delete the suspicious file
    • Or ask a professional to take a close look

    Let me know if you want help with any steps.

    1 person found this answer helpful.
  3. Anonymous
    2025-07-01T23:09:07+00:00

    Hello Ramesh,

    Here are the files requested:

    https://gofile.io/d/Bxi4Fc

    Thank you in advance.

    By the way, I ended up resetting my PC; that's why I took some time to reply, but the issue persisted. Now Malwarebytes is flagging the below:

    Malwarebytes keeps blocking this:

    -Website Data-

    Category: RiskWare

    Domain: test-ex-1.pages.dev

    IP Address: 2606:4700:310c::ac42:2c59

    Port: 443

    Type: Outbound

    File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  4. Anonymous
    2025-07-01T23:09:51+00:00

    Thank you for your advice. I have done all these as well.

  5. Ramesh Srinivasan 173.2K Reputation points Volunteer Moderator
    2025-07-02T02:56:29+00:00

    Hi Jose,

    1. Open admin Command Prompt and run this command:
    • schtasks /delete /f /tn OneDriveVersionUpdaterV1Task

    Post the output.

    2. Run the fixlist below.

    Download fixlist.txt

    Save Fixlist.txt to the same folder as FRST64.exe.

    Close all programs.

    Launch the Farbar Scanner tool and click "Fix".

    Restart Windows when prompted.

    Upload the output log file (FixLog.txt).
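
A read-only triage script for the two things the answers above look at: where each running node.exe is loaded from, and which scheduled tasks launch node.exe or powershell.exe (including the task named in answer 5). It is an added example, not part of the thread; `Test-UnexpectedPath`, `$expectedRoots` and `$pattern` are hypothetical names, and the list of expected install roots is an assumption.

```powershell
# Added example, read-only: nothing is stopped or deleted.
# Assumption: legitimate Node.js copies live under these roots; adjust for your machine.
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ }

function Test-UnexpectedPath {   # hypothetical helper
    param([string]$Path, [string[]]$Roots)
    if (-not $Path) { return $true }   # path not readable: rerun from an elevated prompt
    foreach ($r in $Roots) {
        $prefix = $r.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

# 1. Every running node.exe: image path, parent, command line, Authenticode status.
#    A valid signature only means the runtime is genuine; the script named in
#    CommandLine is what it is actually executing.
Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $sig = if ($_.ExecutablePath) { Get-AuthenticodeSignature -FilePath $_.ExecutablePath }
    [pscustomobject]@{
        PID            = $_.ProcessId
        Path           = $_.ExecutablePath
        UnexpectedPath = Test-UnexpectedPath -Path $_.ExecutablePath -Roots $expectedRoots
        Signature      = if ($sig) { $sig.Status } else { 'n/a' }
        Parent         = if ($parent) { $parent.Name } else { '(exited)' }
        CommandLine    = $_.CommandLine
    }
} | Format-List

# 2. Scheduled tasks that launch node.exe or powershell.exe, plus the task named in
#    the thread. Only exec actions carry Execute/Arguments; other action types are skipped.
$pattern = '\bnode(\.exe)?\b|powershell|DomainAuthHost'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($task.TaskName -eq 'OneDriveVersionUpdaterV1Task' -or ($a.Execute -and $cmd -match $pattern)) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
} | Format-List
```

Recording the task's Execute and Arguments values before running `schtasks /delete` keeps the persistence details available for the log analysis.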