Nwjs (Nwjs.exe) is the name of a group of Trojan Horse malware processes that start automatically and run in the background without user permission. The Trojan’s purpose could differ from one instance to another. Some of the more common goals are to exploit system resources for cryptomining or to spam the user with misleading scam notifications that look like legitimate warnings from McAfee, Norton/Symantec, or other well-known antivirus solutions.
Nwjs is associated with many other common forms of malware like the rogue PC App Store program and the DSR Search browser hijacker search engine.
NW.js is not to be confused with malware associated with the Nwjs family. The NW.js runtime is a legitimate tool used to develop desktop applications with web technologies, and malicious applications using this runtime represent only a small fraction of the software built with NW.js.
Regardless, should you notice any strange “Nwjs” processes running in the background without having any idea what software is behind them, I strongly recommend you take the necessary steps to clean your system because it’s likely been infected.
Nwjs Removal Steps
The removal process of this malware is quite lengthy and involves cleaning several system locations and setting categories. I’ve provided a detailed explanation of every step further down this page, but if you are confident that you don’t need the full details, here’s a quick outline of the steps that you must perform to remove the Nwjs virus:
- Check the Task Scheduler for suspicious tasks that might be set to run or reinstall Nwjs.
- Go to your Startup Apps and disable anything you don’t recognize or that seems linked to the malware.
- Use the Task Manager to go to the File Location folder of the Nwjs process, then kill the process, and quickly delete its folder. If you aren’t allowed to delete it, use LockHunter.
- Search the registry for “Nwjs” and delete any related keys.
- Perform a full browser cleanup – browsing data, site permissions, search engines, homepage, new tab page, etc.
If you perform all of these steps correctly, I am pretty confident that Nwjs will be gone by the time you are done. However, I understand that this abridged version of the removal process might be confusing to less experienced users, which is why I’ve explained each step in more detail in the next full Nwjs removal tutorial.
SUMMARY:
Name | Nwjs |
Type | Trojan |
Although the next guide offers a detailed explanation of the Nwjs removal process, it is still recommended that you have at least some basic experience with troubleshooting. Also, know that this process will take some time, likely an hour or more.
Due to these two factors, some of you might prefer to opt for a quicker and easier solution. One such solution is to use the powerful removal program SpyHunter 5. It successfully deals with the Nwjs malware while also providing future protection against such threats. You can find the tool linked on this page if you are interested in trying it out.
How to Remove the Nwjs Virus: Detailed Guide
Each step of this guide must be completed exactly as shown if you want to fully get rid of the malware. Don’t skip any step, and if you think a part of the process is too challenging or confusing, consider using SpyHunter 5 to delete the malware automatically.
Also, before starting, make sure that the following two conditions are met:
- You have LockHunter installed on your PC – This free app is essential to the success of this guide. It enables you to delete files that might otherwise be unremovable due to being locked by Nwjs processes. Use the provided link to download and install the tool.
- The hidden files and folders on your PC are visible – Some of the malware files might be hidden. To make them visible, you need to search for Folder Options in the Start Menu, open it, open View, enable Show Hidden Files, Folders, and Drives, and click Apply > OK.
Once these prerequisites are fulfilled, you are ready to begin.
Get Rid of Nwjs Scheduled Tasks
You must begin at the Task Scheduler. It might contain rogue tasks that automatically start the Nwjs processes or even re-install the malware if it gets deleted.
Use the Start Menu to search for and access the Task Scheduler.
- Open the Task Scheduler Library folder you’ll see in the top-right.
- Now explore the tasks that appear in the central panel of the Task Scheduler. You must check each one by clicking it and selecting the Actions tab.
- Pay attention to the path and file that the task is set to execute.
- If you see a task that runs a suspicious executable or script file or anything else that looks potentially linked to the malware, remember the file’s location (write it down if needed), and then delete the task.
- After that, go to the saved location in your system and delete the file that the task was set to run.
Go through all of the tasks in this way and delete the ones that seem related to Nwjs. Also delete their files.
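The same review can be done from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it only lists task actions and deletes nothing. The name pattern comes from the process names listed in this guide, and the user-writable path pattern is an assumption about where such tasks tend to point.

```powershell
# Added example: read-only listing of scheduled-task actions for manual review.
# Name pattern built from the process names listed in this guide.
$namePattern = 'nwjs|nw_store|fa_rss|BazBesSAS|PC ?App|Enlightenment Tech'
# Assumption: a task that launches something from a user-writable folder deserves a closer look.
$userWritable = '\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\'

$report = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "start a program" actions have an Execute path; COM handler actions do not.
        if (-not $action.Execute) { continue }
        $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        # Include the arguments: a script path is often passed to an interpreter there.
        $text = "$($task.TaskName) $exe $($action.Arguments)"
        [pscustomobject]@{
            Task         = $task.TaskPath + $task.TaskName
            State        = $task.State
            Execute      = $exe
            Arguments    = $action.Arguments
            NameMatch    = ($text -match $namePattern)
            UserWritable = ($text -match $userWritable)
        }
    }
}

# Flagged rows first; the decision to delete a task stays with the person reviewing.
$report | Sort-Object NameMatch, UserWritable -Descending | Format-List
```

A row with UserWritable set is only a prompt to look closer, since legitimate updaters also run from AppData.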
Delete the Nwjs.exe Malware Processes in the Task Manager
Now it’s time to visit the Task Manager and clean it of Nwjs processes.
Go to the Task Manager by pressing Ctrl + Shift + Esc. If it’s in compact view mode (i.e. not all processes are visible), click More Details to reveal the full list.
Then sort the items by name (so that they don’t constantly change positions) and search for the Nwjs process or processes.
In many cases, there will be multiple instances of that process. Also, note that the name of the rogue process could be disguised and appear under a different name. Here are several other names you must look out for:
- Enlightenment Tech 2023! – this one is especially common.
- fa_rss
- NW_store.exe
- BazBesSAS
- nw_store
- Pc App/Pc App Store
- PCapp.exe
If you notice any of these processes or some other process that looks suspicious, do the following:
- Right-click the rogue process and select Open File Location.
- Minimize the folder that appears and return to the Task Manager.
- Select the process again and click End Process.
- Quickly bring the file location folder back up and delete everything stored in it.
- Press the arrow pointing up that’s in the top-left of the folder window to go up one level and then delete the folder itself.
- If you are prevented from deleting a particular file or folder because it’s in use by other software, use LockHunter to unblock it. First, make sure that the tool is installed on your PC.
- Then right-click the blocked item, click “What’s locking this file/folder?”, and then click Delete in the new window.
Repeat these steps for each rogue process you see within the Task Manager.
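To see which file is behind each matching process before ending it, the added example below (not part of the original guide) groups running processes by executable path and reports the file's description, publisher and Authenticode signature. Task Manager's Processes tab lists a program by its file description, so the match covers the description and product name as well as the image name; the name pattern is taken from the list above.

```powershell
# Added example: read-only triage of running processes. Run elevated so that
# ExecutablePath is populated for processes owned by other accounts.
$namePattern = 'nwjs|nw_store|fa_rss|BazBesSAS|PC ?App|Enlightenment Tech'

# Keep only processes whose image path is readable, then group instances by path.
$procs = Get-CimInstance Win32_Process | Where-Object ExecutablePath

$report = foreach ($group in ($procs | Group-Object ExecutablePath)) {
    $path = $group.Name
    $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo

    # Match on image name, file description and product name together.
    $text = "$(Split-Path $path -Leaf) $($info.FileDescription) $($info.ProductName)"
    if ($text -notmatch $namePattern) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path        = $path
        Instances   = $group.Count
        PIDs        = $group.Group.ProcessId -join ','
        Description = $info.FileDescription
        Company     = $info.CompanyName
        Signature   = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject   # empty when the file is unsigned
    }
}

$report | Format-List
```

A match whose path sits inside the folder of an application you installed, with a valid signature from its publisher, is most likely that application's own NW.js runtime rather than the malware.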
Get Rid of Nwjs Virus Files and Folders
You deleted the folders of the rogue processes, but there’s likely more malware data in various locations in your PC that must be removed.
Keep an eye out for any files or folders that have the same names as the example process names I listed above. Also look out for any other items with unfamiliar or suspicious names.
I’ll now give you the specific locations where you should look for malware data:
- C:\Users\%USERNAME%
- C:\Users\%USERNAME%\AppData\Roaming
- C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- C:\Program Files
- C:\Program Files (x86)
As before, if you attempt to delete a particular file/folder and it gives you an error, use LockHunter.
Also, I strongly recommend that you go to C:\Users\*YOUR USERNAME*\AppData\Local\Temp and empty the folder of its contents. Just delete everything there (Ctrl + A -> Del).
This folder contains only temporary files that are safe to delete, but some of them might be left behind by the malware.
Disable Nwjs in the Startup Apps
By this point most of the malware should be gone and Nwjs shouldn’t start automatically, but I still recommend cleaning up your Startup apps.
Type Startup in the Start Menu and open the first item.
Look through the list of programs and apps that are automatically launched when your PC boots up.
If you see Nwjs or any other suspicious item, disable it. In general, the only items that should be left enabled are ones you recognize and actually want to launch automatically when Windows loads.
Remove Nwjs Malware Keys From the Registry
The one place where there are still probably remnants of the malware is your System Registry:
- Search for “regedit” in the Start Menu and open the Registry Editor with Admin privileges.
- Click the Edit menu, open Find, and search for Nwjs.
- When/if the search finds a relevant item, delete it in the left panel and then search again.
- Perform another search each time you delete an item to see if any more remain.
Once you’ve deleted all Nwjs items, do the same for each of the process names listed earlier: search for them in the Registry and delete any related items.
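As a quick first pass before the manual Find in regedit, the added example below (not part of the original guide) lists autorun and uninstall entries that mention any of the names from this guide. It is read-only and deliberately narrower than regedit's search: the choice of the Run, RunOnce and Uninstall keys is an assumption about where leftovers are most likely to matter.

```powershell
# Added example: read-only search of autorun and uninstall keys. Nothing is deleted.
$namePattern = 'nwjs|nw_store|fa_rss|BazBesSAS|PC ?App|Enlightenment Tech'

$roots   = 'HKCU:\Software', 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$subkeys = 'Microsoft\Windows\CurrentVersion\Run',
           'Microsoft\Windows\CurrentVersion\RunOnce',
           'Microsoft\Windows\CurrentVersion\Uninstall'

$hits = foreach ($root in $roots) {
    foreach ($sub in $subkeys) {
        $base = Join-Path $root $sub
        if (-not (Test-Path -LiteralPath $base)) { continue }

        # The key itself plus one level of children (Uninstall holds one subkey per program).
        $keys = @(Get-Item -LiteralPath $base) +
                @(Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            if ($key.PSChildName -match $namePattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ("$valueName $data" -match $namePattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                }
            }
        }
    }
}

$hits | Format-List
```

Before deleting a key that this or the regedit search turns up, export it first (File > Export in the Registry Editor) so the change can be undone.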
One crafty way some forms of malware try to obstruct the removal process is by restricting access to their registry keys. This results in an error when you try to delete said keys, but there’s a simple solution:
You must right-click the key in question, open Permissions > Advanced > Change, type “everyone” in the text field, and click Check Names.
Then click OK, check both “Replace” settings in the previous window, and then click Apply and OK again.
This frees the key and lets you delete it.
Once you are done with the Registry cleanup, there’s only one more step left in this guide.
How to Remove the Nwjs Malware From Your Browser
Nwjs doesn’t normally attach itself to the browser but it might install rogue extensions or make various unwanted changes to its settings.
For this reason, I strongly recommend that you also check your browser for unauthorized modifications and reverse any undesired changes.
Launch your main browser and open its menu.
Go to Settings > Extensions, open the Extensions Manager, and remove any items that you didn’t add yourself.
Next, go to Privacy and Security, click the Delete/Clear browsing data option, and set the time range to “All Time”. Then check all the data types except Passwords, and click Delete.
If you are using Google Chrome, go to Site Settings (found under Privacy and Security). Edge users must instead open Cookies and Site Permissions.
Then check the different types of site permissions – all of them. Search them for unfamiliar URLs that have somehow acquired the respective permission.
If you see anything suspicious, click the three dots next to it and then click Block.
Remember to also visit the Search Engine settings, where you must make sure that the browser’s default search provider is set to something reliable.
Then check the Manage Search Engines section and if you see any rogue or unfamiliar URLs, delete them.
The last two places you must explore are the On Startup and Appearance settings. Again, see if there are any suspicious site addresses there and if you see anything sketchy, delete it.
Nwjs is not a virus, it’s a development kit for developers to make GUI apps in Node.js (JavaScript). Don’t mislead people to think that its main purpose is a virus.
Yes Lucas, you are right. It is mentioned that this is a popular platform for building desktop applications, but that is the main problem with Trojans: they can disguise themselves and trick people into thinking that it is the legitimate NWjs process. And this article is about that.
Some programs will appear as nwjs in the task bar and not be a virus. One must check that the name of your application appears in the components of the nwjs in the task bar and that it doesn’t consume more memory than the one your application is supposed to. Detection tools don’t do that; you have to do it manually.
I have about 7 nwjs running in Task Manager and they all say gallery.exe. Is this something I should worry about?
Hi Reese,
yes you have to follow the guide and remove them.