A Trojan cryptominer, usually recognisable by a folder named wsvcz under C:\Windows\System32 and an XMRig mining process, is spreading rapidly and causes severe CPU slowdowns because it mines cryptocurrency in the background. Many students have found their lab PCs, laptops and pendrives infected.
This guide provides a direct, manual method to remove this malware from your system. The technical solution was found by Rupom.
⚠️ IMPORTANT DISCLAIMER: This process involves modifying the Windows Registry and using the Command Prompt. Please follow the steps precisely. Incorrect changes can harm your operating system. Proceed at your own risk. It is always a good idea to back up important data first.
Step 1: Isolate Your PC
Before you begin, disconnect the computer from the internet: unplug the Ethernet cable or turn off Wi-Fi. This cuts the malware off from its mining pool and control server, so it cannot update itself or fetch new components while you work.
Step 2: Open an Administrator Command Prompt
To perform the next steps, you need a Command Prompt with administrative rights. You will use this window for all commands before you restart.
Press the Windows key, type cmd, then right-click on “Command Prompt” in the search results and select “Run as administrator.”
Step 3: Schedule the Malicious File for Deletion
The miner executable is normally locked while it is running, so it cannot be deleted the usual way. The command below writes its path into the PendingFileRenameOperations value, which the Session Manager processes very early in the next boot, before the malware's scheduled task or Run entry can start it again. Two things to check before you run it: confirm the exact file name inside C:\Windows\System32\wsvcz (here u862812.exe, but it can differ between infections, and the folder may be hidden), and be aware that /f replaces any rename operations already queued in that value, for example by a Windows Update in progress, so finish a pending update first.
In the Administrator Command Prompt window you just opened, copy and paste the following command and press Enter:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations /t REG_MULTI_SZ /d "\??\C:\Windows\System32\wsvcz\u862812.exe" /f
Step 4: CRITICAL STEP – Restart Your Computer
You must restart your computer now. The Session Manager processes the queued deletion during startup, before any scheduled task or startup entry can launch the miner again. If the miner is running again after the reboot, the path or file name in Step 3 did not match what is on disk: check the folder contents and repeat Step 3 with the exact name.
Step 5: Remove Malware Persistence (Tasks & Run Keys)
After your PC has restarted, the malware’s persistence mechanisms must be removed to prevent it from coming back. Open a new Administrator Command Prompt just like you did in Step 2 for the following commands.
A. Find and Delete the Scheduled Task
First, find the task. Listing tasks in CSV layout keeps each task on one line, so a match shows the task name and the program it runs together (/i makes the search case-insensitive):
schtasks /query /fo CSV /v | findstr /i "wsvcz"
On each matching line, the second quoted field is the "TaskName", including its folder path. Delete the task with that exact name, replacing "taskname" in the command below with what you found:
schtasks /delete /TN "taskname" /F
Example: schtasks /delete /TN "\Microsoft\Windows\wsvcz\wsvcz" /F
Run the query again afterwards to confirm nothing matches; the malware may have registered more than one task.
B. Check Registry Run Keys
Now check the registry startup entries. Run the following two commands and look for any value whose data mentions "wsvcz" (the value name itself may look harmless). The RunOnce keys next to these, and the 32-bit Wow6432Node view of the HKLM key, deserve the same check.
Check for the current user:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Check for all users:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
If you find a suspicious entry, remove it with reg delete, giving the same key path and the value name you saw in the output (the /v option), then re-run the query to confirm it is gone.
Step 6: Delete the Malware Folder
With all persistence mechanisms removed, delete the folder where the malware was stored. Open File Explorer, navigate to C:\Windows\System32\, enable "Hidden items" in the View tab if the wsvcz folder is not visible, and permanently delete the entire folder (Shift + Delete). If Windows reports that a file is in use, the executable is still running, meaning the boot-time deletion in Step 3 did not match its name; go back to Step 3 with the correct name rather than forcing the delete.
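The whole procedure above (stop the miner, queue its files for deletion at boot, remove the scheduled task and Run entries, delete the folder after the reboot) as one PowerShell script, added here as a worked example; it is not part of the original guide or of Rupom's method. It assumes only the folder path and the "wsvcz" marker the guide gives; the executable name and everything else is read from the system. Instead of reg add it calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the documented API behind PendingFileRenameOperations, which appends to that value rather than replacing it.

```powershell
# wsvcz-cleanup.ps1 - added example, not part of the original guide.
# Run from an elevated PowerShell (Windows 8 / Server 2012 or later, for Get-ScheduledTask).
# Assumes the folder and the "wsvcz" marker named in the guide; the executable
# name is read from disk rather than hard-coded because it varies per infection.
# Without -Remove the script only reports what it would change.
[CmdletBinding()]
param(
    [string]$MalwareDir = 'C:\Windows\System32\wsvcz',
    [string]$Marker     = 'wsvcz',
    [switch]$Remove
)

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is the API behind the guide's
# PendingFileRenameOperations trick; it appends to that value instead of
# overwriting it, so renames queued by Windows Update survive.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

# Anything running from the malware folder (the miner itself).
$miners = Get-Process | Where-Object {
    $_.Path -and $_.Path.StartsWith($MalwareDir, [StringComparison]::OrdinalIgnoreCase)
}
foreach ($p in $miners) {
    "[process] PID $($p.Id) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Queue every file in the folder (hidden ones included) for deletion at boot.
if (Test-Path -LiteralPath $MalwareDir) {
    foreach ($f in Get-ChildItem -LiteralPath $MalwareDir -File -Force -Recurse) {
        "[file] $($f.FullName)"
        if ($Remove) {
            $f.Attributes = [IO.FileAttributes]::Normal   # drop read-only/hidden/system first
            if (-not [Win32.NativeMethods]::MoveFileEx($f.FullName, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                throw "MoveFileEx failed for $($f.FullName), Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
        }
    }
}

# Scheduled tasks whose folder, name or action mentions the marker.
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskPath -like "*$Marker*" -or $_.TaskName -like "*$Marker*" -or
    ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like "*$Marker*" })
}
foreach ($t in $tasks) {
    "[task] $($t.TaskPath)$($t.TaskName) -> $($t.Actions.Execute -join ' ')"
    if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
}

# Run and RunOnce keys for the current user and the machine, including the 32-bit view.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $hits = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$Marker*" }
    foreach ($h in $hits) {
        "[run] $key\$($h.Name) = $($h.Value)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $h.Name }
    }
}

# Show what is queued for the next boot so you can check it before restarting.
$pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
"[pending] " + (@($pending | Where-Object { $_ }) -join ' ; ')

# Second run, after the reboot: the folder should be empty now, so remove it.
if ($Remove -and (Test-Path -LiteralPath $MalwareDir) -and -not (Get-ChildItem -LiteralPath $MalwareDir -Force)) {
    Remove-Item -LiteralPath $MalwareDir -Force
    "[folder] removed $MalwareDir"
}
```

Run it once without -Remove to see what it finds, then with -Remove (for example powershell -ExecutionPolicy Bypass -File .\wsvcz-cleanup.ps1 -Remove), restart, and run it with -Remove a second time to delete the emptied folder. The "[pending]" line printed before the restart is the check that the deletion really was queued for the right file.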
Done! Your PC Should Be Clean.
The malware should now be completely removed from your system. As a final check, please complete these verification steps:
- Reconnect to the Internet.
- Open Windows Security, go to “Virus & threat protection,” and click to check for protection updates.
- Once updated, run a Full Scan to ensure no remnants of the malware are left behind.
- As a critical precaution, change the passwords for your important online accounts (email, social media, banking).
How to Prevent This From Happening Again
This virus spreads by tricking you. Understanding its method is the key to staying safe.
⚠️ BE CAREFUL WITH PENDRIVES: The virus marks the real files and folders on a pendrive as hidden and puts a shortcut with the same name and icon in their place. When you click the shortcut expecting to open your files, it runs a script instead, and Windows shows a User Account Control (UAC) prompt asking for administrator permission.
Opening a folder or a document never needs administrator rights, so that prompt is the tell. If a pendrive ever asks for administrator permission just to open or view files, NEVER CLICK “YES”: this is the exact moment the virus installs itself on your PC. Click “No,” safely eject the drive, and examine it on a clean computer.
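How to examine a suspect pendrive on a clean computer before you format it, as an added PowerShell example that is not part of the original guide. It looks for exactly the pattern described above: shortcuts in the drive root that launch a script host instead of opening the folder they imitate, script files sitting in the root, and the real items marked hidden. The drive letter, the -Unhide switch and the list of script hosts are assumptions of the example; it only reads the drive unless -Unhide is given.

```powershell
# check-usb.ps1 - added example, not part of the original guide. Run it on a
# computer you know is clean; it only reads the drive unless -Unhide is given.
# Looks for the worm pattern the guide describes: .lnk shortcuts in the drive
# root that run a script host, script files in the root, and the user's real
# folders/files marked hidden next to them.
param(
    [Parameter(Mandatory)][string]$Drive,   # e.g. 'E:'
    [switch]$Unhide                         # clear Hidden/System so the real files can be copied out
)

$root     = $Drive.TrimEnd('\') + '\'
$shell    = New-Object -ComObject WScript.Shell
$hosts    = 'cmd.exe','wscript.exe','cscript.exe','powershell.exe','mshta.exe','rundll32.exe'
$scripts  = '.vbs','.vbe','.js','.jse','.wsf','.bat','.cmd','.ps1'
$findings = @()

$items  = Get-ChildItem -LiteralPath $root -Force
$hidden = $items | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }

# Shortcuts in the root: resolve each one and see what it actually runs.
foreach ($lnk in ($items | Where-Object Extension -eq '.lnk')) {
    $sc     = $shell.CreateShortcut($lnk.FullName)
    $target = [IO.Path]::GetFileName("$($sc.TargetPath)").ToLower()
    $twin   = $hidden | Where-Object { $_.Name -eq $lnk.BaseName }   # hidden item it impersonates
    if ($hosts -contains $target -or "$($sc.Arguments)" -match '\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b' -or $twin) {
        $findings += "[lnk] $($lnk.Name) -> $($sc.TargetPath) $($sc.Arguments)" +
                     $(if ($twin) { "  (shadows hidden '$($twin.Name)')" })
    }
}

# Script files in the root: nothing legitimate on a data stick needs these.
foreach ($s in ($items | Where-Object { $scripts -contains $_.Extension.ToLower() })) {
    $findings += "[script] $($s.Name) ($($s.Length) bytes, $($s.Attributes))"
}

# Hidden items: the worm hides the user's real folders and files this way.
foreach ($h in $hidden) {
    $findings += "[hidden] $($h.Name) ($($h.Attributes))"
    if ($Unhide) {
        $keep = [int]$h.Attributes -band -bnot [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
        if ($keep -eq 0) { $keep = [int][IO.FileAttributes]::Normal }
        $h.Attributes = [IO.FileAttributes]$keep
    }
}

if ($findings) { $findings } else { "No shortcut/script/hidden pattern found in $root" }
```

Run it as .\check-usb.ps1 -Drive E: (never by double-clicking anything on the stick). If it reports shortcuts beside hidden items of the same name, run it again with -Unhide, copy only your own documents off the drive (not the .lnk or script files), and then give the drive the full format described in the next section; the same full format is available from PowerShell as Format-Volume with the -Full switch.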
How to Clean an Infected Pendrive (Formatting)
If your pendrive is infected, simply deleting the files is not enough. The only guaranteed way to remove the virus from the drive itself is to perform a full format. This will erase everything on the drive and restore it to a clean state.
⚠️ WARNING: This process will permanently erase ALL data on your pendrive. If there are any important files, try to back them up using a secure computer first. The safest method is to consider all data on the infected drive lost.
Follow these steps on a computer that you know is 100% clean:
- Insert the infected pendrive into the clean computer.
- Open File Explorer (or “This PC”).
- Right-click on the icon for your pendrive and select Format… from the dropdown menu.
- In the format window that appears, look for the section called “Format options.”
- This is the most important step: Make sure the checkbox next to Quick Format is UNCHECKED.
Unchecking this option performs a “Full Format.” A Quick Format only rebuilds the file system metadata: the shortcut and script files are no longer listed, but their contents remain on the flash cells and can be recovered. A Full Format (on Windows Vista and later) writes zeros over the whole volume and checks it for bad sectors. It takes much longer, but it is essential for ensuring the malware is completely wiped out.
- Click the Start button. You will see a final warning that all data will be erased. Click OK to proceed.
- Be patient. A full format can take a significant amount of time, from several minutes to over an hour, depending on the size and speed of your pendrive. Do not unplug it until the process is complete.
Once the format is finished, your pendrive will be completely clean, free of the virus, and safe to use again.
Stay safe, and be cautious when using public PCs or shared pendrives!