Trojan:Script/Wacatac.B!ml stuck in Windows Defender scans? Here's the fix
Wacatac.B!ml won't clear? It's often hiding in browser caches or temp folders. Here's how to kill it with offline Defender and manual cleanup.
When this thing shows up and won't go away
You've run Windows Defender full scan three times. Each time it finds Trojan:Script/Wacatac.B!ml and claims to have removed it. But the next day — boom — same detection. Or worse, Defender says it's quarantined but real-time protection keeps flagging it. Here's what's really happening.
I saw this last month with a small law firm's admin PC. The user had clicked a sketchy email attachment, and Defender caught the script. But after a quick scan and "clean" report, the trojan reappeared every time they opened Chrome. Took me 20 minutes to nail it.
Root cause: Wacatac.B!ml hides where Defender doesn't look deeply
Wacatac.B!ml isn't a file — it's a script trojan, usually JavaScript or VBS, that runs in memory or from cache. Defender can detect it when it executes, but if the script is stored in your browser cache (Chrome, Edge, Firefox) or in a temp folder that Defender doesn't scan by default, it'll keep coming back. The file itself might be deleted, but the cached copy triggers the alert again on reboot.
Another sneaky spot: Windows Temp folders and user AppData\Local\Temp. These are low-privilege areas where scripts can hide and re-infect via scheduled tasks or browser startup.
Step-by-step fix: Kill Wacatac.B!ml for good
Step 1: Run Microsoft Defender Offline Scan
Skip the normal scans — they miss cache files. Offline scan boots before Windows loads, so it can delete locked files.
- Open Windows Security (shield icon in taskbar).
- Click Virus & threat protection.
- Click Scan options, then select Microsoft Defender Offline Scan.
- Click Scan now. Your PC will restart and take about 15 minutes.
- After reboot, check the scan history. If it found Wacatac, great — but we're not done yet.
Step 2: Nuke browser caches manually
Defender offline won't always touch browser caches because they're user-specific. Delete them manually:
- Chrome: Press Ctrl+Shift+Del, set time range to All time, check Cached images and files, delete.
- Edge: Same shortcut, same settings.
- Firefox: Press Ctrl+Shift+Del, uncheck everything except Cache, clear.
Step 3: Wipe temp files like your job depends on it
This is where the trojan often hangs out. Open a Run dialog (Win+R), type %temp%, and hit Enter. Select all files inside (Ctrl+A), then Shift+Delete to permanently remove them. Some files will say "in use" — skip those. Then do the same with temp (without the percent signs) in the root of your C drive.
Step 4: Check startup and scheduled tasks
Wacatac sometimes sets a trigger to re-appear. Open Task Scheduler (search for it), look for any tasks with suspicious names — random letters like asdflkj or Updater. Disable them. Then open Task Manager > Startup tab, disable anything you don't recognize.
Step 5: Run a second offline scan
After cleaning caches and temp files, run Microsoft Defender Offline Scan one more time. This catches any remnants that were hiding in those folders before.
Still failing? Here's what to check next
- Check browser extensions: The trojan can inject into extensions. Go to chrome://extensions or edge://extensions, remove anything you didn't install.
- Run a second opinion scanner: I've had good luck with Malwarebytes free scan — it catches things Defender misses. Run a scan after steps 1-3.
- Check for a persistent scheduled task: Open PowerShell as admin, run Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft\*"} | Format-Table TaskName,TaskPath. If you see weird tasks, disable them.
- Reset browser completely: In Chrome, go to Settings > Reset settings > Restore settings to their original defaults. This kills any sneaky scripts hiding in the browser profile.
- Last resort: Check JavaScript files in downloads: Wacatac often comes from malicious .js files. Search your Downloads folder for *.js files and delete anything you don't trust.
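A read-only triage script for the checks above, added here as an example and not part of the original article. It shows the paths Defender recorded for the Wacatac detection, script files sitting in the temp and Downloads folders, and scheduled tasks outside \Microsoft\ with the command each one runs. The extension list is an assumption, not something the article specifies.

```powershell
# Added example: read-only triage for a detection that keeps coming back.
# Nothing here deletes or disables anything; review the output first.
#Requires -RunAsAdministrator

# 1. Where did Defender see the threat? Resources holds the file or URL paths.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $names[$_.ThreatID] -like '*Wacatac*' } |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            Process   = $_.ProcessName
            Resources = $_.Resources -join '; '
        }
    } | Format-List

# 2. Script files in the folders the article names (temp folders, Downloads).
#    Extension list is an assumption: common Windows script-host types.
$roots = @($env:TEMP, "$env:SystemRoot\Temp", "$env:USERPROFILE\Downloads")
$exts  = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'
Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension.ToLower() } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize

# 3. Scheduled tasks outside \Microsoft\, with the command line each action runs.
#    COM-handler actions have no Execute value, so their Command is empty.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($action in $_.Actions) {
            [pscustomobject]@{
                Task    = $_.TaskPath + $_.TaskName
                State   = $_.State
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session of the affected user: if you elevate with a different admin account, $env:TEMP and $env:USERPROFILE point at that account's folders instead.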
One tip from experience: after you've cleaned everything, reboot and immediately run a Defender quick scan. If it stays clean for 24 hours, you're golden. If it comes back again, you've got a more deeply embedded infection — consider a full Windows reset from Settings > Update & Security > Recovery.