Remote Control Scams Using ScreenConnect

Remote control scams are still very common, and I get to help people every day in recovering from them. Most of the time it's pretty straightforward: I explain the scam. Before we deal with the computer, the client secures their finances with their banks. Next, we go over their PC or phone to uninstall the scammer's software. I quickly make sure the system is clean and safe and we all move on with our lives. But remote control scams using ScreenConnect are changing, and complicating, this type of cybercrime.

I need to write out what I’m seeing here, and I apologize if it seems a bit dry or technical. Much of my readership may not need this info, but that’s OK. My hope is that this helps other technicians in recognizing this issue on other PCs.

ConnectWise and ScreenConnect

There are many software programs that allow one computer to remotely control another. ScreenConnect is one such app, and it is now owned and developed by ConnectWise, LLC.

Full disclosure: I use the ScreenConnect product for most of my remote support work. It is a solid product that meets and exceeds my needs to deliver legitimate computer assistance. In describing here how their product is being misused, I do not intend any disparagement or criticism towards ConnectWise. They appear to be a law-abiding and quality company.

The ScreenConnect software has many features that set it apart from other remote control apps, and that also make it attractive for scammers. When a bad actor employs ConnectWise, they tend to install it such that:

  • "ScreenConnect Client" is hidden/missing from the Programs or Apps list, making it impossible to uninstall from there
  • There is no taskbar icon to indicate that the program is running and active
  • It won't easily terminate from within the Task Manager
  • ConnectWise/ScreenConnect files and folders are not installed in the Program Files or ProgramData directories

I don’t use ScreenConnect in this manner. When customers install my remote control app, my logo is obvious in the taskbar, and it can be quickly uninstalled through the regular Apps list. But when the scammers use ScreenConnect, it makes for a difficult scenario. The computer may seem haunted, as you cannot easily detect, find or remove the remote control software!

How to Find and Defeat a Hidden ScreenConnect Installation

ScreenConnect is a normal and acceptable software program, so it will not turn up on any virus or malware scan. To remove a hidden ScreenConnect installation, you must go looking for it and be ready to get surgical.

The files, if not shown under C:\Program Files (x86), are tucked away in the hidden AppData user account directory. I would recommend you right-click the Start button, open the Run prompt and type in %appdata% to get to that location. That will probably land you in the Roaming subfolder, but you want to go to the Local subfolder. In the address bar of File Explorer, click “AppData” and then double-click the Local folder, below.

If ScreenConnect is hiding on that machine, you’ll find it by drilling down into the Apps folder, then the 2.0 folder. ScreenConnect’s files will be in the folder with the random-hash name, as well as the Data folder. Here’s an example from my computer:

[Screenshot: the contents of the AppData\Local\Apps\2.0 folder, showing the random-hash folder and the Data folder]

Please note: these files are sometimes present on computers where I have legitimately installed ScreenConnect. If you have worked with me, these files should not be an immediate cause for concern. But you are also welcome to proceed in removing them, if that gives you peace of mind!

Deleting the 2.0 folder and all of its contents is what is needed to sever a scammer's unwanted ScreenConnect app. But if that app is still running, you won't succeed. You have to stop the ScreenConnect service first:

Right-click the Start button and open a Run prompt. Type in services.msc and click OK. Scroll down the list, looking for any entry beginning with ScreenConnect. If you find it, double-click on it and then click the Stop button. Now you may return to File Explorer and remove that 2.0 folder!

But Wait, There’s More

If you’ve had the privilege of hunting down and terminating this scammy use of an otherwise great software tool, you may want to go the extra mile. Report it to the ConnectWise company, so they can go after the miscreant behind that installation! If you want to put in the time and effort:

  • Copy that 2.0 folder and its contents (before deleting it) into a cloud storage location that you control (Dropbox, Google Drive, OneDrive, etc.)
  • Create a shareable link to that glob of files and send it in to ConnectWise

ScreenConnect techs can dig through those files, find the perpetrator and their websites, and put the kibosh on their activities.
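The two procedures above (find the service and the Apps\2.0 files, stop the service, then delete the folder, after keeping a copy for ConnectWise) can be done from one PowerShell script. This is an added example, not code from the original post or from ConnectWise; it assumes the layout described above (a per-user AppData\Local\Apps\2.0 folder and a service whose name begins with "ScreenConnect"), and the -BackupTo folder is a placeholder you supply.

```powershell
# Added example: report a ScreenConnect client hiding under AppData\Local\Apps\2.0
# and, only when -Remove is given, stop the service and delete the folder in the
# order the post describes, copying it to -BackupTo first for the report to ConnectWise.
# Assumption: the per-user Apps\2.0 layout and "ScreenConnect*" service name from the post.
param(
    [switch]$Remove,
    [string]$BackupTo   # placeholder: a synced Dropbox/OneDrive/Google Drive folder you control
)

$appsRoot = Join-Path $env:LOCALAPPDATA 'Apps\2.0'

# 1. Services whose name starts with ScreenConnect (the same entries services.msc shows)
$services = @(Get-Service | Where-Object {
    $_.Name -like 'ScreenConnect*' -or $_.DisplayName -like 'ScreenConnect*' })
foreach ($s in $services) {
    "Service : $($s.DisplayName) [$($s.Name)] - $($s.Status)"
}

# 2. Files under Apps\2.0 carrying the ScreenConnect name (random-hash folder and Data)
$files = @()
if (Test-Path $appsRoot) {
    $files = @(Get-ChildItem -Path $appsRoot -Recurse -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like '*ScreenConnect*' })
    foreach ($f in $files) {
        "File    : $($f.FullName) (modified $($f.LastWriteTime))"
    }
}

if ($services.Count -eq 0 -and $files.Count -eq 0) {
    "No ScreenConnect service or Apps\2.0 files found for user $env:USERNAME."
    return
}
if (-not $Remove) { "Re-run with -Remove (and -BackupTo <folder>) to clean up."; return }

# 3. Keep a copy first, so ConnectWise can trace the installation from it
if ($BackupTo) {
    Copy-Item -Path $appsRoot -Destination (Join-Path $BackupTo 'ScreenConnect-2.0-copy') -Recurse -Force
}

# 4. Stop the service before deleting; with it running, the delete fails
foreach ($s in $services) {
    if ($s.Status -ne 'Stopped') { Stop-Service -Name $s.Name -Force -Confirm }
}
Remove-Item -Path $appsRoot -Recurse -Force -Confirm
```

Run it while logged in as the user who was scammed, since Apps\2.0 lives in that user's own AppData; each stop and delete asks for confirmation before it happens.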
