ScreenConnect Client Scam: Remove Unexpected Remote Access

Daniel Zimmermann
Daniel Zimmermann
12 Min Read
ScreenConnect scam warning showing unexpected remote access on a Windows PC
Unexpected ScreenConnect remote access should be treated as a security incident until the owner confirms it.

ScreenConnect is legitimate remote support software, but ScreenConnect Client on a PC you did not authorize is a remote-access incident. If it appeared after a phone call, fake support page, email attachment, PDF download, or fake Adobe/update prompt, assume someone may have been able to view the screen, move the mouse, run commands, and install more tools.

The safe response is not just deleting ScreenConnect.ClientSetup.exe. The installer is usually only the delivery file. After installation, the client may leave a background service such as ScreenConnect Client Service, an executable such as ScreenConnect.ClientService.exe, and a session component such as ScreenConnect.WindowsClient.exe. Stop the connection first, remove the client, then scan for the scam payloads that came with it.

ScreenConnect cleanup map with steps to stop access, remove the client, and scan with Gridinsoft Anti-Malware
A quick cleanup map for stopping unexpected ScreenConnect access, removing the client service, and scanning for leftover threats.

Why unexpected ScreenConnect is risky

ConnectWise ScreenConnect, formerly ConnectWise Control, is built for remote support and unattended access. That is useful when your IT provider installs it with permission. It is dangerous when a scammer convinces a victim to install it during a fake bank, Microsoft, Adobe, Social Security, invoice, refund, or tech-support scenario.

In that situation, the question is not whether ScreenConnect itself is malware. The real question is whether the person controlling the session had permission and what they did while connected. Remote access can be used to open banking pages, collect documents, run scripts, disable security settings, add startup items, install password stealers, or create persistence that survives a reboot.

Signs the install was part of a scam

  • You downloaded ScreenConnect.ClientSetup.exe from a random website, short link, fake document portal, or browser pop-up.
  • A caller or chat agent told you to install a “viewer”, “security update”, “PDF update”, “support tool”, or “verification app”.
  • Apps & Features shows ScreenConnect Client, ConnectWise Control Client, or a similar remote support entry you do not recognize.
  • Services shows ScreenConnect Client Service or a ScreenConnect service with an instance ID in parentheses.
  • Task Manager shows ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe, or related ConnectWise/ScreenConnect processes while nobody from your trusted IT team is supporting the PC.
  • A browser page claimed a protected PDF or shared document needed an update before it could open.

What may remain after the installer runs

Place to check What you may see What it means
Downloads ScreenConnect.ClientSetup.exe The installer. It may be gone after setup, so absence here does not prove the PC is clean.
Apps & Features ScreenConnect Client or ConnectWise Control Client The installed remote access client.
Services ScreenConnect Client Service Background service that can keep the client available after reboot.
Task Manager ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe Service and interactive session components.
Program folders C:\Program Files (x86)\ScreenConnect Client (...) Common client installation folder. The exact suffix varies by instance.
Security tools Exclusions, disabled protection, new scheduled tasks Possible follow-on activity from the scammer or a bundled payload.

Do this first if ScreenConnect appeared unexpectedly

  1. Disconnect the PC from the internet. Unplug Ethernet or turn off Wi-Fi. If the session is still open, this breaks the attacker’s control while you investigate.
  2. End the call or chat. Do not let the same person guide the cleanup. Scammers often tell victims that removal will “damage the account” or “cancel the refund”.
  3. Use a different clean device for passwords. If you typed banking, email, Microsoft, Google, PayPal, crypto, or work credentials while the session was active, change those passwords from another device.
  4. Call your bank from the number on the card or official website. Do this immediately if the scammer saw account pages, asked for card details, initiated transfers, or mentioned refunds.
  5. Take quick evidence notes. Save the phone number, website, downloaded file name, time, and any payment/account actions. This helps with bank fraud reports and later cleanup.

How to remove ScreenConnect Client from Windows

If this is a work computer, confirm with your IT department before removal. On a personal PC, remove unexpected ScreenConnect as soon as the internet connection is off.

  1. Open Settings > Apps > Installed apps or Apps & Features.
  2. Search for ScreenConnect and ConnectWise Control.
  3. Select the client entry and choose Uninstall.
  4. Restart Windows.
  5. Open Services with services.msc and look again for ScreenConnect Client Service or a ConnectWise/ScreenConnect service.
  6. Open Task Manager and check whether ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe returned after reboot.

If the normal uninstaller is missing or fails, open PowerShell as administrator and identify the service before deleting anything:

Get-CimInstance Win32_Service |
  Where-Object { $_.DisplayName -match 'ScreenConnect|ConnectWise' } |
  Select-Object Name, DisplayName, State, PathName

Only after you have confirmed the service belongs to the unwanted client, stop it and remove it by service Name, not by guessing from the display name:

sc.exe stop "SERVICE_NAME_FROM_THE_LIST"
sc.exe delete "SERVICE_NAME_FROM_THE_LIST"

Then restart again and re-check Apps, Services, Task Manager, and C:\Program Files (x86)\ for leftover ScreenConnect or ConnectWise client folders. Do not delete random folders with similar names if this is a managed work PC.

Why scan after manual removal

Manual removal can close the obvious remote-access door, but it does not answer what the scammer installed before you noticed. Fake update pages and support scams often deliver more than one component: downloaders, startup entries, scheduled tasks, browser changes, security exclusions, or credential-stealing tools.

This is where Gridinsoft Anti-Malware makes the cleanup easier. After the connection is stopped and the visible client is removed, run a full scan to check for hidden files, unwanted apps, startup entries, scheduled tasks, browser leftovers, and companion malware that may have arrived during the same session. The scan cannot prove that no human saw your screen, but it can help remove the technical leftovers that keep a PC exposed.

Unexpected ScreenConnect on this PC?

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Scan for remote-access leftovers

If a scammer had remote access

Treat the cleanup as both a device problem and an account problem. Removing the client is only one part of recovery.

  • Change passwords for email, banking, Microsoft/Google/Apple, PayPal, crypto, shopping, cloud storage, and work accounts from a clean device.
  • Turn on multi-factor authentication where possible.
  • Check email forwarding rules, filters, recovery email addresses, and connected apps.
  • Review browser saved passwords and payment methods.
  • Check bank and card activity for transfers, new payees, gift-card purchases, and test charges.
  • Tell your workplace IT team if a work account, VPN, RDP, Teams, Slack, cloud drive, or admin tool was open during the session.
  • If sensitive documents, tax records, Social Security details, or identity documents were visible, consider credit freezes and official identity-theft reporting steps.

Legitimate ScreenConnect vs scam install

Question Legitimate support Likely scam
Who asked you to install it? Your employer, MSP, or a known vendor you contacted first. An unsolicited caller, pop-up, email, fake document page, or refund agent.
Where did the download come from? A known company support portal or a link confirmed by your IT team. A random domain, shortened URL, fake PDF/update page, or copied chat instruction.
Was the session explained? You know the technician, purpose, and expected time window. The person creates urgency, asks for banking, tells you not to close the window, or requests payment.
What should you do? Confirm with the owner before uninstalling. Disconnect, remove the client, scan, and secure accounts.

ScreenConnect abuse usually appears as part of a larger lure, not as a search for the installer name. Gridinsoft recently analyzed a fake Social Security Statement email that pushed ScreenConnect through a fake Adobe-style document page. We have also covered sysupdate.jpeg malware with ScreenConnect activity and broader remote-access malware warning signs.

That is why this page focuses on the post-install problem: what to check when the installer is gone but the client, service, or remote-control risk may remain.

FAQ

Is ScreenConnect malware?

No. ScreenConnect is legitimate remote support software. It becomes a security concern when it is installed without informed permission or delivered through a scam, fake update, phishing email, or fake support call.

Does ScreenConnect.ClientSetup.exe stay running after installation?

Usually the setup file is only the installer. After installation, the more important things to check are the installed app entry, ScreenConnect Client Service, ScreenConnect.ClientService.exe, and ScreenConnect.WindowsClient.exe. The installer may remain in Downloads, but the service is what can keep access available.

Can I just delete ScreenConnect.ClientSetup.exe?

No. Deleting the downloaded installer does not remove an installed client or undo what happened during a remote session. Remove the app, check services and processes, reboot, scan the PC, and secure accounts that were visible or used.

What if my company uses ScreenConnect?

Do not remove a managed support tool from a work PC without asking IT. The warning applies to unexpected installs on personal PCs or situations where the download came from a suspicious call, email, pop-up, or fake document page.

When should I reinstall Windows?

Reinstalling may be reasonable if the scammer had admin access for a long time, installed multiple tools, disabled security, or accessed high-value work systems. For many home users, disconnecting, removing the client, scanning with a trusted anti-malware tool, and securing accounts is the first practical step before deciding on a full reset.

References

  1. ConnectWise. “ScreenConnect Remote Support Software.” ConnectWise ScreenConnect, accessed June 18, 2026. https://www.screenconnect.com/
  2. Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation, and MS-ISAC. “Protecting Against Malicious Use of Remote Monitoring and Management Software.” Cybersecurity Advisory AA23-025A, January 25, 2023, accessed June 18, 2026. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
The FBI believes that the HelloKitty cryptor is controlled by operators from Ukraine
Anonymous hackers declared war on the Russian government
Chinese Hackers Use Google Command & Control Capabilities in Attacks
Fake Robux PDFs on .gov and .mil Sites: Scam Warning
XZ Utils Backdoor Discovered, Threating Linux Servers
TAGGED:
Share This Article
ByDaniel Zimmermann
Follow:
With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services
Previous Article Friends ransomware locks files with the .friends124 extension before recovery checks. Friends Ransomware: .friends124 File Recovery Guide
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?