We happen to use ConnectWise Control (formerly ScreenConnect) as our remote support tool so when we got a call from a customer that we already had an agent installed on, we were dismayed to find the scammer was also using a paid version of Control. This is the story of how we removed the scammer and reported them to ConnectWise.
We have this one elderly customer, he used to work with a business we still support and we’ve continued to assist him with tasks on his home computer. He was a computer programmer long ago, he would always tell us about the days of pushing punch cards into a computer the size of a room in order to run some simple calculations. He’s been pretty sharp for the most part, but as he aged it became harder to keep up with all this developing technology.
He comes into our story when he called one day telling us he thinks a scammer is connected to his computer. One of our junior help desk guys took the call and thought to bring me in when he couldn’t quite determine which remote software the scammer was using. Meanwhile the scammer was trying to communicate by notepad and telephone with the customer.
I got connected and told him to hang up on the scammer and don’t answer his calls. I checked the running tasks, nothing noticeable, then went to services and noticed he had several screenconnect entries. The scammer had added multiple access agents, these are the install types that can connect without the user’s permission.
The junior tech choose to disable guest input but I don’t think that stopped the scammer because at one point a full screen window displayed that we couldn’t get any apps on top of, so I dropped back into backstage mode.
In backstage mode I opened regedit and navigated to services to examine the multiple entries, one of them is our remote, so I don’t want to accidentally remove my own access.
In regedit I browsed to HKLM\SYSTEM\CurrentControlSet\Services, here there were several ScreenConnect Client entries with different guid strings, the best way to find the scammer links was to check the urls and to know your own url. Your own can be found at https://cloud.screenconnect.com/
Once you know the instance id or custom url you can examine the ImagePath in the registry:
"C:\Users\user-6154\AppData\Local\Apps\2.0\WAE09LZV.WL0\ZNEYHGD7.74J\scre..tion_b15b0581876c57b7_0014.0002_a6b5b1346214a778\ScreenConnect.ClientService.exe" "?y=Guest&h=chelp.live&p=8041&s=59973ade-6011-4561-8b6c-64002e4a9e30&k=BgIAAACkAABSU0ExAAgAAAEAAQCDJtWgqekzRVo8dGHl%2b4mRD4X509o6naFSX5ri6oKCh58u0KquANoKWXMagEwL636P9aw93EvW0cVgYiuGFWOzeeLuKHfehoyQcNZQ4AjJTFpf86ktD%2f5VREGlwYw7BgH1thDidPfqCd8S3BYZtGzor8PYM66rjMPJqEg%2f0LhiWlOLw3ceA9oZwt%2bkB3S1L74J8meAoME4LMzwt%2fC4i5vKBFycaNtWYBgDPG1SqtOTkayxqBqQuDoy6aOUVAW1oIP%2fhJlhMwUBCCRO3raSWCe%2fHtcL1CAJlGFuAEwijdPF2UJHAjs%2bCyMWFeTDgHcSjvbWXWYN3nc3njHrjWMtoOXI&r=&i=Untitled%20Session" "1"
"C:\Users\user-6154\AppData\Local\Apps\2.0\WAE09LZV.WL0\ZNEYHGD7.74J\scre..tion_b15b0581876c57b7_0014.0002_03ad3af19bd93df0\ScreenConnect.ClientService.exe" "?y=Guest&h=onbxr.xyz&p=8041&s=a2cc838e-5932-4457-aa87-b48145ab2522&k=BgIAAACkAABSU0ExAAgAAAEAAQCDJtWgqekzRVo8dGHl%2b4mRD4X509o6naFSX5ri6oKCh58u0KquANoKWXMagEwL636P9aw93EvW0cVgYiuGFWOzeeLuKHfehoyQcNZQ4AjJTFpf86ktD%2f5VREGlwYw7BgH1thDidPfqCd8S3BYZtGzor8PYM66rjMPJqEg%2f0LhiWlOLw3ceA9oZwt%2bkB3S1L74J8meAoME4LMzwt%2fC4i5vKBFycaNtWYBgDPG1SqtOTkayxqBqQuDoy6aOUVAW1oIP%2fhJlhMwUBCCRO3raSWCe%2fHtcL1CAJlGFuAEwijdPF2UJHAjs%2bCyMWFeTDgHcSjvbWXWYN3nc3njHrjWMtoOXI&r=&i=Untitled%20Session" "1"
"C:\Users\user-6154\AppData\Local\Apps\2.0\WAE09LZV.WL0\ZNEYHGD7.74J\scre..tion_b15b0581876c57b7_0014.0002_f0cd82ddfb991180\ScreenConnect.ClientService.exe" "?y=Guest&h=onbxr.xyz&p=8041&s=a906953a-c8ad-45a3-929b-400b4cf1c350&k=BgIAAACkAABSU0ExAAgAAAEAAQCDJtWgqekzRVo8dGHl%2b4mRD4X509o6naFSX5ri6oKCh58u0KquANoKWXMagEwL636P9aw93EvW0cVgYiuGFWOzeeLuKHfehoyQcNZQ4AjJTFpf86ktD%2f5VREGlwYw7BgH1thDidPfqCd8S3BYZtGzor8PYM66rjMPJqEg%2f0LhiWlOLw3ceA9oZwt%2bkB3S1L74J8meAoME4LMzwt%2fC4i5vKBFycaNtWYBgDPG1SqtOTkayxqBqQuDoy6aOUVAW1oIP%2fhJlhMwUBCCRO3raSWCe%2fHtcL1CAJlGFuAEwijdPF2UJHAjs%2bCyMWFeTDgHcSjvbWXWYN3nc3njHrjWMtoOXI&r=&i=Untitled%20Session" "1"
"C:\Users\user-6154\AppData\Local\Apps\2.0\WAE09LZV.WL0\ZNEYHGD7.74J\scre..tion_b15b0581876c57b7_0014.0002_f0cd82ddfb991180\ScreenConnect.ClientService.exe" "?y=Guest&h=supportclient.cc&p=8041&s=fcebf6bd-eb1d-45cd-8546-12630415be23&k=BgIAAACkAABSU0ExAAgAAAEAAQCDJtWgqekzRVo8dGHl%2b4mRD4X509o6naFSX5ri6oKCh58u0KquANoKWXMagEwL636P9aw93EvW0cVgYiuGFWOzeeLuKHfehoyQcNZQ4AjJTFpf86ktD%2f5VREGlwYw7BgH1thDidPfqCd8S3BYZtGzor8PYM66rjMPJqEg%2f0LhiWlOLw3ceA9oZwt%2bkB3S1L74J8meAoME4LMzwt%2fC4i5vKBFycaNtWYBgDPG1SqtOTkayxqBqQuDoy6aOUVAW1oIP%2fhJlhMwUBCCRO3raSWCe%2fHtcL1CAJlGFuAEwijdPF2UJHAjs%2bCyMWFeTDgHcSjvbWXWYN3nc3njHrjWMtoOXI&r=&i=bahar%20ka%20remote%20dennis%20cb" "1"
Some interesting stuff here, we find the sites that host these scammer’s control instances. As I post this I also notice what might be the name they gave the session:
"bahar ka remote dennis cb"Seems to translate to “spring remote dennis cub” 🤷
Our customer was told by the scammer that McAfee would be needed to eliminate the virus and that this software was $300, so it was no surprise to see that one of the instances looked like this:
At this point the customer became suspicious because the initial alert was McAfee and he had Symantec not McAfee and they’re telling him only McAfee can fix the problem. That’s when he called us.
In backstage mode, I was able to issue these commands to terminate the scammers connection:
sc stop "ScreenConnect Client (xxxc838e-5932-4457-aa87-b48145ab2522)"
sc stop "ScreenConnect Client (xxx73ade-6011-4561-8b6c-64002e4a9e30)"
sc stop "ScreenConnect Client (xxx6953a-c8ad-45a3-929b-400b4cf1c350)"
sc stop "ScreenConnect Client (xxxbf6bd-eb1d-45cd-8546-12630415be23)"
sc delete "ScreenConnect Client (xxxc838e-5932-4457-aa87-b48145ab2522)"
sc delete "ScreenConnect Client (xxx73ade-6011-4561-8b6c-64002e4a9e30)"
sc delete "ScreenConnect Client (xxx6953a-c8ad-45a3-929b-400b4cf1c350)"
sc delete "ScreenConnect Client (xxxbf6bd-eb1d-45cd-8546-12630415be23)"I open a chat with ConnectWise Support, as a customer of several of their products this is quite easy to do. I send them the urls, over the next day I send them all the information I have about the scam so they can revoke their license.
I decided that I may also need to get their servers shutdown, so I checked each of the urls we had and found they’re in different datacenters for ColoCrossing.com, I sent them an email with the evidence and the server dns and ip addresses. They don’t seem to have the best reputation or response time so we will see if either company comes through to protect the elderly from this kind of abuse.
If this is interesting to you I highly recommend Jim Browning on YouTube, he spends his time tracking these scammers down, it’s educational and entertaining: https://www.youtube.com/JimBrowning
dyers in IT 