ConnectWise scam domains list

@ScammerRevolts, what’s your take on this one that a chode tried getting me on today…

https://join.gotoresolve.com/456273683

That one is not ConnectWise Control.

Updated with https://mcare.help/
and http://123secure.org/

mcare.help iframes https://xibition.top/guest.aspx, the main page of which is simply a template lifted from Tooplate

I found this. I think it is ConnectWise
Support (vhelp.info)


Added the above along with https://ghelps.us/ & https://control.ctrl10.pw


Here is a new one.
kcare.cc


Added yours @FredFlintstone along with this one an SSA tried on me today…

https://rmpk.info


Added https://9117.org to the list.

Added https://mkpks.info.

Yeah these scams are awful.

Can someone give instructions on how to remove it from my pc? thanks

I use Revo Uninstaller for all program uninstalls as it will scan all the leftover files related to programs, including registry keys, unwanted files, and folders.

If doing it manually…

Manually Remove ConnectWise Control (ScreenConnect) From Windows

Get the unique thumbprint for the ScreenConnect instance installed on the PC

  1. Open Programs and Features: Control Panel > All Control Panel Items > Programs and Features
  2. Search for “ScreenConnect Client” in the list of software installed.
  3. You should see something similar to “ScreenConnect Client (xxxxxxxxxxxxxxxx)”, where “xxxxxxxxxxxxxxxx” represents the unique thumbprint. Note this thumbprint down somewhere as you will need it for the rest of the steps.

Delete all traces of ScreenConnect Client (xxxxxxxxxxxxxxxx) from C:\

  1. Open File Explorer
  2. Search, find and delete any folders named “ScreenConnect Client (xxxxxxxxxxxxxxxx)” in the following directories:
     C:\Program Files
     C:\Program Files (x86)
     C:\ProgramData
  3. Do a search through C:\ for “ScreenConnect Client (xxxxxxxxxxxxxxxx)” to confirm all traces have been removed.

Delete all traces of ScreenConnect Client (xxxxxxxxxxxxxxxx) from Registry Editor

  1. Open “RegEdit” with Admin privileges
  2. Do a “CTRL+F” to bring up the search bar
  3. Search the registry for any traces of the ScreenConnect instance “ScreenConnect Client (xxxxxxxxxxxxxxxx)” & “xxxxxxxxxxxxxxxx”, where “xxxxxxxxxxxxxxxx” represents the unique thumbprint.
  4. Delete these entries from the registry

Delete the ScreenConnect service from Windows Services

  1. Open an elevated command prompt
  2. Run the following command (where “xxxxxxxxxxxxxxxx” represents the unique thumbprint):

     sc delete "ScreenConnect Client (xxxxxxxxxxxxxxxx)"

  3. Open Services and confirm the ScreenConnect service has been deleted. This may take a few minutes for the command to process after running it.

Hi. I made a simple Tampermonkey script to alert you when you are on a ConnectWise scam website.
Just install the JS script into Tampermonkey, done!
Here is the source: GitHub - biden2020prez/ConnectWise-Scam-Blocker: Identify and block ConnectWise Scams

If anyone here wants edit access to the repo, in order to update the list of sites when needed (I’ll try but can’t promise), just PM me here or email me: [email protected]

Screenshots:


Here is the second screenshot because I am a new user 🙂
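The two signals this thread relies on, a list of reported hostnames and the observation that mcare.help and os123.org only iframe a guest.aspx page hosted elsewhere, can be combined in one userscript check. This is an added example, not the code of the ConnectWise-Scam-Blocker repository linked above; the function names, the finding labels and the guest.aspx heuristic are assumptions made for illustration.

```javascript
// ==UserScript==
// @name   Remote-support scam page check (added example)
// @match  *://*/*
// @grant  none
// ==/UserScript==
// Hostnames reported as scam portals in this thread (copied from the posts above).
const REPORTED_HOSTS = [
  "mcare.help", "123secure.org", "xibition.top", "vhelp.info", "ghelps.us",
  "control.ctrl10.pw", "kcare.cc", "rmpk.info", "9117.org", "mkpks.info",
  "jassist.us", "os123.org", "sup2.supos123.org", "qcare.cc", "shelp.info",
];
// Both framed URLs quoted in the thread end in /guest.aspx (a heuristic, not a verdict).
const GUEST_PAGE = /\/guest\.aspx$/i;

// True for a listed host or any subdomain of one; case and a trailing dot are ignored.
function isReported(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return REPORTED_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Resolve a frame src as the browser would; null unless it is an http(s) URL.
function resolveFrame(src, pageUrl) {
  try {
    const u = new URL(src, pageUrl);
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch { return null; }
}

// Returns a list of findings for a page URL and the src values of its iframes.
function assessPage(pageUrl, frameSrcs) {
  const page = new URL(pageUrl);
  const findings = [];
  if (isReported(page.hostname)) findings.push({ kind: "reported-host", host: page.hostname });
  for (const src of frameSrcs) {
    const u = resolveFrame(src, pageUrl);
    if (!u) continue;
    if (isReported(u.hostname)) findings.push({ kind: "reported-frame", host: u.hostname });
    else if (u.hostname !== page.hostname && GUEST_PAGE.test(u.pathname))
      findings.push({ kind: "cross-origin-guest-frame", host: u.hostname });
  }
  return findings;
}

// Browser entry point; skipped when the file is loaded outside a page (e.g. Node).
if (typeof document !== "undefined") {
  const srcs = [...document.querySelectorAll("iframe[src]")].map((f) => f.getAttribute("src"));
  const findings = assessPage(location.href, srcs);
  if (findings.length) console.warn("Possible remote-support scam page:", findings);
}
```

The cross-origin guest.aspx finding also catches wrapper pages whose hostname is not on the list yet, so treat it as a prompt to look closer rather than as proof.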

I have been looking a bit more into this today with the 10 scammers I called. To turn off ConnectWise, run these two commands:

taskkill /f /im ScreenConnect.WindowsClient.exe
taskkill /f /im ScreenConnect.ClientService.exe

This will kill the program. Then go to c:\Users\username\appdata\local and delete the folder called “apps”, so it doesn’t start when you turn on your PC.

jassist.us

I was baiting some scammers yesterday and had ZoneAlarm on the VM. I was surprised it detected ConnectWise as malware. It let it install first and only after fifteen minutes was it detected. I’m guessing the method that stopped it was behavioral based. The ZA browser extension doesn’t seem to let it download at all now. It’s not displaying that it’s flagged for some reason, but it is keeping the download in limbo, like it’s paused indefinitely.


Ok I added this domain, also nice to see this software is finally getting flagged 👍


Added https://os123.org

os123.org iframes sup2.supos123.org/guest.aspx

Added to the list @KinCryos.

Also added https://qcare.cc

Added https://shelp.info/