Hacked by screen connect client

Hi
I noticed yesterday that somebody had remote access to my computer. After much searching, re-installing and rebooting, I’ve determined that it was Connectwise and their screen connect client. I’m not particularly tech savvy but normally good enough to not fall for a scam so I don’t remember entering a code except for the normal bank type 2FAs. Anyway, I got this thing somehow and I have two questions/observations:

  1. Avast was notifying me of something malicious but despite quarantining and rebooting, the little bugger got back in.
  2. I have now uninstalled the client and rebooted a couple of times and don’t see it in services or task manager. Am I safe or could it still come back?

Thanks
Mitch

Not knowing how it got on and/or what was being quarantined by Avast, it would be hard to say.

Connectwise is not a scam program; it is similar to TeamViewer.

I think it was an email from the “Social Security Administration”. I’m normally good at spotting these types of emails but the fake one came in at exactly the same time as two legitimate ones (one for me and one on my wife’s account) and when I opened my email client I clicked on the wrong one. I only opened the email and realized my mistake before I clicked on any links or attachments.

I think one of the malicious files was auoct.js and the other was yjvski.js

I would be surprised if it wasn’t the Mail Shield that alerted, given JavaScript files would be unusual in emails.

That said I don’t think the Mail Shield would alert in this way and send it to Quarantine as you mentioned.

Sorry, I wasn’t clear. I didn’t have Avast when I received the email. The app I was using at the time flashed the auoct warning but obviously didn’t deal with it as I later saw the hacker trying to get past the lock screen.

Avast gave me the warning yesterday, randomly, and I must admit I panicked a little bit and just shut everything down without paying too much attention. But Avast didn’t fix the problem either. I saw the hacker on my computer again.

Now, I think uninstalling Connectwise has solved the problem but I’m not sure. Without catching him in the act again, how can I know if I’m safe?

Thanks
Mitch

You could try running an ‘on-demand’ check with free version Malwarebytes to see if there are any traces left.

By on-demand, it means that the program isn’t active all of the time, only when run, or the program can conflict with Avast, which is an on-access antivirus.

See https://forums.malwarebytes.com/topic/305935-using-malwarebytes-as-on-demand-scanner-with-f-secure-on-android/

The Free version is, as far as I’m aware, on-demand only (but you are likely to get nagged to buy): https://www.malwarebytes.com/solutions/free-antivirus

Thanks. I have tried that now and it found some “Potentially Unwanted Programs” which I don’t THINK are anything to do with the problem.

I assume it is these .js files that are turning Connectwise into malware. My concern is that Avast and Avira have both detected but failed to deal with these .js files. Both flashed a warning and supposedly quarantined these files but the problem re-occurred. Now Malwarebytes is not giving me any .js file warnings. Is it possible that the little buggers are still hiding somewhere?

I keep checking services to make sure that the Connectwise client is not running but I can’t do that every time I look away from my computer (I have my screen timeout set to 3 minutes so when I do step away there is only a small window for the hacker to get on my computer while I’m not looking).

Another thing, I definitely don’t remember providing the code that Connectwise supposedly needs to connect. I am aware of remote access software and think I would have spotted that as a scam attempt. I enter codes all the time but only when trying to connect to banks, etc. Connections that I have initiated.

Thanks again for your help

You’re welcome.
Unfortunately malware removal isn’t my strong suit - prevention is generally easier.