How to Remove Remote Access Scam Backdoors in 2026: Step-by-Step Guide for Windows Users
Remote access scams often begin with fake pop-ups or calls warning that your "Microsoft computer has been blocked" or your device is infected. Scammers persuade users to grant remote control, then install persistent backdoors like ScreenConnect Client. These connect to attacker domains such as trustconnectsoftware[.]com, enabling ongoing access even after the initial session.
This guide outlines verified steps to identify the scam, disconnect active threats, remove known backdoors through services, registry, and files, scan with effective antivirus tools, and prevent reinstallation. It focuses on Windows users affected by tech support scams, drawing from the Microsoft Security Blog on 2026 threats and other sources. Follow these steps to regain control safely.
Spot the Remote Access Scam Before It Escalates
Spotting scam tactics early can stop deeper infections. Watch for browser pop-ups or notifications claiming "Microsoft computer has been blocked" or fake errors that urge contacting a "Microsoft technician" by phone or link (Cybernews). Scammers build urgency with warnings of infections or bank risks, typically through unsolicited calls or emails (Microsoft Support; Splashtop).
Microsoft never starts unsolicited support contacts. Legitimate tools like Splashtop work safely only with permission, though scammers exploit them. Any pressure to act quickly or install software signals a scam--pause and verify on your own.
Immediate Steps to Disconnect and Isolate the Threat
Move fast to stop active access, even without deep technical skills. Close the browser or leave the malicious site causing pop-ups. Terminate any open third-party remote sessions, such as TeamViewer or Chrome Remote Desktop (Microsoft Q&A).
Disabling Windows Remote Desktop won't block scammers, who depend on third-party tools (Ask Leo!). Steer clear of further contact with suspicious parties. Disconnect from the internet briefly to isolate the PC, then move to removal.
Step-by-Step Removal of Known Remote Access Backdoors
Scammers plant persistent backdoors like ScreenConnect Client that endure reboots. The Microsoft Security Blog from 2026 details how these create services and registry entries for outbound connections to trustconnectsoftware[.]com.
Warning: Editing the registry risks system problems. Back up first via File > Export in Registry Editor (regedit.exe). Proceed only if comfortable, or get professional help.
- Check and delete the service: Open Command Prompt as administrator. Run services.msc. Look for "ScreenConnect Client" under HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client (with a 16-digit hexadecimal ID). Right-click > Delete if found. Restart the PC.
- Remove the Run key: Open regedit.exe. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the "TrustConnectAgent" entry, which launches C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe.
- Delete files: Navigate to C:\Program Files (x86)\ScreenConnect Client [Client ID] and delete the folder. Also check and remove suspicious files in C:\Program Files\Adobe Acrobat Reader\, such as AdobeReader.exe if linked to the backdoor.
Reboot and watch for reconnection attempts to trustconnectsoftware[.]com. Microsoft Defender XDR users can run queries for related RMM activity.
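The service, Run key, and file locations from the steps above can be checked in one pass with a read-only PowerShell audit. This is an added example, not code from the Microsoft Security Blog or the other sources cited here. It assumes an elevated PowerShell window; checking CurrentControlSet as well as ControlSet001 and reading the file's Authenticode signature are additions beyond what the steps list.

```powershell
# Read-only audit for the indicators listed in this guide. It deletes nothing.
# Run it before cleanup to see what is present, and again after the reboot.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Service keys named "ScreenConnect Client ..." (the name carries a client ID).
#    ControlSet001 is the path the guide names; CurrentControlSet is the active
#    control set and is checked as an added assumption.
$serviceRoots = @(
    'HKLM:\SYSTEM\ControlSet001\Services'
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)
foreach ($root in $serviceRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ScreenConnect Client*' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            Add-Finding 'Service key' $_.Name $props.ImagePath
        }
}

# 2. The "TrustConnectAgent" value under the machine-wide Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['TrustConnectAgent']) {
    Add-Finding 'Run value' "$runKey\TrustConnectAgent" $run.TrustConnectAgent
}

# 3. Install folders "ScreenConnect Client [Client ID]".
Get-ChildItem -Path 'C:\Program Files (x86)' -Directory -Filter 'ScreenConnect Client*' `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Folder' $_.FullName "Modified $($_.LastWriteTime)" }

# 4. The executable the Run value launches; the signer helps tell it apart
#    from a genuine Adobe binary (signature check is an added step).
$readerPath = 'C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe'
if (Test-Path -LiteralPath $readerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $readerPath
    Add-Finding 'File' $readerPath "Signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
}

if ($findings.Count -eq 0) { 'No indicators from this guide were found.' }
else { $findings | Format-List }
```

An empty result after the reboot means only that these specific indicators are gone; the antivirus scan in the next section still applies.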
Best Antivirus Tools to Scan and Eliminate Remaining Malware
After manual removal, scan for leftovers using proven tools. Tests from PCMag UK in 2026 evaluated performance on malware samples, including those driving pop-ups. TotalAV stands out for pop-up scam removal (Cybernews).
| Tool | Detection Rate (Malware Samples) | URL Block Rate | Strengths for Scam Cleanup |
|---|---|---|---|
| Avast/Norton | 97% (9.7/10 score) | Norton: 99% | High overall detection; effective on downloads |
| Bitdefender | 93-100% (9.0-10/10 score) | High on URLs | Strong on curated malware and web threats |
| TotalAV | Effective on pop-up scams | N/A | Tailored for browser-based scam removal |
These rates stem from specific lab tests; results vary by threat type. Run full scans after removal--TotalAV fits pop-up remnants, while Avast/Norton or Bitdefender tackle broader persistence. Update tools first for 2026 threats.
Lock Down Your PC: Prevention After Removal
Prevent reinstallation by securing remote access features. Disable unnecessary Windows Remote Desktop after legitimate use. Stick to trusted tools only with explicit permission and independent checks.
| Tool/Tool Type | Legitimate Use Case | Scam Risk if Misused |
|---|---|---|
| Splashtop | Safe with permission for support | High if coerced by scammers |
| Quick Assist | Requires explicit permission | Lower due to consent prompts |
| TeamViewer/Chrome Remote Desktop | Valid for trusted remote help | Frequently abused in tech scams |
| Windows Remote Desktop | Built-in for controlled access | Does not block third-party scams |
Verify contacts through official channels before granting access. Avoid unsolicited remote sessions entirely (Splashtop; Ask Leo!).
FAQ
How do I know if scammers installed remote access on my PC?
Look for pop-ups like "Microsoft computer blocked," unsolicited urgent calls, or tools like ScreenConnect Client in services/registry (Cybernews; Microsoft Security Blog).
Does turning off Windows Remote Desktop stop all scam access?
No, scammers use third-party tools like TeamViewer or Chrome Remote Desktop, which it does not affect (Ask Leo!).
What are the signs of ScreenConnect Client backdoor malware?
Service at HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client, Run key "TrustConnectAgent," files in C:\Program Files (x86)\ScreenConnect Client, and connections to trustconnectsoftware[.]com (Microsoft Security Blog).
Which antivirus is best for removing remote access scam remnants?
Avast/Norton (97% detection), Bitdefender (93-100%), or TotalAV for pop-ups--select based on full scans and test strengths (PCMag UK; Cybernews).
Can I safely use TeamViewer after a scam incident?
Yes, but only with trusted parties and after a full cleanup; avoid it if you were previously coerced into using it, because of the misuse risk (Microsoft Q&A).
How do I run a Microsoft Defender query for RMM activity?
Microsoft Defender XDR customers can execute queries to detect related remote monitoring activity, as detailed in security blogs (Microsoft Security Blog).
Run a full antivirus scan today, monitor for unusual network activity, and verify all future support requests independently.