SimpleHelp Attack Remediation Steps

Hi all. This is a simple help page to assist people whose Windows computers have been compromised by an attacker using the SimpleHelp remote-control software.

To infect your computer, the attackers send you an email that appears to come from a friend, coworker, or colleague, asking you to click a link to confirm whether you are coming to their party or event. Of course there is no event; the attacker sent the email from your friend’s compromised email account.

Here is a sample of what two of these invites might look like.

NOTE: In the first image below ALL the links take your web browser to the malware. All the links, even the “Remove Yourself” link. Sneaky, right?

The second example looks very similar to the first:

You can see at the bottom of the second image that the URL just doesn’t look right.

What can you do?

Below are the steps I’ve used to successfully remove the bad software from a Windows computer. I’ve also included some content on what to do after the infection is remediated.

Please note that I cannot be held responsible if something you do as a result of this blog post messes up your computer, data, or anything. This is what worked for me, so I am sharing it. If this seems too complicated or you don’t want to type the commands this guide shows... fine, fine, I get it. Please:

  1. Stop your computer from talking on the network by unplugging the computer’s network cable or disabling WiFi (think Airplane mode).
  2. Give this website guide to a computer professional and suggest they use it.

While I am a recovering cyber security guy, I cannot help you with this process, advise you on your specific situation, or do anything more than express my faith that you can do it!!

The Guide

A Step-by-Step Guide to Removing Malicious Remote Access Software (SimpleHelp)

🔴  WHAT HAPPENED TO YOUR COMPUTER?

You received an email that tricked you into clicking a link or downloading a file. That file secretly installed a program called SimpleHelp on your computer. This program gives criminals full control of your computer — they can see your files, type on your keyboard, steal passwords, and more.

This guide will help you remove it. Follow each step carefully. If you get confused at any point, stop and ask someone for help rather than guessing.

🚨  DO THESE TWO THINGS IMMEDIATELY — BEFORE ANYTHING ELSE
  1. Unplug Your Internet. Pull out your ethernet cable, or turn off Wi-Fi. This cuts off the attacker’s access right now.
  2. Don’t Turn Off Your Computer Yet. Leave it on for now. You need it running to remove the software properly.

PART 1: Remove the Malicious Software

The next steps involve typing commands into a special window called the ‘Command Prompt’. Don’t worry — we will show you exactly what to type.

The guide is written so that you can print it out and check off each item that you do.

How to open Command Prompt as Administrator:

  • Click the Start button (Windows logo) at the bottom left of your screen
  • Type: cmd
  • Right-click on ‘Command Prompt’ in the results
  • Click ‘Run as administrator’
  • Click ‘Yes’ if a box pops up asking for permission
  • A black window with white text will appear — this is the Command Prompt

⚠ Type each command below EXACTLY as shown, then press ENTER after each one.

STEP 1: Stop the Attacker’s Programs
 Copy and paste each line below into the Command Prompt, pressing ENTER after each:
 taskkill /F /IM SimpleService.exe
 taskkill /F /IM "Remote AccessWinLauncher.exe"
 taskkill /F /IM simplehelper64.exe
 taskkill /F /IM session_win.exe
 taskkill /F /IM shcad.exe
 taskkill /F /IM javaw.exe
 ✅ It’s okay if some commands say ‘not found’ — just keep going.
STEP 2: Remove the Attacker’s Hidden Service
 Type these two commands:
 sc stop "Remote Access Service"
 sc delete "Remote Access Service"
 ✅ If it says ‘The specified service does not exist’, that is fine — move on.
STEP 3: Delete the Malicious Files
 Open File Explorer (the folder icon on your taskbar). Navigate to each of the following locations and DELETE the folder shown (‘Remote Access’ or ‘JWApps’) if it exists:
 C:\Program Files\Remote Access\
 C:\Program Files (x86)\Remote Access\
 C:\ProgramData\Remote Access\
 C:\ProgramData\JWApps\
 Tip: You can type any of these paths directly into the address bar at the top of File Explorer and press ENTER to jump right there.

PART 2: Confirm the Threat is Gone

Now that the malicious software has been removed, you can safely reconnect to the internet to run these final checks.

🌐  RECONNECT YOUR INTERNET NOW — Plug your network cable back in, or turn your Wi-Fi back on. It is now safe to do so — the attacker’s connection has been blocked. You will need internet access for some of the steps in Part 3.
STEP 5: Verify the Service is Removed
 Type this and press ENTER:
 sc query "Remote Access Service"
 ✅ GOOD: The response should say ‘The specified service does not exist’.
 ❌ BAD: If it shows anything else, the service is still present — contact a trusted tech-savvy person or your workplace IT department.
STEP 6: Check No Files Remain
 Type this and press ENTER:
 dir /s /b "%ProgramFiles%\SimpleService.exe"
 ✅ GOOD: The response should say ‘File Not Found’.
 ❌ BAD: If a file path is listed, repeat Steps 1–3 or contact a trusted tech-savvy person or your workplace IT department.

After both checks above pass, restart your computer. Once it has restarted, open the Command Prompt again (same way as before) and repeat Steps 5 and 6 one more time.

Why? Some malicious software can reinstall itself when your computer restarts. Running the checks again after a reboot confirms it is truly gone.

✅  If both checks still pass after the reboot, you are clear to move on to Part 3.
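The checks in Parts 1 and 2 can also be run in one pass. The following is an added PowerShell example, not part of the original guide, and it is read-only: it only reports whether the processes, service, folders and executable the guide names are still present (widening the Step 6 file search to every folder root the guide lists) and points out any serviceconfig.xml that Part 4 says to save. It assumes a PowerShell window opened as administrator, the same way the guide opens Command Prompt.

```powershell
# Added example, not part of the original guide: a read-only check that mirrors
# Parts 1 and 2 and reports anything that remains. Run in an elevated PowerShell.
$procNames   = 'SimpleService', 'Remote AccessWinLauncher', 'simplehelper64',
               'session_win', 'shcad', 'javaw'
$serviceName = 'Remote Access Service'
$roots       = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
               Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$folders     = "$env:ProgramFiles\Remote Access",
               "${env:ProgramFiles(x86)}\Remote Access",
               "$env:ProgramData\Remote Access",
               "$env:ProgramData\JWApps"
$findings    = @()

# Step 1: are any of the attacker's processes still running?
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += "Process still running: $($p.ProcessName) (PID $($p.Id))"
}

# Steps 2 and 5: does the hidden service still exist?
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service still present: '$serviceName' (status $($svc.Status))" }

# Step 3: do any of the installation folders still exist? If so, list any
# serviceconfig.xml inside them, which Part 4 says to copy before deleting.
foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $findings += "Folder still present: $f"
    foreach ($cfg in Get-ChildItem -LiteralPath $f -Recurse -Filter 'serviceconfig.xml' -ErrorAction SilentlyContinue) {
        $findings += "  Evidence to save first: $($cfg.FullName)"
    }
}

# Step 6, widened beyond the guide's single %ProgramFiles% search: look for
# SimpleService.exe under every root the guide's folder list uses.
foreach ($root in $roots) {
    foreach ($exe in Get-ChildItem -LiteralPath $root -Recurse -Filter 'SimpleService.exe' -ErrorAction SilentlyContinue) {
        $findings += "File still present: $($exe.FullName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'GOOD: nothing from the guide''s list remains. Reboot and run this again.' -ForegroundColor Green
} else {
    Write-Host 'BAD: items remain. Repeat Steps 1-3 or get help (see Part 2).' -ForegroundColor Red
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

Because the script deletes nothing, it is safe to run both before and after the reboot that Part 2 asks for.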

PART 3: After Removal — What to Do Next

These next steps are very important. Don’t skip them.

Change Your Passwords

Even after removing this software, the attacker may already have copied your passwords and be able to keep using them. Change them — especially for:

  • Your email account
  • Your bank and financial accounts
  • Any work accounts or VPNs
  • Your computer’s login password

Change passwords from a DIFFERENT device (like your phone) if possible, just to be safe.

Check Your Web Browser History

The attacker may have used your web browser to visit websites, log into accounts, or download more malicious software. Here’s how to check what happened:

How to open your browser history:

  • Chrome or Edge: Press Ctrl + H on your keyboard
  • Firefox: Press Ctrl + H on your keyboard

What to look for — flag anything you don’t recognize:

  • Websites you never visited — especially banking, email, or social media sites
  • Downloads you didn’t initiate — look for visits to file download pages
  • Searches you didn’t make — scroll through and look for anything unusual
  • Visits to remote access or VPN sites (e.g., ngrok.io, anydesk.com, teamviewer.com)
  • Any activity during times you were NOT using your computer
💡  Tip: Look for activity around the time the infection happened. If you clicked the suspicious link at 2pm, look at everything from 2pm onward for that day.

How to check download history:

  • Chrome or Edge: Press Ctrl + J to open your Downloads list
  • Firefox: Press Ctrl + J to open your Downloads list
  • Look for files you don’t recognize — especially .exe, .scr, .bat, or .zip files

Screenshot or write down anything suspicious before clearing your history. This information could be useful if you need to report the incident.

Check Your Screensaver and Power Settings

Attackers sometimes change your screensaver and sleep settings to stop your computer from locking itself — making it easier for them to access it again later. Check that these are set correctly:

How to check:

  • Click the Start button and type: Control Panel, then press ENTER
  • Click ‘Power Options’ — make sure your computer is set to sleep after no more than 10–15 minutes of inactivity
  • Right-click on your Desktop and choose ‘Personalize’, then click ‘Lock Screen’, then ‘Screen saver settings’ — make sure a screensaver is set and ‘On resume, display logon screen’ is checked
💡  Tip: If your computer was previously set to sleep or lock automatically and no longer does, the attacker likely changed these settings.

Watch for Suspicious Activity

Over the next few weeks, keep an eye out for:

  • Unexpected emails saying your password was changed
  • Strange activity on your bank statements
  • Accounts you can’t log into anymore
  • Friends or coworkers saying they got odd messages from you

Run a Full Antivirus Scan

If you have antivirus software (Windows Defender, Malwarebytes, etc.), run a FULL scan now — not a quick scan.

Consider Enabling Multi-Factor Authentication (MFA)

MFA means even if someone has your password, they still can’t log in without a second code sent to your phone. Most email, banking, and social media accounts offer this in their Security Settings.

PART 4: Important — Save Evidence & Stay Alert

If this happened at work or you may want to report this to law enforcement, do NOT delete anything until you have saved copies of the following:
  • The original suspicious file you clicked (e.g., RSVP_E_CARD_INVITEDOC.scr)
  • The original phishing email — do not delete it; forward it to [email protected] or [email protected]
  • Any files named ‘serviceconfig.xml’ found in the installation folders — these contain technical details about the attack

Take screenshots of anything suspicious you notice before deleting it.

You may want to tell the person that sent you the invite that their computer may be compromised. DO NOT SEND THEM AN EMAIL as the attackers might see it and delete it. Instead, send a text message or call them.

⚠ Watch Out for Follow-Up Attacks

This is very important: attackers who have already successfully targeted you once are very likely to try again.

🎣  BEWARE OF FOLLOW-UP PHISHING EMAILS

In the days, weeks, or even months after this attack, you may receive more phishing emails designed to re-infect your computer. These may look very convincing — they might appear to come from a bank, a delivery company, Microsoft, or even someone you know.

Follow these rules for every email going forward:

  • Do NOT click any links in emails — even if the email looks legitimate
  • Instead, open a new browser tab and manually type the website address yourself (e.g., type ‘www.yourbank.com’ rather than clicking a link in an email)
  • Be suspicious of any email that creates a sense of urgency — ‘Act now!’, ‘Your account will be closed!’, ‘You have a package waiting!’
  • If an email contains a phone number and asks you to call it — DO NOT CALL IT. Attackers use fake phone numbers to trick victims into giving up information or re-installing malware
  • When in doubt, contact the company directly by visiting their official website yourself
💡  Simple rule: If you did not expect an email, and it contains a link or attachment — do not click it. Go to the website directly instead.

🆘  WHEN TO STOP AND GET HELP

Please reach out to a trusted tech-savvy friend or family member, your workplace IT department, or a professional cybersecurity service if:

  • Any of the verification checks in Part 2 show the attacker is still present
  • You are uncomfortable with any of the steps above
  • This happened on a work computer — your employer’s IT team needs to know as soon as possible
  • You believe sensitive data (passwords, financial info, personal files) was accessed
  • You are unsure if you completed the steps correctly

You can also report cybercrime to the FBI’s Internet Crime Complaint Center at: ic3.gov

This guide was prepared in response to active exploitation of SimpleHelp RMM (CVE-2024-57727). For IT professionals, please refer to CISA Advisory AA25-163A for full technical details.
