Hello Fox Glen Gate Guard,
I'm sorry for the headache. Based on what you've described, this looks like it could be a scammer-installed ScreenConnect (ConnectWise) rather than a traditional virus — though the effect is similar in that someone may have had remote access to the machine. The AI's subinacl suggestion was probably the wrong path; this doesn't really look like an ACL problem.
The likely reason ScreenConnect.WindowsAuthenticationPackage.dll refuses to delete is that, judging by the name, it appears to be registered as a Windows LSA Authentication Package. If that's the case, lsass.exe loads it at every boot from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages into its own (protected) process, which would hold the file open the entire session. takeown and remove-item -force can't break a live lock held by a protected SYSTEM process — Windows just reports "Access denied", which is misleading. The "reinstall a month later" behavior could be the ScreenConnect service self-healing, or possibly the attacker reconnecting.
Here's a path that should be worth trying:
1. Try a proper uninstall of the ScreenConnect client first
Open Programs and Features and look for ScreenConnect Client (cae8a7eb97fb2c95). If it's there, uninstall it. If it's hidden from the list (common with scam installs), open an elevated Command Prompt and run sc delete "ScreenConnect Client (cae8a7eb97fb2c95)", then reboot.
2. Check the LSA registration so the DLL stops loading
Open regedit as admin and go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa. In the multi-string value Authentication Packages, see if anything references ScreenConnect.WindowsAuthenticationPackage — if so, remove that line so only the defaults (e.g. msv1_0) remain. Reboot. Once lsass no longer loads it, the DLL should just be an ordinary file you can delete normally.
3. Clean up leftovers
Delete the folder C:\Program Files (x86)\ScreenConnect Client (cae8a7eb97fb2c95), then in regedit do Ctrl+F and search for ScreenConnect and the thumbprint cae8a7eb97fb2c95 and remove matching entries.
However, because this is a multi-user PC, the file has been coming back for at least a month, and a remote-access tool ended up installed without consent, it's probably safer to assume the machine could be compromised beyond just this one DLL — keyloggers, stored credentials, browser sessions, and other backdoors are all possibilities. The safest course is likely to back up personal files, change important passwords from a different device, and do a Reset This PC > Remove everything (or a clean Windows install).
Hope this helps you finally close the door on it.
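The checks in steps 1 to 3 can be gathered in one read-only pass before anything is removed. The script below is an added example, not part of the original answer; it assumes the default registry locations and that the product's names contain the string ScreenConnect, as the file and folder names above do.

```powershell
# Added example: read-only audit for the ScreenConnect traces named in the steps above.
# Run from an elevated PowerShell prompt. Nothing is modified or deleted.
$pattern = 'ScreenConnect'   # assumption: default product naming, as in the names above

# Step 2: LSA authentication packages (REG_MULTI_SZ that lsass.exe reads at boot)
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = @(Get-ItemPropertyValue -Path $lsaKey -Name 'Authentication Packages')
'--- LSA Authentication Packages ---'
foreach ($p in $packages) {
    $flag = if ($p -match $pattern) { 'REVIEW' } else { 'ok    ' }
    "{0}  {1}" -f $flag, $p
}

# Step 1: services whose name or binary path mentions ScreenConnect
'--- Services ---'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
    Format-List Name, State, StartMode, PathName

# Step 1: uninstall entries, including ones hidden from Programs and Features
# (SystemComponent = 1 hides an entry from that list)
'--- Uninstall entries ---'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Format-List DisplayName, Publisher, InstallDate, SystemComponent, UninstallString

# Step 3: leftover install folders under both Program Files roots
'--- Install folders ---'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Directory -Filter 'ScreenConnect Client*' -ErrorAction SilentlyContinue |
    Format-Table FullName, CreationTime, LastWriteTime -AutoSize
```

Running it again after the reboot in step 2 shows whether the LSA entry, service or folder has come back.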