(Like many of my technology postings, this is really here for my own notes on problems I run into, the solutions I try and what works when. They are updated as I learn.)
Had a patron bring their laptop in. They had encountered some ransomware and called the number. They had given the scammers their credit card number and let them remotely into their computer. The patron was jazzed because they were never charged. But the computer was slow and they suspected it was compromised.
Well… there was a phone number (SK-1-844-307-1727) embedded in their task bar and further conversation revealed that the patron had called the number subsequently for help with passwords. This sounded bad. To make matters weirder, the laptop had been running Windows 7 until Monday night, when it installed Windows 10. They brought the laptop in on Tuesday.
Malwarebytes found nothing.
Adware remover found nothing.
There were a whole bunch of Windows updates not going through. I went into services and restarted the Update Service.
Rkill found nothing.
Searching online for the phone number you get a number of sites that "walk you through" how to remove it. Always the same bullshit where they direct you to Task Manager to "stop the malicious program" and show how to "remove malicious programs" with no further info on what the malicious programs are named and screenshots of stopping and removing programs like Firefox. OR they recommend buying Spyhunter 4. So we know where Spyhunter 4 makes their money.
Tried the old JRT. Nothing found.
SUPERAntiSpyware found over 200 hundred trackers and an extension in Internet Explorer that might be part of the problem. Clever, since I would not have thought to look at IE since the upgrade.
Ran a free trial of HitmanPro. That found a couple of dozen problems.
But the phone number is still on the Task Bar.
I had tried right-clicking on the Task Bar before and finding how to remove the number. This time, after running HitmanPro, I was able to find the number under Toolbars and remove it.