Jump to content

Recommended Posts

  • Staff

What is Weather Wizard?

The Malwarebytes research team has determined that Weather Wizard is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Weather Wizard?

You may see this warning during install:

main.png

these tasks in your Task Scheduler:

warning3.png

and this entry in your list of installed programs:

warning4.png

How did Weather Wizard get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with a weather app.

warning1.png

But it also installs files that will produce a Blue Screen of Death (BSOD) with the Tech Support Scammers number.

warning2.png

How do I remove Weather Wizard?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Weather Wizard?
  • No, Malwarebytes' Anti-Malware removes Weather Wizard completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam.

protection1.png

Technical details for experts

No visible signs in a HijackThis log

You may see these entries in FRST logs:

 () C:\Windows\SysInfo.exe C:\Windows\System32\Tasks\Lanwifi C:\Windows\System32\Tasks\Systemhi C:\Users\{username}\Desktop\Weather Wizard.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard C:\Program Files (x86)\Weather Wizard () C:\Windows\SysFix.exe () C:\Windows\amdave64Win.exe () C:\Windows\SysInfo.exe C:\Windows\sc.bat () C:\Windows\winLoad32.exeWeather Wizard 1.0 (HKLM-x32\...\Weather Wizard) (Version: 1.0 - weatther wizard)Task: {05925C2D-D54B-4F7A-AE1A-D45D7D2F859B} - System32\Tasks\Systemhi => C:\Windows\SysInfo.exe [2016-01-20] ()Task: {660A8E20-C12D-4767-931F-1CFED04974A5} - System32\Tasks\Lanwifi => C:\Windows\amdave64Win.exe [2016-01-20] ()
Alterations made by the installer:

File system details [View: All details] (Selection)---------------------------------------------------    Adds the folder C:\Program Files (x86)\Weather Wizard       Adds the file Newtonsoft.Json.dll"="04/01/2016 06:37, 520192 bytes, A       Adds the file Newtonsoft.Json.xml"="04/01/2016 06:37, 501178 bytes, A       Adds the file uninst.exe"="01/02/2016 08:30, 405247 bytes, A       Adds the file Weather Wizard.url"="01/02/2016 08:30, 50 bytes, A       Adds the file WeatherApp.exe"="08/01/2016 11:54, 1042432 bytes, A    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard       Adds the file Uninstall.lnk"="01/02/2016 08:30, 840 bytes, A       Adds the file Weather Wizard.lnk"="01/02/2016 08:30, 1077 bytes, A       Adds the file Website.lnk"="01/02/2016 08:30, 1097 bytes, A    Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard    In the existing folder C:\Users\{username}\Desktop       Adds the file Weather Wizard.lnk"="01/02/2016 08:30, 1059 bytes, A    In the existing folder C:\Windows       Adds the file amdave64Win.exe"="20/01/2016 13:45, 12288 bytes, A       Adds the file keywords.txt"="07/01/2016 10:08, 195217 bytes, A       Adds the file sc.bat"="19/01/2016 11:18, 198 bytes, A       Adds the file SysFix.exe"="20/01/2016 13:46, 12288 bytes, A       Adds the file SysInfo.exe"="20/01/2016 09:50, 20992 bytes, A       Adds the file winLoad32.exe"="19/01/2016 10:13, 44032 bytes, A    In the existing folder C:\Windows\System32\Tasks       Adds the file Lanwifi"="01/02/2016 08:30, 3584 bytes, A       Adds the file Systemhi"="01/02/2016 08:30, 3576 bytes, ARegistry details [View: All details] (Selection)------------------------------------------------    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherApp.exe]       "(Default)"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\WeatherApp.exe"    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]       "SystemFix"="REG_SZ", "C:\windows\winLoad32.exe"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Weather Wizard]       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\WeatherApp.exe"       "DisplayName"="REG_SZ", "Weather Wizard 1.0"       "DisplayVersion"="REG_SZ", "1.0"       "Publisher"="REG_SZ", "weatther wizard"       "UninstallString"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\uninst.exe"       "URLInfoAbout"="REG_SZ", "http://www.mycompany.com"    [HKEY_CURRENT_USER\SOFTWARE\weatherapp]       "ver"="REG_SZ", "1"
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 01/02/2016Scan Time: 08:39Logfile: mbamWeatherWizard.txtAdministrator: YesVersion: 2.2.0.1020Malware Database: v2016.02.01.01Rootkit Database: v2016.01.20.01License: PremiumMalware Protection: DisabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 318272Time Elapsed: 5 min, 8 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 1Rogue.TechSupportScam, C:\Windows\SysInfo.exe, 528, Delete-on-Reboot, [6b1a104b3b5ee55117c5af30ee138d73]Modules: 0(No malicious items detected)Registry Keys: 2PUP.Optional.WeatherWizard, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Weather Wizard, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], Rogue.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Systemhi, Delete-on-Reboot, [87fefb60ebae69cda6c6083f35cfaa56], Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 3PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard, Delete-on-Reboot, [5332b8a33f5a22149b9d4ff872923ac6], PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard, Quarantined, [bacbb9a287121224028e76698a78c937], PUP.Optional.WeatherWizard, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard, Quarantined, [70154318e6b3c175bcd4eff0f30f6a96], Files: 17Rogue.TechSupportScam, C:\Windows\SysInfo.exe, Delete-on-Reboot, [6b1a104b3b5ee55117c5af30ee138d73], Rogue.TechSupportScam, C:\Users\{username}\Desktop\ww[1].exe, Quarantined, [e3a2f467afea3402b824c916758c6997], Rogue.TechSupportScam, C:\Windows\amdave64Win.exe, Quarantined, [1c6986d5039639fd20bc6a7537ca42be], Rogue.TechSupportScam, C:\Windows\SysFix.exe, Quarantined, [87fedf7c019893a3e9f3b32c2ad747b9], Rogue.TechSupportScam, C:\Windows\winLoad32.exe, Quarantined, [2065a5b66e2b4bebf090f8e53dc49868], PUP.Optional.WeatherWizard, C:\Users\{username}\Desktop\Weather Wizard.lnk, Quarantined, [2d588bd0336660d61c1b51f60400dd23], PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Weather Wizard.url, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Newtonsoft.Json.dll, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Newtonsoft.Json.xml, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\uninst.exe, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\WeatherApp.exe, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], Rogue.TechSupportScam, C:\Windows\System32\Tasks\Systemhi, Quarantined, [14710a51237661d573f743047193cb35], PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Uninstall.lnk, Quarantined, [bacbb9a287121224028e76698a78c937], PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Weather Wizard.lnk, Quarantined, [bacbb9a287121224028e76698a78c937], PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Website.lnk, Quarantined, [bacbb9a287121224028e76698a78c937], PUP.Optional.MorePowerfulCleaner, C:\Windows\keywords.txt, Quarantined, [f491df7ce4b573c37a5efcfee42024dc], Rogue.TechSupportScam, C:\Windows\sc.bat, Quarantined, [4a3b3328f4a5082ed20a3fbbae560ff1], Physical Sectors: 0(No malicious items detected)(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.