The Malwarebytes research team has determined that Weather Wizard is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.
How do I know if my computer is affected by Weather Wizard?
You may see this warning during install:
these tasks in your Task Scheduler:
and this entry in your list of installed programs:
How did Weather Wizard get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with a weather app.
But it also installs files that produce a Blue Screen of Death (BSOD) displaying the Tech Support Scammers' phone number.
How do I remove Weather Wizard?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No further action is needed; Malwarebytes Anti-Malware removes Weather Wizard completely.
- This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove scheduled tasks.
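An added, read-only check (not part of the original guide or of Malwarebytes' tooling) for the artifacts recorded in the technical details below: the dropped files in C:\Windows, the Lanwifi and Systemhi tasks, the SystemFix Run value and the uninstall entry. It assumes an elevated PowerShell session on the affected machine and only reports what it finds; it removes nothing.

```powershell
# Added example, not from the original guide: report Weather Wizard artifacts without changing anything.
# Assumption: run from an elevated PowerShell prompt on the machine being checked.

$win = $env:windir
$findings = @()

# Executables and scripts the installer drops into C:\Windows (see the FRST and installer listings)
$droppedFiles = 'SysInfo.exe', 'SysFix.exe', 'amdave64Win.exe', 'winLoad32.exe', 'sc.bat', 'keywords.txt'
foreach ($f in $droppedFiles) {
    $p = Join-Path $win $f
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Scheduled tasks Lanwifi and Systemhi: the task definition under System32\Tasks
# and the matching entry in the Task Scheduler's TaskCache tree
foreach ($t in 'Lanwifi', 'Systemhi') {
    $taskFile = Join-Path $win "System32\Tasks\$t"
    if (Test-Path -LiteralPath $taskFile) { $findings += "Task file present: $taskFile" }
    $cacheKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\$t"
    if (Test-Path -LiteralPath $cacheKey) { $findings += "Task registered: $cacheKey" }
}

# Autorun value "SystemFix" that launches winLoad32.exe at logon
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).SystemFix
if ($runVal) { $findings += "Run value SystemFix = $runVal" }

# Uninstall entry and program folder (Program Files (x86) on 64-bit, Program Files on 32-bit)
$uninstKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Weather Wizard'
if (Test-Path -LiteralPath $uninstKey) { $findings += "Uninstall key present: $uninstKey" }
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$progDir = Join-Path $pf 'Weather Wizard'
if (Test-Path -LiteralPath $progDir) { $findings += "Program folder present: $progDir" }

if ($findings.Count -eq 0) {
    Write-Output 'No Weather Wizard artifacts found.'
} else {
    Write-Output "Weather Wizard artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on any of the task or Run entries is the sign that the BSOD component is still set to run; removal is then done with the steps above, followed by the scheduled task check.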
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.
Technical details for experts
No visible signs in a HijackThis log
You may see these entries in FRST logs:
() C:\Windows\SysInfo.exe
C:\Windows\System32\Tasks\Lanwifi
C:\Windows\System32\Tasks\Systemhi
C:\Users\{username}\Desktop\Weather Wizard.lnk
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard
C:\Program Files (x86)\Weather Wizard
() C:\Windows\SysFix.exe
() C:\Windows\amdave64Win.exe
() C:\Windows\SysInfo.exe
C:\Windows\sc.bat
() C:\Windows\winLoad32.exe
Weather Wizard 1.0 (HKLM-x32\...\Weather Wizard) (Version: 1.0 - weatther wizard)
Task: {05925C2D-D54B-4F7A-AE1A-D45D7D2F859B} - System32\Tasks\Systemhi => C:\Windows\SysInfo.exe [2016-01-20] ()
Task: {660A8E20-C12D-4767-931F-1CFED04974A5} - System32\Tasks\Lanwifi => C:\Windows\amdave64Win.exe [2016-01-20] ()

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Weather Wizard
   Adds the file Newtonsoft.Json.dll"="04/01/2016 06:37, 520192 bytes, A
   Adds the file Newtonsoft.Json.xml"="04/01/2016 06:37, 501178 bytes, A
   Adds the file uninst.exe"="01/02/2016 08:30, 405247 bytes, A
   Adds the file Weather Wizard.url"="01/02/2016 08:30, 50 bytes, A
   Adds the file WeatherApp.exe"="08/01/2016 11:54, 1042432 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard
   Adds the file Uninstall.lnk"="01/02/2016 08:30, 840 bytes, A
   Adds the file Weather Wizard.lnk"="01/02/2016 08:30, 1077 bytes, A
   Adds the file Website.lnk"="01/02/2016 08:30, 1097 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard
In the existing folder C:\Users\{username}\Desktop
   Adds the file Weather Wizard.lnk"="01/02/2016 08:30, 1059 bytes, A
In the existing folder C:\Windows
   Adds the file amdave64Win.exe"="20/01/2016 13:45, 12288 bytes, A
   Adds the file keywords.txt"="07/01/2016 10:08, 195217 bytes, A
   Adds the file sc.bat"="19/01/2016 11:18, 198 bytes, A
   Adds the file SysFix.exe"="20/01/2016 13:46, 12288 bytes, A
   Adds the file SysInfo.exe"="20/01/2016 09:50, 20992 bytes, A
   Adds the file winLoad32.exe"="19/01/2016 10:13, 44032 bytes, A
In the existing folder C:\Windows\System32\Tasks
   Adds the file Lanwifi"="01/02/2016 08:30, 3584 bytes, A
   Adds the file Systemhi"="01/02/2016 08:30, 3576 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherApp.exe]
   "(Default)"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\WeatherApp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "SystemFix"="REG_SZ", "C:\windows\winLoad32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Weather Wizard]
   "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\WeatherApp.exe"
   "DisplayName"="REG_SZ", "Weather Wizard 1.0"
   "DisplayVersion"="REG_SZ", "1.0"
   "Publisher"="REG_SZ", "weatther wizard"
   "UninstallString"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\uninst.exe"
   "URLInfoAbout"="REG_SZ", "http://www.mycompany.com"
[HKEY_CURRENT_USER\SOFTWARE\weatherapp]
   "ver"="REG_SZ", "1"

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/02/2016
Scan Time: 08:39
Logfile: mbamWeatherWizard.txt
Administrator: Yes

Version: 2.2.0.1020
Malware Database: v2016.02.01.01
Rootkit Database: v2016.01.20.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318272
Time Elapsed: 5 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Rogue.TechSupportScam, C:\Windows\SysInfo.exe, 528, Delete-on-Reboot, [6b1a104b3b5ee55117c5af30ee138d73],

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.WeatherWizard, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Weather Wizard, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6],
Rogue.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Systemhi, Delete-on-Reboot, [87fefb60ebae69cda6c6083f35cfaa56],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard, Delete-on-Reboot, [5332b8a33f5a22149b9d4ff872923ac6],
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard, Quarantined, [bacbb9a287121224028e76698a78c937],
PUP.Optional.WeatherWizard, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard, Quarantined, [70154318e6b3c175bcd4eff0f30f6a96],

Files: 17
Rogue.TechSupportScam, C:\Windows\SysInfo.exe, Delete-on-Reboot, [6b1a104b3b5ee55117c5af30ee138d73],
Rogue.TechSupportScam, C:\Users\{username}\Desktop\ww[1].exe, Quarantined, [e3a2f467afea3402b824c916758c6997],
Rogue.TechSupportScam, C:\Windows\amdave64Win.exe, Quarantined, [1c6986d5039639fd20bc6a7537ca42be],
Rogue.TechSupportScam, C:\Windows\SysFix.exe, Quarantined, [87fedf7c019893a3e9f3b32c2ad747b9],
Rogue.TechSupportScam, C:\Windows\winLoad32.exe, Quarantined, [2065a5b66e2b4bebf090f8e53dc49868],
PUP.Optional.WeatherWizard, C:\Users\{username}\Desktop\Weather Wizard.lnk, Quarantined, [2d588bd0336660d61c1b51f60400dd23],
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Weather Wizard.url, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6],
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Newtonsoft.Json.dll, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6],
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Newtonsoft.Json.xml, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6],
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\uninst.exe, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6],
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\WeatherApp.exe, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6],
Rogue.TechSupportScam, C:\Windows\System32\Tasks\Systemhi, Quarantined, [14710a51237661d573f743047193cb35],
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Uninstall.lnk, Quarantined, [bacbb9a287121224028e76698a78c937],
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Weather Wizard.lnk, Quarantined, [bacbb9a287121224028e76698a78c937],
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Website.lnk, Quarantined, [bacbb9a287121224028e76698a78c937],
PUP.Optional.MorePowerfulCleaner, C:\Windows\keywords.txt, Quarantined, [f491df7ce4b573c37a5efcfee42024dc],
Rogue.TechSupportScam, C:\Windows\sc.bat, Quarantined, [4a3b3328f4a5082ed20a3fbbae560ff1],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention