Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for Weather Wizard

- - - - -

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
What is Weather Wizard?

The Malwarebytes research team has determined that Weather Wizard is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Weather Wizard?

You may see this warning during install:

main.png

these tasks in your Task Scheduler:

warning3.png

and this entry in your list of installed programs:

warning4.png

How did Weather Wizard get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with a weather app.

warning1.png

But it also installs files that will produce a Blue Screen of Death (BSOD) with the Tech Support Scammers number.

warning2.png

How do I remove Weather Wizard?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Weather Wizard?
  • No, Malwarebytes' Anti-Malware removes Weather Wizard completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam.

protection1.png


Technical details for experts

No visible signs in a HijackThis log

You may see these entries in FRST logs:

 () C:\Windows\SysInfo.exe
 C:\Windows\System32\Tasks\Lanwifi
 C:\Windows\System32\Tasks\Systemhi
 C:\Users\{username}\Desktop\Weather Wizard.lnk
 C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard
 C:\Program Files (x86)\Weather Wizard
 () C:\Windows\SysFix.exe
 () C:\Windows\amdave64Win.exe
 () C:\Windows\SysInfo.exe
 C:\Windows\sc.bat
 () C:\Windows\winLoad32.exe

Weather Wizard 1.0 (HKLM-x32\...\Weather Wizard) (Version: 1.0 - weatther wizard)
Task: {05925C2D-D54B-4F7A-AE1A-D45D7D2F859B} - System32\Tasks\Systemhi => C:\Windows\SysInfo.exe [2016-01-20] ()
Task: {660A8E20-C12D-4767-931F-1CFED04974A5} - System32\Tasks\Lanwifi => C:\Windows\amdave64Win.exe [2016-01-20] ()
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\Weather Wizard
       Adds the file Newtonsoft.Json.dll"="04/01/2016 06:37, 520192 bytes, A
       Adds the file Newtonsoft.Json.xml"="04/01/2016 06:37, 501178 bytes, A
       Adds the file uninst.exe"="01/02/2016 08:30, 405247 bytes, A
       Adds the file Weather Wizard.url"="01/02/2016 08:30, 50 bytes, A
       Adds the file WeatherApp.exe"="08/01/2016 11:54, 1042432 bytes, A
    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard
       Adds the file Uninstall.lnk"="01/02/2016 08:30, 840 bytes, A
       Adds the file Weather Wizard.lnk"="01/02/2016 08:30, 1077 bytes, A
       Adds the file Website.lnk"="01/02/2016 08:30, 1097 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard
    In the existing folder C:\Users\{username}\Desktop
       Adds the file Weather Wizard.lnk"="01/02/2016 08:30, 1059 bytes, A
    In the existing folder C:\Windows
       Adds the file amdave64Win.exe"="20/01/2016 13:45, 12288 bytes, A
       Adds the file keywords.txt"="07/01/2016 10:08, 195217 bytes, A
       Adds the file sc.bat"="19/01/2016 11:18, 198 bytes, A
       Adds the file SysFix.exe"="20/01/2016 13:46, 12288 bytes, A
       Adds the file SysInfo.exe"="20/01/2016 09:50, 20992 bytes, A
       Adds the file winLoad32.exe"="19/01/2016 10:13, 44032 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file Lanwifi"="01/02/2016 08:30, 3584 bytes, A
       Adds the file Systemhi"="01/02/2016 08:30, 3576 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherApp.exe]
       "(Default)"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\WeatherApp.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
       "SystemFix"="REG_SZ", "C:\windows\winLoad32.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Weather Wizard]
       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\WeatherApp.exe"
       "DisplayName"="REG_SZ", "Weather Wizard 1.0"
       "DisplayVersion"="REG_SZ", "1.0"
       "Publisher"="REG_SZ", "weatther wizard"
       "UninstallString"="REG_SZ", "C:\Program Files (x86)\Weather Wizard\uninst.exe"
       "URLInfoAbout"="REG_SZ", "http://www.mycompany.com"
    [HKEY_CURRENT_USER\SOFTWARE\weatherapp]
       "ver"="REG_SZ", "1"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/02/2016
Scan Time: 08:39
Logfile: mbamWeatherWizard.txt
Administrator: Yes

Version: 2.2.0.1020
Malware Database: v2016.02.01.01
Rootkit Database: v2016.01.20.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318272
Time Elapsed: 5 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Rogue.TechSupportScam, C:\Windows\SysInfo.exe, 528, Delete-on-Reboot, [6b1a104b3b5ee55117c5af30ee138d73]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.WeatherWizard, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Weather Wizard, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], 
Rogue.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Systemhi, Delete-on-Reboot, [87fefb60ebae69cda6c6083f35cfaa56], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard, Delete-on-Reboot, [5332b8a33f5a22149b9d4ff872923ac6], 
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard, Quarantined, [bacbb9a287121224028e76698a78c937], 
PUP.Optional.WeatherWizard, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Wizard, Quarantined, [70154318e6b3c175bcd4eff0f30f6a96], 

Files: 17
Rogue.TechSupportScam, C:\Windows\SysInfo.exe, Delete-on-Reboot, [6b1a104b3b5ee55117c5af30ee138d73], 
Rogue.TechSupportScam, C:\Users\{username}\Desktop\ww[1].exe, Quarantined, [e3a2f467afea3402b824c916758c6997], 
Rogue.TechSupportScam, C:\Windows\amdave64Win.exe, Quarantined, [1c6986d5039639fd20bc6a7537ca42be], 
Rogue.TechSupportScam, C:\Windows\SysFix.exe, Quarantined, [87fedf7c019893a3e9f3b32c2ad747b9], 
Rogue.TechSupportScam, C:\Windows\winLoad32.exe, Quarantined, [2065a5b66e2b4bebf090f8e53dc49868], 
PUP.Optional.WeatherWizard, C:\Users\{username}\Desktop\Weather Wizard.lnk, Quarantined, [2d588bd0336660d61c1b51f60400dd23], 
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Weather Wizard.url, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], 
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Newtonsoft.Json.dll, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], 
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\Newtonsoft.Json.xml, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], 
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\uninst.exe, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], 
PUP.Optional.WeatherWizard, C:\Program Files (x86)\Weather Wizard\WeatherApp.exe, Quarantined, [5332b8a33f5a22149b9d4ff872923ac6], 
Rogue.TechSupportScam, C:\Windows\System32\Tasks\Systemhi, Quarantined, [14710a51237661d573f743047193cb35], 
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Uninstall.lnk, Quarantined, [bacbb9a287121224028e76698a78c937], 
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Weather Wizard.lnk, Quarantined, [bacbb9a287121224028e76698a78c937], 
PUP.Optional.WeatherWizard, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Weather Wizard\Website.lnk, Quarantined, [bacbb9a287121224028e76698a78c937], 
PUP.Optional.MorePowerfulCleaner, C:\Windows\keywords.txt, Quarantined, [f491df7ce4b573c37a5efcfee42024dc], 
Rogue.TechSupportScam, C:\Windows\sc.bat, Quarantined, [4a3b3328f4a5082ed20a3fbbae560ff1], 

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.