ARCHIVERFORWIN.EXE is Trojan Ransom.Gimemo
Ransom Screen Locker ARCHIVERFORWIN.EXE is a malicious program.
ARCHIVERFORWIN.EXE blocks user access to a computer that it infects.
ARCHIVERFORWIN.EXE demands a ransom payment to unlock the computer.
Malware Analysis of ARCHIVERFORWIN.EXE
Full path on a computer: %AppData%\ArchiverforWin.exe
Detected by RegRun Warrior:
Item Name: shell
Author: Unknown
Related File: %AppData%\ArchiverforWin.exe
Type: System.ini
Item Name: UserInit
Author: Unknown
Related File: %AppData%\ArchiverforWin.exe,%WinDir%\System32\userinit.exe,
Type: UserInit Value
Item Name: B64Fu7wxCKTba7x
Author: thehrgergergeg
Related File: %APPDATA%\ARCHIVERFORWIN.EXE
Type: Registry Run
Removal Results: Success
Number of reboots: 1
ARCHIVERFORWIN.EXE is known as:
Trojan.Ransom.Gimemo, Trojan.MBRlock
ARCHIVERFORWIN.EXE hash:
- MD5: cfc4da393278354a60b82f8014a9f557
How to quickly detect the presence of ARCHIVERFORWIN.EXE?
Registry:
- HKLM\Software\Microsoft\Active Setup\Installed Components\{gNlHvcTl-X3Rf-glhX-zEHE-R7LhQcT46ee6}\B64Fu7wxCKTba7x: “”%AppData%\ArchiverforWin.exe” /ActiveX”
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\B64Fu7wxCKTba7x: “%AppData%\ArchiverforWin.exe”
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\B64Fu7wxCKTba7x: “%AppData%\ArchiverforWin.exe”
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%AppData%\ArchiverforWin.exe”
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%AppData%\ArchiverforWin.exe,%WinDir%\System32\userinit.exe,”
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%AppData%\ArchiverforWin.exe”
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%AppData%\ArchiverforWin.exe,%WinDir%\System32\userinit.exe,”
Files:
- %AppData%\ArchiverforWin.exe
Recommended: UnHackMe anti-rootkit and anti-malware
Premium software: RegRun Security Suite (Good choice for removal and protection)




