Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Re: Cant fully uninstall

I uninstalled the software but all new folders have the blue arrows. How do I make this stop?

What blue arrows? Do you mean that Windows File Explorer shows some blue arrow overlays on file icons? WinSCP does not add any overlays to Windows File Explorer. That must be a different application.
Guest

Cant fully uninstall

I uninstalled the software but all new folders have the blue arrows. How do I make this stop?
brablc

worried wrote:

OK, I plan to get round to that later today.

Thank you for your replies, it is appreciated :)


DragExt.dll is described here https://winscp.net/eng/docs/dragext . It is an extension of the file explorer which keeps it locked and does not allow it to be deleted without uninstaller and restart.

Should you find WinSCP on your system again, please:

- Check the version: right click the .exe select Properties and check Details tab.
- Get the MD5 of the winscp.exe (you may use FCIV https://www.microsoft.com/en-us/download/details.aspx?id=11533 ): 
fciv -md5 winscp.exe

- Now compare the MD5 with the one from https://winscp.net/eng/download.php

At that moment we will know more. Perhaps Secunia PSI found some traces (may be incorrectly) of WinSCP on your system and decided to install newer version over it.

It seems unlikely to me that someone would install WinSCP on your system to do something nasty with it. WinSCP does not listen on any port for commands. It needs to be operated locally. Someone would need access for instance to your remote desktop to do something with it. If this is possible then you should be looking for open ports on your system. But be prepared to Google on those ports to exclude false positives: 
netstat -a | find "LISTENING"
worried

OK, I plan to get round to that later today.

Thank you for your replies, it is appreciated :)
Freitag

worried wrote:

Also, I forgot to mention;

My router firmware is up-to-date.

I want to avoid a restore if possible because it will cause issues and conflicts with some automated processes I have set up and programs I use, such as FlexRAID. I just don't have the time at present to work around all of that.


I think that finding WinSCP on your system was just the warning sign, I think you need more dedicated help in fixing it.

I've found myself on this site (link below) a few times after searching for things I found in a HijackThis log file.
https://forums.malwarebytes.com/forum/7-windows-malware-removal-help-support/
worried

Also, I forgot to mention;

My router firmware is up-to-date.

I want to avoid a restore if possible because it will cause issues and conflicts with some automated processes I have set up and programs I use, such as FlexRAID. I just don't have the time at present to work around all of that.
worried

That sounds very possible unfortunately. Would you happen to know if there is anyway/anywhere (logs, 3rd party tools and such) I can reference, which might be able to confirm this?

Another malwarebytes scan last night picked up a security.hijack; HKLM/../../launcher.exe x2. It seemed to remove them successfully. I then ran several different scans with different tools and can't seem to find anything else, but I might consult an expert from the malwarebytes forums.

On another note, I managed to remove WinSCP from my system. The system I had the issue on is a home server and I don't directly access it very often, so I use Secunia PSI to keep the programs up-to-date. I checked to see if WinSCP was present on the list and it was. So I disabled the auto-update for WinSCP and uninstalled it again and this time it did not come back. I am not entirely sure this was the cause because I did some other things too, like shut down my wifi, before checking Secunia PSI.

Please let me know if you have any suggestions regarding my first question.

Thanks
Freitag

Re: update

Your intruder idea sounds most likely. And he left behind something. He's probably after the port forwarding aspects of the software and is using you as a proxy for something you don't want to get blamed for.

Make sure to document the process in case someone comes after you. It might even be worth a police report?

Check your router too - look up the firmware version to make sure there are not any known vulnerabilities. If someone got in, they came through that.

Do you have backups? If so restore to a point before you got hacked.

worried wrote:

Ok, i have had a little time today to investigate further. So far I cannot find anything on Google that relates to my problem, except here.

I mentioned that I renamed the files, well that did not work apparently because the files I renamed were recreated. I have uninstalled it and it installs itself again almost immediately. I have deleted the files and it installs itself again, almost immediately.

I have now created blank txt documents and renamed them as winscp.exe/com and overwritten the original files. This seems to be fooling whatever is putting this on my system, stopping it from installing it again. I figure, at least this way it can't be run.

Any thoughts?
worried

update

Ok, i have had a little time today to investigate further. So far I cannot find anything on Google that relates to my problem, except here.

I mentioned that I renamed the files, well that did not work apparently because the files I renamed were recreated. I have uninstalled it and it installs itself again almost immediately. I have deleted the files and it installs itself again, almost immediately.

I have now created blank txt documents and renamed them as winscp.exe/com and overwritten the original files. This seems to be fooling whatever is putting this on my system, stopping it from installing it again. I figure, at least this way it can't be run.

Any thoughts?
worried

Thanks for your reply.

The machine it appeared on is actually headless and I am 99.9999999999% certain my 5y/o has nothing to do with this.

As a temporary measure I have renamed the winscp.exe and winscp.com to winscp.exe.bak and winscp.com.bak, until I can figure this out.

I doubt it is malware too. I am considering an intruder on my wireless network.
Freitag

I can't imagine what would have installed this - any malware surreptitious enough to install some software without permission would have it's own connection tools baked in.

I presume that you keep your Admin account and your non privileged user accounts separated and that your 5yr old doesn't know the admin PW.

Try simply deleting the install directory and then running a tool like CCleaner to remove any unwanted registry entries* that may have been left behind.

But with any unexpected activity, run a malware/anti-virus check.


Good luck, and let us know if you find out how it happened.


*Any time you edit your registry step 1 is always a backup.
worried

WinSCP just installed on my system




Anonymous wrote:
This WinSCP has found itself on my harddrive without any action through me and It will not uninstall for anything. I can not delete any files associated with this program as the DragExt.dll file will not allow itself to not be in current use. I feel this program is a malicious third party attempt to gain access to my computer and if an actual way to remove it from my computer is not presented the author and publisher of this program will be subject to the extent of the law I bring into the situation.



Chill dude... WinSCP is not malicious software so no worries. Also, it can't get on your computer without someone's help - maybe you walked away from it without locking the screen?

A couple of ideas that might your situation.

1. Reboot in safe mode and you ought to be able to delete the .dll files.

2. A better idea though might be to perform a clean install of a version that you download from this website, turn on desktop integration, and then reboot. Follow that with a clean uninstall - if you're trying to delete .dll files you probably didn't try the uninstall route first or your installation was corrupt and a clean start will help.

Good luck.



Hi, I am having the same problem as above, I realize this thread is 3 years old, but Google brought me here and it is the most similar situation to mine that I have found so far.

I did not install WinSCP on my system. I use pulseway to monitor my systems and I got a notification that WinSCP had being installed, I thought "that's odd" and investigated and there it was, desktop icon and everything. I did not do this and there was nobody in the house but my 5 year old son and myself. I tried removing it from my system, but after the uninstall process (which claimed to be successful) it is still on my system.

I am getting really worried now, any advice would be appreciated.

Many Thanks
Freitag

Re: Unable to Uninstall

Anonymous wrote:

This WinSCP has found itself on my harddrive without any action through me and It will not uninstall for anything. I can not delete any files associated with this program as the DragExt.dll file will not allow itself to not be in current use. I feel this program is a malicious third party attempt to gain access to my computer and if an actual way to remove it from my computer is not presented the author and publisher of this program will be subject to the extent of the law I bring into the situation.


Chill dude... WinSCP is not malicious software so no worries. Also, it can't get on your computer without someone's help - maybe you walked away from it without locking the screen?

A couple of ideas that might your situation.

1. Reboot in safe mode and you ought to be able to delete the .dll files.

2. A better idea though might be to perform a clean install of a version that you download from this website, turn on desktop integration, and then reboot. Follow that with a clean uninstall - if you're trying to delete .dll files you probably didn't try the uninstall route first or your installation was corrupt and a clean start will help.

Good luck.
Guest

Unable to Uninstall

This WinSCP has found itself on my harddrive without any action through me and It will not uninstall for anything. I can not delete any files associated with this program as the DragExt.dll file will not allow itself to not be in current use. I feel this program is a malicious third party attempt to gain access to my computer and if an actual way to remove it from my computer is not presented the author and publisher of this program will be subject to the extent of the law I bring into the situation.
martin

Re: winscp troubles

paxtonwife wrote:

I dont even know how this WinScp ended up on my computer but i think it is conflicting with my operating system... vista... there is a file that says key tools but all thats in it is a link to a website... do i need this? is it necessary? and... its not even in my uninstal area... help?

If you do not use WinSCP, you can safely remove any file related to it.
paxtonwife

winscp troubles

I dont even know how this WinScp ended up on my computer but i think it is conflicting with my operating system... vista... there is a file that says key tools but all thats in it is a link to a website... do i need this? is it necessary? and... its not even in my uninstal area... help?
Guest

Re: Silent Uninstall

martin wrote:

Is it available in the 4.0beta?

Yes it is.


Thx!
martin

Re: Silent Uninstall

Is it available in the 4.0beta?

Yes it is.
Guest

Re: Silent Uninstall

martin wrote:

vpeter wrote:

Is there no workaround for disabling the cleanup question at uninstall? Some registry-modification, or similar?

No. It will be solved in the next release.


Is it available in the 4.0beta?
martin

Re: Silent Uninstall

vpeter wrote:

Is there no workaround for disabling the cleanup question at uninstall? Some registry-modification, or similar?

No. It will be solved in the next release.
vpeter

Silent Uninstall

Is there no workaround for disabling the cleanup question at uninstall? Some registry-modification, or similar?
martin

Re: sillent uninstall

Kone wrote:

Is there a way to uninstall WinSCP silently?

You can use /silent parameter, but it does not suppress the "cleanup" question unfortunately. I may fix this in the next release.
Kone

sillent uninstall

Is there a way to uninstall WinSCP silently?
martin

Re: Uninstalling WinSCP

  1. If you have installed WinSCP with installation-package, you may uninstall it from Windows control panel
  2. If you have downloaded the EXE file only, just delete it.
erena

Uninstalling WinSCP

How do I uninstall WinSCP? I'm running it on Windows 2000.

Documentation

Support

Associations

Follow Us