Analysis by: Christopher Daniel So

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 2,934,400 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 08 Apr 2014

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan creates the following folders:

  • %User Temp%\is-5POVM.tmp
  • %User Temp%\is-A8UHB.tmp
  • %User Temp%\is-A8UHB.tmp\_isetup
  • %Program Files%\WinSCP
  • %Program Files%\WinSCP\PuTTY
  • %Start Menu%\Programs\WinSCP
  • %Start Menu%\Programs\WinSCP\Key tools

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7.)

Other System Modifications

This Trojan deletes the following files:

  • %Start Menu%\Programs\WinSCP\WinSCP.pif
  • %Start Menu%\Programs\WinSCP\WinSCP.url
  • %Start Menu%\Programs\WinSCP\WinSCP Web Site.lnk
  • %Start Menu%\Programs\WinSCP\WinSCP Web Site.pif
  • %Start Menu%\Programs\WinSCP\Support forum.lnk
  • %Start Menu%\Programs\WinSCP\Support forum.pif
  • %Start Menu%\Programs\WinSCP\Documentation.lnk
  • %Start Menu%\Programs\WinSCP\Documentation.pif
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen.pif
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen.url
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen Manual.pif
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen Manual.url
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant.pif
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant.url
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant Manual.pif
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant Manual.url
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTY Web Site.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTY Web Site.pif
  • %Desktop%\WinSCP.pif
  • %Desktop%\WinSCP.url
  • %User Profile%\SendTo\WinSCP (for upload).pif
  • %User Profile%\SendTo\WinSCP (for upload).url

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following registry keys:


It adds the following registry entries:


It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DirectDraw\MostRecentApplication
Name = "iexplore.exe"

(Note: The default value data of the said registry entry is iexplore.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DirectDraw\MostRecentApplication
ID = "4117b81"

(Note: The default value data of the said registry entry is 41107b81.)

It deletes the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1

Dropping Routine

This Trojan drops the following files:

  • %User Temp%\is-5povm.tmp\{malware file name}.tmp
  • %User Temp%\is-A8UHB.tmp\_isetup\_RegDLL.tmp
  • %User Temp%\is-A8UHB.tmp\_isetup\_shfoldr.dll
  • %User Temp%\is-A8UHB.tmp\OCSetupHlp.dll
  • %Program Files%\WinSCP\unins000.dat
  • %Program Files%\WinSCP\is-VLP8F.tmp
  • %Program Files%\WinSCP\is-B3TB7.tmp
  • %Program Files%\WinSCP\is-87I57.tmp
  • %Program Files%\WinSCP\is-TV44J.tmp
  • %Program Files%\WinSCP\is-QKNJJ.tmp
  • %Program Files%\WinSCP\is-9Q0PU.tmp
  • %Program Files%\WinSCP\PuTTY\is-BLU1T.tmp
  • %Program Files%\WinSCP\PuTTY\is-UP4J0.tmp
  • %Program Files%\WinSCP\PuTTY\is-0GIMO.tmp
  • %Program Files%\WinSCP\PuTTY\is-K14GO.tmp
  • %Start Menu%\Programs\WinSCP\WinSCP.lnk
  • %Start Menu%\Programs\WinSCP\WinSCP Web Site.url
  • %Start Menu%\Programs\WinSCP\Support forum.url
  • %Start Menu%\Programs\WinSCP\Documentation.url
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen Manual.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant Manual.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTY Web Site.url
  • %Desktop%\WinSCP.lnk
  • %User Profile%\SendTo\WinSCP (for upload).lnk
  • %User Profile%\Application Data\winscp.rnd

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

This report is generated via an automated analysis system.

  SOLUTION

Minimum Scan Engine: 9.300

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • Martin Prikryl
  • In HKEY_CURRENT_USER\Software\Martin Prikryl
    • WinSCP 2
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
    • Interface
  • In HKEY_LOCAL_MACHINE\Software\Martin Prikryl
    • WinSCP 2
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • Updates
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • winscp3_is1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}
    • InProcServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\directory\shellex\CopyHookHandlers
    • WinSCPCopyHook
  • In HKEY_LOCAL_MACHINE\Software\Martin Prikryl\WinSCP 2
    • DragExt
  • In HKEY_CLASSES_ROOT
    • SCP
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP
    • DefaultIcon
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP
    • shell
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP\shell
    • open
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP\shell\open
    • command
  • In HKEY_CLASSES_ROOT
    • SFTP
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP
    • DefaultIcon
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP
    • shell
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP\shell
    • open
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP\shell\open
    • command
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
    • Logging
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • CopyParam
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • NewDirectory
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SynchronizeChecklist
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • FindFile
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConsoleWin
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
    • History
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
    • HistoryParams
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • Editor
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • QueueView
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • Explorer
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • Commander
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • LocalPanel
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • RemotePanel
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
    • Security
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
    • Bookmarks
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Bookmarks
    • Local
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Bookmarks
    • Remote
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Bookmarks
    • ShortCuts
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Bookmarks
    • Options
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • 0
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • 1

Step 3

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • Interface = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\WinSCP 2
    • DefaultInterfaceInterface = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ShowAdvancedLoginOptions = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\WinSCP 2
    • DefaultInterfaceShowAdvancedLoginOptions = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDExtEnabled = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • Period = "7"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\WinSCP 2
    • DefaultUpdatesPeriod = "7"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Setup Version = "5.2.3"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: App Path = "%Program Files%\WinSCP"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • InstallLocation = "%Program Files%\WinSCP"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Icon Group = "WinSCP"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: User = "Wilbert"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Setup Type = "full"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Selected Components = "main,shellext,pageant,puttygen,transl,transl\eng"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Deselected Components = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Selected Tasks = "enableupdates,desktopicon,desktopicon\user,sendtohook,urlhandler"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup: Deselected Tasks = "desktopicon\common,quicklaunchicon,searchpath"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • DisplayName = "WinSCP 4.2.5"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • DisplayIcon = "%Program Files%\WinSCP\WinSCP.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • UninstallString = "%Program Files%\WinSCP\unins000.exe "
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • QuietUninstallString = "%Program Files%\WinSCP\unins000.exe /SILENT"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • DisplayVersion = "4.2.5"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Publisher = "Martin Prikryl"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • URLInfoAbout = "http://{BLOCKED}p.net"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • HelpLink = "http://{BLOCKED}p.net/forum"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • URLUpdateInfo = "http://{BLOCKED}p.net/eng/download.php"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • NoModify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • NoRepair = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • InstallDate = "20140330"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1
    • Inno Setup CodeFile: SetupType = "custom"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32
    • ThreadingModel = "Apartment"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\WinSCP 2\DragExt
    • Enable = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP
    • EditFlags = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SCP
    • BrowserFlags = "8"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP
    • EditFlags = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SFTP
    • BrowserFlags = "8"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • RandomSeedFile = "%25APPDATA%25%5Cwinscp.rnd"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • PuttyRegistryStorageKey = "Software%5CSimonTatham%5CPuTTY"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmOverwriting = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmResume = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • AutoReadDirectoryAfterOp = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SessionReopenAuto = "1388"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SessionReopenBackground = "7d"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SessionReopenTimeout = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • TunnelLocalPortNumberLow = "c35"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • TunnelLocalPortNumberHigh = "c3b3"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • CacheDirectoryChangesMaxSize = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ShowFtpWelcomeMessage = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • Logging = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogFileAppend = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogWindowLines = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogProtocol = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogActions = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ContinueOnError = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmCommandSession = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SynchronizeParams = "42"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SynchronizeOptions = "5"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SynchronizeModeAuto = "ffffffff"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SynchronizeMode = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • MaxWatchDirectories = "1f4"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • QueueTransfersLimit = "2"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • QueueAutoPopup = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • QueueRememberPassword = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • PuttySession = "WinSCP%20temporary%20session"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • PuttyPath = "%25PROGRAMFILES%25%5CPuTTY%5Cputty.exe"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • PuttyPassword = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • TelnetForFtpInPutty = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • IgnoreCancelBeforeFinish = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • BeepOnFinish = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • BeepOnFinishAfter = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SynchronizeBrowsing = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • KeepUpToDateChangeDelay = "1f4"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ChecksumAlg = "md5"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SessionReopenAutoIdle = "1388"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • AddXToDirectories = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • Masks = "{random characters}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • FileNameCase = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • PreserveReadOnly = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • PreserveTime = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • PreserveRights = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • IgnorePermErrors = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • Text = "rw-r--r--"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • TransferMode = "2"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • ResumeSupport = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • ResumeThreshold = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • ReplaceInvalidChars = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • LocalInvalidChars = "/%5%System Root%%2A%3F"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • CalculateSize = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • NegativeExclude = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • ClearArchive = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • CPSLimit = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • Queue = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • QueueNoConfirmation = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • QueueIndividually = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • NewerOnly = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\CopyParam
    • CopyParamList = "ffffffff"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\NewDirectory
    • Valid = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmExitOnCompletion = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogView = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\SynchronizeChecklist
    • WindowParams = "0;-1;-1;600;450;0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\SynchronizeChecklist
    • ListParams = "1;1150,1;100,1;80,1;130,1;25,1;100,1;80,1;130,10;1;2;3;4;5;6;7"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\FindFile
    • WindowParams = "646,481"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\FindFile
    • ListParams = "3;1125,1;181,1;80,1;122,10;1;2;3"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\ConsoleWin
    • WindowSize = "570,430"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • CopyOnDoubleClick = "2"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • CopyOnDoubleClickConfirmation = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDAllowMove = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDAllowMoveInit = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDTransferConfirmation = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDWarnLackOfTempSpace = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDWarnLackOfTempSpaceRatio = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DeleteToRecycleBin = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DimmHiddenFiles = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • RenameWholeName = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SelectDirectories = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SelectMask = "%2A.%2A"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ShowHiddenFiles = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ShowInaccesibleDirectories = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmTransferring = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmDeleting = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmRecycling = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmClosingSession = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • UseLocationProfiles = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • UseSharedBookmarks = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • LocaleSafe = "49"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DDExtTimeout = "3e8"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • DefaultDirIsHome = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • TemporaryDirectoryAppendSession = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • TemporaryDirectoryAppendPath = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • TemporaryDirectoryCleanup = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • ConfirmTemporaryDirectoryCleanup = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • PreservePanelState = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • Theme = "OfficeXP"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • PathInCaption = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • MinimizeToTray = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • BalloonNotifications = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • NotificationsTimeout = "a"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • NotificationsStickTime = "2"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • CopyParamAutoSelectNotice = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • SessionToolbarAutoShown = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • LockToolbars = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • AutoOpenInPutty = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • LastMonitor = "ffffffff"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface
    • VersionHistory = "40205624,stable"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FontName = "Courier%20New"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FontHeight = "fffffff4"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FontStyle = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FontCharset = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • WordWrap = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FindMatchCase = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FindWholeWord = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • FindDown = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • TabSize = "7"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • MaxEditors = "1f4"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • EarlyClose = "2"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor
    • SDIShellEditor = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\QueueView
    • Height = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\QueueView
    • Layout = "70,160,160,80,80,80"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\QueueView
    • Show = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\QueueView
    • LastHideShow = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\QueueView
    • ToolBar = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • LastCheck = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • HaveResults = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • ShownResults = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • BetaVersions = "2"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • ConnectionType = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • ProxyPort = "1f9"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • ForVersion = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • Version = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • Critical = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Updates
    • Disabled = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • ToolbarsLayout = "{random characters}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • DirViewParams = "0;1;0150,1;70,1;101,1;79,1;62,1;55,1;20,0;150,0;125,00;1;8;2;3;4;5;6;7"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • LastLocalTargetDirectory = "%System Root%%5CDocuments%20and%20Settings%5CWilbert%5CMy%20Documents"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • StatusBar = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • WindowParams = "-1;-1;600;400;0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • ViewStyle = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • ShowFullAddress = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • DriveView = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
    • DriveViewWidth = "b4"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • CurrentPanel = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • LocalPanelWidth = "{random values}"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • SwappedPanels = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • StatusBar = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • WindowParams = "-1;-1;600;400;0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • ExplorerStyleSelection = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • PreserveLocalDirectory = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • CompareByTime = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • CompareBySize = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • FullRowSelect = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander
    • TreeOnLeft = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\LocalPanel
    • DirViewParams = "0;1;0150,1;70,1;101,1;79,1;62,1;55,00;1;2;3;4;5"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\LocalPanel
    • StatusBar = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\LocalPanel
    • DriveView = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\LocalPanel
    • DriveViewHeight = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\LocalPanel
    • DriveViewWidth = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\RemotePanel
    • DirViewParams = "0;1;0150,1;70,1;101,1;79,1;62,1;55,0;20,0;150,0;125,00;1;8;2;3;4;5;6;7"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\RemotePanel
    • StatusBar = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\RemotePanel
    • DriveView = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\RemotePanel
    • DriveViewHeight = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Commander\RemotePanel
    • DriveViewWidth = "64"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogWindowOnStartup = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
    • LogWindowParams = "-1;-1;500;400"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
    • UseMasterPassword = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\0
    • FileMask = "%2A.%2A"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\0
    • Editor = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\0
    • ExternalEditorText = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\0
    • SDIExternalEditor = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\0
    • DetectMDIExternalEditor = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\1
    • FileMask = "%2A.%2A"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\1
    • Editor = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\1
    • ExternalEditor = "notepad.exe"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\1
    • ExternalEditorText = "1"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\1
    • SDIExternalEditor = "0"
  • In HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Interface\Editor\1
    • DetectMDIExternalEditor = "0"

Step 4

Restore these modified registry values

Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    • From: Name = "iexplore.exe"
      To: Name = ""iexplore.exe""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
    • From: ID = "4117b81"
      To: ID = ""41107b81""

Step 5

Search and delete these components

Some components may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\is-5povm.tmp\{malware file name}.tmp
  • %User Temp%\is-A8UHB.tmp\_isetup\_RegDLL.tmp
  • %User Temp%\is-A8UHB.tmp\_isetup\_shfoldr.dll
  • %User Temp%\is-A8UHB.tmp\OCSetupHlp.dll
  • %Program Files%\WinSCP\unins000.dat
  • %Program Files%\WinSCP\is-VLP8F.tmp
  • %Program Files%\WinSCP\is-B3TB7.tmp
  • %Program Files%\WinSCP\is-87I57.tmp
  • %Program Files%\WinSCP\is-TV44J.tmp
  • %Program Files%\WinSCP\is-QKNJJ.tmp
  • %Program Files%\WinSCP\is-9Q0PU.tmp
  • %Program Files%\WinSCP\PuTTY\is-BLU1T.tmp
  • %Program Files%\WinSCP\PuTTY\is-UP4J0.tmp
  • %Program Files%\WinSCP\PuTTY\is-0GIMO.tmp
  • %Program Files%\WinSCP\PuTTY\is-K14GO.tmp
  • %Start Menu%\Programs\WinSCP\WinSCP.lnk
  • %Start Menu%\Programs\WinSCP\WinSCP Web Site.url
  • %Start Menu%\Programs\WinSCP\Support forum.url
  • %Start Menu%\Programs\WinSCP\Documentation.url
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen Manual.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant Manual.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTY Web Site.url
  • %Desktop%\WinSCP.lnk
  • %User Profile%\SendTo\WinSCP (for upload).lnk
  • %User Profile%\Application Data\winscp.rnd

Step 6

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.
  • %User Temp%\is-5POVM.tmp
  • %User Temp%\is-A8UHB.tmp
  • %User Temp%\is-A8UHB.tmp\_isetup
  • %Program Files%\WinSCP
  • %Program Files%\WinSCP\PuTTY
  • %Start Menu%\Programs\WinSCP
  • %Start Menu%\Programs\WinSCP\Key tools

Step 7

Scan your computer with your Trend Micro product to delete files detected as TROJ_DLOADER.ZA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore these files from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • %Start Menu%\Programs\WinSCP\WinSCP.pif
  • %Start Menu%\Programs\WinSCP\WinSCP.url
  • %Start Menu%\Programs\WinSCP\WinSCP Web Site.lnk
  • %Start Menu%\Programs\WinSCP\WinSCP Web Site.pif
  • %Start Menu%\Programs\WinSCP\Support forum.lnk
  • %Start Menu%\Programs\WinSCP\Support forum.pif
  • %Start Menu%\Programs\WinSCP\Documentation.lnk
  • %Start Menu%\Programs\WinSCP\Documentation.pif
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen.pif
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen.url
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen Manual.pif
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTYgen Manual.url
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant.pif
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant.url
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant Manual.pif
  • %Start Menu%\Programs\WinSCP\Key tools\Pageant Manual.url
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTY Web Site.lnk
  • %Start Menu%\Programs\WinSCP\Key tools\PuTTY Web Site.pif
  • %Desktop%\WinSCP.pif
  • %Desktop%\WinSCP.url
  • %User Profile%\SendTo\WinSCP (for upload).pif
  • %User Profile%\SendTo\WinSCP (for upload).url

Step 9

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • winscp3_is1

