What is winupdate86.exe, How to remove winupdate86.exe
winupdate86.exe is a harmful program.
It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program. If that does not help, ask us for help in the Spyware removal forum.
Name: winupdate86
Filename: winupdate86.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | winupdate86.exe
Command: C:\WINDOWS\system32\winupdate86.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"=C:\WINDOWS\system32\winupdate86.exe
Description: Trojan agent that is installed together with the winhelper86.dll and winlogon86.exe trojans and Advanced Virus Remover (a rogue antispyware program) and shows fake spyware alerts.
How to remove: use these winhelper86.dll, winupdate86.exe, winlogon86.exe removal instructions.
December 2nd, 2009 at 2:52 am
This thing blocked everything on my computer, including safe mode, regedit, taskmgr. It had every base covered. Smart virus, very smart. Disables most tools. It got in through a Google pop-up, would you believe.
I deleted it but it came right back, scanned the directory for it. Couldn't find what was bringing it back. Finally restored from my Norton Ghost copy.
December 13th, 2009 at 12:39 am
Dominic, sounds like I got a similar version to what you got. Associated with this file is a file called logon86.exe and you have to remove it as well. I used the Ultimate Boot CD (UBCD – google it to find the download) and NTFS4DOS in order to delete the files. There may still be a few other issues, I'll post complete details when I finish my clean up.
December 16th, 2009 at 12:09 pm
It isn't so 'smart'. When you run cmd and it shuts it down it pops up a modal warning dialog which stops it from doing anything. While that dialog is up, you can run the various tools (except taskmgr?) that it tries to prevent you from running. Then use utilities like pslist and pskill to kill the various associated tasks so you can remove the files.
December 23rd, 2009 at 7:46 pm
Please Help!
I deleted the winlogon86.exe file, in an attempt to get rid of this trojan. Now, I cannot log on to Windows! The computer boots up, and then as it is logging on, the desktop is displayed (empty) for a brief time, and then it logs off and reverts back to the log on page (administrator, guest, etc.). What can I do? I am willing to reformat to get rid of the virus, but I need to log on so I can back up some important data. Could someone at a computer repair shop back up my hard drive with this problem, so I can then reformat?
December 24th, 2009 at 10:02 pm
jason, you need to restore Windows registry using Last good configuration mode. Then use HijackThis to fix winlogon86.exe or use removal instructions (the link above).
December 25th, 2009 at 6:01 pm
Merry Christmas to all.
I got the same problem as Jason. I deleted the winlogon86.exe file and now I can't log on to Windows. I get a loop: when I try to log on it starts loading my settings but then it logs off :(.
Safe mode or last good configuration mode didn't work… same loop and I can't enter Windows. I also deleted winhelper86.dll and winupdate86.exe using Recovery Console but it didn't help. I use an HP notebook with XP Home SP3 and I wonder if my recovery or repair HP CDs will help me start Windows (for the moment I can't find them 🙁).
Sorry for my mistakes, English is a second language for me. Thanks in advance for any help.
December 28th, 2009 at 2:41 am
jason
put in your Windows Disc and boot into Repair, you will see a dos mode, press "1", go into the "C:\Windows" directory and type in your user/admin password.
after that go into your "System32" folder by typing "cd System32" without "quotes"
then enter in:
"copy winlogon.exe winlogon86.exe" and
"copy winlogon.exe winupdate86.exe" <-- just in case
type: "exit" to restart
after you log into your desktop, press "[Windows Key] + R" and enter "regedit"
go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" and at
"UserInit = c:\windows\system32\winlogon86.exe" change it back to "UserInit = c:\windows\system32\userinit.exe" and you're done!
download "Malwarebytes' Anti-Malware" and do a rescan on your computer. AND REMEMBER!, change all your old passwords.
December 28th, 2009 at 9:30 am
I had the same thing as Jason – deleted the winlogon86.exe file, in an attempt to get rid of this trojan. Now, I cannot log on to Windows! The computer boots up, and then as it is logging on, the desktop is displayed (empty) for a brief time, and then it logs off and reverts back to the log on page (administrator, guest, etc.). The question is how do I restore the Windows registry?
December 30th, 2009 at 7:06 pm
This is how I restored my system to an old good configuration before all that mess.
Boot with the Windows XP CD
At the "Welcome to Setup" screen press R
Select the appropriate path for Windows and press enter
If it asks you for the administrator password, type the administrator password and press enter or just hit enter
We will now see the prompt c:\windows>
Step 1:
--------
cd system32 enter, then dir enter
AVR10.exe
critical_warning.html
winhelper86.dll
winupdate86.exe
winlogon86.exe
delete all files : del AVR10.exe, del critical_warning.html etc…
I also deleted one file but I am not sure if it was 41.exe or 31.exe
Anyway delete them both if you spot them.
Step 2:
--------
cd system32\config
ren system system.old
ren software software.old
ren SAM SAM.old
ren security security.old
ren default default.old
type cd \ or cd C:\ enter and it will display C:\>
Step 3:
--------
Type cd "\System Volume Information" enter (including quotes)
Type dir enter
Hopefully, you will see a folder with a large name of the form: _restore{MANY-NUMBERS-AND-LETTERS-HERE}.
Type cd _restore{YOUR-NUMBERS-AND-LETTERS-HERE}
Type dir
It will list your Restore Points (e.g. RP511, RP512, RP513, RP514, etc…) with dates in front of the line, make sure that you choose one where you had a good system configuration
Select one from the list EXCEPT the last one (this one is with the bad configuration)
Say RP514 is the last one.
type cd RP513 (or RP512 or RP511 or RPn) and enter
type cd snapshot and enter
type dir and enter
now you see files like _registry_user…… and _registry_machine…….
type copy _registry_user_.default c:\windows\system32\config\default and enter (note 1st one is .default but 2nd is default)
type copy _registry_machine_security c:\windows\system32\config\security and enter
type copy _registry_machine_software c:\windows\system32\config\software and enter
type copy _registry_machine_system c:\windows\system32\config\system and enter
type copy _registry_machine_sam c:\windows\system32\config\sam and enter
type exit and enter
Take extra care when you are typing, remember to eject your CD and hopefully your pc will be like the date you selected.
All xxxxx.old files in step 2 are for backup, after you are back in Windows you can delete them. Needless to say this is just to log in to Windows, then you have to clean it … and for me Task Manager had an error but I fixed it too.
GL 2 all… and Happy New Year !
December 30th, 2009 at 8:05 pm
Hi Mark,
No need to restore your registry. Boot up with your Windows disk, pick repair with command prompt, then follow "U8MYR!CE" instructions above
good luck
January 1st, 2010 at 1:32 pm
First, thank you to those who posted in the forum. You got me a long way down the road to a fix. All seems to be OK now. So, I thought I'd share:
My symptoms:
– Got the worm.win32.netsky screen
– Got the “spyware alert” wallpaper
– task manager was disabled
– ability to change wallpaper was disabled
– winupdate86.exe was present
– removed winupdate86.exe and got the login/logout loop problem
– Symantec email protection kept detecting that my machine had been compromised and I was sending spam
The final solution appears to be:
– Kill winupdate86 process
– Run symantec scan
– Run Ccleaner (free download)
– Run malwarebytes (free download)
– Update to win xp SP3 (which handles the spamming problem)
I tried to manually fix all of this, but the problems came back twice. When I turned Symantec email-protection back on, it showed I was still spamming, and then the other symptoms came back eventually. Doing the steps above seems to have solved it.
Here are some tips on some of the other problems people are having:
Enabling Task Manager
***
When trying to run regedit and getting the message that it’s been infected and cannot run (fake), simply try to run it again while the fake warning alert is still on-screen. You’ll get through the second time. Then fix the value for “DisableTaskMgr” under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to be zero instead of one. This will reinstate your task manager. Then use it to blow away the winupdate86 process, the 41.exe process, and anything else that looks hinky.
***
I would add that FastNetSrv was a process that was problematic in my scenario.
Login/Logout problem after removing winsetup86.exe (see U8MYRICE’s post above – THANKS!!!)
Put in your Windows Disc and boot into Repair, you will see a dos mode, press "1", go into the "C:\Windows" directory and type in your user/admin password.
after that go into your "System32" folder by typing "cd System32" without "quotes"
then enter in:
"copy winlogon.exe winlogon86.exe" and
"copy winlogon.exe winupdate86.exe" <-- just in case
type: "exit" to restart
But, in the end, after you are able to kill the winsetup86.exe process, make sure you run malwarebytes AND update to Win XP SP3. I had to do both to keep the problems from coming back.
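The three registry changes described in this thread (the HKLM Run entry, the Winlogon UserInit value pointed at winlogon86.exe, and DisableTaskMgr set to one) can be checked in a regedit text export before and after cleanup. The following is an added example, not part of any comment above; the names `parse_reg`, `basename`, `audit` and the sample export are constructed for illustration.

```python
import re
# Constructed sample in regedit (.reg) export form; values mirror what this page reports.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"="C:\\WINDOWS\\system32\\winupdate86.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\winlogon86.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
# File names listed in this page's entry.
KNOWN_BAD = {"winupdate86.exe", "winlogon86.exe", "winhelper86.dll"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):  # string value: unescape
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            current[m["name"].lower()] = data
    return keys

def basename(path):
    """File name of a Windows path, lowercased, ignoring a trailing comma."""
    return path.replace("/", "\\").rstrip(", ").rsplit("\\", 1)[-1].lower()

def audit(text):
    """Return (finding, detail) tuples for the three changes named in the thread."""
    keys, findings = parse_reg(text), []
    run = keys.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {})
    for data in run.values():
        if basename(data) in KNOWN_BAD:
            findings.append(("run-autostart", data))
    winlogon = keys.get(r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", {})
    userinit = winlogon.get("userinit")
    # Userinit is a comma-separated list; every entry should be userinit.exe.
    if userinit is not None and any(basename(p) != "userinit.exe" for p in userinit.split(",") if p.strip()):
        findings.append(("userinit-hijack", userinit))
    policies = keys.get(r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", {})
    if policies.get("disabletaskmgr", "").lower() == "dword:00000001":
        findings.append(("taskmgr-disabled", "DisableTaskMgr=1"))
    return findings
```

A real "Version 5.00" export is saved as UTF-16, so decode the file before passing its text to `audit`.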
January 2nd, 2010 at 1:00 am
Same problem
And what's worse is this is a work computer that has all my work on it 🙁
I can't log into Windows at all after getting rid of that winupdate and winlogin
January 2nd, 2010 at 1:55 am
I tried to do the above but it didn't work. Can I use any Recovery CD or does it have to be my version of Windows? (I don't have the recovery CD for that one)
January 2nd, 2010 at 10:58 am
I got in.
But the only thing is now in my run folder I got winupdate86.exe……..is it ok to delete that?
January 3rd, 2010 at 1:14 am
Yes, you can remove winupdate86.exe, but first use HijackThis to remove the winupdate86.exe autorun entry from the Windows registry.
January 7th, 2010 at 7:36 am
This worked like a charm, although when I tried to download the link from malwarebytes anti-malware it took me to PCtools. I downloaded theirs and scanned and it found hundreds of threats, but they wanted to charge me for removing them. I uninstalled it, went to Malwarebytes.com and downloaded their program, scanned and it cleaned everything just fine. Thank you very much for your help
January 12th, 2010 at 10:52 pm
Hey all…
I was stuck with the same problem on my machine. I was in the endless loop at the login screen and couldn’t get anywhere. I did exactly what U8MYR!CE mentioned above and finally got past the login screen. Unfortunately, that was as far as I got. My desktop comes up with my wallpaper but nothing else…no icons, no system tray, task bar, nothing!!! Just a blank screen (with the exception of my wallpaper.) I tried, in vain, to hit the windows key + R which yielded nothing.
Any more ideas? I’d really hate to format the HD if it’s a simple (or even a not so simple) fix.
Thanks……Dave
January 13th, 2010 at 9:43 am
Dave, once Windows loaded, press CTRL + ALT + DEL.
Windows Task Manager should open.
Click File, New Task.
Type explorer.exe and press Enter.
It should load your icons and task bar.
Now, download and run Malwarebytes Anti-malware.
January 13th, 2010 at 11:56 am
I tried that and the task manager option is “grayed out” so that isn’t an option for me. If it helps, it’s Windows XP Pro. Any other thought?
January 13th, 2010 at 9:51 pm
My computer had Win32.NetSky,
Symptoms:
1. Desktop on the computer showed that your computer is infected with Win32.NetSky
2. In the system tray I see a RED "X" icon.
3. Task Manager is disabled
4. View->Field Options in Windows Explorer is also disabled.
5. If I try to system restore to a previous restore point it displays the following message: "System restore has been turned off by your group policy. To turn on system restore; contact your domain administrator."
System restore was enabled on my system.
What I did:
I rebooted the system in safe mode, same behavior (task manager disable, system restore is not available etc.).
Investigation:
I found following files under C:\Windows\System32 with most recent date time stamp (say 1/13/2010):
1. IS15.exe 0 bytes
2. Helper32.dll 0 bytes
3. IE Warning.htm 3kb
4. wpa.dbl 2kb
5. winlogon32.exe 21kb
6. smss32.exe 21kb
7. oh77tim.dll 145kb
8. info.tmp 40kb
Uncheck through MSCONFIG
In Startup Tab I also UNCHECKED
1. SMSS32 which points to C:\Windows\System32\SMSS32.EXE
2. AWY84 which points to C:\Documents and Settings\\Local Settings\Temp\AWY84.EXE
Deleting files while logged in SAFE mode:
1. I deleted all the files from C:\Documents and Settings\\Local Settings\Temp.
There were couple EXE (e.g. AWY84.EXE) files with most recent date time stamp.
2. Deleted files from C:\Windows\System32
a. IS15.exe 0 bytes
b. Helper32.dll 0 bytes
c. IE Warning.htm 3kb
d. wpa.dbl 2kb
e. winlogon32.exe 21kb
f. smss32.exe 21kb
g. oh77tim.dll 145kb
h. info.tmp 40kb
Rebooted:
Now when I go to log on after a restart it keeps taking me back to the log on screen to hit ctrl alt delete to log on with my password, I enter my password and it keeps taking me back to the log on screen?
Same behavior is happening in SAFE Mode as well.
I followed the instructions what U8MYR!CE mentioned.
1. Put in your Windows Disc and boot into Repair, you will see a dos mode, press "1", go into the "C:\Windows" directory and type in your user/admin password.
after that go into your "System32" folder by typing "cd System32" without "quotes"
then enter in:
"copy winlogon.exe winlogon86.exe" and
"copy winlogon.exe winupdate86.exe" <-- just in case
type: "exit" to restart
I am unable to log in to my system. When I log on after a restart it keeps taking me back to the logon screen.
I would really, really appreciate it if someone could help to resolve this issue.
Thanks in anticipation.
January 14th, 2010 at 8:37 am
Please HELP! I have this virus on my computer and before I found this thread, I deleted the files: C:/Windows/System32/SMSS32.exe, C:/Windows/System32/IS15.exe, C:/Windows/System32/helper32.exe and now when I go to log on after a restart it keeps taking me back to the log on screen to hit ctrl alt delete to log on with my password, I enter my password and it keeps taking me back to the log on screen?
I followed the instruction what U8MYR!CE suggested on
But I am still unable to logon. System keeps taking me back to the log on screen.
Any suggestions?
January 14th, 2010 at 12:13 pm
I saw U8MYR!CE's instructions on removing winupdate86.exe. Mine is named winupdate32.exe. Do the same instructions apply? After I had removed it, my computer logs off right after logging in.
I am referring to the reply from U8MYR!CE posted December 28, 2009 @ 2:41am
January 15th, 2010 at 12:10 am
Susan, boot your computer in Recovery console.
Type
cd system32
Press Enter.
Type
copy userinit.exe winlogon32.exe
Press Enter.
Type
exit
Press Enter.
February 1st, 2010 at 4:56 pm
Hi everyone,
I had the same logon/logoff loop that others (like John above) were having. On a forum someone pointed me to this website: thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/ Dan is extremely helpful. Even when the initial fix on his site didn’t work at first (my userinit file had a wrong registry value) I emailed him and he guided me through the process. Highly recommended! I was able to get my system back and running (it was a lot of work, but that’s OK) without having to reformat.
February 12th, 2010 at 2:42 pm
Just wanted to say that you guys saved me! I had to backdoor it via John's way and was finally able to get back to where my PC was useable. Thanks so much for putting the time and energy into helping people with this. Good karma is on the way!
February 15th, 2010 at 9:19 pm
Same problem as Jason and Susan above. Want to follow the instructions but I don’t have a windows xp boot disk. My hp Dv1000 did not come with one. Where can I find one so I can replace the winlogon32.exe file with userinit.exe? Oh and should I be worried about losing hard drive data before I try this? Is there a way to backup the hard drive to a portable USB drive even though I can’t logon? Any advice would be greatly appreciated!!! Thanks.
February 17th, 2010 at 8:11 am
Download the Recovery Console boot CD from here and burn it to a clean CD disk.
Boot from the disk and follow the above steps (admin says: January 15th, 2010 at 12:10 am).