What is winupdate86.exe, How to remove winupdate86.exe


winupdate86.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: winupdate86
Filename: winupdate86.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | winupdate86.exe

Command: C:\WINDOWS\system32\winupdate86.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"=C:\WINDOWS\system32\winupdate86.exe

Description: Trojan agent that is installed together with the winhelper86.dll and winlogon86.exe trojans and Advanced Virus Remover (a rogue antispyware program), and that shows fake spyware alerts.

How to remove: use these winhelper86.dll, winupdate86.exe, winlogon86.exe removal instructions.
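
A read-only check for the registry values named on this page, added here as an example (it is not part of the original post or of any removal tool): it parses exported registry text and lists what to repair before any file is deleted, since several responses below report a logon loop after deleting winlogon86.exe while Userinit still pointed at it. The function names, finding labels and sample export are constructed for this example, and the input is assumed to be .reg text that has already been decoded to a string.

```python
import re

# File names and registry locations as given on this page.
BAD_NAMES = ("winupdate86.exe", "winlogon86.exe", "winhelper86.dll")
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Parse regedit-export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is not None and m:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            current[m.group(1).lower()] = data
    return keys

def audit(text):
    """Return findings; values to repair are listed before autorun removal."""
    keys, findings = parse_reg(text), []
    userinit = keys.get(WINLOGON, {}).get("userinit", "")
    # Userinit is a comma-separated list; every entry should be userinit.exe.
    entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
    if any(e.rsplit("\\", 1)[-1] != "userinit.exe" for e in entries):
        findings.append(("repair-first", "Winlogon Userinit", userinit))
    if keys.get(POLICY, {}).get("disabletaskmgr", "").lower() == "dword:00000001":
        findings.append(("repair", "DisableTaskMgr", "dword:00000001"))
    for name, data in keys.get(RUN, {}).items():
        if any(bad in data.lower() for bad in BAD_NAMES):
            findings.append(("remove-autorun", name, data))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"="C:\\WINDOWS\\system32\\winupdate86.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\winlogon86.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A "repair-first" finding means the Userinit value should be set back to userinit.exe before the file it points to is deleted.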

27 Responses to “What is winupdate86.exe, How to remove winupdate86.exe”

  1. dominic Says:

    This thing blocked everything on my computer, including safe mode, regedit, taskmgr. It had every base covered. Smart virus, very smart. Disables most tools. It got in through a Google pop-up, would you believe.

    I deleted it but it came right back, scanned the directory for it. Couldn’t find what was bringing it back. Finally restored from my Norton Ghost copy.

  2. David G Says:

    Dominic, sounds like I got a similar version to what you got. Associated with this file is a file called logon86.exe and you have to remove it as well. I used the Ultimate Boot CD (UBCD – google it to find the download) and NTFS4DOS in order to delete the files. There may still be a few other issues, I’ll post complete details when I finish my clean up.

  3. Erik J Says:

    It isn’t so ‘smart’. When you run cmd and it shuts it down it pops up a modal warning dialog which stops it from doing anything. While that dialog is up, you can run the various tools (except taskmgr?) that it tries to prevent you from running. Then use utilities like pslist and pskill to kill the various associated tasks so you can remove the files.

  4. jason Says:

    Please Help!

    I deleted the winlogon86.exe file, in an attempt to get rid of this trojan. Now, I cannot log on to Windows! The computer boots up, and then as it is logging on, the desktop is displayed (empty) for a brief time, and then it logs off and reverts back to the log on page (administrator, guest, etc.). What can I do? I am willing to reformat to get rid of the virus, but I need to log on so I can back up some important data. Could someone at a computer repair shop back up my hard drive with this problem, so I can then reformat?

  5. admin Says:

    jason, you need to restore Windows registry using Last good configuration mode. Then use HijackThis to fix winlogon86.exe or use removal instructions (the link above).

  6. John Says:

    Merry Christmas to all.
    I got the same problem as Jason. I deleted the winlogon86.exe file and now I can’t log on to Windows. I get a loop: when I try to log on it starts loading my settings but then it logs off :(.
    Safe mode or last good configuration mode didn’t work… same loop and I can’t enter Windows. I also deleted winhelper86.dll and winupdate86.exe using Recovery Console but it didn’t help. I use a hp notebook with xp home sp3 and I wonder if my recovery or repair hp cd’s will help me start Windows (for the moment I can’t find them 🙁 ).
    Sorry for my mistakes, English is a second language for me. Thanks in advance for any help.

  7. U8MYR!CE™ Says:

    jason

    put in your Windows Disc and boot into Repair, you will see a dos mode, press "1" go into "C:\Windows" directory and type in your user/admin password.

    after that go into your "System32" folder by typing "cd System32" without "quotes"

    then enter in:
    "copy winlogon.exe winlogon86.exe" and
    "copy winlogon.exe winupdate86.exe" <-- just in case

    type: "exit" to restart

    after you log into your desktop, press "[Windows Key] + R" and enter "regedit",
    then go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" and at
    "UserInit = c:\windows\system32\winlogon86.exe" change it back to "UserInit = c:\windows\system32\userinit.exe" and you're done!

    download "Malwarebytes' Anti-Malware" and do a rescan on your computer. AND REMEMBER! Change all your old passwords.

  8. Mark Says:

    I had the same thing as Jason – deleted the winlogon86.exe file, in an attempt to get rid of this trojan. Now, I cannot log on to Windows! The computer boots up, and then as it is logging on, the desktop is displayed (empty) for a brief time, and then it logs off and reverts back to the log on page (administrator, guest, etc.). The question is how do I restore the Windows registry?

  9. John Says:

    This is how I restore my system to an old good configuration before all that mess.
    Boot with the windows XP CD

    At “Welcome to setup screen” Press R

    Select the appropriate path for windows and press enter
    If it asks you for the administrator password, type the administrator password and
    press enter or just hit enter
    We will now see the Prompt c:\windows>
    Step 1:
    ——–
    cd system32 enter, then dir enter
    AVR10.exe
    critical_warning.html
    winhelper86.dll
    winupdate86.exe
    winlogon86.exe
    delete all files : del AVR10.exe, del critical_warning.html etc…
    I also deleted one file but I am not sure if it was 41.exe or 31.exe
    Anyway delete them both if you spot them.
    Step 2:
    ——–
    cd system32\config

    ren system system.old
    ren software software.old
    ren SAM SAM.old
    ren security security.old
    ren default default.old

    type cd \ or cd C:\ enter and it will display C:\>

    Step 3:
    ——–
    Type cd "\System Volume Information" enter (including quotes)
    Type dir enter
    Hopefully, you will see a folder with a large name of the form: _restore{MANY-NUMBERS-AND-LETTERS-HERE}.
    Type cd _restore{YOUR-NUMBERS-AND-LETTERS-HERE}
    Type dir
    It will list your Restore Points
    (e.g. RP511, RP512, RP513, RP514, etc…) with dates in front of the line, make sure that you choose one where you
    had a good system configuration

    Select the one from the list EXCEPT the last one (this one is with the bad configuration)
    Say RP514 is the last one.

    type cd RP513 (or RP512 or RP511 or RPn) and enter

    type cd snapshot and enter
    type dir and enter
    now you see files like _registry_user…… and _registry_machine…….

    type copy _registry_user_.default c:\windows\system32\config\default and enter (note 1st one is .default but 2nd is default)

    type copy _registry_machine_security c:\windows\system32\config\security and
    enter

    type copy _registry_machine_software c:\windows\system32\config\software and
    enter

    type copy _registry_machine_system c:\windows\system32\config\system and enter

    type copy _registry_machine_sam c:\windows\system32\config\sam and enter

    type exit and enter

    Take extra care when you are typing,
    remember to eject your CD and hopefully your pc will
    be like the date you selected.
    All xxxxx.old files in step 2 are for backup, after you are back in Windows you can delete them. Needless to say this is just to log in to Windows, then you have to clean it … and for me Task manager had an error but I fixed it too.
    GL 2 all… and Happy New Year !

  10. Charles Says:

    Hi Mark,
    No need to restore your registry. Boot up with your Windows disk, pick repair with command prompt, then follow “U8MYR!CE” instructions above

    good luck

  11. tju6 Says:

    First, thank you to those who posted in the forum. You got me a long way down the road to a fix. All seems to be OK now. So, I thought I’d share:

    My symptoms:

    – Got the worm.win32.netsky screen
    – Got the “spyware alert” wallpaper
    – task manager was disabled
    – ability to change wallpaper was disabled
    – winupdate86.exe was present
    – removed winupdate86.exe and got the login/logout loop problem
    – Symantec email protection kept detecting that my machine had been compromised and I was sending spam

    The final solution appears to be:

    – Kill winupdate86 process
    – Run symantec scan
    – Run Ccleaner (free download)
    – Run malwarebytes (free download)
    – Update to win xp SP3 (which handles the spamming problem)

    I tried to manually fix all of this, but the problems came back twice.  When I turned Symantec email-protection back on, it showed I was still spamming, and then the other symptoms came back eventually.  Doing the steps above seems to have solved it. 

    Here are some tips on some of the other problems people are having:

    Enabling  Task Manager

    ***
    When trying to run regedit and getting the message that it’s been infected and cannot run (fake), simply try to run it again while the fake warning alert is still on-screen.  You’ll get through the second time.  Then fix the value for “DisableTaskMgr” under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] to be zero instead of one.  This will reinstate your task manager.  Then use it to blow away the winupdate86 process, the 41.exe process, and anything else that looks hinky.
    ***

    I would add that FastNetSrv was a process that was problematic in my scenario.

    Login/Logout problem after removing winsetup86.exe (see U8MYRICE’s post above – THANKS!!!)

    Put in your Windows Disc and boot into Repair, you will see a dos mode, press "1" go into "C:\Windows" directory and type in your user/admin password.
    after that go into your "System32" folder by typing "cd System32" without "quotes"
    then enter in:
    "copy winlogon.exe winlogon86.exe" and
    "copy winlogon.exe winupdate86.exe" <-- just in case
    type: "exit" to restart

    But, in the end, after you are able to kill the winsetup86.exe process, make sure and run malwarebytes AND update to Win XP SP3. I had to do both to keep the problems from coming back.

  12. John Says:

    Same problem

    And what's worse is this is a work computer that has all my work on it 🙁

    I can't log into Windows at all after getting rid of that winupdate and winlogin

  13. john Says:

    I tried to do the above but it didn't work. Can I use any Recovery cd or does it have to be my version of Windows? (I don't have the recovery cd for that one)

  14. john Says:

    I got in.

    But the only thing is now in my run folder I got winupdate86.exe……..is it ok to delete that?

  15. admin Says:

    Yes, you can remove winupdate86.exe, but before, use HijackThis to remove winupdate86.exe autorun entry from Windows registry.

  16. Rex Says:

    This worked like a charm, although when I tried to download the link from malwarebytes anti-malware it took me to PCtools. I downloaded theirs and scanned and it found hundreds of threats, but they wanted to charge me for removing them. I uninstalled it, went to Malwarebytes.com and downloaded their program, scanned and it cleaned everything just fine. Thank you very much for your help

  17. DJOran Says:

    Hey all…

    I was stuck with the same problem on my machine. I was in the endless loop at the login screen and couldn’t get anywhere. I did exactly what U8MYR!CE mentioned above and finally got past the login screen. Unfortunately, that was as far as I got. My desktop comes up with my wallpaper but nothing else…no icons, no system tray, task bar, nothing!!! Just a blank screen (with the exception of my wallpaper.) I tried, in vain, to hit the windows key + R which yielded nothing.

    Any more ideas? I’d really hate to format the HD if it’s a simple (or even a not so simple) fix.

    Thanks……Dave

  18. admin Says:

    Dave, once Windows loaded, press CTRL + ALT + DEL.
    Windows Task Manager should open.
    Click File, New Task.
    Type explorer.exe and press Enter.
    It should load your icons and task bar.
    Now, download and run Malwarebytes Anti-malware.

  19. DJOran Says:

    I tried that and the task manager option is “grayed out” so that isn’t an option for me. If it helps, it’s Windows XP Pro. Any other thoughts?

  20. Sam Gil Says:

    My computer had Win32.NetSky,
    Symptoms:
    1. Desktop on the computer showed that your computer is infected with Win32.NetSky
    2. In the system tray I see RED “X” icon.
    3. Task Manager is disabled
    4. View->Field Options in Windows Explorer is also disabled.
    5. If I try to system restore to previous restore point it display the following message: “System restore has been turned off by your group policy. To turn on system restore; contact your domain administrator.”
    System restore was enabled on my system.

    What I did:
    I rebooted the system in safe mode, same behavior (task manager disable, system restore is not available etc.).
    Investigation:
    I found following files under C:\Windows\System32 with most recent date time stamp (say 1/13/2010):
    1. IS15.exe 0 bytes
    2. Helper32.dll 0 bytes
    3. IE Warning.htm 3kb
    4. wpa.dbl 2kb
    5. winlogon32.exe 21kb
    6. smss32.exe 21kb
    7. oh77tim.dll 145kb
    8. info.tmp 40kb

    Uncheck through MSCONFIG
    In Startup Tab I also UNCHECKED
    1. SMSS32 which points to C:\Windows\System32\SMSS32.EXE
    2. AWY84 which points to C:\Documents and Settings\\Local Settings\Temp\AWY84.EXE

    Deleting files while logged in SAFE mode:
    1. I deleted all the files from C:\Documents and Settings\\Local Settings\Temp.
    There were couple EXE (e.g. AWY84.EXE) files with most recent date time stamp.

    2. Deleted files from C:\Windows\System32
    a. IS15.exe 0 bytes
    b. Helper32.dll 0 bytes
    c. IE Warning.htm 3kb
    d. wpa.dbl 2kb
    e. winlogon32.exe 21kb
    f. smss32.exe 21kb
    g. oh77tim.dll 145kb
    h. info.tmp 40kb

    Rebooted:
    Now when I go to log on after a restart it keeps taking me back to the log on screen to hit ctrl alt delete to log on with my password, I enter my password and it keeps taking me back to the log on screen?
    Same behavior is happening in SAFE Mode as well.

    I followed the instructions that U8MYR!CE mentioned.

    1. Put in your Windows Disc and boot into Repair, you will see a dos mode, press "1" go into "C:\Windows" directory and type in your user/admin password.
    after that go into your "System32" folder by typing "cd System32" without "quotes"
    then enter in:
    "copy winlogon.exe winlogon86.exe" and
    "copy winlogon.exe winupdate86.exe" <-- just in case
    type: "exit" to restart
    I am unable to log in to my system. When I log on after a restart it keeps taking me back to logon screen.

    I really, really appreciate if someone helps to resolve this issue.

    Thanks in anticipation.

  21. Sam Gil Says:

    Please HELP! I have this virus on my computer and before I found this thread, I deleted the file: C:/Windows/System32/SMSS32.exe, C:/Windows/System32/IS15.exe,
    C:/Windows/System32/helper32.exe and now when I go to log on after a restart it keeps taking me back to the log on screen to hit ctrl alt delete to log on with my password, I enter my password and it keeps taking me back to the log on screen?

    I followed the instruction what U8MYR!CE suggested on

    But I am still unable to logon. System keeps taking me back to the log on screen.

    Any suggestions?

  22. Susan Says:

    I saw U8MYR!CE instructions on removing winupdate86.exe. Mine is named winupdate32.exe. Do the same instructions apply? After I had removed it, my computer logs off right after logging in.
    I am referring to the reply from U8MYR!CE posted December 28, 2009 @ 2:41am

  23. admin Says:

    Susan, boot your computer in Recovery console.
    Type
    cd system32
    Press Enter.
    Type
    copy userinit.exe winlogon32.exe
    Press Enter.
    Type
    exit
    Press Enter.

  24. Julie Says:

    Hi everyone,
    I had the same logon/logoff loop that others (like John above) were having. On a forum someone pointed me to this website: thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/ Dan is extremely helpful. Even when the initial fix on his site didn’t work at first (my userinit file had a wrong registry value) I emailed him and he guided me through the process. Highly recommended! I was able to get my system back and running (it was a lot of work, but that’s OK) without having to reformat.

  25. Jason Says:

    Just wanted to say that you guys saved me! I had to backdoor it via John’s way and was finally able to get back to where my PC was useable. Thanks so much for putting the time and energy into helping people with this. Good karma is on the way!

  26. Pete Says:

    Same problem as Jason and Susan above. Want to follow the instructions but I don’t have a windows xp boot disk. My hp Dv1000 did not come with one. Where can I find one so I can replace the winlogon32.exe file with userinit.exe? Oh and should I be worried about losing hard drive data before I try this? Is there a way to backup the hard drive to a portable USB drive even though I can’t logon? Any advice would be greatly appreciated!!! Thanks.

  27. admin Says:

    Download Recovery console boot cd from here and burn it to a clean CD Disk.
    Boot from the disk and follow above steps (admin Says: January 15th, 2010 at 12:10 am).
