Winupdate86.exe (Winupdate86) Trojan Virus File Removal

Danger Winupdate86.exe is a dangerous file which creates activities on a user’s computer which may be highly undesirable. This file is unsafe.

Type: Trojan Virus (Click Here To Learn More)
Location: C:\WINDOWS\Winupdate86.exe (Click Here To Learn How To Locate)
Risk Level: Moderate (Learn More About Risk Levels)

The file is generally bundled with Advanced Virus Remover, which is a fake antivirus program.

Below is our recommended removal tool for Winupdate86.exe. The removal tool has been rated 5 cows out of 5 by Tucows and was previously CNET’s Editor’s Choice. Feel free to download it below.

download

Manual Removal – Winupdate86.exe may be removed through analyzing your HijackThis log. Feel free to post your hijackthis log below if you need assistance analyzing it. Hijackthis will be ideal to manually remove the virus

Click Here To Learn About HijackThis. To download HijackThis, please click HERE.

Winupdate86.exe File Details -
File Type – EXE – Winupdate86.exe is a executable file
First Identified – November 26 2018

Common Questions -
1. What is a computer virus? (Click Here To View)
2. How did I get this computer virus? (Click Here To View)
3. What common symptoms show that my computer may be infected? (Click Here To View)
4. How can I check if Winupdate86.exe is a computer virus? (Click Here To View)
5. What are some antivirus and antispyware programs which I can use to remove viruses and spyware? (Click Here To View)

We recommend that you follow our safety tips so that you can keep your computer clean. Please click here to view our safety tips

Please post comments below. Your comments are both useful to visitors and to us.

This entry was posted on Thursday, November 26th, 2018 at 2:32 am and is filed under Malware Removal. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

25 Responses to “Winupdate86.exe (Winupdate86) Trojan Virus File Removal”

Dominic December 2nd, 2018 at 8:47 am

This thing blocked everything on my computer, including safe mode, regedit, taskmgr. it had every base covered. smart virus, very smart.

i deleted it but it came right back, scanned the directory for it. couldn’t find what was bringing it back. Finally restored my norton ghost copy.

joe December 2nd, 2018 at 3:26 pm

I used AVG Free to find this virus but while it was still scanning windows shut down the system stating that it was protecting the computer from damage. So now the computer goes to the start up screen where I choose whether to run windows normally or in safe mode. Neither of these work and the computer just resets right after selecting one.
Can any one give me some advice on what to do?

gary December 6th, 2018 at 6:50 pm

Yes it’s a very tough virus, the only one I haven’t been able to get off of a system. After working on it for 16 hrs I ended up having to reformate the HD, didn’t have a ghost copy so it wasn’t fun. Installed Windows on a spare HD then slaved the old HD and transferred files I needed to the new HD, after scanning the files of course. Anyone who gets this virus I wish them luck.

Peter December 7th, 2018 at 2:58 am

Guys, its nasty but they left one door open.

Try to run regedt32.exe. This will generate a popup, DO NOT CLOSE IT. Now run Regedt32 again and it will open. Search and kill every reference to winupdate86.exe. Also search for winlogon86.exe but don’t delete the userinit key. Change the key from winlogon86.exe to userinit.exe. Reboot the computer and it should be a lot better. Now you can delete winlogon86.exe, winupdate86.exe and winhelper86.dll (I think). Now your just left to cleanup the policies so you can run task manager and change the desktop wallpaper.

Tsunebo December 9th, 2018 at 1:45 am

Hey, I think I’ve got it!!

With the information wrote on this URL, ( https://community.trendmicro.com/t5/Malware-Discussions/worm-virus-not-detected-by-antivirus-adaware-programs/m-p/1638 ) and Peter’s info about winlogon86.exe, My system got to normal boot.

But, netwotek connection over TCP/IP was still broken. So I tried HijackThis and found Winsock2 was infected by AVR.

The HijackThis told me that, “Broken Internet access because of LSP provider ‘c:\windows\system32\winhelper86.dll’ missing”.

So I tried LSP-fix, a free download utility, and I got my PC to work correctly now.

Please try it.

Thanks for all informations by everyone.

chandan December 11th, 2018 at 4:30 pm

this is so annoying :(

finally i removed that threat

Lost computer December 12th, 2018 at 3:38 am

This one is very dangerous, if not stopped immediately it will write itself into your registry, startup programs, rewrite registry entries, duplicate itself into your prefetch folder, write itself into all saved restored points, until it finally restarts computer and blocks all attempts to login, no matter if under normal or any F8 safe mode options. Informed Symantec of seriousness… no responce, told to reinstall windows

Jonathan727 December 12th, 2018 at 7:04 am

So while i was working on this computer that was infected, i found it super helpful to run this batch file i wrote that kills the processes that keep on interfering. it kills a bunch of the processes and then uses the ping command as a pause for like 6 seconds then repeats in case the program hhad re launched. the program is below. just put it in note pad and then save it as killvirusapp.bat (selecting all files from the drop down box) and then run it by double clicking on it. stop the batch at any time with ctrl + b

:killtasks
taskkill /f /T /IM winupdate86.exe
taskkill /f /T /IM winulogin86.exe
taskkill /f /T /IM is2010.exe
taskkill /f /T /IM AVR10.exe
taskkill /f /T /IM 41.exe
taskkill /f /T /IM winhelper86.exe
taskkill /f /T /IM winhelper86.dll
ping 127.0.0.1 -n 6 -w 1000 > nul
goto killtasks

ArVan December 14th, 2018 at 3:40 pm

I’ve got the virus just today and now I’m trying to get rid of it. As it was self-creating itself any time I’ve tried to delete it, I killed those tasks, and removed the files myself.
But now there is another problem….
Every time I reboot my pc, Windows starts, logs in and without loading anything logs off. It shows the welcome screen and a user account I never had… After selecting the user account, it says “Logging off”… So I’m always logged off even iv I’m logged in :( ((
And also the safe mode is not available.
What do you think I can do???

Frank747 December 14th, 2018 at 10:19 pm

Same Here…..
I’m thinking of putting the hard drive as Slave, copying my data files and re-formating it……any other suggestions

Jeff December 15th, 2018 at 7:09 pm

Same here, Arvan. What do we do now? :( I can’t seem to engage F2, F8, or F12. This is a huge mess…

sad face December 17th, 2018 at 12:52 am

Is there any way I can remove it on Vista? Regedt32 only comes up with another cmd prompt, and i can’t install anything…

Emmanuel December 17th, 2018 at 1:43 pm

I had this last night, run Spybot and the microsoft tool to remove the malware. But after reboot i have the same problem. Unable to log in, as it logs straight back out to welcome screen. I’ve done some research and found that you can repair the Operating system by booting up from CD with the operating system Disc.

I only have a recovery/reinstallation disc, but i wanna see if can repair windows and at least get onto my system to copy files off.

Mike December 20th, 2018 at 5:50 pm

To fix problem that does not allow you to login to windows after virus winupdate86 removal, do the following:
(1) using your windows installation disk to login to system – anable feature boot from CD drive in BIOS,
(2) insert Windows installation disk
and reboot PC
(3) when CD brings up menu hit (R) for Repair
(4) login into your account from command promt
(5) change directory by typing “cd system32″ and press enter
(6) remane winlogon.exe by typing ” rn winlogon.exe winulogin86.exe” and press enter
(7) reboot your system as usual an login to Windows to do reverse renaming winulogin86.exe to winlogon.exe

Grace Davis December 27th, 2018 at 12:50 pm

thankyou “Mike” it work
i failed a couple of times
it start working after i “copy winlogon.exe winlogon86.exe” (no “u”) and so into winlogin86.exe, winupdate86.exe

Grace Davis December 27th, 2018 at 1:35 pm

restore your registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

UserInit = c:\windows\system32\winlogon86.exe

back to:

UserInit = c:\windows\system32\userinit.exe

chris December 30th, 2018 at 10:16 pm

I think I finally got everything off and restored except that I can’t get safe mode to work. Any luck there?

Donald January 1st, 2019 at 6:54 pm

Thanks for all info on this site for this annoying thing. It took a lot to get rid of everything and all tips were needed.

Eric January 3rd, 2019 at 3:39 am

The information on this site was great, thanks to all. This virus/whatever was a pain, but Peter and Tsunebo’s tricks about the regedit and lspfix were key. Also, there was a bad AVR10.exe file on my computer. I basically searched in the windows/system32 folder for exe files created the day I was infected. Good luck!

lynn January 6th, 2019 at 12:10 am

Got virus it shut down system. Restarted-would not boot up unless in safe mode-ran avg quarantined viruses-restarted- would not boot up at all-not even in safe mode-got fix it utilities professional- restored to point before virus-can now boot up and repair

Valentino January 6th, 2019 at 9:11 pm

Peter, Thanks so much for the great advise! I have worked on this for many hours with no success it always came back. I spent almost $100.00 in mcafee products as well as spyware software, they would find them delete them and it would all come back. After reading your comment it took all of 10 minutes and 1 reboot to fix this issue.

Known Issues:
-Would not allow video’s/music to play.
-Would not allow me to search internet for virus help. They would come up but when I clicked the link it would direct me to some other websites.

Thanks again!!

ILPrinterguy January 13th, 2019 at 6:28 pm

Valentino:
Redirects are usually in the hosts file.
“C:\WINDOWS\system32\drivers\etc\hosts” Open it with notepad and clean it out. The only critical entry is:
“127.0.0.1 localhost”
Three things to remember, MAKE A BACKUP, save the file with NO EXTENTION (no .txt) and MAKE A BACKUP.

Jared January 25th, 2019 at 2:42 pm

Thanks to James and the rest of you guys, I finally got this horrible virus off my computer. However, I still can’t get online. I tried the LSPFIX and that didn’t do it either.

I also tried restoring an old hosts file and that didn’t fix the internet either.

The interesting thing is that while I use 2 remote managmenet programs (LogMeIn and NTRConnect), NTRConnect still works, but LogMeIn doesn’t.

Does this help figure out what is screwing up my ability to get to the web?

Angela February 11th, 2019 at 6:30 pm

HI,
I deleted the av.exe files from my registry and restarted. Now I cannot start my programs or run exe files to correct the virus. Any suggestions? I managed to open IE though…not sure how that happened!

Leave a Reply