What is winupdate86.exe?

Hi my computer is infected last night 17/11/2009 01:05 am on site http://trinixy.ru/. NOD32 v4 (always updated) is recognized infection as trojandownloader.fakealert.AOP but it is not deleted. After restart and scan in safe mod, trojan is deleted. Now i got this message "the application or DLL C:\WINDOWS\system32\winhelper86.dll is not a valid windows image. please check this against your installation diskette". This message appear when I start application: skype, goggletalk, chrome, vypresschat(chat in local network)...
My browsers,IE,Mozilla,chrome and meesangers doesn't work but when i ping sites in CMD (ping www.google.com)i got replay message from all(100% packets sent and recived).
I cant open task manager. In System32 exist winupdate86.exe and winhelper86.dll.
p.s. sorry for english.

# 17 Nov 2009, 6:19

Running Vista Ultimate. Became infected yesterday with Winupdate86.exe. I have been battling with it since. Also, when I reboot, my computer tells me it is infected with Worm.Win32.NetSky. Using Windows Defender, SuperAntiSpyware, FreeFixer v0.49, and FxNetsky from the Symantec website. I seem to be winning, as I have regained the use of TaskManager, which disappeared when the infection started.

# 22 Nov 2009, 13:20

I solved the problem with ComboFix. It's powerful application (3MB).

# 23 Nov 2009, 4:24

Spyhunter has located this malware on my machine but I have to purchase the program in order to remove it - we had several "fake" warnings, I am pretty sure it is on the machine. I downloaded freefixer, which appears to be a useful tool, but it did not find the same file - I'd like to find out how to remove it without having to purchase anything.

# 28 Nov 2009, 20:19

I recently worked on a machine that was infected and it did a number of crazy things. Task Manager was disabled so it wouldn't start, cmd command was recognized as a hazzard so you couldn'r get a command prompt, and the PC would blue screen when you tried to boot in Safe Mode or Safe Mode Command Prompt. I got so fed up that I just formatted.

# 1 Dec 2009, 6:51

I got this virus when my wife clicked a message on Facebook. Very difficult to remove! I've been able to get to the task manager after I left the warning message on the screen, after I try and start SmitfraudFix.exe. I could then also delete it from the registry. However, even after terminating it in the Task Mgr processes, deleting and all that, it still is coming back!

# 2 Dec 2009, 18:15

This is also associated with the winlogon86.exe malware also located in the c:\windows\system32 folder.

http://www.freefixer.com/library/file/44908/

Be cautious in deleting these files though, you might find that you are unable to login to your computer if you delete winlogon86.exe

Follow Roger's steps in the link above and your problem will be fixed. The Registry key with the userinit.exe file associated needs to be restored to what it was originally or the virus will keep coming back.

# 3 Dec 2009, 22:20

I also got winupdate86.exe. it's very smart. came in through a google prompt. it blocks safe mode, regedit, taskmgr and most everything else. i used a different task manager to identify it. removed it from the files and register but it kept coming right on back. i finally restored my ghost copy. just got tired of trying to track it down.

# 4 Dec 2009, 15:54

hi there. i have discovered a number of files associated with this throughout my systems folder. winhelper86.dll is definately 1 of them. winlogon86 is a copycat that is associated which stores and uses your password when you are not online with the program you caught it through. i.e. if u installed it from a fake youtube site it will log onto your youtube account. if you infected from facebook, it will use your facebook account. i have incountered these programs before due to my silly flatmates using my computer. hope that helps

# 6 Dec 2009, 19:28

What a nightmare! I had pop-ups indicating I had a problem. After much review, I finally discovered the problem was winupdate86.exe. Since REGEDIT and TASKMGR were locked out, I had to pull these files from my other computer, and re-name them. But TASKMGR did not work until I edited registry. While in safe-mode, I killed winupdate86, and that revealed it was the problem program. I decided to delete winupdate86.exe manually. Also did a file sort by date, and discovered related files, including some 0 byte files. I deleted all of them. I did not realize deleting WINLOGON86.exe would mean my computer will NEVER BOOT UP AGAIN. But then I found your other page with instructions on how to burn a BOOTABLE CD, and got untangled from that problem. Thanks for your helpful info!

# 12 Dec 2009, 12:32

We can remove this file manually or using scans. But removing this file alone will lead to NO BOOT. The will be associated with userinit in Registry. The Winlogon entry in registry will have the key for Userinit referring to Winupdate86.exe. So if we are removing the file either by scan or manual steps change the key for Userinit to "C:\Windows\System32\Userinit.exe"

HKLM>Software>Microsoft>Windows NT>Current Version>Winlogon

# 18 Dec 2009, 22:38

This is the first root kit I have ever encountered so I'm not sure what the *best* procedure to use is.

After using taskmanagerfix to reaccess task manager and end the winupdate86 process I used regedit to look for culprits manually.

Searching the registry for win*86.* revealed two entries.
I *deleted* the winupdate86 entry in the run folder and *changed* the winlogon86 entry in Winlogon.

Rootkit versions can change and rewrite your registry all kinds of different ways. If freefixer does not perform a Diff of the registry and some restore save points you might be safer to just roll your system back a few days using restore before deleting the files that freefixer finds.

# 20 Dec 2009, 8:53

To fix problem that does not allow you to login to windows after virus winupdate86 removal, do the following:
(1) using your windows installation disk login to system - enable feature boot from CD drive in BIOS,
(2) insert Windows installation disk
and reboot PC
(3) when CD brings up menu, hit (R) for Repair
(4) login into your account from command prompt
(5) change directory by typing "cd system32" and press enter
(6) rename winlogon.exe by typing " rn winlogon.exe winulogin86.exe" and press enter
(7) reboot your system as usual an login to Windows to do reverse renaming winulogin86.exe to winlogon.exe

# 20 Dec 2009, 10:10

Mike,

Are your sure about renaming the file to "winulogin86.exe"

Should this be "winlogon86.exe"

# 29 Dec 2009, 17:53