What is winlogon86.exe?

Having lots of problems with my wife's computer...

Got winhelper86.dll and ran spybot (norton also running). That seems to have killed the internet connection in removing it. Downloaded and ran freefixer, which turned up winlogon86. I deleted that and now I can't log on to windows (type in password and it starts, then logs out and brings me back to the log on page). I can't boot in safe mode either.

Did I erase the wrong file, causing the log on problems or what?

# 1 Dec 2009, 10:04

I have the same problem, which I haven't been able to fix yet.

# 1 Dec 2009, 11:07

I ended up just reformatting and doing a fresh install, but thank you for the quick and detailed response! Hopefully I won't run into this again, but it should help others that have problems.

# 1 Dec 2009, 17:46

Thanks Roger! I only wish I would have found this article earlier. This helped me save my Boss's computer and he is very grateful about that to say the least.

Thanks also for UBCD reference. I never heard of this tool and it is very interesting.

Is there anything else that needs to be removed that you know of now that I am able to login?

# 2 Dec 2009, 14:24

Thanks Roger! Great great great !!!
I followed exactly Your 11 points and I saved an infected XP home sp1 of friend. Btw the infection winlogon86.exe was from facebo.Ok; he clikked yes on some link without thinking were he would be led to...BIG mistake :-) He "accidentaly" downloaded winlogon86.exe and no longer could access his XP couse he was stucked at logon.
winlogon86.exe changed the XP registry value as Roger Karlsson found out!

# 6 Dec 2009, 15:32

The virus is smart and prevents must registry programs from running. Running restore is not possible. Another solution is to copy restore.exe to another name like fixthis.exe. You can then run fixthis.exe which allows you to restore the system to an earlier date and time. This may save the hassle of creating a boot usb. Thanks "Roger Karlsson" for information and userinit.exe, that explained what was really happening.

# 8 Dec 2009, 11:52

I discovered this page while fighting winupdate86.exe. I deleted that nasty program manually, and found other associated files including WINLOGON86.EXE, which I also deleted. Now I discovered my computer would NEVER BOOT UP AGAIN. I had no idea! Your instructions on how to burn a BOOTABLE CD were very helpful, and got my computer back to life again. Thank you.

I have one remaining problem that I will work on today. My wireless adapter is working just fine, but my computer will not connect to internet. I have checked the settings, IPCONFIG, renew, TCPIP protocol settings are good, etc. I finally found some commands to clear the WINSOCK channels. Now Skype is connecting to the internet, but FireFox and Internet Explorer will NOT connect. Not sure why.

# 12 Dec 2009, 12:44

to fix your internet please write in cmd and then - netsh winsock reset

# 18 Dec 2009, 10:30

Renaming the restore.exe utility sounds like the easiest fix but has anyone conquered this virus using just FreeFixer version 0.50?

A lot of my camera and accessory utility files showed up in the freefixer scan. I think the primary file and registry entry names involved with this hack are.

AVR10.exe
critical_warning.html
winhelper86.dll
winupdate86.exe
winlogon86.exe

# 18 Dec 2009, 18:10

Great information.
I got the winlogon86.exe and the winupdate86.exe on my system. I had to boot up in DOS just to see what had happened. From your information, I decided to copy userinit.exe on top of winlogon86.exe. Just to see what would happen. I also deleted winupdate86.exe. I did not have a reg editor on my boot disk to point back to userinit.exe. The system booted up without a problem. I then corrected the userinit.exe entry in the reg. I also found that the task manager had been disabled in "My Computer\HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Policies\System\DisableTaskMgr" and that the Wallpaper had been disabled "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\NoChangingWallpaper."
Two other entries that I found were "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoActiveDesktopChanges" and "My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetActiveDesktop." I deleted both.

Again, great information.

# 21 Dec 2009, 23:29

THANK YOU for the boot disk info. I used it to restore the registry to an earlier date and am able to boot computer now. I'm back to original problem of winupdate86 and how to remove it. Just downloaded the freefixer program and will try that. Thank you again!!

# 22 Dec 2009, 4:31

Basically I've removed all the .exe's and dll's listed above but now when i login it just stays on a black screen and loads forever. I'm on windows 7 so I've put in the CD loaded the regeditor and strangely my userinit entry is correct and i cant find anything for the disable tskmngr thing. Any help would be appreciated.

Cheers

# 26 Dec 2009, 16:56

After 4 hours of playing about I cracked it!! If your a window's 7 user don't load the registry editor via your windows 7 cd. It will show your userinit entry clean e.g. "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, UserInit = c:\windows\system32\userinit.exe,"

But I was still having problem's logging in. I loaded my pc up into safemode, ctrl alt deleted, went into task manager, started a new task "explorer.exe" from there go into your windows system 32 folder. Load up CMD and type regedit. Once in your regedit follow roger karllson's advice. For some reason the regedit you boot from the windows 7 cd display's everything as if your pc was working.

# 26 Dec 2009, 17:53

My Vista PC was infected with this last night. I've been able to work through most of this, but I'm still suffering from what appears to be a DNS spoofing issue. I'm unable to resolve certain domains (symantec.com, kaspersky.com, trendmicro.com, etc). Other domains resolve fine. Obviously, I'm unable to load/update AV software via the Internet. Google searches via IE will randomly redirect the browser to bogus "security" sites. Any ideas where to go looking to resolve this issue?

# 29 Dec 2009, 8:12

Hi, my sister got this virus, and thanks so much for all the help!!! But I still have locked wallpaper, cant change it from their warning wallpaper, help please.

# 22 Jan 2010, 13:20

problems,problems,laptop,vista, infected with winlogon32, I deleted the file and now I can not get back into the pc. I turn it off it looks like its loading, then nothing but a black screen, I cant get access to anything, just a black screen.I tried downloading fixes on my other pc to disc, then inserted the disc but still black screen ant prompt it to run the disc, very frustrated. Is there anyway to get into my desktop or boot menu, to try and fix this??

# 25 Jan 2010, 8:08

Hi Roger,

I have the same issue. I am not able to logon.
The moment I get it, it loggs me off.
I tried to follow your 11 steps. I downloaded the UBCD4Win. However when I try to set it up on my other machine, my anti virus detects some files MBRFIX.exe and I am not able to complete the setup.
I tried to use Win XP bootable CD, but it directly starts installing new version.
I also booted my PC with a frnds USB drive. I was able to login. I also reset my reg entry. But probably this was the reg entry for that USB drive.
Please help me out. Thanks in advance.

# 26 Jan 2010, 9:49

Roger
your the coolest dude, everything you said works great..
thanks for your commitment in helping the PC community

# 30 Jan 2010, 19:53

I've tried this, but my computer won't boot off a CD. I put it in, go to the boot menu and select the CD drive, but it still boots off the HDD. I've changed the order of preference and even told it not to boot off anything other than a CD, but no joy. Any suggestions?

# 8 Feb 2010, 9:41