PC Tattletale Removal

Last Modified: 2013-12-04
My XoftSpySE tells me I have PC Tattletale on my computer but that it cannot remove

c:\windows\system32\winload.exe  

Does this mean it cannot delete PC Tattletale?  I have Windows Vista, by the way.

Commented:
http://www.securemost.com/articles/rm_pctattletale.htm

PCTattletale Manual Removal:

Warning: The following instructions are only for advanced computer users. We recommend that you back up your system registry or create a System Restore Point before any risky step. We offer no warranty of any kind to manual operators. For common users we recommend removing malware using anti-spyware tools, such as PestPatrol, Spyware Doctor, BPS Spyware&Adware Remover, ...

To uninstall PCTattletale:

   1. Terminate the processes in TaskManager:
      msn6mngr.exe
      Netlogon.exe
      svchost.exe
      Wincmd.exe
      WinLoad.exe
      WinSysMngr.exe
      PCTT.exe

   2. Click Start > Run. Type REGSVR32 -u <Dll_name>. Then click OK. Replace <Dll_name> with the following:
      %SystemRoot%\explorer32\chattext.dll
      %SystemRoot%\MSN32.dll

   3. Click Start > Run. Type regedit. Then click OK. Navigate to and delete the subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Explorer
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Welcome
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E8AC9B0E9894094189EA59912D1CCA3
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\39E9F6C570B40D842A0953B8A8C07ADB
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\51799C1F87136324485141E00C6A942F
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\535AAC914F48699489B746B6ADD9165A
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D77628069B703345B8F64FB8EE22104
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\830EE956C56E84D45A51DD1CDC6E26A3
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91E6512C39B0465449BA5314D057905E
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A45B49DECD972DF4892DD152ACF2E0E1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C12F23E87949C614289082A5A0B1BFCD
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6D6E8663969C4142A4CDE91F63BDD38
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\{0FFA260F-8A4D-4906-B572-6028A18DE3D5}

      Navigate to the subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the values:
      "(default)" = "", "WinLoad" = "%System%\Winload.exe"

   4. Remove these files in Explorer:
      %SystemRoot%\Instructions.htm
      %SystemRoot%\KbdMonitor.exp
      %SystemRoot%\KbdMonitor.lib
      %SystemRoot%\mscomct2.ocx
      %SystemRoot%\mscomctl.ocx
      %SystemRoot%\msinet.ocx
      %SystemRoot%\MSN32.dll
      %SystemRoot%\mswinsck.ocx
      %SystemRoot%\PCTT.exe
      %SystemRoot%\tabctl32.ocx
      %SystemRoot%\UninstallPCTT.exe
      %SystemRoot%\Unzip32.dll
      %SystemRoot%\WinLoad.exe
      %SystemRoot%\xwebpic10.ocx
      %SystemRoot%\zip32.dll

   5. Remove the directory in Explorer:
      %SystemRoot%\explorer32\
      %ProgramFiles%\Common Files\InstallShield\Driver\7\Intel 32\

Lainie49 - how did this spyware get onto your PC? Have you disabled UAC?

Author

Commented:
No, I haven't disabled User Account Control, if that's what you're referring to.  I originally had CoolWebSearch, the msconfig bug.  XoftSpy removed everything but PC Tattletale and tells me it cannot remove  c:\windows\system32\winload.exe because other programs are using it.   I ran XoftSpy again and it still tells me the same thing.
I'm just curious as to how Vista could get infected as easily as XP. Was this a clean install or an upgrade?

Author

Commented:
Brand new computer pre loaded with vista.  I'm thinking about this and wondering if I "accepted" this when I was in a hurry or something.  I can't say that it isn't a possibility.  

Author

Commented:
Is the above solution by Sage the only way to remove it, by the way?  I'm no computer expert and I don't want to screw up my new computer totally :-)
Seems to be, although take a backup of your system before making these changes, including a backup of the registry. As it's Vista, it should be pretty straightforward, although run regedit and export the entire registry to a file somewhere.

Author

Commented:
Ok, thanks so much for all your help.  I'll let you know how it goes (if I don't screw up my computer).

Author

Commented:
Has anybody tried to follow the directions for removal of Tattletale that are listed here for Vista?  I don't find the same values as shown.  I cannot find winload.exe at all.  I'm still trying to figure out how this problem occurred.  I went into my Windows Defender to try to update it and it will not update either.

Commented:
I think it's because the keylogger has the same name as the Windows Vista boot program. Wrong identification, I suppose. There's no way such a keylogger can infect Vista. The winload.exe is untouchable.

Commented:
Interesting dilemma,
I was looking at this and found that PC tattletale is a parental control.

http://www.pctattletale.com/ 
http://www.download.com/3000-2092-10268339.html

If this has not been installed by a member of your household (I cleaned from a client's machine and a jealous partner re-installed.)

http://www.symantec.com/security_response/writeup.jsp?docid=2005-062215-5127-99 helps and has detailed instructions for removal.
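
The checks raised in this thread (the files and Run value listed in the manual removal steps, and the question of whether `System32\winload.exe` is really the Vista boot loader), as an added read-only PowerShell example that is not part of the original posts. It assumes PowerShell is installed and uses only paths named in the steps above; nothing is deleted or changed.

```powershell
# Added example (not from the thread): read-only triage, nothing is deleted.
# Paths come from steps 4 and 5 of the quoted removal guide. Shared controls
# such as mscomctl.ocx are left out because legitimate software installs them too.
$paths = @(
    "$env:SystemRoot\PCTT.exe",
    "$env:SystemRoot\UninstallPCTT.exe",
    "$env:SystemRoot\WinLoad.exe",
    "$env:SystemRoot\MSN32.dll",
    "$env:SystemRoot\KbdMonitor.lib",
    "$env:SystemRoot\explorer32"
)
foreach ($p in $paths) {
    New-Object PSObject -Property @{ Path = $p; Present = (Test-Path -LiteralPath $p) }
}

# Autostart value named in step 3 of the guide.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['WinLoad']) {
    "Run value WinLoad = $($run.WinLoad)"
} else {
    'Run value WinLoad: not present'
}

# The file the scanner flagged. On Vista this path is also the OS boot loader,
# so report its signature and version before anyone tries to delete it.
$boot = Join-Path $env:SystemRoot 'System32\winload.exe'
if (Test-Path -LiteralPath $boot) {
    $sig = Get-AuthenticodeSignature -FilePath $boot
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    New-Object PSObject -Property @{
        File    = $boot
        Status  = $sig.Status
        Signer  = $signer
        Version = (Get-Item -LiteralPath $boot).VersionInfo.FileVersion
    }
} else {
    "$boot not found"
}
```

A `Valid` status with a Microsoft signer on `System32\winload.exe`, combined with no `WinLoad` Run value and none of the listed files present, suggests the scanner matched on the file name alone.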