Lainie49

PC Tattletale Removal

My XoftSpySE tells me I have PC Tattletale on my computer but that it cannot remove

c:\windows\system32\winload.exe  

Does this mean it cannot delete PC Tattletale?  I have Windows Vista, by the way.
jvuz

http://www.securemost.com/articles/rm_pctattletale.htm

PCTattletale Manual Removal:

Warning: The following instructions are only for advanced computer users. We recommend that you back up your system registry or create a System Restore Point before any risky step. We offer no warranty of any kind to manual operators. For common users we recommend removing malware using anti-spyware tools, such as PestPatrol, Spyware Doctor, BPS Spyware&Adware Remover, ...

To uninstall PCTattletale:

   1. Terminate the processes in TaskManager:
      msn6mngr.exe
      Netlogon.exe
      svchost.exe
      Wincmd.exe
      WinLoad.exe
      WinSysMngr.exe
      PCTT.exe

   2. Click Start > Run. Type REGSVR32 -u <Dll_name>. Then click OK. Replace <Dll_name> with the following:
      %SystemRoot%\explorer32\chattext.dll
      %SystemRoot%\MSN32.dll

   3. Click Start > Run. Type regedit. Then click OK. Navigate to and delete the subkeys:
      HKEY_LOCAL_MACHINE\SOFTWARE\Explorer
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Welcome
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E8AC9B0E9894094189EA59912D1CCA3
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\39E9F6C570B40D842A0953B8A8C07ADB
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\51799C1F87136324485141E00C6A942F
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\535AAC914F48699489B746B6ADD9165A
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D77628069B703345B8F64FB8EE22104
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\830EE956C56E84D45A51DD1CDC6E26A3
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91E6512C39B0465449BA5314D057905E
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A45B49DECD972DF4892DD152ACF2E0E1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C12F23E87949C614289082A5A0B1BFCD
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6D6E8663969C4142A4CDE91F63BDD38
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\{0FFA260F-8A4D-4906-B572-6028A18DE3D5}

      Navigate to the subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the values:
      "(default)" = "", "WinLoad" = "%System%\Winload.exe"

   4. Remove these files in Explorer:
      %SystemRoot%\Instructions.htm
      %SystemRoot%\KbdMonitor.exp
      %SystemRoot%\KbdMonitor.lib
      %SystemRoot%\mscomct2.ocx
      %SystemRoot%\mscomctl.ocx
      %SystemRoot%\msinet.ocx
      %SystemRoot%\MSN32.dll
      %SystemRoot%\mswinsck.ocx
      %SystemRoot%\PCTT.exe
      %SystemRoot%\tabctl32.ocx
      %SystemRoot%\UninstallPCTT.exe
      %SystemRoot%\Unzip32.dll
      %SystemRoot%\WinLoad.exe
      %SystemRoot%\xwebpic10.ocx
      %SystemRoot%\zip32.dll

   5. Remove the directories in Explorer:
      %SystemRoot%\explorer32\
      %ProgramFiles%\Common Files\InstallShield\Driver\7\Intel 32\
5t34lth_G33k

Lainie49 - how did this spyware get onto your PC? Have you disabled UAC?

ASKER

No, I haven't disabled User Account Control, if that's what you're referring to.  I originally had CoolWebSearch, the msconfig bug.  XoftSpy removed everything but PC Tattletale and tells me it cannot remove c:\windows\system32\winload.exe because other programs are using it.  I ran XoftSpy again and it still tells me the same thing.

I'm just curious as to how Vista could get infected as easily as XP. Was this a clean install or an upgrade?

Brand new computer preloaded with Vista.  I'm thinking about this and wondering if I "accepted" this when I was in a hurry or something.  I can't say that it isn't a possibility.

Is the above solution by Sage the only way to remove it, by the way?  I'm no computer expert and I don't want to screw up my new computer totally :-)

Seems to be, although take a backup of your system before making these changes, including a backup of the registry. As it's Vista, it should be pretty straightforward, although run regedit and export the entire registry to a file somewhere.

Ok, thanks so much for all your help.  I'll let you know how it goes (if I don't screw up my computer).

Has anybody tried to follow the directions for removal of Tattletale that are listed here for Vista?  I don't find the same values as shown.  I cannot find winload.exe at all.  I'm still trying to figure out how this problem occurred.  I went into my Windows Defender to try to update it and it will not update either.

I think it's because the keylogger has the same name as the Windows Vista boot program. Wrong identification, I suppose. There's no way such a keylogger can infect Vista. The winload.exe is untouchable.

Interesting dilemma,
I was looking at this and found that PC tattletale is a parental control.

http://www.pctattletale.com/ 
http://www.download.com/3000-2092-10268339.html

If this has not been installed by a member of your household (I cleaned from a client's machine and a jealous partner re-installed.)

http://www.symantec.com/security_response/writeup.jsp?docid=2005-062215-5127-99 helps and has detailed instructions for removal.
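
The thread turns on whether the flagged c:\windows\system32\winload.exe is the Vista boot loader or the PCTattletale file of the same name listed in the manual removal steps. The read-only check below is an added example, not part of any post in this thread and not vendor code: it reports which of the listed indicators are present and who signed each winload.exe, and it changes nothing. It assumes PowerShell is installed and run from an elevated prompt.

```powershell
# Added example: read-only triage. Nothing is terminated, unregistered or deleted.
$sysRoot = $env:SystemRoot

# 1. Files and the directory named in steps 4 and 5 of the quoted instructions
#    (the shared .ocx controls are left out because other software installs them too).
$indicators = @(
    'PCTT.exe', 'UninstallPCTT.exe', 'WinLoad.exe', 'MSN32.dll',
    'KbdMonitor.exp', 'KbdMonitor.lib', 'Instructions.htm', 'explorer32'
) | ForEach-Object { Join-Path $sysRoot $_ }

foreach ($p in $indicators) {
    $state = if (Test-Path $p) { 'FOUND ' } else { 'absent' }
    "$state  $p"
}

# 2. Autostart value named in step 3.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.WinLoad) { "FOUND   Run\WinLoad = $($run.WinLoad)" } else { 'absent  Run\WinLoad' }

# 3. Signature of every winload.exe in the two locations the thread mentions.
#    A Valid status with a Microsoft signer points to the boot loader; any other
#    result is a reason to look closer, not proof of spyware.
$candidates = @(
    (Join-Path $sysRoot 'System32\winload.exe'),
    (Join-Path $sysRoot 'WinLoad.exe')
)
foreach ($f in $candidates) {
    if (-not (Test-Path $f)) { "absent  $f"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    $who = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
    "{0}`n    status = {1}`n    signer = {2}" -f $f, $sig.Status, $who
}

# 4. Running processes from step 1, with their image paths. svchost.exe is also a
#    normal Windows process name, so the path matters more than the name.
#    Path can be blank when the session is not elevated.
$names = 'msn6mngr', 'Netlogon', 'svchost', 'Wincmd', 'WinLoad', 'WinSysMngr', 'PCTT'
Get-Process -Name $names -ErrorAction SilentlyContinue |
    Sort-Object Name |
    Select-Object Name, Id, Path |
    Format-Table -AutoSize
```

If the only hit is a validly signed System32\winload.exe and none of the other indicators are present, the scanner result is consistent with a name-based match rather than an installed copy of the monitoring tool.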