Vista - tattlletale winload keylogger trojan standard in Vista?

After installing RC 1 Vista, I noticed using XSOFTSPY that in
windows\system32\winload.EXE a Trojan is mentioned named tattletale. I can
not remove it.

I have understood that Tattletale is used for "parental control", i.e. a
keylogger that should be used by parents to "spy" their children. Easily it
can be used for other usage as well. Xsoftsy call is a severe risk. (I
agree).

My questions
1: Is this a standard element of Vista? or have I installed it by accident
separately?
2: How can I remove this.

It is not part of Vista..perhaps someone installed it without your knowledge.

PC Tattletale
http://www.pcworld.com/downloads/fil...scription.html

--
Carey Frisch
Microsoft MVP
Windows Shell/User

--------------------------------------------------------------------------------------

"Marinus" <Marinus@discussions.microsoft.com> wrote in message news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
After installing RC 1 Vista, I noticed using XSOFTSPY that in
windows\system32\winload.EXE a Trojan is mentioned named tattletale. I can
not remove it.

I have understood that Tattletale is used for "parental control", i.e. a
keylogger that should be used by parents to "spy" their children. Easily it
can be used for other usage as well. Xsoftsy call is a severe risk. (I
agree).

My questions
1: Is this a standard element of Vista? or have I installed it by accident
separately?
2: How can I remove this.

How have you tried to remove it? You should check your startup programs to
at least keep it from starting. Have you tried stopping it in Task Manager
and then uninstalling it?


"Marinus" <Marinus@discussions.microsoft.com> wrote in message
news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
> After installing RC 1 Vista, I noticed using XSOFTSPY that in
> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
> can
> not remove it.
>
> I have understood that Tattletale is used for "parental control", i.e. a
> keylogger that should be used by parents to "spy" their children. Easily
> it
> can be used for other usage as well. Xsoftsy call is a severe risk. (I
> agree).
>
> My questions
> 1: Is this a standard element of Vista? or have I installed it by accident
> separately?
> 2: How can I remove this.
>
>
>
>
>

Can we say "false positive"? I dl'd this program, ran it, and it claimed
winload.exe was a trojan and also claimed i had a trojan/adware in my
hostfile..... hmmm only entry in my host file is loopback. Another program
deleted like many other so called spyware scanners I've tried. I wouldn't
pay for it.

"Marinus" <Marinus@discussions.microsoft.com> wrote in message
news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
> After installing RC 1 Vista, I noticed using XSOFTSPY that in
> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
> can
> not remove it.
>
> I have understood that Tattletale is used for "parental control", i.e. a
> keylogger that should be used by parents to "spy" their children. Easily
> it
> can be used for other usage as well. Xsoftsy call is a severe risk. (I
> agree).
>
> My questions
> 1: Is this a standard element of Vista? or have I installed it by accident
> separately?
> 2: How can I remove this.
>
>
>
>
>

Winload.exe is a part of the Vista RTM operating system. You will find two
instances of it on your computer.

One will be in C:\Windows\System32 and is 918k

The other is in C:\Windows\System32\Boot and is 918k

Both are dated Thursday, ‎November ‎02, ‎2006, �‎07:42:32

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!



"Marinus" <Marinus@discussions.microsoft.com> wrote in message
news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
> After installing RC 1 Vista, I noticed using XSOFTSPY that in
> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
> can
> not remove it.
>
> I have understood that Tattletale is used for "parental control", i.e. a
> keylogger that should be used by parents to "spy" their children. Easily
> it
> can be used for other usage as well. Xsoftsy call is a severe risk. (I
> agree).
>
> My questions
> 1: Is this a standard element of Vista? or have I installed it by accident
> separately?
> 2: How can I remove this.
>
>
>
>
>

Winload.exe is a part of the Vista RTM operating system. You will find two
instances of it on your computer.

One will be in C:\Windows\System32 and is 918k

The other is in C:\Windows\System32\Boot and is 918k

Both are dated Thursday, ‎November ‎02, ‎2006, �‎07:42:32



--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!



"Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
news:30F99664-9677-44DC-99B9-A2BD48737E44@microsoft.com...
> It is not part of Vista..perhaps someone installed it without your
> knowledge.
>
> PC Tattletale
> http://www.pcworld.com/downloads/fil...scription.html
>
> --
> Carey Frisch
> Microsoft MVP
> Windows Shell/User
>
> --------------------------------------------------------------------------------------
>
> "Marinus" <Marinus@discussions.microsoft.com> wrote in message
> news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
> After installing RC 1 Vista, I noticed using XSOFTSPY that in
> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
> can
> not remove it.
>
> I have understood that Tattletale is used for "parental control", i.e. a
> keylogger that should be used by parents to "spy" their children. Easily
> it
> can be used for other usage as well. Xsoftsy call is a severe risk. (I
> agree).
>
> My questions
> 1: Is this a standard element of Vista? or have I installed it by accident
> separately?
> 2: How can I remove this.
>
>
>
>
>

Additionally, many forms of malware take on the name of a valid Windows
system file. If you find a similarly named file in another location - it is
a trojan, malware or virus.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!



"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
news:%23K5WIG$NHHA.140@TK2MSFTNGP04.phx.gbl...
> Winload.exe is a part of the Vista RTM operating system. You will find two
> instances of it on your computer.
>
> One will be in C:\Windows\System32 and is 918k
>
> The other is in C:\Windows\System32\Boot and is 918k
>
> Both are dated Thursday, ‎November ‎02, ‎2006, �‎07:42:32
>
> --
>
>
> Regards,
>
> Richard Urban
> Microsoft MVP Windows Shell/User
> (For email, remove the obvious from my address)
>
> Quote from George Ankner:
> If you knew as much as you think you know,
> You would realize that you don't know what you thought you knew!
>
>
>
> "Marinus" <Marinus@discussions.microsoft.com> wrote in message
> news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
>> After installing RC 1 Vista, I noticed using XSOFTSPY that in
>> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
>> can
>> not remove it.
>>
>> I have understood that Tattletale is used for "parental control", i.e. a
>> keylogger that should be used by parents to "spy" their children. Easily
>> it
>> can be used for other usage as well. Xsoftsy call is a severe risk. (I
>> agree).
>>
>> My questions
>> 1: Is this a standard element of Vista? or have I installed it by
>> accident
>> separately?
>> 2: How can I remove this.
>>
>>
>>
>>
>>
>

Hi Richard,

OP's problem is that their anti-spyware program is out of date and not up to
snuff for Vista. It is misidentifying the legitimate winload.exe file with
the one provided by the PC Tattletale malware.

I just knew this was going to start happening when they used the file name
of known malware for the system bootloader.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Windows help - www.rickrogers.org

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
news:%23KqRSG$NHHA.5016@TK2MSFTNGP04.phx.gbl...
> Winload.exe is a part of the Vista RTM operating system. You will find two
> instances of it on your computer.
>
> One will be in C:\Windows\System32 and is 918k
>
> The other is in C:\Windows\System32\Boot and is 918k
>
> Both are dated Thursday, ‎November ‎02, ‎2006, �‎07:42:32
>
>
>
> --
>
>
> Regards,
>
> Richard Urban
> Microsoft MVP Windows Shell/User
> (For email, remove the obvious from my address)
>
> Quote from George Ankner:
> If you knew as much as you think you know,
> You would realize that you don't know what you thought you knew!
>
>
>
> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
> news:30F99664-9677-44DC-99B9-A2BD48737E44@microsoft.com...
>> It is not part of Vista..perhaps someone installed it without your
>> knowledge.
>>
>> PC Tattletale
>> http://www.pcworld.com/downloads/fil...scription.html
>>
>> --
>> Carey Frisch
>> Microsoft MVP
>> Windows Shell/User
>>
>> --------------------------------------------------------------------------------------
>>
>> "Marinus" <Marinus@discussions.microsoft.com> wrote in message
>> news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
>> After installing RC 1 Vista, I noticed using XSOFTSPY that in
>> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
>> can
>> not remove it.
>>
>> I have understood that Tattletale is used for "parental control", i.e. a
>> keylogger that should be used by parents to "spy" their children. Easily
>> it
>> can be used for other usage as well. Xsoftsy call is a severe risk. (I
>> agree).
>>
>> My questions
>> 1: Is this a standard element of Vista? or have I installed it by
>> accident
>> separately?
>> 2: How can I remove this.
>>
>>
>>
>>
>>
>

Hi all,

I've learned a lot. I've even managed to change the owner of the
(system)file, necessary to delete it. Actually I have deleted all the
Winload-files (diffrent creation-date), so the system did not boot anymore.
Never mind, this is "testing" and the installationpackage was obvious
manipulated and not trustable in any way.

Thanks a lot for all answers.

Marinus



"Richard Urban" wrote:

> Additionally, many forms of malware take on the name of a valid Windows
> system file. If you find a similarly named file in another location - it is
> a trojan, malware or virus.
>
> --
>
>
> Regards,
>
> Richard Urban
> Microsoft MVP Windows Shell/User
> (For email, remove the obvious from my address)
>
> Quote from George Ankner:
> If you knew as much as you think you know,
> You would realize that you don't know what you thought you knew!
>
>
>
> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
> news:%23K5WIG$NHHA.140@TK2MSFTNGP04.phx.gbl...
> > Winload.exe is a part of the Vista RTM operating system. You will find two
> > instances of it on your computer.
> >
> > One will be in C:\Windows\System32 and is 918k
> >
> > The other is in C:\Windows\System32\Boot and is 918k
> >
> > Both are dated Thursday, ‎November ‎02, ‎2006, �‎07:42:32
> >
> > --
> >
> >
> > Regards,
> >
> > Richard Urban
> > Microsoft MVP Windows Shell/User
> > (For email, remove the obvious from my address)
> >
> > Quote from George Ankner:
> > If you knew as much as you think you know,
> > You would realize that you don't know what you thought you knew!
> >
> >
> >
> > "Marinus" <Marinus@discussions.microsoft.com> wrote in message
> > news:9BFE8654-F9FB-44F4-A8A7-6904A2BB8804@microsoft.com...
> >> After installing RC 1 Vista, I noticed using XSOFTSPY that in
> >> windows\system32\winload.EXE a Trojan is mentioned named tattletale. I
> >> can
> >> not remove it.
> >>
> >> I have understood that Tattletale is used for "parental control", i.e. a
> >> keylogger that should be used by parents to "spy" their children. Easily
> >> it
> >> can be used for other usage as well. Xsoftsy call is a severe risk. (I
> >> agree).
> >>
> >> My questions
> >> 1: Is this a standard element of Vista? or have I installed it by
> >> accident
> >> separately?
> >> 2: How can I remove this.
> >>
> >>
> >>
> >>
> >>
> >
>
>

I think I have a similar/maybe related problem and would appreciate if
someone could help me. I did an upgrade from XP to Vista Home basic on my
sons computer. It does not have a DVD drive so had to install from 5 CD's.
I put the parental lock on as the computer is in his room and wanted to have
some control on what is viewed (and doing homework rather than
chatting/surfing)!! ;oP

All seemed to be working fine. My son then got to the computer and removed
Grand Theft Auto. The computer no longer starts - he assures me this is all
he did.

It gives the error winload.exe missing or corrupt (yadda, yadda, yadda). It
tells me to reinsert disc and restart. I do this and it wont read the CD. I
have checked boot sequence and it is CD first.

Now what? Please help or provide some ideas as I just cant afford to pay to
fix this one.

thanks in advance

"Marinus" wrote: