Roguekiller wiped out my Windows Defender!?

[foxxewilder]

Okay, I admit I know next to NOTHING about this software but it was listed,
 among other software, to test for a certain viral infection.

Win Defender was working from what the results showed BUT, upon repairs,
Roguekiller wiped out my Windows Defender!

it won't initiate from the services windows at all and windows update has been failing on the updates
on the same program.

Can anyone be of help. Some little jerk at MS wanted to extort 150 US to fix this, I think the guy is just being a jerk!

help?  <

[Tigzy]

Hey
Do you have the reports?

[Tigzy]

By the way, the only case where RogueKiller cleans Windows Defender, is facing a ZeroAccess infection.
It only removes the symbolic link that the infection has created to kill Windows Defender. http://nakedsecurity.sophos.com/zeroaccess3/

You have to repair the services that ZeroAccess has removed too (same link bove for detailed description).
You can do this with several tools, but RogueKiller does embeds such feature => Tools menu, Repair services.

[foxxewilder]

By the way, the only case where RogueKiller cleans Windows Defender, is facing a ZeroAccess infection.
It only removes the symbolic link that the infection has created to kill Windows Defender. http://nakedsecurity.sophos.com/zeroaccess3/

You have to repair the services that ZeroAccess has removed too (same link bove for detailed description).
You can do this with several tools, but RogueKiller does embeds such feature => Tools menu, Repair services.

I've never heard of zeroaccess at all. I used Roguekiller (this is why this message is in this forum).

 It took it out of the services, did something to it so it can't be upgraded nor fixed (normally) and MS wants 150 bucks US to repair the problem so you can pretty well guess I am pretty pissed off at Win 8, MS and RogueKiller.

It created about 7 txt files on the desktop (that ironically, I actually saved to a floppy disk for later examination/translation into english)

the last one goes as follows: (note: all Identifying links have been altered BY ME to "xx" in this file for security reasons)


RogueKiller V8.8.6 _x64_ [Feb  7 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600 ) 64 bits version
Started in : Safe mode with network support
User : eh546 [Admin rights]
Mode : Scan -- Date : 02/09/2014 10:07:55
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{97DF7D10-FDB9-41C2-987B-6356DBAD78C5} : NameServer (xx.xx.x.xx.xx.xx.x.xx,xx.xx.x.xx [CANADA (CA) - CANADA (CA) - CANADA (CA)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{97DF7D10-FDB9-41C2-987B-6356DBAD78C5} : NameServer (xx.xx.x.xx.xx.xx.x.xx,xx.xx.x.xx [CANADA (CA) - CANADA (CA) - CANADA (CA)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowVideos (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST1000DM003-9YN162 +++++
--- User ---
[MBR] efec3d91db4b651f4d3541a8b8db1427
[BSP] 326aee74c296b4bfbfc85c1683656d25 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 250 | Size: 410 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD3200AAJS-00M0A0 +++++
--- User ---
[MBR] 5b45fa114203d7765856831493511700
[BSP] 311680bf39007db9725077c1b324b57a : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 16068 | Size: 305235 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) SAMSUNG HD103SJ +++++
--- User ---
[MBR] 2890f74b05517fd2a4e52b7d6d2f483b
[BSP] 4bf8bd660f3f2baff77304b36a635186 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 15120 | Size: 953859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02092014_100755.txt >>

[Tigzy]

There's nothing related to Windows Defender here...
Why is your conclusion to say RogueKiller did this?

Did you hit the 'Delete' button? I'm not asking to do it right now, just trying to know if you have a DELETE report ( RKreport[0]_D_xxxxxxxxx.txt )

(Note. If your native language is French, it's accepted as well, I do speak French too)

[foxxewilder]

There's nothing related to Windows Defender here...
Why is your conclusion to say RogueKiller did this?

Did you hit the 'Delete' button? I'm not asking to do it right now, just trying to know if you have a DELETE report ( RKreport[0]_D_xxxxxxxxx.txt )

(Note. If your native language is French, it's accepted as well, I do speak French too)

I did find the issue, for some reason or another, Defender was removed from the registry. I found a hacker kid online that had that same issue.
there is a fix but it lies within the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend

the system was blocking access and change to the internals of that key for some odd reason so I renamed it to WinDefend_Old
ran the WinDefender.Reg file I downloaded from the same site as the Hacker kid used and it's all good now

(I didn't keep the website though... perhaps I should have...)

BUT... it's all fixed now
 

[Tigzy]

Glad you solved your problem.
Could you please answer my questions above? We'd like to determinate where the issue came from.