Categories: Malware

Removing rrFilter MalWare

WARNING

This tip involves changing the Windows Registry. Changing the Registry can harm your computer if you do it incorrectly! It is highly recommended that before you implement any registry changes, you make a backup of your registry using the Microsoft way or some third-party tool like Regbak from AceLogix. If you are not comfortable with the registry, do not make changes, since changes can cause your computer not to boot, which means that you may have to re-install Windows and lose your data.

Does your browser have random double underline links and pop-up ads? Remove them now

What RrFilter Does to Your Browser

If you see bold blue double-underlined hyperlinks under several words on almost every page of your browser, you probably have rrFilter or similar malware installed. Here's an example of what it looks like on your browser page:

rrFilter will also redirect you to srv123.com. In Chrome, for instance, I noticed tabs that would just spontaneously pop up with long URLs starting with srv123.com. rrFilter is particularly aggressive and hard to remove. I scanned my system with 4 different spyware/malware tools and none of them found it. I finally decided to manually search it out and destroy it.

How to Disable and Remove RrFilter

Here's how to disable and remove rrFilter from your system (at least as of 4-12-14). These programs constantly change the way they install themselves in order to hide, so if you look on your system for rrFilter you may find it installed under a different name or somewhere else than what's shown in this tutorial. If the Short Version doesn't work for you, try the longer, more detailed version below to understand how to figure out what to delete and remove.

Short Version

To Disable and Remove From Your System:

  1. Windows Key-R > type "services.msc", click OK.
  2. Under "Processes" kill "bukgmhvrux". Under "Services" stop "bukgmhvrux64" and "RrFilterService64".
  3. Windows Key-R > type "%ProgramFiles%", click OK.
  4. Delete folder "02" (has the bukgmhvrux64 executable files in it).
  5. Windows Key-R > type "%ProgramFiles%", click OK.
  6. Delete folder "rrfilter".
  7. Windows Key-R > type "Regedit", click OK.
  8. In RegEdit, delete these registry keys (drill down until you find them, then delete, or follow this video on how to find a key):
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RrFilterService64
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bukgmhvrux64
  9. In RegEdit, search for CA901A03-85D9-4901-9555-59F2AED61F4B (this is the GUID for one of them, I think the RrFilterService) and delete all registry keys that contain that GUID.
  10. In RegEdit, search for RrFilterService64 and bukgmhvrux64 and delete any relevant registry keys.
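The steps above can also be run as a single audit script. The following PowerShell is an added example, not part of the original post: it checks every indicator the Short Version names (the bukgmhvrux process, the two services, the "02" and "rrfilter" folders under Program Files, the two service registry keys, and any key whose name contains the GUID) and only reports what it finds. Removal happens only with the -Remove switch, and each registry key is exported to a .reg file before it is deleted, which is the backup the warning at the top asks for. The parameter names, the backup folder, and the choice to search CurrentControlSet in addition to ControlSet001 are this example's own assumptions; everything else comes from the post.

```powershell
# Added example (not from the original post): audit and optional clean-up of the
# rrFilter indicators listed in the Short Version. Read-only unless -Remove is given.
# Run from an elevated PowerShell prompt. Names, paths and the GUID are from the
# post; -Remove, -BackupDir and the search roots are this example's own choices.
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:USERPROFILE\Desktop\rrfilter-backup"
)

$processName  = 'bukgmhvrux'
$serviceNames = @('bukgmhvrux64', 'RrFilterService64')
$folders      = @("$env:ProgramFiles\02", "$env:ProgramFiles\rrfilter")
$guid         = 'CA901A03-85D9-4901-9555-59F2AED61F4B'
# The post names ControlSet001; CurrentControlSet is a link to whichever control
# set is active, so check both (assumption: the key may live in either).
$serviceKeys  = foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    foreach ($svc in $serviceNames) { "HKEY_LOCAL_MACHINE\SYSTEM\$cs\Services\$svc" }
}

function Backup-RegistryKey([string]$NativeKey) {
    # reg.exe takes the HKEY_LOCAL_MACHINE\... form; write one .reg per key
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $file = Join-Path $BackupDir (($NativeKey -replace '[\\:]', '_') + '.reg')
    & reg.exe export $NativeKey $file /y | Out-Null
    Write-Host "  backed up $NativeKey -> $file"
}

# 1. Running process
$proc = Get-Process -Name $processName -ErrorAction SilentlyContinue
if ($proc) {
    Write-Host "[process]  $processName running (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
} else { Write-Host "[process]  $processName not running" }

# 2. Services
foreach ($svc in $serviceNames) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Write-Host "[service]  $svc present, status $($s.Status)"
        if ($Remove -and $s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
    } else { Write-Host "[service]  $svc not found" }
}

# 3. Folders under Program Files (list contents so the evidence is on record first)
foreach ($f in $folders) {
    if (Test-Path $f) {
        Write-Host "[folder]   $f exists:"
        Get-ChildItem $f -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host "    $($_.FullName)  ($($_.Length) bytes)" }
        if ($Remove) { Remove-Item $f -Recurse -Force }
    } else { Write-Host "[folder]   $f not found" }
}

# 4. The two service registry keys
foreach ($native in $serviceKeys) {
    $ps = $native -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    if (Test-Path $ps) {
        $ip = (Get-ItemProperty $ps -ErrorAction SilentlyContinue).ImagePath
        Write-Host "[registry] $native exists (ImagePath: $ip)"
        if ($Remove) { Backup-RegistryKey $native; Remove-Item $ps -Recurse -Force }
    } else { Write-Host "[registry] $native not found" }
}

# 5. Keys whose name contains the GUID. A full-hive walk is slow, so search the
#    places a service or COM registration would normally live (assumption).
$searchRoots = @('HKLM:\SYSTEM\CurrentControlSet',
                 'HKLM:\SOFTWARE\Classes\CLSID',
                 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')
$matches = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$guid*" }
}
foreach ($m in $matches) {
    Write-Host "[registry] GUID match: $($m.Name)"
    if ($Remove) {
        Backup-RegistryKey $m.Name
        # a parent may already have been removed in this loop, so ignore "not found"
        Remove-Item -Path $m.PSPath -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

Run it once without -Remove and read the report; a machine that shows none of the indicators is not infected with this particular variant, which is the situation the post's closing paragraph addresses. Because the services are stopped before the folders and keys are deleted, the order matches the Short Version and avoids "file in use" errors on the executables in the "02" folder.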

Longer version – explains how to manually find rrFilter and similar malware and remove it.

The below is based on my screenshots and my memory, so it is probably somewhat out of order, but it will give a basic idea of how to manually find this type of malware and remove it.

  1. Start up Task Manager. You do this by right-clicking on your task bar and clicking Task Manager.
  2. Look for anything that looks wrong. I found one almost right off the bat called "bukgmhvrux" running as a process.

     I immediately right-clicked and clicked "End Task" and it died! I reloaded my browser and the browser links went away! Sorry – no screenshots of that, as I forgot! But not done yet…

  3. Using RegEdit, search the registry for "bukgmhvrux".

     I can't remember exactly, but I believe this led me to the GUID of CA901A03-85D9-4901-9555-59F2AED61F4, which eventually gave me the path to rrfilter and bukgmhvrux. I then went back and stopped the rrfilter service and deleted the folder.

  4. Here are the key values associated with bukgmhvrux64, which show the path to delete (program files 002).
  5. I then checked Task Manager again, this time looking in Services, and found the following and stopped these.

If you still have issues, then it probably isn't rrFilter that is causing the problem. It could be a malware browser extension or some program that is located elsewhere. Check all your Google Chrome extensions, IE extensions and Firefox extensions and uninstall anything that is not needed or looks strange, especially any that were installed around the time you started experiencing the pop-ups. Also go into Control Panel -> Programs and Features and start uninstalling any programs you did not intentionally install that were installed around the time you started experiencing problems. Run a few malware-finding programs. I won't go into detail here, but here's a link that does:
http://malwaretips.com/blogs/remove-adware-popup-ads/
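The "installed around the time the pop-ups started" check in the paragraph above can be done in one pass rather than by scrolling through Programs and Features and chrome://extensions. The script below is an added example, not from the original post: it reads the same Uninstall registry keys that Programs and Features displays (InstallDate there is yyyyMMdd text and is not always filled in, so programs with no date are listed too), and it reads each Chrome extension's manifest.json from the profile's Extensions folder, using the extension folder's creation time as the install time. The -Days window and the decision to flag undated programs are this example's assumptions; the registry paths and the Chrome profile layout are the standard locations.

```powershell
# Added example (not from the original post): list recently installed programs
# and Chrome extensions so new arrivals stand out. Read-only; nothing is removed.
# -Days is this example's own parameter; paths are standard Windows/Chrome locations.
param([int]$Days = 30)

$since = (Get-Date).AddDays(-$Days)

# Programs and Features is built from these three Uninstall keys.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$programs = foreach ($root in $uninstallRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if (-not $p.DisplayName) { return }          # skip entries with no visible name
        $date = $null
        if ($p.InstallDate -match '^\d{8}$') {       # yyyyMMdd text when present
            $date = [datetime]::ParseExact($p.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            Name        = $p.DisplayName
            Publisher   = $p.Publisher
            InstallDate = $date
            Uninstall   = $p.UninstallString
        }
    }
}

Write-Host "Programs installed in the last $Days days (undated entries included):"
$programs |
    Where-Object { -not $_.InstallDate -or $_.InstallDate -ge $since } |
    Sort-Object InstallDate -Descending |
    Format-Table Name, Publisher, InstallDate -AutoSize

# Chrome keeps each extension at <profile>\Extensions\<id>\<version>\manifest.json.
# Built-in component extensions appear here too, so treat this as a list of
# candidates to confirm in chrome://extensions, not as a verdict.
$chromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$extensions = Get-ChildItem (Join-Path $chromeUserData '*\Extensions\*') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $idDir    = $_
        $manifest = Get-ChildItem $idDir.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
                    Select-Object -First 1
        if (-not $manifest) { return }
        $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
        $name = $m.name
        if ($name -like '__MSG_*') { $name = "$name (localized name, see _locales)" }
        [pscustomobject]@{
            Profile   = $idDir.Parent.Parent.Name     # "Default", "Profile 1", ...
            Id        = $idDir.Name
            Name      = $name
            Version   = $m.version
            Installed = $idDir.CreationTime
            Recent    = $idDir.CreationTime -ge $since
        }
    }

Write-Host "Chrome extensions (Recent = folder created in the last $Days days):"
$extensions | Sort-Object Installed -Descending |
    Format-Table Profile, Id, Name, Version, Installed, Recent -AutoSize
```

The extension Id printed here is the 32-letter folder name, which is the same id shown in chrome://extensions with Developer mode on, so a suspicious entry can be matched and removed from Chrome's own UI. IE and Firefox keep their add-ons elsewhere and are not covered by this script.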

Charlie
