Removing rrFilter MalWare

Does your browser have random double underline links and pop-up ads? Remove them now

What RrFilter Does to Your Browser

If you see bold blue double underlined hyperlinks under several words on almost everypage of your browser you probably have rrFilter installed or similiar malware. Here’s an example of what it looks like on your browser page (double click to enlarge)

RRFilter will also redirect you to srv123.com – in Chrome, for instance I noticed tabs that would just spontaneously popup with long url’s starting with srv123.com. rrFilter is particularly aggressive and hard to remove. I scanned my system with 4 different spyware/malware tools and none of them found it. I finally decided to manually search out and destroy it.

How to Disable and Remove RrFilter

Here’s how to disable and remove rrFilter from your system (at least as of 4-12-14. These programs constantly change their way of installation to hide themselves so if you look on your system for rrFilter you may find they have installed under a different name or somewhere else on your system then what’s shown in this tutorial. So if the Short Version doesn’t work for you try the longer more detailed version below to understand how to figure out what to delete and remove).

Short Version

To Disable and Remove From Your System:

1. Windows Key-R > type “services.msc”, click OK.
2. Under “Processes” kill “bukgmhvrux”. Under “Services” stop “bukgmhvrux64” and “RrFilterService64”

3. Windows Key-R > type “%program files%
4. Delete folder “02” (has the bukgmhvrux64 executable files in it)
5. Windows Key-R > type “%program files%
6. Delete folder “rrfilter”
7. Windows Key-R > type “Regedit”
8. In RegEdit, delete these registry keys (drill down until you find them, then delete or follow this video on how to find a key):
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RrFilterService64
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bukgmhvrux64
9. In regedit, search for CA901A03-85D9-4901-9555-59F2AED61F4B (this is guid for one of them, i think the rrfilterservice) and delete all registry keys that contain that GUID.

10. In regedit search for RrFilterService64 and bukgmhvrux64 and delete any relevant registry keys.

Longer, version – Explains how to manually find rrFilter and similar malware and remove.

1. Startup TaskManager. You do this by right clicking on your task bar, and clicking TaskManager:
   
2. Look for anything that looks wrong. I found one almost right off the bat called “bukgmhvrux” running as a process:

   I immediately right clicked and clicked “End Task” and it died! I reloaded my browser and the browser links went away!. Sorry – no screen shots of that as I forgot ! But not done yet…

3. Using Regedit, Search the registry for “bukgmhvrux”.

   Can’t remember exactly but believe this led me to the GUID of CA901A03-85D9-4901-9555-59F2AED61F4 which eventually gave me the path to rrfilter and bukgmhvrux. I then went back and stopped the rrfilter service and deleted the folder.

4. Here’s the key values associted with bukgmhvrux64 which shows the path to delete (program files 002):
   
5. I then checked Task Manager again, this time looking in Services and found the following and stopped these: