Removing rrFilter Malware
This tip involves changing the Windows Registry. Changing the Registry can harm your computer if you do it incorrectly! It is highly recommended that before you implement any registry changes, you make a backup of your registry using the Microsoft way or some third-party tool like Regbak from AceLogix. If you are not comfortable with the registry, do not make changes, since changes can cause your computer not to boot, which means that you may have to re-install Windows and lose your data.
Does your browser have random double underline links and pop-up ads? Remove them now
What RrFilter Does to Your Browser
If you see bold blue double-underlined hyperlinks under several words on almost every page of your browser, you probably have rrFilter or similar malware installed. Here’s an example of what it looks like on your browser page:
rrFilter will also redirect you to srv123.com – in Chrome, for instance, I noticed tabs that would just spontaneously pop up with long URLs starting with srv123.com. rrFilter is particularly aggressive and hard to remove. I scanned my system with 4 different spyware/malware tools and none of them found it. I finally decided to manually search out and destroy it.
How to Disable and Remove RrFilter
Here’s how to disable and remove rrFilter from your system (at least as of 4-12-14). These programs constantly change their way of installation to hide themselves, so if you look on your system for rrFilter you may find they have installed under a different name or somewhere else on your system than what’s shown in this tutorial. If the Short Version doesn’t work for you, try the longer, more detailed version below to understand how to figure out what to delete and remove.
Short Version
To Disable and Remove From Your System:
- Windows Key-R > type “services.msc”, click OK.
- Under “Processes” kill “bukgmhvrux”. Under “Services” stop “bukgmhvrux64” and “RrFilterService64”
- Windows Key-R > type “%program files%
- Delete folder “02” (has the bukgmhvrux64 executable files in it)
- Windows Key-R > type “%program files%
- Delete folder “rrfilter”
- Windows Key-R > type “Regedit”
- In RegEdit, delete these registry keys (drill down until you find them, then delete or follow this video on how to find a key):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RrFilterService64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bukgmhvrux64
- In regedit, search for CA901A03-85D9-4901-9555-59F2AED61F4B (this is the GUID for one of them, I think the rrfilterservice) and delete all registry keys that contain that GUID.
- In regedit search for RrFilterService64 and bukgmhvrux64 and delete any relevant registry keys.
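As an added example (not part of the original post): a read-only PowerShell audit that looks for the process, services and GUID named above, prints each service's ImagePath, and exports the service keys to .reg files before you delete anything. The backup folder and the restriction of the GUID search to key names under HKLM:\SOFTWARE and HKCU:\Software are assumptions.

```powershell
# Added example: read-only audit for the rrFilter indicators named in this post.
# Run from an elevated PowerShell prompt. Nothing is stopped or deleted.
$serviceNames = 'RrFilterService64', 'bukgmhvrux64'       # service names from the post
$processName  = 'bukgmhvrux'                               # process name from the post
$guid         = 'CA901A03-85D9-4901-9555-59F2AED61F4B'     # GUID from the post
$servicesKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services'
$backupDir    = Join-Path $env:TEMP 'rrfilter-reg-backup'  # assumed backup location
$searchRoots  = 'HKLM:\SOFTWARE', 'HKCU:\Software'         # assumed search scope

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Is the process from the post running, and from which path?
$procs = Get-Process -Name $processName -ErrorAction SilentlyContinue
if ($procs) {
    $procs | ForEach-Object { Write-Output "Process '$($_.Name)': PID=$($_.Id) Path=$($_.Path)" }
} else {
    Write-Output "Process '$processName' is not running."
}

# 2. For each service key: show state and ImagePath, then back the key up.
foreach ($name in $serviceNames) {
    $keyPath = "$servicesKey\$name"
    if (-not (Test-Path "Registry::$keyPath")) {
        Write-Output "Service key '$name' not found."
        continue
    }
    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'unknown to service manager' }
    $image  = (Get-ItemProperty -Path "Registry::$keyPath").ImagePath
    Write-Output "Service '$name': status=$status ImagePath=$image"

    # Export before any manual deletion so the key can be restored.
    $backupFile = Join-Path $backupDir "$name.reg"
    reg.exe export $keyPath $backupFile /y | Out-Null
    Write-Output "  backed up to $backupFile"
}

# 3. List registry keys whose name contains the GUID (key names only).
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$guid*" } |
        ForEach-Object { Write-Output "GUID key: $($_.Name)" }
}
```

The ImagePath values it prints show where the executables actually live on your system, which may differ from the folders listed above if the malware has installed under another name.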
Longer Version – Explains how to manually find and remove rrFilter and similar malware.
- Start Task Manager. You do this by right-clicking on your task bar and clicking Task Manager:
- Look for anything that looks wrong. I found one almost right off the bat called “bukgmhvrux” running as a process:
I immediately right-clicked and clicked “End Task” and it died! I reloaded my browser and the browser links went away! Sorry – no screenshots of that, as I forgot! But not done yet…
- Using Regedit, search the registry for “bukgmhvrux”.
I can’t remember exactly, but I believe this led me to the GUID CA901A03-85D9-4901-9555-59F2AED61F4B, which eventually gave me the path to rrfilter and bukgmhvrux. I then went back and stopped the rrfilter service and deleted the folder.
- Here are the key values associated with bukgmhvrux64, which show the path to delete (program files 002):
- I then checked Task Manager again, this time looking in Services and found the following and stopped these:
If you still have issues, then it probably isn’t rrFilter that is causing the problem. It could be a malware browser extension or some program that is located elsewhere. Check all your Google Chrome extensions, IE extensions and Firefox extensions, and uninstall anything that is not needed or looks strange, especially any that were installed around the time you started experiencing the popups. Also go into Control Panel->Programs and Features and start uninstalling any programs you did not intentionally install that were installed around the time you started experiencing problems. Run a few malware-finding programs. I won’t go into detail here, but here’s a link that does:
http://malwaretips.com/blogs/remove-adware-popup-ads/