avast web shield has blocked a harmful webpage - tekblue

Help! Every time I open a web browser, Avast blocks a threat and the following message appears:

Object: http://mom-ex.tekblue.net/crossdomain.xml
Infection: URL:Mal
Process: C:\Program Files(x86).…\iexplore.exe

I’ve run the tools and followed the steps described in “logs to assist in cleaning malware”. All the logs are attached.

It seems to occur when I access this website:
http://www.wunderground.com/cgi-bin/findweather/getForecast?query=Brighton%2C+MI&MR=1

Thanks for any help you can provide.
Glenn

I have a similar problem, that started at 8am today (10/20). Check your task manager to see if a file process named hffmdadtbqh.exe is running (I see from 2 to 20 instances of it). I am doing a boot time scan to see if that will stop it (got a while to go). This virus creates many subfolders of user/app data (one is named xwciaxwtnuz) that go something like this:
local>google>chrome>user data> First Run. At this point that’s all I know.

The boot-time scan found and deleted a couple of things but did not kill this virus. What I did was boot in safe mode and completely delete the folder username/AppData/LocalLow. That seems to have stopped it. However, I don’t know what any side effects may be. I hope someone can take this info and get to the source of the problem.

I am using a MacBook Pro and am also having the same issue.
Avast reports blocking the http://mom-ex.tekblue.net/crossdomail.xml
Also the http://mom-ex.tekblue.net/favicon.ico
The first time this happened was yesterday 10-20-2014. It was detected 6 times.
I have since run a full scan from Avast and am clean. I also ran CCleaner.
I would appreciate advice on how to clean this, if indeed there is a worm or virus in my Mac.
Regards

Let me know if this stops the alerts

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [atr.exe] => [X]
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT2481032&SearchSource=48", "hxxp://search.conduit.com/?ctid=CT3287819&SearchSource=48&CUI=UN25093713252447226&UM=2", "https://mail.google.com/mail/u/0/?shva=1#sent", "https://www.google.com/calendar/render?tab=mc", "hxxp://classic.wunderground.com/cgi-bin/findweather/getForecast?query=48114", "hxxp://www.wunderground.com/auto/wxmap/MI/Brighton.html", "hxxp://www.google.com"
2014-10-16 21:33 - 2014-10-16 21:33 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-09 14:28 - 2014-10-09 14:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
2014-10-09 14:28 - 2014-10-09 14:28 - 00000000 ____D () C:\Program Files (x86)\Coupons
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

I too received multiple block alerts for the above mentioned… the only thing I have open is GrooveShark so I’m guessing it’s from an advertisement

As I had mentioned in my earlier post, deleting the LocalLow folder while in safe mode and deleting some entries from the registry stopped the problem. Until today (12/24/14). While doing some web surfing the problem came back. Multiple instances of hffmdadtbqh.exe were running and using 100% of CPU time. This time my earlier procedure did not stop it. However, the solution posted by essexboy on Oct 21 seems to have stopped it. In checking this hffm… file it claims to be from Google. I have saved the logs created if anyone would want me to post them.

Those who need help need to start their own topic… helping multiple users in the same topic will create chaos.

Instructions are found here: https://forum.avast.com/index.php?topic=53253.0. How to start a topic is found at the bottom.

This is probably Trojan/Downloader.Rameh.c detected aka AdWare.Win32.PowerSearch!O.
Running on: Apache/2.2.15
Redirects to: /?MR=1
Outdated Web Server Apache Found: Apache/2.2.15
Bad Host Appearance SPAM.

polonus