I have a similar problem, that started at 8am today (10/20). Check your task manager to see if a file process named hffmdadtbqh.exe is running (I see from 2 to 20 instances of it). I am doing a boot time scan to see if that will stop it (got a while to go). This virus creates many subfolders of user/app data (one is named xwciaxwtnuz) that go something like this:
local>google>chrome>user data> First Run. At this point that’s all I know.
The boot-time scan found and deleted a couple of things but did not kill this virus. What I did was boot in safe mode and completely delete the folder username/AppData/LocalLow. That seems to have stopped it. However, I don’t know what any side effects may be. I hope someone can take this info and get to the source of the problem.
I am using a MacBook Pro and am also having the same issue.
Avast reports blocking the http://mom-ex.tekblue.net/crossdomail.xml
Also the http://mom-ex.tekblue.net/favicon.ico
The first time this happened was yesterday 10-20-2014. It was detected 6 times.
I have since run a full scan from Avast and am clean. I also ran CCleaner.
I would appreciate advice on how to clean this, if indeed there is a worm or virus in my Mac.
Regards
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
As I had mentioned in my earlier post, deleting the LocalLow folder while in safe mode and deleting some entries from the registry stopped the problem. Until today (12/24/14). While doing some web surfing the problem came back. Multiple instances of hffmdadtbqh.exe were running and using 100% of CPU time. This time my earlier procedure did not stop it. However, the solution posted by essexboy on Oct 21 seems to have stopped it. In checking this hffm… file it claims to be from Google. I have saved the logs created if anyone would want me to post them.
This is probably Trojan/Downloader.Rameh.c, detected aka AdWare.Win32.PowerSearch!O.
Running on: Apache/2.2.15
Redirects to: /?MR=1
Outdated Web Server Apache Found: Apache/2.2.15
Bad Host Appearance SPAM.