Pomoc s vírusom/??

Zdravím, potreboval by som pomoc ospravedlňujem neviem kam som to mal dať.. problém: otvorím prehliadač(ktorýkoľvek) a skoro na každej druhej stránke sa mi zobrazí reklama.. vyzerá nejak takto: http://imgupload.sk/viewer.php?file=0ccqevbzo11sjvx9m7ak.png proste v pravom dolnom rohu je reklama(dá sa aj zavrieť) odkiaľ sa tam berie naozaj neviem nemôžem sa dopátrať či to ide cez nejaký program(vírus) alebo ako preskúmal som prvok smeruje to sem - resp. do skoro každej stránky pridá tento kód to vygeneruje rôzne veci ako aj tento iframe fakt si neviem rady čo s tým lebo je to dosť otravné nestalo sa to už niekomu? ďakujem za pomoc

Obrať se sem - forum.viry.cz, tam ti pomohou. Pravděpodobně to bude nějaký trojan. Každopádně pořídit si antivirus a přestat chodit na neznámé warez/porno stránky.

*I just registered to be able to reply to this post.*Problem as described by client:"Cannot go to Google"Problem according to Google Chrome webbrowser:"105 ERR_NAME_NOT_RESOLVED, cannot resolve DNS for google.com" (or anything with Google in it for that matter)Note that every other website seems to work just fine.Wireshark shows outgoing DNS queries to all configured DNS servers but each one of them returns an ICMP 70 Destination unreachable (Port unreachable) message and i don't really know why.I know my network and DNS is good.Example of the malicious code:<div id="_rjkkvyjkph" style="z-index:9998;cursor:pointer;position:fixed !important;position:absolute;right:3px;bottom:3px;width:300px;height:265px;text-align:center;margin:0;overflow:hidden;vertical-align:top"><div style="background-image: url(http://www.google-analytics.com/img/close-btn.png); background-color: transparent; height: 15px; display: block; background-position: 100% 0%; background-repeat: no-repeat no-repeat; "><div style="padding-top:15px;"><iframe frameborder="0" marginwidth="0" marginheight="0" scrolling="no" width="300" height="250" src="http://tag.tlvmedia.com/?id=102031_125330&ad_type=banner&ad_size=300x250"></iframe></div></div></div>Iframe HTML:<html><head><script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=718&size=300x250&inv_code=3021651&referrer=http%3A%2F%2Ftag.tlvmedia.com%2F%3Fid%3D102031_125330%26ad_type%3Dbanner%26ad_size%3D300x250&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D718%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D3021651"></scr'+'ipt>');</script><script type="text/javascript" src="http://ib.adnxs.com/ptj?member=718&size=300x250&inv_code=3021651&referrer=http%3A%2F%2Ftag.tlvmedia.com%2F%3Fid%3D102031_125330%26ad_type%3Dbanner%26ad_size%3D300x250&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D718%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D3021651"></script><script type="text/javascript" src="http://ad.yieldmanager.com/st?anmember=718&anprice=9&ad_type=ad&ad_size=300x250&section=3021651"></script><script type="text/javascript" src="http://ad.yieldmanager.com/imp?Z=300x250&anmember=718&anprice=9&s=3021651&_salt=2516151058&B=10&r=0"></script></head><body marginwidth="0" marginheight="0"><a target="_blank" href="http://ads.tlvmedia.com/clk?3,eJylzdFugjAUBuCn4Y6Y9hQohOyiAiqG6kQYmTcLINIudhJpls2nH4LZHmB.Tpo.X5seTHyw6wrTinoU05NLkY-Ja1EgDimpiXzfB89zwPZcjMzVKrgGL7xKWubtkoiNibP1ZjdV1o4w9Wf3fgbhK4i0najbzx-X.06Wi.xR43FvG7osLvh7emvnv6-WuX0II2ubxVZScMQV1zxbnPkeC64ilBRreSgi2C5TwWEj-d..T6YptO4MwgxYDFMe-5k-f6rmKMtZfVED9dogg7.p764xSChP11I1BjgD9fJ2J4LQF9hosL6ptbx8jAbYsfEP9yFpxw==,"><img border="0" alt="" height="250" width="300" src="http://content.yieldmanager.edgesuite.net/atoms/66/65/f2/00/6665f200e9c34bcb5464512e90e2d7e0.gif"></a><img src="http://router.tlvmedia.com/Logger/impressionLogger.php?vURLID=162230300&advertiserID=131098&advertiserLIID=4726949&sectionID=3021651&publisherID=711957&creativeID=11616317&URL=http%3A%2F%2Fads%2Etlvmedia%2Ecom%2Fst%3Fad%5Ftype%3Diframe%26ad%5Fsize%3D300x250%26section%3D3021651" height="1" width="1" alt=""><img src="http://cm.g.doubleclick.net/pixel?nid=appnexus1" width="1" height="1"><p><noscript><a href="http://ad.yieldmanager.com/imageclick?Z=300x250&s=3021651&t=2" target="parent"><img border="0" src="http://ad.yieldmanager.com/imp?Z=300x250&s=3021651&t=2"></img></a></noscript></p></body></html>From my findings these ads are indeed loaded in an iframe which is somehow injected after a webpage is loaded.It seems to only be shown on websites with Google Analytics.The path to the Javascript file of Google Analytics is http://google-analytics.com/ga.js BUT on an (if i can call it this way) infected system the contents of this file differ from the "real" GA JS file.I myself am at the moment trying to find out what causes this to happen.The HTTP request for ga.js is sent to a server located at 77.125.87.149 which does NOT resolve to the GA domain but (apparantly) somewhere in Israel.** update: This "media network" or call it an "advertising network" named TLVMedia is located at Haarbaa 21, 64739 Jaffa-Tel Aviv, Tel Aviv, Israel** Why would they fake GA? To force ads on people?IP address: 77.125.87.149No host name is associated with this IP address or no reverse lookup is configured.Error:Host not found77.125.87.149 is from Israel(IL) in region Middle East$ nslookup google-analytics.comServer: 208.67.222.222Address: 208.67.222.222#53Non-authoritative answer:Name: google-analytics.comAddress: 74.125.79.103Name: google-analytics.comAddress: 74.125.79.104Name: google-analytics.comAddress: 74.125.79.147Name: google-analytics.comAddress: 74.125.79.99Name: google-analytics.comAddress: 74.125.79.105Name: google-analytics.comAddress: 74.125.79.106Update: Reverted to an old system restore point, Avast suddenly blocked all Google sites.Update: In one of the posts on http://forum.avast.com/index.php?topic=96836.0 a program called tdsskiller is offered. Download it here from the Kaspersky website: http://support.kaspersky.com/downloads/utils/tdsskiller.exeI ran Kaspersky anti-rootkit software, it found four threats of which one was high risk, let's see if it solved it.Kaspersky TDSSKiller detected Rloader.a in Wdf01000.sysIt did!The ads are gone and the pc seems to work much faster again.Though this post is getting older by the day, i'll post updates for as long as i have patience in examining this.

Good job, BjornR1989 ;-)

yeah... very professional job, Bjorn... btw how did you reading content in our language?? -:)

Thanks but in the end the solution was out there on a forum and Google found it for me.I don't think i would have found the cause of the problem by myself.Thanks go out to the people at Kaspersky.@rpet:I did not understand what was written here and only reached this page by searching for the exact code as posted.Machine translation isn't what it should be but thanks to it, the first message made much more sense to me.Try it: http://translate.google.com

cheers man ;) but i don't need it... for me is better learn language 'on the street'... :D

I can know what the software from Kaspersky?

Hello guys, following Bjorn's good job looking at this, it seems that one of our media partners is abusing our ad system, resulting in pop-up ads or injected ads to appear on your PC . You may have recently installed or downloaded an abusive software that causes this nuisance, and we'd like to help you get rid of it. In order to block these ads from appearing, please send us any information that can help identify the source, such as the URL you see on the ads or the name of any software you've recently installed. You can send info to contact@tlvmedia.comWe apologize for your inconvenience and will do our best to resolve this quickly. In the meantime, programs such as Bjorn recommended can help remove the unwanted ads. Thanks, TLV Media