How to get rid of viruses, which redirect you to gocloudly/goac on OS X and maxonclick/ on iOS?












1















I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.



Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)



here is a screenshot from chrome history



Shows a confirm popup which says that my software is not up to date and asks to download it.




  1. I've already checked my chrome://extensions/ - there is nothing unusual.

  2. Also I checked my hosts file and also there is nothing wrong.

  3. Cleared history and browsing data.


Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari



Random redirections.




  1. Cleared history and browsing data.

  2. Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).




UPDATE:




  1. Disconnected from home network within iPhone

  2. Cleared Safari cache.

  3. Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.










share|improve this question

























  • If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.

    – Arjan
    Aug 27 '16 at 14:49











  • @Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.

    – mekated
    Aug 27 '16 at 15:24













  • Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.

    – Tonin
    Sep 20 '16 at 10:45
















1















I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.



Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)



here is a screenshot from chrome history



Shows a confirm popup which says that my software is not up to date and asks to download it.




  1. I've already checked my chrome://extensions/ - there is nothing unusual.

  2. Also I checked my hosts file and also there is nothing wrong.

  3. Cleared history and browsing data.


Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari



Random redirections.




  1. Cleared history and browsing data.

  2. Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).




UPDATE:




  1. Disconnected from home network within iPhone

  2. Cleared Safari cache.

  3. Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.










share|improve this question

























  • If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.

    – Arjan
    Aug 27 '16 at 14:49











  • @Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.

    – mekated
    Aug 27 '16 at 15:24













  • Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.

    – Tonin
    Sep 20 '16 at 10:45














1












1








1








I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.



Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)



here is a screenshot from chrome history



Shows a confirm popup which says that my software is not up to date and asks to download it.




  1. I've already checked my chrome://extensions/ - there is nothing unusual.

  2. Also I checked my hosts file and also there is nothing wrong.

  3. Cleared history and browsing data.


Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari



Random redirections.




  1. Cleared history and browsing data.

  2. Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).




UPDATE:




  1. Disconnected from home network within iPhone

  2. Cleared Safari cache.

  3. Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.










share|improve this question
















I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.



Redirection to gocloudly/goac:
OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)



here is a screenshot from chrome history



Shows a confirm popup which says that my software is not up to date and asks to download it.




  1. I've already checked my chrome://extensions/ - there is nothing unusual.

  2. Also I checked my hosts file and also there is nothing wrong.

  3. Cleared history and browsing data.


Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari



Random redirections.




  1. Cleared history and browsing data.

  2. Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).




UPDATE:




  1. Disconnected from home network within iPhone

  2. Cleared Safari cache.

  3. Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.







google-chrome browser virus redirection safari






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 20 '16 at 13:40









Tonin

578520




578520










asked Aug 27 '16 at 14:11









mekatedmekated

614




614













  • If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.

    – Arjan
    Aug 27 '16 at 14:49











  • @Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.

    – mekated
    Aug 27 '16 at 15:24













  • Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.

    – Tonin
    Sep 20 '16 at 10:45



















  • If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.

    – Arjan
    Aug 27 '16 at 14:49











  • @Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.

    – mekated
    Aug 27 '16 at 15:24













  • Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.

    – Tonin
    Sep 20 '16 at 10:45

















If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.

– Arjan
Aug 27 '16 at 14:49





If two different browsers on two devices show this behavior, then I'd suspect your network/modem/router.

– Arjan
Aug 27 '16 at 14:49













@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.

– mekated
Aug 27 '16 at 15:24







@Arjan I changed my router about a week ago and as I remember these problems showed up in this period. Will try to test it. Thank you for your advice.

– mekated
Aug 27 '16 at 15:24















Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.

– Tonin
Sep 20 '16 at 10:45





Check your DNS settings on your new router and look if there isn't a firmware upgrade for your router.

– Tonin
Sep 20 '16 at 10:45










1 Answer
1






active

oldest

votes


















0














My quick patch to this problem was to block any DNS request to that domain.



This does not (probably) solve the problem at the root, but for now it seems to work.



Some things I've noticed are:




  • it happens both on my computer and my phone, and on different networks,

  • the malicious scripts are injected only in http requests,

  • they intercept any first click bubbling to the <html> tag,

  • they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).


google tag manager callgoogle tag services callplatform twitter call



The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.



I've partially beautified it below:



var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}





share|improve this answer
























  • how can i block a request for a particular domain ? could you please elaborate this one ?

    – Prateek Jain
    Dec 25 '16 at 8:54











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1118258%2fhow-to-get-rid-of-viruses-which-redirect-you-to-gocloudly-goac-on-os-x-and-maxo%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














My quick patch to this problem was to block any DNS request to that domain.



This does not (probably) solve the problem at the root, but for now it seems to work.



Some things I've noticed are:




  • it happens both on my computer and my phone, and on different networks,

  • the malicious scripts are injected only in http requests,

  • they intercept any first click bubbling to the <html> tag,

  • they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).


google tag manager callgoogle tag services callplatform twitter call



The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.



I've partially beautified it below:



var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}





share|improve this answer
























  • how can i block a request for a particular domain ? could you please elaborate this one ?

    – Prateek Jain
    Dec 25 '16 at 8:54
















0














My quick patch to this problem was to block any DNS request to that domain.



This does not (probably) solve the problem at the root, but for now it seems to work.



Some things I've noticed are:




  • it happens both on my computer and my phone, and on different networks,

  • the malicious scripts are injected only in http requests,

  • they intercept any first click bubbling to the <html> tag,

  • they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).


google tag manager callgoogle tag services callplatform twitter call



The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.



I've partially beautified it below:



var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}





share|improve this answer
























  • how can i block a request for a particular domain ? could you please elaborate this one ?

    – Prateek Jain
    Dec 25 '16 at 8:54














0












0








0







My quick patch to this problem was to block any DNS request to that domain.



This does not (probably) solve the problem at the root, but for now it seems to work.



Some things I've noticed are:




  • it happens both on my computer and my phone, and on different networks,

  • the malicious scripts are injected only in http requests,

  • they intercept any first click bubbling to the <html> tag,

  • they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).


google tag manager callgoogle tag services callplatform twitter call



The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.



I've partially beautified it below:



var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}





share|improve this answer













My quick patch to this problem was to block any DNS request to that domain.



This does not (probably) solve the problem at the root, but for now it seems to work.



Some things I've noticed are:




  • it happens both on my computer and my phone, and on different networks,

  • the malicious scripts are injected only in http requests,

  • they intercept any first click bubbling to the <html> tag,

  • they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).


google tag manager callgoogle tag services callplatform twitter call



The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.



I've partially beautified it below:



var PPid = "p20161003pr";
var PPRet = ;
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? : PPbl.split(" ");
PPwl = PPwl == "" ? : PPwl.split(" ");
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
l = _0x50e8x14 == "w" ? PPwl : PPbl;
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
;delete l;
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
cookieStartIndex += 2
}
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
;PPac = PPnCL()
}
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
try {
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
function bcStart() {
if (!startScript) {
startScript = !0;
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
document.getElementsByClassName = function(className) {
var matchingElements = ;
className = new RegExp("b" + className + "b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}






share|improve this answer












share|improve this answer



share|improve this answer










answered Oct 16 '16 at 17:43









Enoah NetzachEnoah Netzach

101




101













  • how can i block a request for a particular domain ? could you please elaborate this one ?

    – Prateek Jain
    Dec 25 '16 at 8:54



















  • how can i block a request for a particular domain ? could you please elaborate this one ?

    – Prateek Jain
    Dec 25 '16 at 8:54

















how can i block a request for a particular domain ? could you please elaborate this one ?

– Prateek Jain
Dec 25 '16 at 8:54





how can i block a request for a particular domain ? could you please elaborate this one ?

– Prateek Jain
Dec 25 '16 at 8:54


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1118258%2fhow-to-get-rid-of-viruses-which-redirect-you-to-gocloudly-goac-on-os-x-and-maxo%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

8-я гвардейская общевойсковая армия

Алькесар