Adware.OneStep

Updated: November 26, 2008 3:51:40 PM
Type: Adware
Name: OneStep
Version: 1.0
Publisher: onestepsearch.net
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the program is executed, it creates the following folders:
  • %SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\foo
  • %ProgramFiles%\OneStep\OneStep_deleted0


It also creates the following files:
  • C:\Documents and Settings\All Users\Documents\HBEPGUID.TXT
  • %SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\foo\XPC.mfl
  • %SystemDrive%\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome\onestep.jar
  • %SystemDrive%\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome.manifest
  • %SystemDrive%\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\defaults\preferences\prefs.js
  • %SystemDrive%\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\install.rdf
  • %SystemDrive%\INSTALLED\Mozilla Firefox\searchplugins\onestep.xml
  • %ProgramFiles%\OneStep\home.js
  • %ProgramFiles%\OneStep\onestep.dll
  • %ProgramFiles%\OneStep\onestep.exe
  • %ProgramFiles%\OneStep\OneStep_deleted_\onestep.dll
  • %ProgramFiles%\OneStep\OneStep_deleted_\onestep.exe
  • %ProgramFiles%\OneStep\osopt.exe
  • %ProgramFiles%\OneStep\readme.html
  • %ProgramFiles%\OneStep\uninstall.exe
  • %Windir%\Temp\ONE[RANDOM NUMBERS].tmp\upgrade.exe
  • %Windir%\Temp\[RANDOM CHARACTERS].tmp\Au_.exe


Next, the program creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneStep
  • HKEY_LOCAL_MACHINE\SOFTWARE\OneStep
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneStep Service


It may then modify registry entries under the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes


The program installs itself as a browser search plug-in.

It then re-directs the browser to the following Web site:
[http://]www.OneStepSearch.net

It embeds hidden advertisements in the search results from the above Web site, using iframe tags of size zero.
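
One way to check a saved results page for the zero-size iframes described above. This is an added example, not part of the original writeup; the sample HTML and the *.example hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A width/height attribute whose value is zero ("0", "0px", "0%").
ZERO_ATTR = re.compile(r"^\s*0+(?:\.0+)?\s*(?:px|%)?\s*$")
# A CSS width/height declaration whose value is zero; min-/max- variants do not match.
ZERO_CSS = re.compile(
    r"(?:^|;)\s*(width|height)\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?=;|$)", re.I)


class ZeroSizeIframeFinder(HTMLParser):
    """Collects <iframe> tags declared with zero width or zero height."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, src, list of reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = [f"{dim} attribute is 0" for dim in ("width", "height")
                   if dim in a and ZERO_ATTR.match(a[dim])]
        reasons += [f"style {m.group(1).lower()} is 0"
                    for m in ZERO_CSS.finditer(a.get("style", ""))]
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))


def find_zero_size_iframes(html):
    """Return one finding per iframe that is sized to be invisible."""
    finder = ZeroSizeIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: two hidden frames and one ordinary, visible frame.
SAMPLE = """<html><body>
<div class="result"><a href="http://results.example/1">Result one</a></div>
<iframe src="http://ads.example/a" width="0" height="0"></iframe>
<iframe src="http://video.example/player" width="640" height="360"></iframe>
<iframe src="http://ads.example/b" style="width: 0px; height:0; border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in find_zero_size_iframes(SAMPLE):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

The check reads static markup only, so frames sized by an external stylesheet or inserted by script after load need inspection of the rendered DOM instead.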