Adware/OneStep

description-logoAnalysis

Adware/OneStep is classified as Adware.  Adware are software components that display unsolicited advertisements. For additional information about Adware and how Fortinet classifies Spyware threats, please see Fortinet's paper in PDF format: Spyware Classification and Terms.

Adware/OneStep displays pop-up advertisements on the infected computer. It installs itself as a Mozilla Firefox search plug-in. Once installed, it embeds search results from OneStepSearch.net with hidden advertisements.

  • It creates the following files and folders:
    • undefinedWINDIRundefined\Temp\ONE{random_number}.tmp\upgrade.exe
    • undefinedWINDIRundefined\Temp\{random_name}.tmp\Au_.exe
    • undefinedPROGRAMFILESundefined\OneStep\home.js
    • undefinedPROGRAMFILESundefined\OneStep\onestep.dll
    • undefinedPROGRAMFILESundefined\OneStep\onestep.exe
    • undefinedPROGRAMFILESundefined\OneStep\OneStep_deleted_\onestep.dll
    • undefinedPROGRAMFILESundefined\OneStep\OneStep_deleted_\onestep.exe
    • undefinedPROGRAMFILESundefined\OneStep\osopt.exe
    • undefinedPROGRAMFILESundefined\OneStep\readme.html
    • undefinedPROGRAMFILESundefined\OneStep\uninstall.exe
    • C:\Documents and Settings\All Users\Documents\HBEPGUID.TXT
    • C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\foo\XPC.mfl
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome\onestep.jar
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome.manifest
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\defaults\preferences\prefs.js
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\install.rdf
    • C:\INSTALLED\Mozilla Firefox\searchplugins\onestep.xml
  • It adds the following registry keys:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneStep
    • key: HKLM\SOFTWARE\OneStep
    • key: HKLM\SYSTEM\CurrentControlSet\Services\OneStep Service
  • It tries to access the following URL:
    • www.OneStepSearch.net

    recommended-action-logoRecommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry logoTelemetry

    Detection Availability

    FortiGate
    Extended
    FortiClient
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2024-03-28 92.02861
    2024-03-27 92.02832
    2024-03-24 92.02745
    2024-03-21 92.02661
    2024-03-18 92.02564
    2024-03-06 92.02185
    2024-02-29 92.02027
    2024-02-29 92.02022
    2024-01-30 92.01113
    2024-01-29 92.01093