ID	366972
Released	Jul 19, 2007
Description Updated	Jul 06, 2009

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Threat Profile

Aliases:

Kaspersky: AdWare.Win32.OneStep.{a
b
c}
McAfee: Adware-OneStep

Platform: Adware

Adware typically display advertising content to the user. This advertising content may take many forms, but is typically in the form of web browser pop-up advertisements. In most circumstances, the user is not aware of the Adware component being installed on the local machine.

Update History

Date	Version	Detail
2023-05-25	91.03576
2023-05-15	91.03300
2023-05-05	91.02987
2023-05-03	91.02937
2023-05-02	91.02896
2023-04-25	91.02686
2023-04-19	91.02517
2023-04-18	91.02476
2023-04-13	91.02326
2023-03-28	91.01840

Refine Search

Threat Encyclopedia

Adware/OneStep

Analysis

Adware/OneStep is classified as Adware. Adware are software components that display unsolicited advertisements. For additional information about Adware and how Fortinet classifies Spyware threats, please see Fortinet's paper in PDF format: Spyware Classification and Terms.

Adware/OneStep displays pop-up advertisements on the infected computer. It installs itself as a Mozilla Firefox search plug-in. Once installed, it embeds search results from OneStepSearch.net with hidden advertisements.

It creates the following files and folders:

undefinedWINDIRundefined\Temp\ONE{random_number}.tmp\upgrade.exe
undefinedWINDIRundefined\Temp\{random_name}.tmp\Au_.exe
undefinedPROGRAMFILESundefined\OneStep\home.js
undefinedPROGRAMFILESundefined\OneStep\onestep.dll
undefinedPROGRAMFILESundefined\OneStep\onestep.exe
undefinedPROGRAMFILESundefined\OneStep\OneStep_deleted_\onestep.dll
undefinedPROGRAMFILESundefined\OneStep\OneStep_deleted_\onestep.exe
undefinedPROGRAMFILESundefined\OneStep\osopt.exe
undefinedPROGRAMFILESundefined\OneStep\readme.html
undefinedPROGRAMFILESundefined\OneStep\uninstall.exe
C:\Documents and Settings\All Users\Documents\HBEPGUID.TXT
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\foo\XPC.mfl
C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome\onestep.jar
C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome.manifest
C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\defaults\preferences\prefs.js
C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\install.rdf
C:\INSTALLED\Mozilla Firefox\searchplugins\onestep.xml

It adds the following registry keys:

key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneStep
key: HKLM\SOFTWARE\OneStep
key: HKLM\SYSTEM\CurrentControlSet\Services\OneStep Service

It tries to access the following URL:

www.OneStepSearch.net

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Network

Files and Endpoint

Application