BrowserModifier:Win32/OneStepSearch.B is a tool that may be installed with other software. It runs as a service in the background and automatically adds itself as a Search provider in Internet Explorer.
Installation
BrowserModifier:Win32/OneStepSearch.B is a tool that may be installed with other software, such as mytorrent or the Yahoo! toolbar.
Upon installation, it created the following folder and files:
- C:\Program Files\SearchInOneStep
- C:\Program Files\SearchInOneStep\home.js
- C:\Program Files\SearchInOneStep\readme.html
- C:\Program Files\SearchInOneStep\searchin1.dll
- C:\Program Files\SearchInOneStep\searchin1.exe
- C:\Program Files\SearchInOneStep\si1opt.exe
- C:\Program Files\SearchInOneStep\uninstall.exe
A user may note the following interface when this program is installed:
It then creates the following registry entries as part of its installation routine:
Adds value: "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
With data: "32, BD, 99, EF, FB, C1, D2, 11, 89, 2F, 00, 90, 27, 1D, 4F, 88"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Adds value: "Cid"
With data: "dd76b5fb444c4d13b7fdf09d34accdb3"
Adds value: "DllPath"
With data: "C:\Program Files\SearchInOneStep\searchin1.dll"
Adds value: "Initial"
With data: "01, 00, 00, 00"
Adds value: "Partner"
With data: "SI1PRT1"
Adds value: "Primary"
With data: "04, BE, 00, 00"
Adds value: "ShowBarSign"
With data: "00, 00, 00, 00"
Adds value: "ShowToolbarButton"
With data: "00, 00, 00, 00"
Adds value: "Src"
With data: "searchin1"
Adds value: "Version"
With data: "2A, 00, 01, 00"
To subkey: HKLM\SOFTWARE\SearchInOneStep
Adds value: "DisplayName"
With data: "SearchInOneStep 1.0 build 142"
Adds value: "UninstallString"
With data: "C:\Program Files\SearchInOneStep\uninstall.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchInOneStep
It installs itself as a service by creating the following registry keys and its associated entries:
Adds value: "NextInstance"
With data: "01, 00, 00, 00"
To subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEARCHINONESTEP_SERVICE
Adds value: "Class"
With data: "LegacyDriver"
Adds value: "ClassGUID"
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Adds value: "ConfigFlags"
With data: "00, 00, 00, 00"
Adds value: "DeviceDesc"
With data: "SearchInOneStep Service"
Adds value: "Legacy"
With data: "01, 00, 00, 00"
Adds value: "Service"
With data: "SearchInOneStep Service"
To subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEARCHINONESTEP_SERVICE\0000
Adds value: "*NewlyCreated*"
With data: "00, 00, 00, 00"
Adds value: "ActiveService"
With data: "SearchInOneStep Service"
To subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEARCHINONESTEP_SERVICE\0000\Control
Adds value: "Description"
With data: "Update and control for SearchInOneStep"
Adds value: "DisplayName"
With data: "SearchInOneStep Service"
Adds value: "ErrorControl"
With data: "00, 00, 00, 00"
Adds value: "ImagePath"
With data: "C:\Program Files\SearchInOneStep\searchin1.exe" "C:\Program Files\SearchInOneStep\searchin1.dll" Service
Adds value: "ObjectName"
With data: "LocalSystem"
Adds value: "Start"
With data: "02, 00, 00, 00"
Adds value: "Type"
With data: "10, 00, 00, 00"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SearchInOneStep Service
Adds value: "0"
With data: "Root\LEGACY_SEARCHINONESTEP_SERVICE\0000"
Adds value: "Count"
With data: "01, 00, 00, 00"
Adds value: "NextInstance"
With data: "01, 00, 00, 00"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SearchInOneStep Service\Enum
Additional Information
Adds Itself as a Search Provider
BrowserModifier:Win32/OneStepSearch.B automatically adds itself as a Search provider by creating the following registry entries:
Adds value: "DisplayName"
With data: "SearchInOneStep"
Adds value: "URL"
With data: http://www.searchinonestep.com/?prt=SI1PRT1&keywords={searchTerms}
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FD511088-776F-4893-B28D-8FB100254730}
When run, a user may note the following interface:
Analysis by Jaime Wong
