SPACEKITO, a new type of “adware protection”…

You know what adware is – the annoying program that keeps on displaying ads on your PC. Most people encounter them sooner or later. And if you try to remove them, you often just get a headache… One often never really rids oneself completely of them; they linger in the form of registry keys or files. And those pesky error messages! And if you restart your computer… Horrible!

Meet SpaceKito

Well, if you thought things were bad enough, they just got worse. Meet SpaceKito, the latest development in the adware industry. SpaceKito makes the removal of adware even more nerve-racking!

SpaceKito is a kind of protection system for application browser plugins; when you install one bad-apple browser plugin, you get SpaceKito as well. It’s the latest trick used by unscrupulous adware vendors: in the last three months, over 1.9 million computers have been infected. That’s huge! But how does it make things worse? Let me explain.

How SpaceKito works

SpaceKito runs completely silently in the background. While you install the browser plugin you downloaded, you won’t realize that SpaceKito is being installed as well. Once active, SpaceKito starts collecting private data from your PC and transfers it to the malware developer’s server. We know that most of this data will help adware developers display customized ads on your computer.

How do you uninstall SpaceKito?

Let’s take a look at what happens when you try to uninstall… On the registry side, the installer creates a service entry in the system. As a result, the services start automatically whenever you turn on your computer, and every time you try to remove the adware, you are confronted with the problem of having to stop all running processes on your system.

Step 1: Configuration Parameters

If you are ready for the fight, here’s the first step: search in the registry editor for “Protect your browser’s extensions” and you will find the key. Delete all folders labelled “srvPlgProtect”.

The other keys related to the adware are as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\PluginProtect

This key stores all general information, including installation date, version… So, you can safely remove this key, which will bring you to the next stage of the fight.

Step 2: Delete files and configuration history

If you’ve reached this far, you will have successfully removed all configuration parameters related to SpaceKito from your computer. But the fight is not over. You still have files and folders to delete: the installer always creates one folder in your Application folder. For example in: c:\Users\user\AppData.

But take care what you delete. The easiest way is if you remember the software you originally installed and look for its name. Here are several examples:

%APPDATA%\okitspace

%APPDATA%\okitspaceProtect

%APPDATA%\BaseFlash

%APPDATA%\BaseFlash Protect

%APPDATA%\ReWinUp

%APPDATA%\ReWinUp Protect

Now we have deleted the files and the configuration in the registry. But what about the protection software for browser plugins? Browser plugin installations vary widely and are browser dependent. Here is an example of how you can identify the relevant browser plugin of SpaceKito in Mozilla Firefox:

Step 3: Delete Extension

Find the configuration of Add-ons in the bottom right, marked here in red.

If you click on Extensions, you will see all your installed add-ons. “Et voilà”, if you see an add-on similar to this screenshot, you have it. This is SpaceKito. In our example, it operates under the pseudonym “OKitSpace”.

Still wondering how to delete this extension? My answer to you is unfortunately: “Not with the web browser!” With Mozilla Firefox, you have to look for the extension folder on your computer. In our example, the location of the extension is here:

c:\Users\user\AppData\Mozilla\Firefox\Profiles\XXXXXX.default\extensions\OKitSpace@OKitSpace.es.xpi

OKitSpace@OKitSpace.es.xpi is the extension. You can delete this file, but before you do, make sure that your web browser is closed. This is the last action you have to take to win the fight!

“Bam! Congratulations!!” You have won the fight! The adware is removed from your computer.
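To confirm that nothing from the three steps is left behind, a read-only audit can list any of the artifacts named above that still exist. The PowerShell below is an added example, not Avira's code: the function name `Find-SpaceKitoLeftover` is hypothetical, and matching the service text against `DisplayName`/`Description`, checking the `WOW6432Node` view, and using the default Firefox profile location under `%APPDATA%` are assumptions.

```powershell
# Read-only audit for the SpaceKito leftovers named in the article.
# Nothing is deleted; the function only reports what still exists.
function Find-SpaceKitoLeftover {
    # Step 1: service entries. The key label comes from the article; where the
    # text "Protect your browser's extensions" is stored is an assumption.
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $services -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        $text = "$($p.DisplayName) $($p.Description)"
        if ($_.PSChildName -like '*srvPlgProtect*' -or
            $text -like '*Protect your browser*extensions*') {
            [pscustomobject]@{ Kind = 'Service key'; Path = $_.Name }
        }
    }

    # Step 1: general configuration key. The WOW6432Node path is an assumption
    # covering a 32-bit installer on 64-bit Windows.
    $cfgKeys = 'HKLM:\SOFTWARE\PluginProtect',
               'HKLM:\SOFTWARE\WOW6432Node\PluginProtect'
    foreach ($k in $cfgKeys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Kind = 'Registry key'; Path = $k }
        }
    }

    # Step 2: folders under %APPDATA% (the article's example names only).
    $names = 'okitspace', 'okitspaceProtect', 'BaseFlash',
             'BaseFlash Protect', 'ReWinUp', 'ReWinUp Protect'
    foreach ($n in $names) {
        $dir = Join-Path $env:APPDATA $n
        if (Test-Path -LiteralPath $dir -PathType Container) {
            [pscustomobject]@{ Kind = 'Folder'; Path = $dir }
        }
    }

    # Step 3: the Firefox extension file, checked in every profile.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path $profiles -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xpi = Join-Path $_.FullName 'extensions\OKitSpace@OKitSpace.es.xpi'
            if (Test-Path -LiteralPath $xpi) {
                [pscustomobject]@{ Kind = 'Firefox extension'; Path = $xpi }
            }
        }
}

Find-SpaceKitoLeftover | Format-Table -AutoSize
```

An empty result means none of the listed names remain; because the adware uses different pseudonyms, other installs may use folder and extension names not covered by this list.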

Avira does all this for you

At Avira, all these steps are what we do in the virus lab every day. We are fighting for you, for the best detection and protection. We ensure that you do not have to go through all of this hassle – our software automatically removes infections such as these. SpaceKito is detected by Avira Free Antivirus, and with AIRS, the new Avira Intelligent Repair System, we take care of all the aforementioned steps.

Sven Carlsen and Alexander Vukcevic
