Adware:Win32/OKitSpace
First posted on 12 March 2014.
Source: Microsoft
Aliases:
There are no other names known for Adware:Win32/OKitSpace.
Explanation:
Threat behavior
Installation
Adware:Win32/OKitSpace is usually installed in the following folders:
- %APPDATA%\okitspace
- %APPDATA%\ProtectExtension
In Internet Explorer, it's installed as a Browser Helper Object (BHO) with the name OKitSpace Object or BaseFlash Object.
It might create these registry entries when it's installed:
HKCR\OKitSpace
HKCR\OKitSpace.1
HKCR\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLM\SOFTWARE\OKitSpace
HKLM\SOFTWARE\Classes\OKitSpace
HKLM\SOFTWARE\Classes\OKitSpace.1
HKLM\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
or
HKCR\BaseFlash
HKCR\BaseFlash.1
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLM\SOFTWARE\BaseFlash
HKLM\SOFTWARE\Classes\BaseFlash
HKLM\SOFTWARE\Classes\BaseFlash.1
HKLM\SOFTWARE\Classes\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
In Firefox, it's installed as a plugin with the name OKitSpace or BaseFlash.
In Chrome, it's also installed as a plugin with the name OKitSpace or BaseFlash.
Behavior
This adware might do the following when you browse the Internet using Internet Explorer, Firefox, or Chrome:
- Contact its servers (okitspace.com, baseflash.com) to retrieve the pop-up ads it will display on your PC
- Show ads that have nothing to do with the websites you're visiting
- Show links that have nothing to do with the websites that you're visiting
The websites hosted on its servers don't have much information about the program, and have identical text and layouts.
Analysis by Ric Robielos
Symptoms
The following could indicate that you have this program on your PC:
- You have one of these folders:
  - %APPDATA%\okitspace
  - %APPDATA%\ProtectExtension
- You see these keys in your registry:
HKCR\OKitSpace
HKCR\OKitSpace.1
HKCR\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLM\SOFTWARE\OKitSpace
HKLM\SOFTWARE\Classes\OKitSpace
HKLM\SOFTWARE\Classes\OKitSpace.1
HKLM\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
or
HKCR\BaseFlash
HKCR\BaseFlash.1
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLM\SOFTWARE\BaseFlash
HKLM\SOFTWARE\Classes\BaseFlash
HKLM\SOFTWARE\Classes\BaseFlash.1
HKLM\SOFTWARE\Classes\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
- You see these pop-up ads:
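The folder and registry symptoms above can be checked with a read-only PowerShell script (an added example, not part of the original write-up). Checking every user profile's default Roaming folder and the WOW6432Node registry view are assumptions added here, not statements from the page.

```powershell
# Added example: read-only check for the folders and registry keys listed on this page.
# It reports what exists and changes nothing. Run elevated to read other users' profiles.

# Name/CLSID pairs exactly as published above.
$variants = @{
    'OKitSpace' = '{3543619C-D563-43f7-95EA-4DA7E1CC396A}'
    'BaseFlash' = '{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}'
}
$folders = 'okitspace', 'ProtectExtension'

# Assumption (not from the page): on 64-bit Windows, a 32-bit installer's writes under
# HKLM\SOFTWARE are redirected to WOW6432Node, so both registry views are checked.
$softwareRoots = 'HKEY_LOCAL_MACHINE\SOFTWARE', 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node'

# Build the full key list from the published names and CLSIDs.
$keys = foreach ($name in $variants.Keys) {
    $clsid = $variants[$name]
    "HKEY_CLASSES_ROOT\${name}"
    "HKEY_CLASSES_ROOT\${name}.1"
    "HKEY_CLASSES_ROOT\CLSID\${clsid}"
    foreach ($root in $softwareRoots) {
        "${root}\${name}"
        "${root}\Classes\${name}"
        "${root}\Classes\${name}.1"
        "${root}\Classes\CLSID\${clsid}"
        "${root}\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\${clsid}"
    }
}

$findings = @()

# Assumption: %APPDATA% resolves to <profile>\AppData\Roaming for every profile on the host.
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent
foreach ($p in Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($f in $folders) {
        $path = Join-Path $p.FullName "AppData\Roaming\$f"
        if (Test-Path -LiteralPath $path -PathType Container) {
            $findings += [pscustomobject]@{ Type = 'Folder'; Path = $path }
        }
    }
}

# -LiteralPath keeps the CLSID braces from being treated as anything but text.
foreach ($k in $keys) {
    if (Test-Path -LiteralPath "Registry::$k") {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $k }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No OKitSpace/BaseFlash indicators found.' }
```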
Last update 12 March 2014