What is ScanTack?
The Malwarebytes research team has determined that ScanTack is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the effected browser visits their site or one of their choice. This one also displays advertisements.
How do I know if my computer is effected by ScanTack?
You may see this warning:
And you may see these toolbars/add-ons:
How did ScanTack get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove ScanTack?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You will need Malwarebytes Anti-Malware version 2.00 (beta) or newer to disable the Chrome and Firefox extensions.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-consumer.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Enable free trial of Malwarebytes Anti-Malware Premium
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan now.
- When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
- Reboot your computer if prompted.
Is there anything else I need to do to get rid of ScanTack?
- No, but for a full removal of the Firefox add-on you will need Malwarebytes Anti-Malware 2.00 beta or newer.
How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the ScanTack hijacker. It would have warned you before the browser helper object could install itself, giving you a chance to stop it before it became too late.
Signs in a HijackThis log:
O2 - BHO: ScanTack - {d332cff8-358e-4c9e-8af3-a08872ef22c1} - C:\Program Files\ScanTack\ScanTackbho.dll
O23 - Service: Update ScanTack - Unknown owner - C:\Program Files\ScanTack\updateScanTack.exeAlterations made by the installer:
File system details
---------------------------------------------
Adds the folder C:\Program Files\ScanTack
Adds the file 7za.exe"="2/25/2014 6:39 AM, 536064 bytes, A
Adds the file ScanTack.FirstRun.exe"="2/26/2014 6:01 AM, 1727264 bytes, A
Adds the file ScanTack.ico"="2/26/2014 6:01 AM, 1150 bytes, A
Adds the file ScanTackBHO.dll"="2/26/2014 6:01 AM, 249632 bytes, A
Adds the file ScanTackUninstall.exe"="3/8/2014 9:00 AM, 241101 bytes, A
Adds the file updateScanTack.exe"="2/26/2014 6:01 AM, 111904 bytes, A
Adds the file updateScanTack.InstallState"="3/8/2014 9:00 AM, 5012 bytes, A
Adds the folder C:\Users\Malwarebytes\AppData\Roaming\Mozilla\Firefox\Profiles\joxsq3f5.default\extensions
Adds the file {9acd1534-e8f8-40cb-b5ac-4996fe01175b}.xpi"="2/26/2014 6:01 AM, 7956 bytes, A
Registry details
------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
"(Default)"="REG_SZ, "59C96EB9-9F88-4EC3-9DA8-69DAA2B20E04"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
"(Default)"="REG_SZ, "5680A9F2-9109-4DDB-9873-6E25BE9B6F4A"
"id"="REG_SZ, "159"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d332cff8-358e-4c9e-8af3-a08872ef22c1}]
"(Default)"="REG_SZ, "ScanTack"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d332cff8-358e-4c9e-8af3-a08872ef22c1}\InprocServer32]
"(Default)"="REG_SZ, "C:\Program Files\ScanTack\ScanTackbho.dll"
"ThreadingModel"="REG_SZ, "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d332cff8-358e-4c9e-8af3-a08872ef22c1}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d332cff8-358e-4c9e-8af3-a08872ef22c1}\TypeLib]
"(Default)"="REG_SZ, "{96ee63e6-6942-46f3-a1a0-2250e4e93d23}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d332cff8-358e-4c9e-8af3-a08872ef22c1}\Version]
"(Default)"="REG_SZ, "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD836A49-1150-48E7-8841-BD466E20B0B0}]
"(Default)"="REG_SZ, "IScanTackBHO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD836A49-1150-48E7-8841-BD466E20B0B0}\ProxyStubClsid]
"(Default)"="REG_SZ, "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD836A49-1150-48E7-8841-BD466E20B0B0}\ProxyStubClsid32]
"(Default)"="REG_SZ, "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD836A49-1150-48E7-8841-BD466E20B0B0}\TypeLib]
"(Default)"="REG_SZ, "{96EE63E6-6942-46F3-A1A0-2250E4E93D23}"
"Version"="REG_SZ, "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{96EE63E6-6942-46F3-A1A0-2250E4E93D23}\1.0]
"(Default)"="REG_SZ, "ScanTackIEClientLib"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{96EE63E6-6942-46F3-A1A0-2250E4E93D23}\1.0\0\win32]
"(Default)"="REG_SZ, "C:\Program Files\ScanTack\ScanTackbho.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{96EE63E6-6942-46F3-A1A0-2250E4E93D23}\1.0\FLAGS]
"(Default)"="REG_SZ, "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{96EE63E6-6942-46F3-A1A0-2250E4E93D23}\1.0\HELPDIR]
"(Default)"="REG_SZ, "C:\Program Files\ScanTack"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ScanTack_RASAPI32]
"ConsoleTracingMask"="REG_DWORD, -65536"
"EnableConsoleTracing"="REG_DWORD, 0"
"EnableFileTracing"="REG_DWORD, 0"
"FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
"FileTracingMask"="REG_DWORD, -65536"
"MaxFileSize"="REG_DWORD, 1048576"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ScanTack_RASMANCS]
"ConsoleTracingMask"="REG_DWORD, -65536"
"EnableConsoleTracing"="REG_DWORD, 0"
"EnableFileTracing"="REG_DWORD, 0"
"FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
"FileTracingMask"="REG_DWORD, -65536"
"MaxFileSize"="REG_DWORD, 1048576"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\updateScanTack_RASAPI32]
"ConsoleTracingMask"="REG_DWORD, -65536"
"EnableConsoleTracing"="REG_DWORD, 0"
"EnableFileTracing"="REG_DWORD, 0"
"FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
"FileTracingMask"="REG_DWORD, -65536"
"MaxFileSize"="REG_DWORD, 1048576"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\updateScanTack_RASMANCS]
"ConsoleTracingMask"="REG_DWORD, -65536"
"EnableConsoleTracing"="REG_DWORD, 0"
"EnableFileTracing"="REG_DWORD, 0"
"FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
"FileTracingMask"="REG_DWORD, -65536"
"MaxFileSize"="REG_DWORD, 1048576"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d332cff8-358e-4c9e-8af3-a08872ef22c1}]
"(Default)"="REG_SZ, "ScanTack"
"NoExplorer"="REG_DWORD, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScanTack]
"DisplayIcon"="REG_SZ, "C:\Program Files\ScanTack\ScanTack.ico"
"DisplayName"="REG_SZ, "ScanTack"
"DisplayVersion"="REG_SZ, "2014.02.26.045520"
"EstimatedSize"="REG_DWORD, 2569"
"HelpLink"="REG_SZ, "mailto:[email protected]"
"InstallLocation"="REG_SZ, "C:\Program Files\ScanTack"
"InstallTime"="REG_SZ, "2014-03-08 9:00:22"
"NoModify"="REG_DWORD, 1"
"NoRepair"="REG_DWORD, 1"
"Publisher"="REG_SZ, "ScanTack"
"QuietUninstallString"="REG_SZ, "C:\Program Files\ScanTack\ScanTackuninstall.exe /S"
"UninstallString"="REG_SZ, "C:\Program Files\ScanTack\ScanTackuninstall.exe"
"URLInfoAbout"="REG_SZ, "http://scantack.net/support"
"URLUpdateInfo"="REG_SZ, "http://scantack.net"
[HKEY_LOCAL_MACHINE\SOFTWARE\ScanTack\Chrome]
"sgc"="REG_SZ, "true"
[HKEY_LOCAL_MACHINE\SOFTWARE\ScanTack\Firefox]
"sff"="REG_SZ, "false"
[HKEY_LOCAL_MACHINE\SOFTWARE\ScanTack\Internet Explorer]
"sie"="REG_SZ, "false"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Update ScanTack]
"EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update ScanTack]
"DisplayName"="REG_SZ, "Update ScanTack"
"ErrorControl"="REG_DWORD, 1"
"FailureActions"="REG_BINARY, ......................
"ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\ScanTack\updateScanTack.exe""
"ObjectName"="REG_SZ, "LocalSystem"
"Start"="REG_DWORD, 2"
"Type"="REG_DWORD, 16"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions]
"{D332CFF8-358E-4C9E-8AF3-A08872EF22C1}"="REG_BINARY, ............
[HKEY_CURRENT_USER\Software\ScanTack]
"id"="REG_SZ, "2014-03-08 9:00:22"
"iid"="REG_SZ, "def_ScanTack"
"is"="REG_SZ, "def_ScanTack"
[HKEY_CURRENT_USER\Software\ScanTack\Firefox]
"ug"="REG_SZ, "1A984637-73DE-42AF-BF6E-39E7A41918D1"
[HKEY_CURRENT_USER\Software\ScanTack\Internet Explorer]
"ug"="REG_SZ, "C62A7B3B-9039-4321-975C-D09C9BB181DB"
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 3/8/2014
Scan Time: 9:07:54 AM
Logfile: mbamScantack.txt
Administrator: Yes
Version: 2.00.0.0504
Malware Database: v2014.03.08.03
Rootkit Database: v2014.02.20.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 199715
Time Elapsed: 2 min, 38 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
Processes: 2
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\updateScanTack.exe, 7728, Delete-on-Reboot, [5e7515eb8cef1a1cb2e22b7afc059e62]
PUP.Optional.Sambreel.A, C:\Program Files\ScanTack\ScanTack.FirstRun.exe, 7896, Delete-on-Reboot, [b81b40c084f767cf1d4b781fb74a37c9]
Modules: 0
(No malicious items detected)
Registry Keys: 13
PUP.Optional.ScanTack.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Update ScanTack, Quarantined, [5e7515eb8cef1a1cb2e22b7afc059e62],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\CLASSES\CLSID\{d332cff8-358e-4c9e-8af3-a08872ef22c1}, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{96ee63e6-6942-46f3-a1a0-2250e4e93d23}, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{AD836A49-1150-48E7-8841-BD466E20B0B0}, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{D332CFF8-358E-4C9E-8AF3-A08872EF22C1}, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, HKU\S-1-5-21-4016700205-1717049133-1125222536-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{D332CFF8-358E-4C9E-8AF3-A08872EF22C1}, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, HKU\S-1-5-21-4016700205-1717049133-1125222536-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D332CFF8-358E-4C9E-8AF3-A08872EF22C1}, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\CLASSES\CLSID\{D332CFF8-358E-4C9E-8AF3-A08872EF22C1}\INPROCSERVER32, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.BrowseFox.A, HKLM\SOFTWARE\CLASSES\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}, Quarantined, [03d0d22ecab192a42e1aa6d12ad810f0],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ScanTack, Quarantined, [577c41bfc6b5cd69e05d57389c66ae52],
PUP.Optional.ScanTack.A, HKLM\SOFTWARE\ScanTack, Quarantined, [894aba46cfacb87e0b34dfb053af7987],
PUP.Optional.Ligtning.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\cekcjpgehmohobmdiikfnopibipmgnml, Quarantined, [864d817fcbb03600038aa9eba65c28d8],
PUP.Optional.ScanTack.A, HKU\S-1-5-21-4016700205-1717049133-1125222536-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\ScanTack, Quarantined, [33a006faaecd072fb38bc1ce30d2b749],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 4
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack, Delete-on-Reboot, [577c41bfc6b5cd69e05d57389c66ae52],
PUP.Optional.eSafe.A, C:\ProgramData\eSafe\log, Quarantined, [8251659bdf9c1e18b1f8c4d0e51d827e],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0, Quarantined, [666da25e552624122a5a93f957ab3fc1],
Files: 18
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\updateScanTack.exe, Delete-on-Reboot, [5e7515eb8cef1a1cb2e22b7afc059e62],
PUP.Optional.Sambreel.A, C:\Program Files\ScanTack\ScanTack.FirstRun.exe, Delete-on-Reboot, [b81b40c084f767cf1d4b781fb74a37c9],
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\ScanTackBHO.dll, Quarantined, [f4df1be5c7b490a6c1d2891cec1510f0],
PUP.Optional.ScanTack.A, C:\Users\{username}\Desktop\ScanTack installer.exe, Quarantined, [745f40c07efd66d02d661293d32eec14],
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\ScanTack.ico, Quarantined, [577c41bfc6b5cd69e05d57389c66ae52],
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\7za.exe, Quarantined, [577c41bfc6b5cd69e05d57389c66ae52],
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\ScanTackUninstall.exe, Quarantined, [577c41bfc6b5cd69e05d57389c66ae52],
PUP.Optional.ScanTack.A, C:\Program Files\ScanTack\updateScanTack.InstallState, Quarantined, [577c41bfc6b5cd69e05d57389c66ae52],
PUP.Optional.eSafe.A, C:\ProgramData\eSafe\log\eGdpSvc.LOG, Quarantined, [8251659bdf9c1e18b1f8c4d0e51d827e],
PUP.Optional.NewTab.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\newtab.crx, Quarantined, [d4ff42bed5a6ce68f3309df8db27837d],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\background.html, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\background.js, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\data.json, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\icon128.png, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\jquery.js, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\manifest.json, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\xa.js, Quarantined, [666da25e552624122a5a93f957ab3fc1],
PUP.Optional.Lightning.A, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.3_0\xagainit.js, Quarantined, [666da25e552624122a5a93f957ab3fc1],
Physical Sectors: 0
(No malicious items detected)
(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
Back to top
Sign In
Create Account
