What is ScanTack?
The Malwarebytes research team has determined that ScanTack is a browser hijacker. These so-called "hijackers" alter your start page or search scopes so that the affected browser visits their site or one of their choice. This one also displays advertisements.
How do I know if my computer is affected by ScanTack?
You may see this warning:

And you may see these toolbars/add-ons:


How did ScanTack get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove ScanTack?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You will need Malwarebytes Anti-Malware version 2.00 (beta) or newer to disable the Chrome and Firefox extensions.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-consumer.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan now.
- When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
- Reboot your computer if prompted.
Is there anything else I need to do to get rid of ScanTack?
- No, but for a full removal of the Firefox add-on you will need Malwarebytes Anti-Malware 2.00 beta or newer.
How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the ScanTack hijacker. It would have warned you before the browser helper object could install itself, giving you a chance to stop it before it was too late.
Signs in a HijackThis log:
O2 - BHO: ScanTack - {d332cff8-358e-4c9e-8af3-a08872ef22c1} - C:\Program Files\ScanTack\ScanTackbho.dll
O23 - Service: Update ScanTack - Unknown owner - C:\Program Files\ScanTack\updateScanTack.exe
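The two HijackThis entries above can be checked for mechanically. The following is an added example, not part of the original guide or of any Malwarebytes tool: it parses O2 and O23 lines and flags the ScanTack CLSID and install folder without regard to case. The function names and the extra sample lines are constructed for illustration.

```python
import re

# Indicators copied from the two HijackThis lines on this page, stored lowercase
# because Windows compares GUIDs and paths without regard to case.
SCANTACK_CLSID = "{d332cff8-358e-4c9e-8af3-a08872ef22c1}"
SCANTACK_DIR = "c:\\program files\\scantack\\"

# O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O23 - Service: <name> - <owner> - <exe path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

# First and fourth lines are from the page; the others are constructed.
SAMPLE_LOG = r"""
O2 - BHO: ScanTack - {d332cff8-358e-4c9e-8af3-a08872ef22c1} - C:\Program Files\ScanTack\ScanTackbho.dll
O2 - BHO: (no name) - {D332CFF8-358E-4C9E-8AF3-A08872EF22C1} - D:\Apps\st\bho.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O23 - Service: Update ScanTack - Unknown owner - C:\Program Files\ScanTack\updateScanTack.exe
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe
"""

def in_scantack_dir(path):
    """True if path lies in the install folder listed on the page."""
    return path.strip().strip('"').lower().startswith(SCANTACK_DIR)

def find_scantack_signs(log_text):
    """Return (section, name, path, reason) for each ScanTack-related entry."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["clsid"].lower() == SCANTACK_CLSID:
                reasons.append("clsid")   # BHO registered under the ScanTack CLSID
            if in_scantack_dir(m["path"]):
                reasons.append("path")    # DLL loaded from the ScanTack folder
            if reasons:
                hits.append(("O2", m["name"], m["path"], "+".join(reasons)))
            continue
        m = O23_RE.match(line)
        if m and in_scantack_dir(m["path"]):
            hits.append(("O23", m["name"], m["path"], "path"))
    return hits

if __name__ == "__main__":
    for hit in find_scantack_signs(SAMPLE_LOG):
        print(hit)
```

A BHO that keeps the CLSID but loads from another folder is still reported, with the reason `clsid` only.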
Alterations made by the installer:
Malwarebytes Anti-Malware log:
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention