Mon, Dec 04, 2006 12:57 am

Pacerd.bundle

Bazooka Adware and Spyware Scanner v1.13.03 reported that it had found Pacerd.bundle on G, a Windows XP system, when I scanned it.

The uninstall procedure on the Kephyr webpage suggested using "Add or Remove Programs" in the Windows Control Panel to remove entries named "Surf Sidekick", "ItalMgr", "Command", "RelevantKnowledge" and "MarketScore" before working through the manual uninstall instructions. However, none of those entries existed on the system.

The Kephyr site indicates that the presence of any of the files or directories listed below may indicate that a system is infected with this malware.

%ProgramsDir%\Msnmaker\
%ProgramsDir%\Quick Links\
%ProgramsDir%\InetGet\
%ProgramsDir%\FREEPR~1\
%ProgramsDir%\Freeprod Toolbar\
%ProgramsDir%\Cas\
%ProgramsDir%\CasStub\
%ProgramsDir%\CMSystem\
%ProgramsDir%\System Files\System.exe
%ProgramsDir%\System Files\plugin.dll
%ProgramsDir%\Yazzle Sudoku\
%WinDir%\etb\pokapoka73.exe
%WinDir%\etb\pokapoka75.exe
%WinDir%\exe82.exe
%WinDir%\bsx32\
%WinDir%\etb\
%WinDir%\jptc.dat
%WinDir%\offun.exe
%WinDir%\rk.exe
%WinDir%\rlvknlg.exe
%SystemDir%\PSof1.exe
%SystemDir%\exp.exe
%SystemDir%\wintask.exe
%SystemDir%\adcomplusanalytic.exe
%SystemDir%\ichckupd.exe
%SystemDir%\bho.dll
%SystemDir%\nsb12.dll
%SystemDir%\APD123.exe
%SystemDir%\wuauclt.dll
%SystemDir%\202_app13.exe
%SystemDir%\MTE2ODM6ODoxNg.exe
%SystemDir%\PopOops.dll
%SystemDir%\SI.exe
%SystemDir%\SWLAD1.dll
%SystemDir%\atmtd.dll
%SystemDir%\atmtd.dll._
%SystemDir%\dist001.exe
%SystemDir%\installer216.exe
%SystemDir%\nstD.dll
%SystemDir%\uc.exe
%SystemDir%\AOP2.exe
%SystemDir%\repairs302972979.dll

%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramsDir% is a variable. By default, this is C:\Program Files.

I created a batch file, pacerd_bundle-files.bat, to search the system for any instances of the files or directories listed above. None were found.

I then checked the registry for any of the keys the Kephyr webpage lists as associated with the malware. Only one of them was present: a Windows startup entry, i.e. a value under the Run key, named winsync.

C:\>reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winsync     REG_SZ  C:\WINDOWS\System32\kdkgpx.exe reg_run

However, I did not see that file, kdkgpx.exe, on the system, even after booting into safe mode, and none of the listed files turned up when I checked again from safe mode either.
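The batch file itself is not reproduced on the page. The following is an added reconstruction, not the author's pacerd_bundle-files.bat, that tests every path from the Kephyr list and the winsync Run value in one pass; it assumes the Windows XP defaults %ProgramFiles%, %SystemRoot% and %SystemRoot%\System32 stand in for %ProgramsDir%, %WinDir% and %SystemDir%:

```batch
@echo off
rem Added reconstruction of a Pacerd.bundle indicator check for Windows XP (not
rem the author's pacerd_bundle-files.bat). Assumes %ProgramFiles% = %ProgramsDir%,
rem %SystemRoot% = %WinDir% and %SystemRoot%\System32 = %SystemDir%.
set "PD=%ProgramFiles%"
set "WD=%SystemRoot%"
set "SD=%SystemRoot%\System32"
set FOUND=0

rem Every file and directory from the Kephyr list (duplicates dropped), plus the
rem kdkgpx.exe target of the winsync Run value that was found on this system.
for %%F in (
  "%PD%\Msnmaker" "%PD%\Quick Links" "%PD%\InetGet" "%PD%\FREEPR~1"
  "%PD%\Freeprod Toolbar" "%PD%\Cas" "%PD%\CasStub" "%PD%\CMSystem"
  "%PD%\System Files\System.exe" "%PD%\System Files\plugin.dll" "%PD%\Yazzle Sudoku"
  "%WD%\etb\pokapoka73.exe" "%WD%\etb\pokapoka75.exe" "%WD%\exe82.exe" "%WD%\bsx32"
  "%WD%\etb" "%WD%\jptc.dat" "%WD%\offun.exe" "%WD%\rk.exe" "%WD%\rlvknlg.exe"
  "%SD%\PSof1.exe" "%SD%\exp.exe" "%SD%\wintask.exe" "%SD%\adcomplusanalytic.exe"
  "%SD%\ichckupd.exe" "%SD%\bho.dll" "%SD%\nsb12.dll" "%SD%\APD123.exe"
  "%SD%\wuauclt.dll" "%SD%\202_app13.exe" "%SD%\MTE2ODM6ODoxNg.exe" "%SD%\PopOops.dll"
  "%SD%\SI.exe" "%SD%\SWLAD1.dll" "%SD%\atmtd.dll" "%SD%\atmtd.dll._"
  "%SD%\dist001.exe" "%SD%\installer216.exe" "%SD%\nstD.dll" "%SD%\uc.exe"
  "%SD%\AOP2.exe" "%SD%\repairs302972979.dll" "%SD%\kdkgpx.exe"
) do (
  if exist "%%~F" (
    echo FOUND: %%~F
    set FOUND=1
  )
)

rem The only Kephyr-listed registry item present on this system was the winsync
rem Run value; reg query exits with 0 when the value exists and 1 when it does not.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync >nul 2>&1
if not errorlevel 1 (
  echo FOUND: winsync value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync
  set FOUND=1
)

if %FOUND%==1 (
  echo One or more Pacerd.bundle indicators are present.
  exit /b 1
)
echo No Pacerd.bundle files, directories or registry entries found.
exit /b 0
```

Run it from a normal session and again from safe mode, as the post does; a non-zero exit code means at least one indicator was present and was echoed above.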

I deleted the winsync registry value with the reg delete command.

C:\Documents and Settings\Administrator\My Documents>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync

Delete the registry value winsync (Y/N)? y

The operation completed successfully

When I scanned the system again with Bazooka, it no longer reported Pacerd.bundle. The registry entry it had flagged was most likely a remnant left behind by spyware that another antispyware program on the system had already removed.

References:

  1. Pacerd.bundle
