TROJ_INJECTOR.JFK


 ALIASES:

TrojanSpy:MSIL/Golroted.A (Microsoft); RDN/Generic Dropper!uq (McAfee); Trojan-Dropper.Win32.Sysn.ahcm (Kaspersky); Trojan.Win32.Generic!BT (Sunbelt); Worm/MSIL.YE (AVG)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

839,168 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

15 Jul 2014

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan creates the following folders:

  • %User Profile%\10.0\Forms
  • %User Profile%\10.0\Collab
  • %User Profile%\10.0\Security
  • %User Profile%\Security\CRLCache

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "%User Profile%\Application Data\WindowsUpdate.exe"

Other System Modifications

This Trojan deletes the following files:

  • %User Profile%\10.0\ReaderMessages-journal
  • %Application Data%\Adobe\Acrobat\10.0\SharedDataEvents-journal

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following registry keys:

HKEY_CURRENT_USER\Software\Adobe\
Adobe Acrobat\10.0

HKEY_CURRENT_USER\Software\Adobe\
Adobe Synchronizer\10.0

HKEY_LOCAL_MACHINE\System\Acrobatbrokerserverdispatchercpp789

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Installer\
Migrated

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Originals

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\AVGeneral

HKEY_CURRENT_USER\Software\Adobe\
Adobe Synchronizer\10.0\Acrobat.com

HKEY_CURRENT_USER\Software\Adobe\
Adobe Synchronizer\10.0\Acrobat.com.v2

HKEY_CURRENT_USER\Software\Adobe\
Adobe Acrobat\10.0\DiskCabs

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter\cSettings

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution\cSettings

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cInitiationWizardFirstLaunch

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cHandlers

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c290FA7E61053E8763C6055E6333A99EFB83ECACB

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker\cAuthorizedResponder

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker\cAuthorizedResponder\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0\cValue

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSendNonce

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSendNonce\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignCertOID

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignCertOID\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignRequest

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignRequest\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cURLToConsult

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cURLToConsult\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0\cValue

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSendNonce

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSendNonce\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignCertOID

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignCertOID\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignRequest

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignRequest\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cURLToConsult

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cURLToConsult\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_CRLRevChecker

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_CRLRevChecker\cRequireAKI

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_CRLRevChecker\cRequireAKI\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cAllowCAToIssueAC

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cAllowCAToIssueAC\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cCheckCABasicConstraints

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cCheckCABasicConstraints\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cAllowOCSPNoCheck

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cAllowOCSPNoCheck\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cRequireOCSPCertHash

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cRequireOCSPCertHash\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_Validation

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_Validation\cValidityModel

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_Validation\cValidityModel\
c0

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cPPKHandler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\firefox

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\firefox\
DEBUG

HKEY_LOCAL_MACHINE\Software\Adobe\
Acrobat Reader\10.0\AdobeViewer

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Installer\
Migrated
{AC76BA86-7AD7-1033-7B44-AA0000000001} = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Originals
bDisplayedSplash = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\AVGeneral
bLastExitNormal = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
bAlwaysUseServer = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
bAlwaysUseServerFD = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
bDefault = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
bDefaultFD = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
tDistMethod = "UPLOAD"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter\cSettings
tcSetting = "https://api.{BLOCKED}e.acrobat.com"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
tUI = "Acrobat.com (Recommended)"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cDocumentCenter
tURL = "urn://ns.{BLOCKED}e.com/Collaboration/SharedReview/Acrobat.com"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution
bAlwaysUseServerFD = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution
bDefaultFD = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution
tDistMethod = "EMAIL"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution
tUI = "Manually collect responses in my email inbox"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cEmailDistribution
tURL = "urn://ns.{BLOCKED}e.com/Collaboration/Forms/Email"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cInitiationWizardFirstLaunch
bIsFirstLaunchER = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cInitiationWizardFirstLaunch
bIsFirstLaunchFD = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cInitiationWizardFirstLaunch
bIsFirstLaunchSF = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cInitiationWizardFirstLaunch
bIsFirstLaunchSR = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Collab\
cInitiationWizardFirstLaunch
bIsFirstLaunchUF = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cHandlers
aPrivKey = "Adobe.PPKLite"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker\cAuthorizedResponder\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0
iEnd = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0
iStart = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0\cValue
s0 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0\cValue
s1 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1
iEnd = "2"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1
iStart = "2"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s0 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s1 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s2 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s3 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s4 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s5 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s6 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s7 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s8 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s9 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s10 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s11 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSendNonce\
c0
iValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignCertOID\
c0
sValue = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignRequest\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cURLToConsult\
c0
iValue = "3"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0
iEnd = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0
iStart = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0\cValue
s0 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c0\cValue
s1 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1
iEnd = "2"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1
iStart = "2"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s0 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s1 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s2 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s3 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s4 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s5 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s6 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s7 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s8 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s9 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s10 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\
c1\cValue
s11 = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSendNonce\
c0
iValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignCertOID\
c0
sValue = "{random values}"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignRequest\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cURLToConsult\
c0
iValue = "3"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_CRLRevChecker\cRequireAKI\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cAllowCAToIssueAC\
c0
bValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cCheckCABasicConstraints\
c0
bValue = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cAllowOCSPNoCheck\
c0
bValue = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cRequireOCSPCertHash\
c0
bValue = "0"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cASPKI\cASPKI\cCustomCertPrefs\
c312E332E33362E382E312E310000\cAdobe_Validation\cValidityModel\
c0
iValue = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\Security\
cPPKHandler
bCustomPrefsCreated = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\
Acrobat Reader\10.0\AdobeViewer
EULA = "1"

HKEY_CURRENT_USER\Software\Adobe\
Acrobat Reader\10.0\AdobeViewer
EULA = "1"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
EventMessageFile = "%System%\ESENT.dll"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryMessageFile = "%System%\ESENT.dll"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryCount = "1"

(Note: The default value data of the said registry entry is 10.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
TypesSupported = "7"

(Note: The default value data of the said registry entry is 7.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "1"

(Note: The default value data of the said registry entry is 2.)

Dropping Routine

This Trojan drops the following files:

  • %User Temp%\Purchase Order July Delivery.pdf
  • %User Temp%\firefox.exe
  • %Application Data%\Adobe\Color\ACECache11.lst
  • %Application Data%\Adobe\Acrobat\10.0\UserCache.bin
  • %User Temp%\Temporary Internet Files
  • %User Temp%\Temporary Internet Files\Content.IE5
  • %User Temp%\Temporary Internet Files\Content.IE5\CZ2RUTWT
  • %User Temp%\Temporary Internet Files\Content.IE5\8R6BUDWB
  • %User Temp%\Temporary Internet Files\Content.IE5\VK9VFWJG
  • %User Temp%\Temporary Internet Files\Content.IE5\GLQ38PUB
  • %User Temp%\Cookies
  • %User Temp%\History
  • %User Temp%\History\History.IE5
  • %User Profile%\10.0\rdrmessage.zip
  • %User Profile%\10.0\Forms
  • %User Profile%\10.0\Collab
  • %User Profile%\10.0\Security
  • %User Profile%\Security\CRLCache
  • %User Profile%\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
  • %User Profile%\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
  • %User Profile%\Application Data\pid.txt
  • %User Profile%\Application Data\pidloc.txt
  • A:\autorun.inf
  • %User Temp%\holderwb.txt
  • %User Profile%\Application Data\WindowsUpdate.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://acroipm.{BLOCKED}e.com/10/rdr/ENU/win/nooem/none/message.zip
  • {BLOCKED}0.1
  • {BLOCKED}20.96
  • {BLOCKED}.248.172
  • {BLOCKED}4.68.108

This report is generated via an automated analysis system.

  SOLUTION

Minimum Scan Engine:

9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat
    • 10.0
  • In HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer
    • 10.0
  • In HKEY_LOCAL_MACHINE\System
    • Acrobatbrokerserverdispatchercpp789
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Installer
    • Migrated
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0
    • Originals
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0
    • AVGeneral
  • In HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\10.0
    • Acrobat.com
  • In HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\10.0
    • Acrobat.com.v2
  • In HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0
    • DiskCabs
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0
    • Collab
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab
    • cDocumentCenter
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • cSettings
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab
    • cEmailDistribution
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cEmailDistribution
    • cSettings
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab
    • cInitiationWizardFirstLaunch
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0
    • Security
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security
    • cHandlers
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security
    • cASPKI
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security
    • cASPKI
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI
    • cCustomCertPrefs
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs
    • c290FA7E61053E8763C6055E6333A99EFB83ECACB
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c290FA7E61053E8763C6055E6333A99EFB83ECACB
    • cAdobe_OCSPRevChecker
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker
    • cAuthorizedResponder
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker\cAuthorizedResponder
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs
    • c312E322E3834302E3131343032312E310000
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000
    • cAdobe_ChainBuilder
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder
    • cAcceptablePolicyOIDs
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0
    • cValue
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs
    • c1
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1
    • cValue
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000
    • cAdobe_OCSPRevChecker
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker
    • cAuthorizedResponder
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker
    • cSendNonce
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSendNonce
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker
    • cSignCertOID
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignCertOID
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker
    • cSignRequest
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignRequest
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker
    • cURLToConsult
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cURLToConsult
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs
    • c312E322E3834302E3131343032312E312E312E310000
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000
    • cAdobe_ChainBuilder
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder
    • cAcceptablePolicyOIDs
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0
    • cValue
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs
    • c1
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1
    • cValue
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000
    • cAdobe_OCSPRevChecker
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker
    • cAuthorizedResponder
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker
    • cSendNonce
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSendNonce
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker
    • cSignCertOID
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignCertOID
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker
    • cSignRequest
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignRequest
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker
    • cURLToConsult
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cURLToConsult
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs
    • c312E332E33362E382E312E310000
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000
    • cAdobe_CRLRevChecker
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_CRLRevChecker
    • cRequireAKI
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_CRLRevChecker\cRequireAKI
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000
    • cAdobe_ChainBuilder
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_ChainBuilder
    • cAllowCAToIssueAC
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cAllowCAToIssueAC
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_ChainBuilder
    • cCheckCABasicConstraints
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cCheckCABasicConstraints
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000
    • cAdobe_OCSPRevChecker
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker
    • cAllowOCSPNoCheck
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cAllowOCSPNoCheck
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker
    • cRequireOCSPCertHash
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cRequireOCSPCertHash
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000
    • cAdobe_Validation
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_Validation
    • cValidityModel
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_Validation\cValidityModel
    • c0
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security
    • cPPKHandler
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process
    • firefox
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\firefox
    • DEBUG
  • In HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\10.0
    • AdobeViewer

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Update = "%User Profile%\Application Data\WindowsUpdate.exe"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Installer\Migrated
    • {AC76BA86-7AD7-1033-7B44-AA0000000001} = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Originals
    • bDisplayedSplash = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\AVGeneral
    • bLastExitNormal = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • bAlwaysUseServer = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • bAlwaysUseServerFD = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • bDefault = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • bDefaultFD = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • tDistMethod = "UPLOAD"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter\cSettings
    • tcSetting = "https://api.{BLOCKED}e.acrobat.com"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • tUI = "Acrobat.com (Recommended)"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cDocumentCenter
    • tURL = "urn://ns.{BLOCKED}e.com/Collaboration/SharedReview/Acrobat.com"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cEmailDistribution
    • bAlwaysUseServerFD = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cEmailDistribution
    • bDefaultFD = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cEmailDistribution
    • tDistMethod = "EMAIL"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cEmailDistribution
    • tUI = "Manually collect responses in my email inbox"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cEmailDistribution
    • tURL = "urn://ns.{BLOCKED}e.com/Collaboration/Forms/Email"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cInitiationWizardFirstLaunch
    • bIsFirstLaunchER = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cInitiationWizardFirstLaunch
    • bIsFirstLaunchFD = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cInitiationWizardFirstLaunch
    • bIsFirstLaunchSF = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cInitiationWizardFirstLaunch
    • bIsFirstLaunchSR = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Collab\cInitiationWizardFirstLaunch
    • bIsFirstLaunchUF = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cHandlers
    • aPrivKey = "Adobe.PPKLite"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c290FA7E61053E8763C6055E6333A99EFB83ECACB\cAdobe_OCSPRevChecker\cAuthorizedResponder\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0
    • iEnd = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0
    • iStart = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0\cValue
    • s0 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0\cValue
    • s1 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1
    • iEnd = "2"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1
    • iStart = "2"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s0 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s1 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s2 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s3 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s4 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s5 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s6 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s7 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s8 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s9 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s10 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s11 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSendNonce\c0
    • iValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignCertOID\c0
    • sValue = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cSignRequest\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E310000\cAdobe_OCSPRevChecker\cURLToConsult\c0
    • iValue = "3"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0
    • iEnd = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0
    • iStart = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0\cValue
    • s0 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c0\cValue
    • s1 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1
    • iEnd = "2"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1
    • iStart = "2"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s0 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s1 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s2 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s3 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s4 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s5 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s6 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s7 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s8 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s9 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s10 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_ChainBuilder\cAcceptablePolicyOIDs\c1\cValue
    • s11 = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cAuthorizedResponder\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSendNonce\c0
    • iValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignCertOID\c0
    • sValue = "{random values}"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cSignRequest\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E322E3834302E3131343032312E312E312E310000\cAdobe_OCSPRevChecker\cURLToConsult\c0
    • iValue = "3"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_CRLRevChecker\cRequireAKI\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cAllowCAToIssueAC\c0
    • bValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_ChainBuilder\cCheckCABasicConstraints\c0
    • bValue = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cAllowOCSPNoCheck\c0
    • bValue = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_OCSPRevChecker\cRequireOCSPCertHash\c0
    • bValue = "0"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cASPKI\cASPKI\cCustomCertPrefs\c312E332E33362E382E312E310000\cAdobe_Validation\cValidityModel\c0
    • iValue = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Security\cPPKHandler
    • bCustomPrefsCreated = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\10.0\AdobeViewer
    • EULA = "1"
  • In HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\AdobeViewer
    • EULA = "1"

Step 5

Restore these modified registry values

[ Learn More ]

Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
    • From: EventMessageFile = "%System%\ESENT.dll"
      To: EventMessageFile = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
    • From: CategoryMessageFile = "%System%\ESENT.dll"
      To: CategoryMessageFile = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
    • From: CategoryCount = "1"
      To: CategoryCount = ""10""
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
    • From: TypesSupported = "7"
      To: TypesSupported = ""7""
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: Hidden = "1"
      To: Hidden = ""2""

Step 6

Search and delete these components

[ Learn More ]
There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\Purchase Order July Delivery.pdf
  • %User Temp%\firefox.exe
  • %Application Data%\Adobe\Color\ACECache11.lst
  • %Application Data%\Adobe\Acrobat\10.0\UserCache.bin
  • %User Temp%\Temporary Internet Files
  • %User Temp%\Temporary Internet Files\Content.IE5
  • %User Temp%\Temporary Internet Files\Content.IE5\CZ2RUTWT
  • %User Temp%\Temporary Internet Files\Content.IE5\8R6BUDWB
  • %User Temp%\Temporary Internet Files\Content.IE5\VK9VFWJG
  • %User Temp%\Temporary Internet Files\Content.IE5\GLQ38PUB
  • %User Temp%\Cookies
  • %User Temp%\History
  • %User Temp%\History\History.IE5
  • %User Profile%\10.0\rdrmessage.zip
  • %User Profile%\10.0\Forms
  • %User Profile%\10.0\Collab
  • %User Profile%\10.0\Security
  • %User Profile%\Security\CRLCache
  • %User Profile%\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl
  • %User Profile%\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl
  • %User Profile%\Application Data\pid.txt
  • %User Profile%\Application Data\pidloc.txt
  • A:\autorun.inf
  • %User Temp%\holderwb.txt
  • %User Profile%\Application Data\WindowsUpdate.exe

Step 7

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Profile%\10.0\Forms
  • %User Profile%\10.0\Collab
  • %User Profile%\10.0\Security
  • %User Profile%\Security\CRLCache

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_INJECTOR.JFK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 9

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

  • %User Profile%\10.0\ReaderMessages-journal
  • %Application Data%\Adobe\Acrobat\10.0\SharedDataEvents-journal


Did this description help? Tell us how we did.