5 year old Keylogger file? - acr*.tmp

Discussion in 'malware problems & news' started by Romulus, Aug 22, 2006.

Thread Status:
Not open for further replies.
  1. Romulus

    Romulus Registered Member

    Aug 22, 2006
    I have what I believe is a keylogger file that has been taking snapshots as far back as 5 years ago.

    The file is saved on a random basis every 7-14 days and is 2.0MB in size. It is stored (using W2k) under Documents and Settings\MY NAME\Local Settings\Temp\"filename"

    The file name format is always something like
    Acr**.tmp - (ex. Acr45.tmp or AcrC5.tmp)

    Windows explorer shows it as a .TMP file but it's associated with an MS Excel icon. I can open the file with Excel but all the characters are displayed in some cryptic code.

    I am obviously interested in fixing/removing it if it is malware; however, I am more interested in having the following questions answered:

    1) Does anyone recognize this file format? ...especially since it might be 5 years old
    2) Is it a known type of keylogger or other malware....or something harmless...?
    3) If it is malware is there a way to trace where it is going?

    Thanks for any ideas.
  2. Stem

    Stem Firewall Expert

    Oct 5, 2005
    Have you got acrobat reader installed?
    Please read

    More info

    Last edited: Aug 22, 2006
  3. ASpace

    ASpace Guest

    No, this seems to be a legitimate file of Adobe's reader software

    You open it with MS Excel because you have associated the tmp file to be opened with this application (if you want to fix this, Control Panel -> Folder options -> File types tab -> find tmp and click Delete)

    Every time you suspect a file being infected by a computer virus/malware, submit it to VirusTotal

    If you have any other sign of infection, perform the General Malware removal instructions by Blackspear

  4. Romulus

    Romulus Registered Member

    Aug 22, 2006
    Thanks for the insight. I read over the posts that were referred to.

    Although there is still a doubt I have. When I opened the files with Excel the vast majority of the text is cryptic (or possibly encrypted). However certain areas can still be seen as normal English text or what looks like HTML source.

    I can see in plain English that this is referencing various web sites I have visited.....as if it were keeping track of the web pages I have visited....In particular the several that it has been tracking have no Acrobat files on them that I might have opened online.

    It is recording just standard HTML pages I have visited.

    I keep getting a gut feeling this is more than just a randomly generated Acrobat file.

    As I stated earlier I will of course pursue cleaning my system if this is a form of malware.....but I still want to understand what this is...

    - Any other possible ideas concerning the likelihood this is a keylogger?
    - Do keyloggers that were used 5 years ago use this type of reporting format?

    Thanks again
  5. Romulus

    Romulus Registered Member

    Aug 22, 2006

    I am posting again to see if there might be any suggestions.

    1) I am attempting to determine if the acr*.tmp type of file might also be a form used by any keylogger programs.

    2) Assuming this is a keylogger, does anyone know how I might be able to track when the file is sent back out and where it goes? (i.e. any type of trace software that I can acquire to track details on a keylogger program)

  6. BlueZannetti

    BlueZannetti Registered Member

    Oct 19, 2003
    Since this seems, on the face of it, rather strange, could you provide a screenshot of what you mean?
    To be perfectly blunt, gut feelings on something you don't fully understand is a bad combination since you can invent associations which simply do not exist.
    At this point you have provided no definitive information that would point to a keylogger. Strip out your preconceived speculation, and the objective information still points to temporary Acrobat files.
    By the way, where does this 5 year timeline come from?

    Anything is possible, it is simply a filename
    Do you have a software firewall?

    Finally, have you tried the very simple test of attempting to open this file using Acrobat, seeing if it is rendered properly, and posting a screenshot of that?
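
Added example (not part of the original thread): a way to check what the Acr*.tmp files in a Temp folder actually contain by reading their leading bytes rather than trusting the extension or the Explorer icon, and to list any plain-text URLs inside them. The signature list, function names and report layout are assumptions made for this sketch, and an "unknown" result is not evidence of malware.

```python
import re
from pathlib import Path

# Leading-byte signatures; the .tmp extension and the icon are ignored on purpose.
SIGNATURES = [
    (b"%PDF-", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"MZ", "Windows executable"),
]
# '(' and ')' are excluded so a PDF "/URI (http://...)" entry ends cleanly.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]{4,200}")

def classify(data: bytes) -> str:
    """Name the file type from its first bytes."""
    head = data[:1024]
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    # Acrobat accepts a PDF header anywhere in the first 1024 bytes.
    if b"%PDF-" in head:
        return "PDF document (header not at offset 0)"
    return "unknown"

def embedded_urls(data: bytes) -> list:
    """Unique URLs stored uncompressed in the file (compressed streams are not searched)."""
    return sorted({m.decode("ascii") for m in URL_RE.findall(data)})

def triage(temp_dir) -> dict:
    """Map each Acr*.tmp file name in temp_dir to its type, size and visible URLs."""
    report = {}
    for path in sorted(Path(temp_dir).glob("Acr*.tmp")):
        data = path.read_bytes()
        report[path.name] = {
            "type": classify(data),
            "size": len(data),
            "urls": embedded_urls(data),
        }
    return report

if __name__ == "__main__":
    import os
    import sys
    # Default to the current user's Temp folder; pass another folder as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", ".")
    for name, info in triage(target).items():
        print(f"{name}: {info['type']}, {info['size']} bytes, {len(info['urls'])} URL(s)")
        for url in info["urls"]:
            print(f"    {url}")
```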
