Detecting Keystroke Software


Oct 31, 2005
In most cases antivirus programs and anti-spyware programs will see them. If you don't trust the locally installed antivirus software, try Housecall from Trend Micro.


New Member
Oct 29, 2006
Try downloading a copy of Helios (do a Google search). It finds many of the known rootkits and hidden processes loaded behind the scenes that are normally invisible to users - and it is free. I have also found the new free product from AVG (the anti-virus folks) called AVG Anti-Spyware to be very effective in picking up processes and applications that most of the other commercial software seems to miss.

Hope that helps :D


Jan 2, 2006
Another option might be to run rootkit revealer. It might detect the tool, depending on it's behaviour. See:

w w w



New Member
Sep 3, 2006
Hy there
I use also the SVV (System Virginity Verifier) from Joana Rutkowska

This tool helps a loot.

May the force be with you
Dec 14, 2006
Check out Gargoyle.

<t>Check out Gargoyle Forensic pro by Wetstone Software. Its purpose is to find all MALWARE (malicious Software) installed, or previously installed, on a computer.<br/>
The purpose of Gargoyle is to have a fast and easy way to provide us with valuable information regarding the contents of a suspect’s computer along with essential information about it’s owner's computer use. How many times have we come across a program that was used and then uninstalled to cover the bad guy’s tracks? <br/>
This gives us the capability to quickly determine both the benign applications, (standard desktop software) resident on the system, as well as to determine what doesn’t belong there as well. Malware detection at this level provides an instant mini-profile of the user based on their use of a particular cyber weapon. Almost the same as finding a gun in a suspect’s possession. It doesn’t mean he used it, but he could have. And, that’s important. This layer of digital environmental detection and analysis provides a solid foundation for further investigation.<br/>
We all now how Known File Filtering (KFF) has become a common practice during our digital forensic investigations, but the purpose of KFF has been to filter out files from the investigation that are “known” and benign, in order reduce the amount of digital information that needs to be examined. This does not help when looking for programs that are unknown and can cause harm. This program allows us to go beyond filtering out the non-relevant programs as the National Software Reference Library has done in the past, and allows us to uncover potentially hostile programs on a suspect computer. Just finding traces of their existence or prior existence is sometimes all we need in an investigation. <br/>
As their product description says: “Gargoyle performs rapid searches for known “bad or hostile” programs, their associated files and remnants of files. Once identified, Gargoyle also maps the detected files to the associated cyber weapons, and classifies them into a category of malware. MalWare detection allows investigators to employ datasets like NSRL or build their own specialized databases of hash codes based on hostile or malicious content that can provide significant clues regarding the activities, motives and even the intent of suspects or potential suspects. And the process can be performed in just minutes. Speed and accuracy are the obvious objectives of such a process, however, an added benefits is the automatic generation of new clues and information not just more data. One of the interesting aspects of MalWare detection is the generation of the databases of hash codes that are needed to identify malware.”<br/>
A legitimate program that “can” be used for bad things will never show up in a McAfee or Norton scan.</t>


New Member
Jan 13, 2007
While keyloggers may or may not be considered a "rootkit", their behavior may mimic a rookit.

Trend Housecall to my knoweldge will not reveal a rootkit.

You can go a little deeper by using HijackThis and looking at the log, or having someone who is qualified to look over the log and see what is running in the background, as a service, etc..

F-Secure has a very good rootkit program called "Blacklight".



About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu