Agent.h is part of a large family called Agent. This particular installation is a rootkit.


Agent.h is not a standalone program. A user would have to download another application, which may in turn download this rootkit. The rootkit is not malicious on its own; it simply allows the hacker or backdoor to remain anonymous.

The rootkit will drop itself into the system directory:


It may also drop another key into the registry.



To remove only the rootkit, boot into a bootable environment. Once that environment has booted, delete both the msdirectx.sys file and the registry key. The user can then run MBAM scans to clean up.

Further Information

SecureList Definition


  • Kaspersky: Trojan.Win32.Rootkit.d
  • McAfee: Trojan: He4Hook, Trojan: He4Hook.sys
  • Sophos: Troj/He4Hook-C
  • ClamAV: Trojan.Rootkit-137, Trojan.Rootkit-135, Trojan.Rootkit-136
  • Panda: Rootkit/He4.A
  • FPROT: W32/He4RootKit.A
  • MS OneCare: VirTool:WinNT/He4Hook
  • Dr.Web: Trojan.He4RootKit
  • NOD32: Win32/Rootkit.Agent.H trojan, Win32/Rootkit.D trojan
  • BitDefender: Trojan.Rootkit.D
  • VirusBuster: Rootkit.Agent!Uqt3weX2yWQ, Rootkit.Agent.O, Trojan.He4RootKit!gO56LcZjgAQ
  • Ikarus: RootKit.Win32.Agent.h
  • Ikarus: Rootkit.Win32.Agent
  • AVG: Agent.FH, Backdoor.Agent.SL, BackDoor.Agent.SH
  • NAV: Hacktool.Rootkit
  • Norman: W32/He4Rootkit.C
  • Norman: W32/He4Rootkit.B
  • Norman: W32/He4Rootkit.A
  • NAI: He4Hook
  • NAI: He4Hook.sys
  • Rising AntiVirus: Hack.He4Control, Backdoor.RootKit
  • FSecure: Rootkit.Win32.Agent.h
  • Trend Micro: TROJ_Generic
  • Trend Micro: TROJ_AGENT.ATEK
  • Sunbelt: Hacktool.Rootkit
  • VirusBuster Beta: Trojan.He4RootKit!gO56LcZjgAQ, Rootkit.Agent!Uqt3weX2yWQ, Rootkit.Agent.O
  • Avast!: Win32:Trojan-gen