This Rootkit comes in the form of a Windows DLL application extension. The original file name HookNTQSI.dll, which in turn inspired the McAfee alias.


Like the other Rootkits in the Agent family, it is not a standalone piece of malware. This is normally bundled with other malicious files. The DLL is customized to hide Trojan programs in Task Manager, to avoid detetion. It can also be customized to hook and intercept Windows message boxes.


  • Boot into Safe Mode or a Live CD
  • Force delete the file %system%\HookNTQSI.dll
  • Clean up with an antivirus and/or MBAM



Securelist (Kaspersky Labs),