1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: ZeroAccess RootKit Activity 6

System Infected: ZeroAccess RootKit Activity 6

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


Your computer is infected - Action is recommended, see response section for further details on how to run the removal tool.

This IPS signature is designed to detect and block the network communications initiated by Trojan.Zeroaccess to prevent the threat from receiving additional commands and further updates even when antivirus might not be able to detect the infection.

Additional Information

Su equipo esta infectado. Se recomienda realizar alguna accion, consulte la seccion de respuesta para obtener mas detalles.
Votre ordinateur est infecte. Voir la section Reponse pour plus de details sur les mesures a prendre.

Ihr Computer ist infiziert - Sie sollten Massnahmen ergreifen. Weitere Informationen finden Sie im Response-Abschnitt.

Il tuo computer e infetto: e consigliabile intervenire subito, per ulteriori dettagli consulta la sezione delle risposte.

Trojan.Zeroaccess is a Trojan horse that opens a back door on the compromised computer. It hides itself on the computer by creating a hidden file system on the disk to store its own files.

When a computer is compromised by the Trojan, it may attempt to contact a remote computer to provide information or status and also to receive commands. If you see an alert informing you that this signature has been triggered, it means your computer is infected by a risk and you need to take action to contain and remove the risk from your computer.

Associated vulnerabilities:
• N/A

Associated risks:

Using IPS can help protect against the web attacks from exploiting vulnerabilities that may install malware such as Trojans and viruses.


  • Microsoft Windows based operating systems.


Your system is infected with a variant of Trojan.Zeroaccess. If your Symantec product reports this IPS signature, it could indicate the presence of a Trojan.Zeroaccess variant that is not detected by the current antivirus signatures on the computer.

We recommend the following steps to help protect and verify the integrity of the computer:
• Run the Trojan.Zeroaccess removal tool.
Update your product definitions and perform a full system scan.
Identify suspect files.
Submit suspected files to Symantec for analysis.

If you believe that the signature is reported erroneously, please try the following:
Changing the behavior of Symantec IPS signatures.
Report possible false positive to Symantec.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube