0access replaced services.exe with a fake one

The BFE service has disappeared after reboot, and NIS pops up an error message. But NIS still seems to be working well, for the virus alerts come up every several minutes. It seems similar to the posts here:

 http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Errors-80000000-and-00000001/td-p/744954

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Keeps-Blocking-the-same-virus/td-p/743450

 

 

355.PNG

 

NPE could find a process named "services.exe" whose status is "Unknown"; however, it couldn't be repaired by NPE.

 

347.png

 

Looking into the "services.exe" process, NPE shows the details below. However, clicking "locate" just leads you to the system32 folder, not to the specific file.

 

.348.PNG

 

349.PNG

 

In fact, the file "services.exe" exists in the "system32" folder, but I don't know whether it is the file that NPE found. Anyway, it should have been replaced, according to the File Insight below.

 

350.PNG

 

The File Insight is shown below. And the VT result is here: https://www.virustotal.com/file/572a5bb0f0026b84e6e371f88b92f460fa607d4d85fa22965d121a5c8b15cd1d/analysis/1340636667/

 

351.PNG

 

352.PNG

 

353.PNG

 

 

The first as well as the last picture show the relationship between 0access and services.exe clearly. So I am now wondering a little whether the file reputation system of Symantec has any defects, for services.exe is wrongly rated as "Favorable".

Anyone who needs the suspicious original virus can PM me their email address.