Hi all
I have a workstation that is now reporting the lssas.dll file to be infected with win32/psw.qqrob.naq virus.
The atatched screenshot shows the infection and NOD32 unable to remove it as its in use already.
After booting into safemode and trying doing another in-depth anaylis no infected files where found. While in safemode went directly to the system32 folder and deleted the lsass.dll file.

Booted into windows as normal, started the scan and again the lsass.dll file was found by NOD to be infected.

I will be taking the HDD out the case and set it as a slave to scan from another system.

Can someone make sense whats happening here?

Have you tried deleting it in safe mode? If it doesn't help, try using the Undll (http://www.nod32.it/tools/undll.zip) tool.

Thanks for the response Marco.
I did delete the file in safemode, so unsure why it is still re-generated back.
How do i use undll, and what is it for?

Try deactivating System Restore and then do another full scan in safe mode!

Running windows 2000 pro, so no sys restore.
Thanks for the feedback tho, appreciate it.

I'd suggest that you send a log from Autoruns (http://download.sysinternals.com/Files/Autoruns.zip) to support[at]eset.com with this thread's url in the subject.

{QUOTE-> I'd suggest that you send a log from Autoruns (http://download.sysinternals.com/Files/Autoruns.zip) to support[at]eset.com with this thread's url in the subject. <-QUOTE}

Autoruns.txt file sent to NOD.
Thanks