lsass.exe lovsan msblast port 1027 HELP!

On a notebook workstation on this network had msblast removed by trendmicro's online scan. Norton Antivirus picked up lovsan in what I think was a IE cache file, but I didn't delete it and on second scan it didn't pick it up again.

This above was just to note it's previous existence on my network.



the problem now
2 workstations have open constant connection between them on port 1027 or close number port.
lsass.exe is the process running on this port. (fport determined)
Constant connection always has data flow and only when both the workstations are on.



Does anyone know what this is? How do I fix it?
PLEASE HELP!


In think I noticed in netmonitor on server or a log on gateway something like "mail/browse" .


Would copying over with a known good copy of lsass.exe fix it?

Workstations running Win2000sp2 IE5.0 with netbios enabled.
(yes I know I need to update it)


While I have really no idea - could it be a netbios hack with data being collected to mail somewhere?

 

Run a virus scan from www.pandasoftware.com/activescan

It will detect all viruses and unknown ones if you select unknown virus detection.

However I had port 1027 open last week, I have NO virus atall and I just had to block it in my firewall.

I think it is the result of the new microsoft update to the RPC service.

 

Hi jump

lsass -> Local Security Authority Service

lsass.exe is something you will always see running in task manager. The port it opens and listens on is usually associated with IPSec. If you are not using IPSec on your network, go into Services, IPSec Policy Agent, stop it and set it to manual.

Regards,

CrazyM