On a notebook workstation on this network had msblast removed by trendmicro's online scan. Norton Antivirus picked up lovsan in what I think was a IE cache file, but I didn't delete it and on second scan it didn't pick it up again. This above was just to note it's previous existence on my network. the problem now 2 workstations have open constant connection between them on port 1027 or close number port. lsass.exe is the process running on this port. (fport determined) Constant connection always has data flow and only when both the workstations are on. Does anyone know what this is? How do I fix it? PLEASE HELP! In think I noticed in netmonitor on server or a log on gateway something like "mail/browse" . Would copying over with a known good copy of lsass.exe fix it? Workstations running Win2000sp2 IE5.0 with netbios enabled. (yes I know I need to update it) While I have really no idea - could it be a netbios hack with data being collected to mail somewhere?