Why is lsass.exe accessing the Internet? (long--sorry)

(Note that I've been reading the history with limited knowledge, so I may be getting paranoid.)

 

Yesterday, I updated Adobe reader, went online, and got this weird error in Vista. Firefox was taking forever, so I attempted to close it and it all went gray and frozen. I gave it a minute or so then tried Ctrl Alt Del. It didn't seem to do anything, so I waited a bit more.

 

The screen then went black and I got a dialog box titled "Logon process has failed to create the security options dialog." The message in the box was "Failure--Security Options" with an okay button.

 

I hit the okay button and I got back to a happily working Firefox. I attempted to google the error but halfway through typing it, the screen went black and it popped up again--only to go back to Firefox after hitting okay.

 

I found some info on the Microsoft forums which told me to run Checkdisk in Safe Mode. I went into Safe Mode, where Windows told me I could only run Checkdisk on my C drive at startup and I could schedule a scan to do so next time I restarted. So I ran that, and it fixed some things, but it ran by so quickly that I really couldn't see what they were. (Plus, I really don't know what I'm doing, so it wouldn't mean anything to me anyway.) It rebooted normally, and I haven't gotten the error again.

 

Now people on the Microsoft forums were saying that it was either a problem with S.M.A.R.T. something-or-other, a corrupted file, something wrong with my hard drive, or my anti-virus software wasn't Vista-compatible. I'm running NIS 2009 and it was installed remotely by a Norton employee (due to my old version getting corrupted), so I know the last one wasn't the case, but I figured I'd check the history to see if there were any problems.

 

So the history shows that "an instance of C:\Windows\System32\lsass.exe is preparing to access the Internet," right before it showed "User Logged On." I scrolled deeper into the history and this appears to be the first time this has ever been recorded. I googled lsass.exe and found out that it is some security thing related to logging onto Windows, and that certain viruses may imitate or infect it.

 

This file is in \System32, which is the right location for the legitimate file. It also starts with the letter L, like the legitimate file does. When I go into task manager, it's not running as a process. But combined with the weird error message I got that sounds related to Windows log-on security, I got worried.

 

I ran a full system scan in NIS which found nothing. I also downloaded the free version of MalwareBytes and ran a full system scan in that, which also found nothing. So figuring that maybe lsass.exe had built-in reporting or something, I turned off the computer.

 

When I turned it back on, I checked Norton's history again. Again, there was a report of lsass.exe accessing the Internet just before the user logged on report. From my limited knowledge of what lsass.exe is, I can't see any reason for it to be accessing the Internet. And I really can't see any reason for it to inexplicably start now, on a two year old computer, right after an error message.

 

I figure either one of two things happened. Either lsass.exe somehow became infected with a virus that caused the weird behavior yesterday and NIS and MalwareBytes can't pick it up; or CheckDisk somehow "fixed" lsass.exe into accessing the Internet, or "fixed" Norton into allowing it to do so.

 

Does anyone have any idea as to which it is? If it is a virus, how to I get rid of it when no one recognizes it? And if it isn't a virus, should I allow it to access the Internet or not, and if I shouldn't allow it to do so, how do I configure Norton to block it?

Message Edited by LisaAF on 11-27-2009 04:14 AM