  1. #1
    Member
    Join Date
    Nov 2000
    Posts
    137

    is this a virus or trojan??

    1. Every time I start up my comp I get Windows Explorer trying to connect to 239.255.255.250:1900, then it's denied permission by ZoneAlarm, then another alert trying to connect to 127.0.0.1:1029. Anyone know what's going on?
    2. The past 2 days I've been getting an IP (142.177.1.64, 142.177.1.65, 142.176.33.178) trying to connect to my comp, trying like 10 different ports at a time (a lot of times). I was getting alerts like crazy last night. What could the situation be here, as I don't think it is a web server that I was recently at trying to reconnect? Please advise.

  2. #2
    Member
    Join Date
    May 2001
    Location
    Beautiful British Columbia
    Posts
    127
    Have you tried a virus scan? Try pc-cillin (not as many hoops to jump through as McAfee to just download it and it works just as well.)
    The 239.255.255.250 doesn't have any domain name registered with it, and the 127.0.0.1 is defined as a loopback address, so all your computer does is test-bounce a message off of itself, so to speak.
    The 142.177.1.x belongs to somebody using a dial-up connection to Sympatico in Nova Scotia, Canada (bluenoseII.ns.sympatico.ca).
    I don't know any legit programs that try 10 different ports on your computer (usually 2 or 3 gives plenty of flexibility for a legit internet app). Probably someone was port scanning you. Take note of the exact time it happens again (if it happens again) and let Sympatico know that someone using their network is trying to connect to your computer in a suspicious way.

  3. #3
    Member
    Join Date
    May 1999
    Location
    Oklahoma
    Posts
    156
    The scanning and the attempted external connections are not related. The scanning should be taken care of by documenting times and IP and sending an e-mail to abuse@sympatico.ca.

    As for the outbound connection, that is a little more complicated. I am assuming that you are using Windows ME, as it will always happen in Windows ME.

    Port 1900 is used by ssdpsrv (Simple Service Discovery Protocol) and is used for UPnP. Explorer is being used for the outbound connection and ssdpsrv is used for the inbound connection.

    This is what happens:

    Universal Plug and Play functionality involves five processes:

    Discovery - A Universal Plug and Play device advertises its presence on the network to other devices and control points by using the Simple Service Discovery Protocol (SSDP). A newly added control point uses SSDP to discover Universal Plug and Play devices on the network. The information exchanged between the device and the control point is limited to discovery messages that provide basic information about the devices and their services, along with a description URL, which can be used to gather additional information about the device.


    Description - Using the URL provided in the discovery process, a control point receives XML information about the device, such as make, model, and serial number. In addition, the description process can also include a list of embedded devices, embedded services, and URLs used to access device features.


    Control - Control points use URLs provided during the description process to access additional XML information that describes actions to which the Universal Plug and Play device services respond, along with parameters for each action. Control messages are formatted in XML and use the Simple Object Access Protocol (SOAP) protocol.


    Eventing - When a control point subscribes to a service, the service sends event messages to the control point to announce changes in device status. Event messages are formatted in XML and use General Event Notification Architecture (GENA).


    Presentation - If a Universal Plug and Play device provides a presentation URL, a browser can be used to access interface control features, device or service information, or any device-specific abilities implemented by the manufacturer.

    Read more about it at http://support.microsoft.com/support.../Q262/4/58.ASP
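
An added example, not part of the original thread: a small triage script that applies the two checks discussed above, labelling outbound alerts to the SSDP multicast group or to loopback, and flagging inbound sources that probe many distinct ports along with the first and last times to cite in an abuse report. The local address 192.168.0.10, the timestamps, the probed ports and the 10-port threshold are assumptions made up for the sample data.

```python
import ipaddress
from collections import defaultdict

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP discovery multicast group
SSDP_PORT = 1900
SCAN_THRESHOLD = 10  # assumption: distinct ports from one source before calling it a scan

# Constructed alerts: (timestamp, direction, source IP, destination IP, destination port).
# 192.168.0.10 stands in for the local machine; times and probed ports are invented.
SAMPLE_ALERTS = [
    ("2001-06-01T08:00:05", "out", "192.168.0.10", "239.255.255.250", 1900),
    ("2001-06-01T08:00:06", "out", "192.168.0.10", "127.0.0.1", 1029),
    ("2001-06-01T21:14:40", "in", "142.176.33.178", "192.168.0.10", 139),
] + [
    (f"2001-06-01T21:15:{s:02d}", "in", "142.177.1.64", "192.168.0.10", 1020 + s)
    for s in range(10)
]

def classify_outbound(dst, port):
    """Label an outbound destination so local-only traffic is separated out."""
    ip = ipaddress.ip_address(dst)
    if ip == SSDP_GROUP and port == SSDP_PORT:
        return "ssdp-discovery"   # UPnP device discovery
    if ip.is_loopback:
        return "loopback"         # never leaves the machine
    if ip.is_multicast:
        return "multicast-other"
    return "external"

def find_scanners(alerts, threshold=SCAN_THRESHOLD):
    """Return {source: (sorted ports, first seen, last seen)} for inbound
    sources that tried at least `threshold` distinct ports."""
    seen = defaultdict(lambda: {"ports": set(), "times": []})
    for ts, direction, src, _dst, port in alerts:
        if direction == "in":
            seen[src]["ports"].add(port)
            seen[src]["times"].append(ts)
    return {
        src: (sorted(d["ports"]), min(d["times"]), max(d["times"]))
        for src, d in seen.items()
        if len(d["ports"]) >= threshold
    }

if __name__ == "__main__":
    for ts, direction, src, dst, port in SAMPLE_ALERTS:
        if direction == "out":
            print(ts, dst, port, classify_outbound(dst, port))
    for src, (ports, first, last) in find_scanners(SAMPLE_ALERTS).items():
        print(f"report {src}: {len(ports)} ports between {first} and {last}")
```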