n-add problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by sosaman, Mar 11, 2006.

  1. sosaman

    sosaman Sergeant Major

    i'm not exactly sure what's going on here. at 1st i got it (zone alarm popup) every now and then, now it seems to be more frequent. i've run scans and they all come up clear. i'm not sure if i set something to check for automatic updates?, or if this is legit? i think at one time (i'm not sure), that i saw something on an ad-aware scan about n-add, however i'm not totally sure. i've attached a few screen shots. notice that it tries to access the same address "172.16.0.1".

    windows xp, sp2
    sbc yahoo protection (computer associates antivirus)
    sbc yahoo antispy
    zone alarm firewall (home)
    ad-aware se personal
    spyware blaster
    spybot s&d
     


  2. sosaman

    sosaman Sergeant Major

    here's a couple more screen shots. notice that these say gateway.2wire.net.

    i have dsl from sbc, and my modem is a 2wire modem (which has 2wire software).

    i also deleted all programs from zone alarm, thinking that i might have accidentally blocked something that needs access, but i'm still getting this popup. - sos
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Go ahead and post a HijackThis log along with the BitDefender and Panda Logs.
     
  4. sosaman

    sosaman Sergeant Major

    ok, i've posted my 1st few scans (bitdefender 1st), then the panda scans. the "Potentially unwanted tool" is a program that i use, however i currently deleted it. as of this morning i haven't got anything (popup), but it wasn't all the time anyways. - sos
     


  5. sosaman

    sosaman Sergeant Major

    here are my hjt log files. these are before and after, i deleted that program file (in case it made a difference). - sos
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Panda ActiveScan is alerting on pskill.exe, which is the file name of a Trojan Horse. The copy that was found may or may not be a Trojan.

    Upload C:\Program Files\PgcEdit\bin\pskill.exe to http://virusscan.jotti.org/ for analysis.
     
  7. sosaman

    sosaman Sergeant Major

    sorry it took so long for me to respond (to my own thread, lol). anyway, i was almost totally convinced that this program might have been the culprit, as the frequency of the zonealarm popup has decreased. however, i got another one today, and when i checked the log i guess i got one yesterday. i saved the scan as an .html file and added it to my website. - sos

    http://users3.ev1.net/~ahls/virusscan.html <-- jotti.org scan
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    From that report I would say that in this case pskill.exe is not a Trojan.


    Running WinPfind by OldTimer
    Post the WinPFind text file after it has finished scanning.
     
  9. sosaman

    sosaman Sergeant Major

    ok, here's my results of that scan... - sos
     


  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete the following file: C:\WINDOWS\RMAgentOutput.dll
     
  11. sosaman

    sosaman Sergeant Major

    well, i think i finally know what it is/was? i believe (i haven't talked to 2wire yet), it has to do with my modem or something like that. i typed in the ip address in my browser and it came up to my 2wire software (where i can view/edit stuff), notice the web address in the 2nd and 3rd pic. i just don't know why i've never seen this before? maybe i blocked something this go around, or maybe the update for zone alarm catches this now?
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That very well may be the case. You could deny access and if there are problems always go back and grant access.
     
