egui


Pieter_Arntz
September 23rd, 2008, 08:03 AM
In a HijackThis log (http://www.247fixes.com/forums/Resolvedvirtumode-infe-t2231.html#entry13323) we found this entry:

O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe

As you can see it is using the same startup key NOD32 uses and it runs an executable file attached as an ADS stream to the System32 folder.

Have you ever seen this before?
Unfortunately we were unable to get a sample. :-\

Thanks in advance,

SmackyTheFrog
September 23rd, 2008, 03:37 PM
A few things to try: F-Secure's BlackLight (http://www.f-secure.com/security_center/) tool for rootkit detection.
With XP, try out this tool (http://www.visoracle.com/download/freeware/privacy/bojn.html) to view an alternate data stream. If you are using Vista, dir's /r switch allows you to see the ADS.
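Since the entry above is only visible in a HijackThis log until a stream viewer is run, a quick way to triage logs for this pattern is to parse the O4 lines and flag any program path that names an NTFS alternate data stream (a second colon after the drive letter, with or without a trailing :$DATA). The script below is an added example, not code from the thread or from any of the tools mentioned; the sample log lines are constructed, with the [egui] line copying the shape of the one reported above.

```python
import re

# Constructed sample HijackThis O4 (autorun) lines, not from a real log;
# the [egui] line mirrors the shape of the entry discussed above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe',
    r'O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\x.txt:svc.exe:$DATA',
    r'O4 - HKLM\..\Run: [Sound] "C:\Program Files\Realtek\rthdcpl.exe" /s',
]

# O4 - <hive\..\key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# A second colon after the drive letter marks an NTFS alternate data
# stream: <host>:<stream> or <host>:<stream>:$DATA.
ADS_RE = re.compile(
    r'^(?P<host>[A-Za-z]:\\[^:"]*):(?P<stream>[^:"\s]+)(?::\$DATA)?(?:\s|$)')

def image_path(cmd):
    """Return the program path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd

def parse_o4(line):
    """Parse one O4 line; returns None if it is not an O4 entry."""
    m = O4_RE.match(line)
    if m is None:
        return None
    image = image_path(m.group('cmd'))
    entry = {'hive': m.group('hive'), 'name': m.group('name'), 'image': image,
             'is_ads': False, 'ads_host': None, 'ads_stream': None,
             'host_is_dir_like': False}
    ads = ADS_RE.match(image)
    if ads:
        entry['is_ads'] = True
        entry['ads_host'] = ads.group('host')
        entry['ads_stream'] = ads.group('stream')
        # Heuristic: a host without a file extension is probably a directory,
        # which is how the sample above hid egui.exe under System32.
        entry['host_is_dir_like'] = not re.search(r'\.[A-Za-z0-9]{1,4}$',
                                                  ads.group('host'))
    return entry

def find_ads_autoruns(lines):
    """Return parsed O4 entries whose program lives in an alternate stream."""
    parsed = (parse_o4(line) for line in lines)
    return [e for e in parsed if e is not None and e['is_ads']]
```

Running find_ads_autoruns over the constructed lines flags the [egui] and [updater] entries and leaves the two ordinary file paths alone; the host of the [egui] hit has no extension, so it is reported as directory-like.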

Pieter_Arntz
September 24th, 2008, 12:27 AM
Thanks for your time, SmackyTheFrog.

We did get rid of the infection, unfortunately without getting a sample.
I hadn't seen such a nasty ADS stream infection since the days of AFlooder.