egui

Discussion in 'ESET NOD32 Antivirus' started by Pieter_Arntz, Sep 23, 2008.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    In a HijackThis log we found this entry:

    O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe

    As you can see it is using the same startup key NOD32 uses and it runs an executable file attached as an ADS stream to the System32 folder.

    Have you ever seen this before?
    Unfortunately we were unable to get a sample. :doubt:

    Thanks in advance,
     
    Pieter_Arntz, Sep 23, 2008
    #1
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    A few things to try: F-secure's Blacklight tool for rootkit detection
    With XP, try out this tool to view an alternative data stream. If you are using Vista, dir's /r switch allows you to see the ADS.
     
    SmackyTheFrog, Sep 23, 2008
    #2
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thanks for your time SmackyTheFrog

    We did get rid of the infection. Unfortunately without getting a sample.
    I hadn't seen such a nasty ADS stream infection since the days of AFlooder.
     
    Pieter_Arntz, Sep 24, 2008
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...