In a HijackThis log we found this entry:
O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe
As you can see, it is using the same startup key NOD32 uses and it runs an executable file attached as an ADS stream to the System32 folder. Have you ever seen this before? Unfortunately we were unable to get a sample.
Thanks in advance,
A few things to try:
F-Secure's BlackLight tool for rootkit detection.
With XP, try out this tool to view an alternative data stream. If you are using Vista, dir's /r switch allows you to see the ADS.
Thanks for your time, SmackyTheFrog.
We did get rid of the infection. Unfortunately without getting a sample. I hadn't seen such a nasty ADS stream infection since the days of AFlooder.
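
Added example, not part of the original thread: a small Python triage script that scans HijackThis O4 autorun lines and flags any whose executable path names an alternate data stream, as the entry quoted in the first post does. The function names and the sample log are constructed for illustration; only the system32:egui.exe line comes from the thread.

```python
import re

# HijackThis registry autorun line: O4 - <key>: [<value name>] <command line>
O4_LINE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Extensions used to find where an unquoted executable path ends
EXE_END = re.compile(r'\.(exe|com|bat|cmd|scr|pif)\b', re.IGNORECASE)

def executable_part(cmd):
    """Return the executable path from a Run-key command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_END.search(cmd)
    return cmd[:m.end()] if m else cmd.split()[0]

def split_stream(path):
    """Return (host, stream) if path uses host:stream ADS syntax, else None."""
    has_drive = re.match(r'^[A-Za-z]:', path) is not None
    drive, rest = (path[:2], path[2:]) if has_drive else ('', path)
    host, sep, stream = rest.partition(':')   # any colon past the drive letter
    return (drive + host, stream) if sep else None

def ads_autoruns(log_text):
    """List O4 entries whose executable lives in an alternate data stream."""
    hits = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        found = split_stream(executable_part(m['cmd']))
        if found:
            hits.append({'key': m['key'], 'name': m['name'],
                         'host': found[0], 'stream': found[1]})
    return hits

# Constructed sample log; only the system32:egui.exe line is from the thread.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe
O4 - HKCU\..\Run: [updater] C:\Tools\updater.exe /server:example.invalid:8080
'''

if __name__ == '__main__':
    for hit in ads_autoruns(SAMPLE_LOG):
        print('ADS autorun [%(name)s] host=%(host)s stream=%(stream)s' % hit)
```

Colons inside arguments are ignored because only the executable portion of the command line is checked. A flagged host that is a directory, as here, is a stream attached to the folder itself.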