egui

Discussion in 'ESET NOD32 Antivirus' started by Pieter_Arntz, Sep 23, 2008.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    In a HijackThis log we found this entry:

    O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe

    As you can see, it is using the same startup key NOD32 uses, and it runs an executable file attached as an ADS stream to the System32 folder.

    Have you ever seen this before?
    Unfortunately we were unable to get a sample. :doubt:

    Thanks in advance,
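
    The entry quoted above is exactly what an analyst sees when, as here, no sample can be obtained, so the check worth automating is on the log text itself. The following Python is an added example, not code from this thread or from HijackThis, ESET or the forum: it parses HijackThis-style O4 lines and flags any launch target that contains a colon anywhere other than the drive separator, which on NTFS means the target is an alternate data stream (host:stream[:$TYPE]) attached to a file or, as in this case, a directory. Only the first line of the constructed sample log is the one from the thread; the other lines, including the ESET install path and the "update" value, are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis O4 (startup) entry has the shape
#   O4 - <key>: [<value name>] <command line>
# e.g. the line from the thread:
#   O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe
O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Extensions that terminate an unquoted program path (heuristic).
EXE_EXTENSIONS = ('.exe', '.com', '.scr', '.pif', '.bat', '.cmd')

# Constructed sample log. Only the first O4 line is the one quoted in the
# thread; the others are invented to exercise the parser (the ESET install
# path and the "update" entry are assumptions, not observed data).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [egui] C:\WINDOWS\system32:egui.exe',
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe',
    r'O4 - HKCU\..\Run: [update] %windir%\system32\drivers\etc\hosts:svc.exe:$DATA',
    r'O4 - Startup: desktop.ini',
]


@dataclass
class AdsFinding:
    value_name: str   # Run value name, e.g. "egui"
    key: str          # registry key as HijackThis prints it, e.g. HKLM\..\Run
    host: str         # object carrying the stream, e.g. C:\WINDOWS\system32
    stream: str       # stream name, e.g. egui.exe
    stream_type: str  # usually "$DATA"; "" when the entry omits it


def target_from_command(cmd: str) -> str:
    """Pull the program path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted: Windows tries progressively longer prefixes of the command
    # line as the program name; emulate that by joining whitespace-separated
    # tokens until the accumulated string ends in an executable extension.
    tokens = cmd.split()
    acc = ''
    for tok in tokens:
        acc = tok if not acc else acc + ' ' + tok
        if acc.lower().endswith(EXE_EXTENSIONS):
            return acc
    return tokens[0] if tokens else ''


def split_ads(path: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, stream, stream_type) if `path` names an alternate data
    stream, else None.  The only colon a normal Win32 path may contain is the
    drive separator at index 1 (UNC paths have none); any later colon
    introduces a stream: host:stream[:$TYPE]."""
    start = 2 if len(path) >= 2 and path[1] == ':' else 0
    idx = path.find(':', start)
    if idx == -1:
        return None
    host = path[:idx]
    stream, _, stream_type = path[idx + 1:].partition(':')
    return host, stream, stream_type


def scan_hjt_lines(lines: List[str]) -> List[AdsFinding]:
    """Flag every O4 entry whose program path points into an ADS."""
    findings: List[AdsFinding] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 entry, or a startup-folder entry without [name]
        ads = split_ads(target_from_command(m.group('cmd')))
        if ads is None:
            continue
        host, stream, stream_type = ads
        findings.append(AdsFinding(m.group('name'), m.group('key'),
                                   host, stream, stream_type))
    return findings


if __name__ == '__main__':
    for f in scan_hjt_lines(SAMPLE_LOG):
        print(f'[{f.value_name}] under {f.key}: stream "{f.stream}" '
              f'{f.stream_type or "(type omitted)"} attached to {f.host}')
```

    Only the program path is inspected, not its arguments, so a stream handed to rundll32 or cmd as a parameter is not caught and the rest of the command line still deserves a look. Because the host in the thread's entry is a folder, a naive "does the target exist" check against C:\WINDOWS\system32 would pass; on the machine itself, dir /r (Vista and later) or a stream-listing tool on XP is what actually shows the attached egui.exe.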
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    A few things to try: F-Secure's BlackLight tool for rootkit detection.
    With XP, try out this tool to view an alternate data stream. If you are using Vista, dir's /r switch allows you to see the ADS.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Thanks for your time, SmackyTheFrog.

    We did get rid of the infection. Unfortunately without getting a sample.
    I hadn't seen such a nasty ADS stream infection since the days of AFlooder.
     