Unix/Linux Security Myth ~ - Security & Cryptography
First things first, sorry to resurrect an old thread.

Let's suppose you have downloaded an unknown application that's precompiled. That program watches and sends keystrokes to a remote server... for that it needs root access. It should ask for access... why does that program need root... you won't allow it, problem solved.

Code:
crw-r----- 1 root root 13, 64 Jul 15 19:00 event0

Let's suppose a hacker finds a way to watch keystrokes w/o needing root privileges (that's not gonna happen, look at graph #1). Then you noticed an unwanted 'movement' when looking at iftop / htop / top, whatever you want, then you 'killed' that process... with SIGKILL. What will that process do? (Unlike Windows, it is KILLED.)

Again, let's think about that process somehow gaining root access and copying itself over $SHELL's location (I will use /bin/sh), and moving that shell to /bin/.sh, so the process runs itself before that shell and forks the original one to make itself 'invisible' to the user. You have noticed that opening a new xterm or logging in takes a 'suspiciously longer' time, and when digging in recursive order you found the /bin/.sh file. You checked the 'x'sum (md5, sha256, whatever) of those .sh and sh files and found out sh is a 'fake' and .sh is the original... Basically, moving .sh to sh will OVERWRITE it, but you should close all other shell sessions before doing it... Use a script like that:

Code:
#!/bin/.sh

Well, if that didn't work, shut down your computer, fire up some 'live' distro... go to the desired folder, do your job and exit. You can test it with a chroot environment... So where is your virus now :)

Code:
Slax 7.0.8 (32-bits + PAE)
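The post relies on two defender-side observations: the `crw-r-----` mode on `/dev/input/event0` is what keeps unprivileged processes away from raw keystrokes, and a hidden `/bin/.sh` sitting next to a `/bin/sh` with a different checksum is the tell-tale of the swapped-shell scenario. The script below is an added example, not code from the thread or its author, that turns both observations into checks you can run: it lists hidden dot-files that shadow a visible binary name and compares their SHA-256 digests, and it flags device nodes readable by "other". The directory layout, file contents and device-node stand-ins built in `demo()` are constructed for illustration (plain files with chosen mode bits stand in for the character devices).

```python
#!/usr/bin/env python3
"""Added example: two checks for the signs described in the post.

find_shadowed_binaries(bindir)  - report hidden ".name" files that sit next to a
                                  visible "name" in a bin directory, with a
                                  SHA-256 comparison of the two.
check_input_device_modes(devdir) - report entries under a /dev/input-like
                                  directory that are readable by 'other'.
demo() builds a throwaway layout (constructed data) and runs both checks.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_binaries(bindir: str) -> list:
    """One record per hidden file whose name, minus the leading dot, also exists."""
    names = set(os.listdir(bindir))
    findings = []
    for name in sorted(names):
        if not name.startswith(".") or name in (".", ".."):
            continue
        visible = name[1:]
        if visible not in names:
            continue
        hidden_path = os.path.join(bindir, name)
        visible_path = os.path.join(bindir, visible)
        # Only compare regular files (symlink targets included, as /bin/sh often is one).
        if not (os.path.isfile(hidden_path) and os.path.isfile(visible_path)):
            continue
        hidden_hash = sha256_of(hidden_path)
        visible_hash = sha256_of(visible_path)
        findings.append({
            "visible": visible_path,
            "hidden": hidden_path,
            "same_content": hidden_hash == visible_hash,
            "visible_sha256": visible_hash,
            "hidden_sha256": hidden_hash,
        })
    return findings


def check_input_device_modes(devdir: str) -> list:
    """Paths under devdir (directories skipped) that grant read access to 'other'."""
    offenders = []
    for name in sorted(os.listdir(devdir)):
        path = os.path.join(devdir, name)
        mode = os.stat(path).st_mode
        if stat.S_ISDIR(mode):
            continue  # /dev/input/by-id and friends are directories, not nodes
        if mode & stat.S_IROTH:
            offenders.append(path)
    return offenders


def demo() -> dict:
    """Constructed layout mirroring the post: a fake sh beside the real .sh,
    plus one correctly restricted and one world-readable 'device node'."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    devdir = os.path.join(root, "input")
    os.makedirs(bindir)
    os.makedirs(devdir)
    # Constructed stand-ins: the original shell moved aside to .sh, a different file left as sh.
    with open(os.path.join(bindir, ".sh"), "wb") as f:
        f.write(b"ORIGINAL-SHELL-BYTES (constructed)\n")
    with open(os.path.join(bindir, "sh"), "wb") as f:
        f.write(b"REPLACEMENT-BYTES (constructed)\n")
    with open(os.path.join(bindir, "ls"), "wb") as f:
        f.write(b"ls (constructed, has no hidden twin)\n")
    # Constructed stand-ins for event nodes: 0640 matches the post's crw-r-----, 0644 does not.
    for name, mode in (("event0", 0o640), ("event1", 0o644)):
        path = os.path.join(devdir, name)
        with open(path, "wb"):
            pass
        os.chmod(path, mode)
    return {
        "shadowed": find_shadowed_binaries(bindir),
        "world_readable": check_input_device_modes(devdir),
    }


if __name__ == "__main__":
    result = demo()
    for rec in result["shadowed"]:
        verdict = "identical" if rec["same_content"] else "DIFFERENT content"
        print(f"{rec['hidden']} shadows {rec['visible']}: {verdict}")
    for path in result["world_readable"]:
        print(f"world-readable device entry: {path}")
```

On a real system you would point `find_shadowed_binaries` at `/bin`, `/sbin`, `/usr/bin` and `check_input_device_modes` at `/dev/input`; a hit from the first check still needs a comparison against the package manager's recorded digest to decide which copy is genuine, since the script only tells you the two files differ.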