
After replacing, rebuilding and getting scared to death... Consider that the last time I did some semi-serious security stuff I was 14/15, reverse engineering CShow. IANAS (I'm not a sysadmin). That said, I've done all these things:

- Installed ps through apt
- Installed ps from DVD
- Compiled and installed ps from ftp.suse.com
- Installed chkrootkit from source
- Installed chkrootkit from apt

and the result ranged from "no infected packages, no modules loaded" to "top and/or ps infected, hidden modules", etc. I doubt that just by substituting 2 binaries I can "unload" trojan modules.

I gave a look at the sources of chkrootkit and discovered which binary was checking for "hidden" modules. I discovered it has an option -v and got this output:

    stige:~ # chkproc -v
    PID 3: not in ps output
    PID 4: not in ps output
    PID 5: not in ps output
    PID 6: not in ps output
    You have 4 process hidden for ps command

Then I did... (edited to fit in email)

    stige:~ # ps aux
    USER  PID  VSZ  RSS TTY STAT START TIME COMMAND
    root    1  620  256 ?   S    22:00 0:04 init [3]
    root    2    0    0 ?   SW   22:00 0:00 [keventd]
    root    0    0    0 ?   SWN  22:00 0:00 [ksoftirqd_CPU0]
    root    0    0    0 ?   SW   22:00 0:00 [kswapd]
    root    0    0    0 ?   SW   22:00 0:00 [bdflush]
    root    0    0    0 ?   SW   22:00 0:00 [kupdated]
    root    8    0    0 ?   SW   22:00 0:00 [khubd]
    root    9    0    0 ?   SW<  22:00 0:00 [mdrecoveryd]

Curiously enough, /proc/3 is actually ksoftirqd_CPU0, /proc/4 is kswapd, ... bdflush, kupdated.

Out of panic mode: reasonable???
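The check chkproc performs, as described in the post (a PID that exists in /proc but is not printed by ps is reported as hidden), together with the cross-check that explains the output above, written as an added Python example that is not chkrootkit's own code. The /proc snapshot and the ps text are constructed from the post; the /proc names are assumed to be what /proc/<pid>/status would show.

```python
# Added example: a chkproc-style "hidden process" comparison, reconstructed
# from the post's description (not chkrootkit's own code). It takes a snapshot
# of /proc (PID -> name) and the text of `ps aux`, reports PIDs that /proc
# knows but ps does not print, and then checks whether a "hidden" PID is
# really a kernel thread that this ps printed with PID 0.
import re

# Constructed sample: what /proc held on the box in the post
# (PID -> name from /proc/<pid>/status). Assumed values.
PROC_SNAPSHOT = {
    1: "init", 2: "keventd", 3: "ksoftirqd_CPU0", 4: "kswapd",
    5: "bdflush", 6: "kupdated", 8: "khubd", 9: "mdrecoveryd",
}

# Constructed sample: the ps output quoted in the post (kernel threads
# 3-6 show up with PID 0).
PS_OUTPUT = """\
USER PID VSZ RSS TTY STAT START TIME COMMAND
root 1 620 256 ? S 22:00 0:04 init [3]
root 2 0 0 ? SW 22:00 0:00 [keventd]
root 0 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]
root 0 0 0 ? SW 22:00 0:00 [kswapd]
root 0 0 0 ? SW 22:00 0:00 [bdflush]
root 0 0 0 ? SW 22:00 0:00 [kupdated]
root 8 0 0 ? SW 22:00 0:00 [khubd]
root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]
"""

def parse_ps(text):
    """Return (pid, command) tuples from `ps aux` text; COMMAND may hold spaces."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        rows.append((int(fields[1]), fields[8]))
    return rows

def hidden_pids(proc_snapshot, ps_text):
    """chkproc's rule: a PID present in /proc but absent from ps is 'hidden'."""
    seen = {pid for pid, _ in parse_ps(ps_text)}
    return sorted(pid for pid in proc_snapshot if pid not in seen)

def explain_hidden(proc_snapshot, ps_text):
    """Split 'hidden' PIDs into ps display artefacts and genuinely unlisted ones.
    A name printed by ps as PID 0 that matches /proc/<pid>'s name is a
    reporting quirk of this ps, not a concealed process."""
    zero_pid_names = {re.sub(r"^\[|\]$", "", cmd)
                      for pid, cmd in parse_ps(ps_text) if pid == 0}
    artefact, suspicious = [], []
    for pid in hidden_pids(proc_snapshot, ps_text):
        (artefact if proc_snapshot[pid] in zero_pid_names else suspicious).append(pid)
    return artefact, suspicious
```

A PID that ends up in the second list has no matching name anywhere in the ps output and is the case worth investigating further.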