setro, you are running linux. you are a power user. you can solve this virus problem manually.
do not destroy your install, you can probably save it.
1: what distro are you using?
2: disconnect the device from the internet if you have a spare mobile device or another computer - just yank the ethernet cable out if you can. (okay not really, but pull it out pronto)
2.5: no seriously, do that now if you can, right loving now
3: follow these steps exactly
1. open a terminal, and run this command: ps aux > psbefore.txt
2. reboot computer
3. BEFORE LOGGING IN, press ctrl+alt+f1 and log in with your username and password - your password won't be visible at all while typing it in, this is normal, just type it carefully.
4. run this command in the resulting terminal: ps aux > psafter.txt
5. run this command: diff psbefore.txt psafter.txt > psdiff.txt
6. PM me this file, as well as the psafter.txt file (you should check them with less psafter.txt (scroll with arrow keys and stuff) to make sure no passwords or anything is in there. if there is, don't send them to me and then tell me so, i'll walk you through censoring the thing. otherwise leave them be.)
what those steps will do is cause an export of all process names running on your computer to be put into a text file. from there, we reboot, then we get a new list. then we check which lines are missing and the same from before and after the reboot, allowing us to see things that started on boot, for example.
here's a condensed example output:
lugnut 834 3.8 7.2 266012 74232 ? Sl Jan18 3:42 /opt/google/chrome/chrome --type=renderer --lang=en-US --force-fieldtrials=AutocompleteDynamicTrial_2/DefaultControl_R2
lugnut 893 1.6 6.1 242084 63156 ? Sl Jan18 1:14 /opt/google/chrome/chrome --type=renderer --lang=en-US --force-fieldtrials=AutocompleteDynamicTrial_2/DefaultControl_R2
root 1081 0.1 0.0 0 0 ? S Jan18 0:03 [kworker/0:2]
root 1115 0.1 0.0 0 0 ? S 00:03 0:02 [kworker/0:0]
lugnut 1198 0.5 5.7 234400 59260 ? Sl 00:11 0:10 /opt/google/chrome/chrome --type=renderer --lang=en-US --force-fieldtrials=AutocompleteDynamicTrial_2/DefaultControl_R2
lugnut 1204 4.7 6.0 240400 61848 ? Sl 00:11 1:36 /opt/google/chrome/chrome --type=renderer --lang=en-US --force-fieldtrials=AutocompleteDynamicTrial_2/DefaultControl_R2
root 1714 0.0 0.0 0 0 ? S 00:39 0:00 [kworker/1:2]
root 1725 0.2 0.0 0 0 ? S 00:44 0:00 [kworker/0:1]
lugnut 1732 96.2 0.3 7948 3456 pts/0 R+ 00:44 0:07 python notavirus.py
lugnut 1737 8.2 0.3 6128 3180 pts/2 Ss 00:44 0:00 zsh
lugnut 1742 0.0 0.1 4344 1164 pts/2 R+ 00:45 0:00 ps aux
root 1927 0.0 0.0 2376 284 ? Ss 2013 0:08 /sbin/rpcbind -w
statd 1958 0.0 0.0 2648 300 ? Ss 2013 0:00 /sbin/rpc.statd
root 1963 0.0 0.0 0 0 ? S< 2013 0:00 [rpciod]
root 1965 0.0 0.0 0 0 ? S< 2013 0:00 [nfsiod]
root 1973 0.0 0.0 2576 28 ? Ss 2013 0:00 /usr/sbin/rpc.idmapd
root 2325 0.0 0.0 29224 936 ? Sl 2013 0:57 /usr/sbin/rsyslogd -c5
it's immediately apparent upon searching through this that you can see everything that got run - particularly the "python notavirus.py" line. you see that this gives us a very useful bit of info about the malicious program - everything else on that list checks out.
we can then use scripts to search through every directory looking for "notavirus.py", isolate the file, brown townyze the file, delete the file, you name it. if we're really loving crafty and the malicious user is really loving stupid, we might even be able to get them busted. not even joking.
oh, and two other things
1: add me on steam lugnut1206 or lugnut, i don't remember how you find me
2: pm me your steam name when you do so - or pm me the steam name if you've already got me added
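
The before/after comparison described in the post, as an added example that is not part of the original post: it compares the two snapshots on user and command line only, so PIDs, CPU figures and start times that change across a reboot do not show up as differences. The function names, the kworker folding and the sample snapshots are assumptions constructed for illustration.

```shell
# Added example: compare two `ps aux` snapshots by user and command line only.
# ps aux columns 1-10 are USER PID %CPU %MEM VSZ RSS TTY STAT START TIME;
# column 11 onward is the command line.
ps_commands() {
    awk '$1 == "USER" && $2 == "PID" { next }   # header row
         NF >= 11 {
             cmd = $11
             for (i = 12; i <= NF; i++) cmd = cmd " " $i
             # kworker threads are renumbered constantly; fold them together
             if (cmd ~ /^\[kworker\//) cmd = "[kworker]"
             print $1, cmd
         }' "$1" | LC_ALL=C sort -u
}

# ps_compare MODE BEFORE AFTER
#   both = in both snapshots, gone = only in BEFORE, new = only in AFTER
ps_compare() {
    case "$1" in
        both) pc_flag=-12 ;;
        gone) pc_flag=-23 ;;
        new)  pc_flag=-13 ;;
        *) echo "usage: ps_compare both|gone|new BEFORE AFTER" >&2; return 2 ;;
    esac
    pc_a=$(mktemp) && pc_b=$(mktemp) || return 1
    ps_commands "$2" > "$pc_a"
    ps_commands "$3" > "$pc_b"
    LC_ALL=C comm "$pc_flag" "$pc_a" "$pc_b"
    rm -f "$pc_a" "$pc_b"
}

# Constructed sample snapshots (not real captures), written into directory $1.
make_samples() {
    cat > "$1/psbefore.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1081  0.1  0.0      0     0 ?        S    Jan18   0:03 [kworker/0:2]
root      2325  0.0  0.0  29224   936 ?        Sl   2013    0:57 /usr/sbin/rsyslogd -c5
lugnut    1732 96.2  0.3   7948  3456 pts/0    R+   00:44   0:07 python notavirus.py
lugnut    1737  8.2  0.3   6128  3180 pts/2    Ss   00:44   0:00 zsh
EOF
    cat > "$1/psafter.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        57  0.0  0.0      0     0 ?        S    09:01   0:00 [kworker/1:0]
root       611  0.0  0.0  29224   940 ?        Sl   09:01   0:00 /usr/sbin/rsyslogd -c5
lugnut     702  3.1  0.3   7948  3460 ?        S    09:01   0:01 python notavirus.py
lugnut     750  0.0  0.3   6128  3180 tty1     Ss   09:02   0:00 -zsh
EOF
}
```

After sourcing the file, `ps_compare both psbefore.txt psafter.txt` lists what came back after the reboot, and `gone` or `new` list what appears in only one snapshot.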