Jeremy Sanders wrote: > Micky L Martin wrote: > >> Because rpm and rpmverify also seemed to have been modified so I cannot >> trust 'rpm -V' package verification. >> >> Already did lsof and process tracing but to no avail. Does anyone have >> any idea how to find that culprit? > > Are you sure it's not prelink that's modifying the files? You can google > how to disable this. > > Boot from a CD to check the checksums or run rpm if you want a clean > environment. Don't really know about prelink, but I strongly agree with the last suggestion: boot from a CD, or USB key, or something *other* than your hard drive - your comments strongly suggest that you've been infected. You *do* have backups of your configuration and data (and home directories, etc)? If so, you might want to do a reinstall without formatting... and then, and only then, rerun grub-install. mark