
Persistent Bootkit/Rootkit/Spyware on x64/arm/ios/aarch


I have several devices that behave in the same way the last couple of weeks. A couple of years back I spent all hours of the day, or days on end, scraping the web and learning various Linux processes while processing some personal stuff. I got unlucky and got caught in a web of only theoretically existing technology after one too many searches/domain visits that triggered various departments. The syslogs showed anomalies but I could not trace or fix it. No one believed me what was happening. They thought I went crazy since my findings, experiences and conclusions were pretty much stuff only seen in movies. Ended up tossing out everything with a chip, moved places and used burner dumbphones for months and started using a laptop again a year later and only on public networks far from known places. Had a hard time recovering trust in tech/internet. They {tried} to bug my house during the extremely rare moments I went outside to do shopping. I usually ordered in. Several times I got followed and once I rushed back home to find a person rushing down the stairs quickly and disappearing into an alleyway. They eventually set up a system close by. They tracked my mum's devices also and I ended up getting her a new laptop and phone and changed her modem and IP address. I genuinely forgot about that one laptop and a month ago I reinstalled Linux on it for a temp solution. The same USB stick used to install that laptop was needed for one of my devices last month and ***** went south real fast almost instantly. Within minutes I knew that I ff'd up big time. In the logs I saw various filesystems as router advertisements being broadcast from a Pi4 Plex NFSv4 server and began to see webpages on my laptop about certain packages including repositories and a (for me) very memorably named signing key link, but with a 12h earlier timestamp.
A similar page found its way to my screen years back and even then the timestamp was recent while the software package is outdated for around 20 years and has known security flaws. Seeing that gave me a very wary feeling. Within hours I felt an odd energy in the house, which were audio pulses/morse code signals being sent and intercepted by mic-enabled devices, and just as back in the day some appliances started to act on this event too. Years back I knew why I got targeted even though it felt highly unfair. Why can an <insert profession> search for something specific but, when a normal guy wants to know all the ins and outs of something specific, he ends up on some list somewhere. But this time I was just really unlucky by opening Pandora's box. I am spending hours and hours digging through the filesystems, journals, systemd processes, conf files, git repos but can't figure out the purpose of the injected stuff. I find it odd they only gather info on default folders that are empty or non-existent and don't touch my actual files. I have SecureBoot enabled on my main device and so far the log reports that the GnuPG keychain is still secret. I am not planning to reinstall or update kernels even though weird stuff happens and more packages seem to install automatically on a daily basis. My laptop is fully functional in the sense that I can still do personal stuff and so far all my accounts and services are still okay. Just banking seems an issue since they have stricter policies and red flag quirky connections pretty quickly.

I used System Recovery on an almost similar device since I am a Linux user and wanted to restore that device to Windows hoping to "mask" the seemingly unharmful bootkit and sell it to the next guy who doesn't give a ***** about privacy. Under Windows 11 however this bootkit is very persistent and I can see the process in full glance. Every file got overshadowed by the same file but with different params. At first nothing seems to happen but the more webpages load the more code gets deflated. I literally don't know the purpose of it except messing with one's head. Since they got their spyware(?) already on my devices back in the day they should have root level access. It's such an over-the-top complete set of tools that I don't really understand the need to inject and/or alter JS script code onto a webpage and/or the URL contains <string>packagenames<more string>another packagename<crypted instructions>, and by the time you click links a corresponding file gets deflated somewhere into the registry. On my Linux laptop I can't find the purpose of the config files that are appearing; they are lacking other files needed to work as a package and they generally are populated with data not applicable to my current setup. On Windows the code also does not do much (good). Browser Developer Tools pretty much reports all code as deprecated or that the servers they are requesting files from are unreachable. This Windows box got updated to the latest firmware while doing the recovery, so I'm not sure about the integrity of the hardware. The registry lists that SecureBoot got shadowed/bypassed, while also showing outdated info as if it still has factory default settings.

My devices are too new and too expensive to dump. I'm not being targeted this time; I am fairly certain that I am not a person of interest anymore. I'm just an odd fella who can put way too much time into obsessions, and who cares way too much about the right to privacy (and the right to learn new stuff every day).

Any help is appreciated. At this point I am willing to ship my Linux box (the old one) (or the USB stick) out so one could go through the rabbit hole themselves and either go crazy or learn of all the secret service toolkits. All device identifiers are stored, kept and transferred onto the next target. I don't really see a way of cleaning it. Various fora claim firmware hacks are virtually unheard of but I have a device lying around that does not have a battery connected to the mainboard. Placed a new SSD with a verified image and straight away it performs the same identical tasks as the compromised devices. Warranty doesn't cover viruses/software issues but I also don't feel good about selling or giving away a high end laptop knowing it performs some odd magic.

Don't know what to achieve here. Tried running AV software but it returned nothing. Windows reports it is secure. HP also reports that the hardware and its device keys are fine. Can't use USB with toolkits since data gets altered on insertion. I guess I am just tired of trying to learn all these processes alone while a whole team has carefully built it and put it together. At the same time I must assume that everything on the web is either trying to trick you, showing altered pages in one way or another, or maybe I am still not allowed to utilize the web fully and they put me on a smaller subnet with limited content and fewer users. Many of the websites appear deserted when I look up stuff, with just a handful of users (humans or AI generated?) and post dates that quickly go back a few years.

Preferably I want to solve it. It would give me a good feeling. But I have put in so many hours, and learning and understanding everything alone is just too much. Writing about it ONLINE has been a massive step for me. I have not written a single word that is not config material on a computer in years.


Hello @LuckyBird and welcome:

For now, please allow us to concentrate first on one Windows PC of your choosing and continue below:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.

Edited by 1PW

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.
