Persistent Rootkit with Compromised UEFI and GPU BIOS

I’m the family black sheep, the paranoid nut who has been begging my IT-employed brother and brother-in-law to help me get rid of a persistent rootkit that compromised the system as soon as an air-gapped install off a DVD was finished.

I even bought a complete hardware kit and only brought across my Nvidia 1080 Ti. The motherboard was compromised in a day at least, so I have suspicions about the GPU as well.

It appears to have also embedded itself in my other 2 PCs and I don’t know if I can even trust my router at the moment.

I know I sound crazy, but I’m not. I’m a quick learner and have been tinkering with computers for the past 20 years, but this is out of my league, guys.

I’M BEGGING FOR HELP AND FOR SOMEONE TO JUST TAKE ME SERIOUSLY.


  • Parrot version in use: currently downloading Parrot KDE Security 4.11.3 off my phone to avoid my router for now.

  • Kernel version: whatever ships with 4.11.3

I apologise if I have placed this in the wrong forum, but right now I need all the help I can get.

Sorry, how can you be sure you are infected by a rootkit?
You are saying you have a rootkit in your system/hardware, but there is no other info with which anybody can help you.
And if you really need some help on it, I’d suggest you ask on a forum about malware analysis and digital forensics.

I did my best running with the built-in tools and tried a few other security-related distros as well. Eventually I unplugged everything I use to connect to the Internet.

I’m at a point where I managed to get the system to reveal a mounted drive with a folder called Anti-X. I was trying out MX at the time. There was my install called MX and another called RootMX filled with all manner of installation files.

I should have documented what happened but I was just trying my best on my own.

But what I do know is that there is a 300 MB drive that is identified every time I install, including Parrot, that, when I look at the log file, injects something called Daemon into the installation process. But I am so tired right now; I didn’t get much sleep.

I apologise if I’m not detailed enough.
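Added example, not from any poster in this thread and not Parrot’s own tooling: a UEFI installer creates a small FAT partition of a few hundred MB on every install, the EFI System Partition (ESP), so the first check on a partition that "is identified every time I install" is its GPT partition type. The Python below parses `lsblk -J -o NAME,SIZE,FSTYPE,PARTTYPE,MOUNTPOINT` output and reports partitions typed as an ESP (GPT type GUID C12A7328-F81D-11D2-BA4B-00A0C93EC93B, or type 0xEF on an MBR disk). The sample JSON is constructed, not captured from anyone’s machine, and the function and variable names are the example’s own.

```python
"""Identify EFI System Partitions in `lsblk -J` output (added example)."""
import json
import subprocess

# GPT partition type GUID for the EFI System Partition (from the UEFI spec);
# on MBR-partitioned disks lsblk reports the type byte 0xef instead.
ESP_GPT_GUID = "c12a7328-f81d-11d2-ba4b-00a0c93ec93b"
ESP_MBR_TYPE = "0xef"

LSBLK_COLUMNS = "NAME,SIZE,FSTYPE,PARTTYPE,MOUNTPOINT"


def walk(devices):
    """Yield every disk and partition in lsblk's nested JSON tree."""
    for dev in devices:
        yield dev
        yield from walk(dev.get("children") or [])


def find_esp(lsblk_json: str) -> list[dict]:
    """Return the partitions whose type marks them as an EFI System Partition."""
    tree = json.loads(lsblk_json)["blockdevices"]
    hits = []
    for dev in walk(tree):
        ptype = (dev.get("parttype") or "").lower()
        if ptype in (ESP_GPT_GUID, ESP_MBR_TYPE):
            hits.append({
                "name": dev["name"],
                "size": dev.get("size"),
                "fstype": dev.get("fstype"),
                "mountpoint": dev.get("mountpoint"),
            })
    return hits


def live_lsblk() -> str:
    """Run lsblk on the current machine (needs util-linux; not used by the sample run)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", LSBLK_COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample shaped like `lsblk -J -o NAME,SIZE,FSTYPE,PARTTYPE,MOUNTPOINT`
# on a typical UEFI Debian-family install; the second partition carries the
# "Linux filesystem" GPT type GUID. This is illustrative data, not a real capture.
SAMPLE = """
{"blockdevices": [
  {"name": "nvme0n1", "size": "931.5G", "fstype": null, "parttype": null, "mountpoint": null,
   "children": [
     {"name": "nvme0n1p1", "size": "300M", "fstype": "vfat",
      "parttype": "c12a7328-f81d-11d2-ba4b-00a0c93ec93b", "mountpoint": "/boot/efi"},
     {"name": "nvme0n1p2", "size": "931.2G", "fstype": "ext4",
      "parttype": "0fc63daf-8483-4772-8e79-3d69d8477de4", "mountpoint": "/"}
   ]},
  {"name": "sr0", "size": "4.2G", "fstype": "iso9660", "parttype": null, "mountpoint": "/cdrom"}
]}
"""

if __name__ == "__main__":
    for p in find_esp(SAMPLE):
        print(f"{p['name']:12} {p['size']:>8} {p['fstype']:6} ESP mounted at {p['mountpoint']}")
```

On the machine in question, feed `live_lsblk()` to `find_esp` instead of `SAMPLE`. If the recurring partition is reported as the ESP, its reappearance on every install is expected behaviour of the installer. If it is something else, image it to external media (for example with `dd`) before touching it, so whatever is on it can be examined rather than overwritten by the next install attempt.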

That sounds weird. It could be suspicious, but it’s too soon to say what is going on. It would be nice if you could capture some screenshots to see what is in there, and it’s even better if you can send log files, binaries, … I know basic reverse engineering and maybe I could help a bit.

Here are more log files for whoever is curious and/or may be able to provide me with some assistance. I have to copy/paste the bootlog file because it won’t process it correctly when I try to upload it…

------------ Sun Mar 20 01:25:27 UTC 2022 ------------
[ OK ] Finished Tell Plymouth To Write Out Runtime Data.
[ OK ] Mounted Arbitrary Executable File Formats File System.
[ OK ] Finished Create Volatile Files and Directories.
[ OK ] Started Entropy Daemon based on the HAVEGE algorithm.
Starting live-config configures a live system during the boot process (late userspace).…
Starting Update UTMP about System Boot/Shutdown…
[ OK ] Finished Enable support for additional executable binary formats.
[ OK ] Finished Update UTMP about System Boot/Shutdown.
[ OK ] Started Rule-based Manager for Device Events and Files.
Starting Show Plymouth Boot Screen…
[ OK ] Started Show Plymouth Boot Screen.
[ OK ] Started Forward Password Requests to Plymouth Directory Watch.
[ OK ] Reached target Local Encrypted Volumes.
[ OK ] Reached target Paths.
[ OK ] Reached target System Initialization.
[ OK ] Started Daily apt download activities.
[ OK ] Started Periodic ext4 Online Metadata Check for All Filesystems.
[ OK ] Started Daily exim4-base housekeeping.
[ OK ] Started Discard unused blocks once a week.
[ OK ] Started Weekly GeoIP update.
[ OK ] Started Daily rotation of log files.
[ OK ] Started Daily timer for the Lynis security audit and vulnerability scanner.
[ OK ] Started Daily man-db regeneration.
[ OK ] Started Clean PHP session files every 30 mins.
[ OK ] Started Run system activity accounting tool every 10 minutes.
[ OK ] Started Generate summary of yesterday’s process accounting.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Listening on PC/SC Smart Card Daemon Activation Socket.
[ OK ] Listening on UUID daemon activation socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
Starting Accounts Service…
Starting arpwatch service…
Starting Bluetooth management mechanism…
[ OK ] Started Regular background program processing daemon.
[ OK ] Started D-Bus System Message Bus.
Starting Network Manager…
Starting Remove Stale Online ext4 Metadata Check Snapshots…
Starting Initialize hardware monitoring sensors…
Starting Authorization Manager…
[ OK ] Started Start entropy gathering daemon (rngd).
Starting Self Monitoring and Reporting Technology (SMART) Daemon…
Starting Resets System Activity Logs…
Starting User Login Management…
Starting Disk Manager…
Starting WPA supplicant…
[ OK ] Finished arpwatch service.
[ OK ] Finished Resets System Activity Logs.
[ OK ] Finished Initialize hardware monitoring sensors.
[ OK ] Created slice system-systemd\x2dbacklight.slice.
Starting Load/Save Screen Backlight Brightness of backlight:intel_backlight…
[ OK ] Finished Load/Save Screen Backlight Brightness of backlight:intel_backlight.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status…
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started User Login Management.
Starting Bluetooth service…
[ OK ] Started Authorization Manager.
Starting Modem Manager…
[ OK ] Started Accounts Service.
[ OK ] Started Self Monitoring and Reporting Technology (SMART) Daemon.
[ OK ] Finished Raise network interfaces.
[ OK ] Started WPA supplicant.
[ OK ] Finished Set console font and keymap.
[ OK ] Started Disk Manager.
[ OK ] Finished Remove Stale Online ext4 Metadata Check Snapshots.
[ OK ] Started Network Manager.
[ OK ] Reached target Network.
[ OK ] Started hostapd-wpe - Modified hostapd to facilitate AP impersonation attacks.
Starting OpenSnitch is a GNU/Linux application firewall.…
Starting OpenVPN service…
[ OK ] Started SSL/SSH multiplexer.
[ OK ] Started OpenSnitch is a GNU/Linux application firewall..
[ OK ] Finished OpenVPN service.
[ OK ] Started Bluetooth service.
[ OK ] Reached target Bluetooth.
Starting Save/Restore Sound Card State…
Starting Hostname Service…
[ OK ] Finished Save/Restore Sound Card State.
[ OK ] Reached target Sound Card.
[ OK ] Started Hostname Service.
[ OK ] Started Modem Manager.
Starting Network Manager Script Dispatcher Service…
[ OK ] Started Network Manager Script Dispatcher Service.
[ OK ] Started Bluetooth management mechanism.
[ OK ] Finished live-config configures a live system during the boot process (late userspace)..
Starting live-tools - System Support Scripts…
Starting Permit User Sessions…
[ OK ] Finished live-tools - System Support Scripts.
[ OK ] Finished Permit User Sessions.
Starting Light Display Manager…
Starting Hold until boot process finishes up…

And here is the output of MATE Terminal when I tried to Update/Upgrade…

Parrot Upgrade Terminal Output 3-20-22.odt.log (25.0 KB)
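Added example, not from any poster in this thread and not Parrot’s own tooling: the boot log above shows unit descriptions ("Entropy Daemon based on the HAVEGE algorithm", "hostapd-wpe - Modified hostapd …"), not unit names, and on a Debian-family system such as Parrot the way to answer "is this daemon part of the distro?" is to ask which package owns each enabled unit file. The Python below takes the output of `systemctl list-unit-files --state=enabled --no-legend`, resolves each unit to its file with `systemctl show -p FragmentPath --value`, and asks `dpkg -S` which package shipped that file; a unit file no package claims is the one to read first. The listing, paths and package names in the sample are constructed stand-ins so the code runs offline (the "example-unknown" unit is invented for illustration and refers to nothing real), and the function names are the example’s own.

```python
"""Audit enabled systemd units by which Debian package owns their unit file (added example)."""
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class UnitReport:
    unit: str
    path: Optional[str]
    package: Optional[str]

    @property
    def suspicious(self) -> bool:
        # A unit file that no dpkg package claims was placed by something other
        # than the package manager: an admin, a third-party installer, or malware.
        return self.package is None


def parse_unit_files(listing: str) -> list[str]:
    """First column of `systemctl list-unit-files --state=enabled --no-legend`."""
    units = []
    for line in listing.splitlines():
        fields = line.split()
        if fields:
            units.append(fields[0])
    return units


def audit_units(listing: str,
                fragment_path: Callable[[str], Optional[str]],
                dpkg_owner: Callable[[str], Optional[str]]) -> list[UnitReport]:
    """Map each enabled unit to its on-disk file and to the package owning that file."""
    reports = []
    for unit in parse_unit_files(listing):
        path = fragment_path(unit)
        pkg = dpkg_owner(path) if path else None
        reports.append(UnitReport(unit, path, pkg))
    return reports


# --- live lookups for a Debian-family host (not exercised by the sample run) ---

def live_fragment_path(unit: str) -> Optional[str]:
    out = subprocess.run(["systemctl", "show", "-p", "FragmentPath", "--value", unit],
                         capture_output=True, text=True).stdout.strip()
    return out or None


def live_dpkg_owner(path: str) -> Optional[str]:
    # On merged-/usr Debian systemd may report /usr/lib/... while dpkg recorded
    # /lib/...; try both spellings before concluding that nobody owns the file.
    candidates = [path]
    if path.startswith("/usr/lib/"):
        candidates.append(path[len("/usr"):])
    elif path.startswith("/lib/"):
        candidates.append("/usr" + path)
    for cand in candidates:
        res = subprocess.run(["dpkg", "-S", cand], capture_output=True, text=True)
        if res.returncode == 0:
            # dpkg -S prints "package: /path"; take the package name before the colon.
            return res.stdout.splitlines()[0].split(":", 1)[0].strip()
    return None


# --- constructed sample data standing in for the live commands (illustrative only) ---

SAMPLE_LISTING = """\
arpwatch.service        enabled enabled
hostapd-wpe.service     enabled enabled
opensnitchd.service     enabled enabled
example-unknown.service enabled enabled
"""

SAMPLE_PATHS = {
    "arpwatch.service": "/lib/systemd/system/arpwatch.service",
    "hostapd-wpe.service": "/lib/systemd/system/hostapd-wpe.service",
    "opensnitchd.service": "/lib/systemd/system/opensnitchd.service",
    "example-unknown.service": "/etc/systemd/system/example-unknown.service",
}

SAMPLE_OWNERS = {
    "/lib/systemd/system/arpwatch.service": "arpwatch",
    "/lib/systemd/system/hostapd-wpe.service": "hostapd-wpe",
    "/lib/systemd/system/opensnitchd.service": "opensnitch",
}


def sample_audit() -> list[UnitReport]:
    """Run the audit against the constructed sample instead of the live system."""
    return audit_units(SAMPLE_LISTING, SAMPLE_PATHS.get, SAMPLE_OWNERS.get)


if __name__ == "__main__":
    for r in sample_audit():
        flag = "CHECK " if r.suspicious else "ok    "
        print(f"{flag}{r.unit:28} {r.path or '-':48} {r.package or '(no package)'}")
```

On the machine in question, call `audit_units(listing, live_fragment_path, live_dpkg_owner)` with the real `systemctl list-unit-files` output. Two caveats: a unit file nobody owns is a lead, not proof of compromise, since admins and third-party installers also drop files under /etc/systemd/system; and `dpkg -S` only says a package shipped the path. `dpkg -V <package>` (or `debsums`) compares the installed file against the checksum the package recorded, which catches a unit file edited after installation. Neither check sees anything below the OS, so it answers the "what is this Daemon?" question and nothing about firmware.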

EVERYONE, I would encourage all of you here to listen to Kelvin_Stone, as well as me. PLEASE, do not be dismissive. I am in a very similar situation, but I’ll provide a bunch of logs. BTW, Kelvin, I feel for you on the black sheep thing. My wool is actually so dark that when other black sheep see me they bleat sighs of relief in thankfulness that they aren’t this dark. LOL. But, onto the matters of importance…

My issues started even before I switched to Linux. I used to do independent investigations into many things and publish my findings, which consistently rattled the cages of some very large and dangerous animals. I hung the gloves up years ago for various reasons. However, I started looking into the whole Convid-19 program when it became apparent that it was being taken well beyond fear-mongering on the “news”. In doing so I ended up discovering some sensitive information connecting a number of certain individuals and groups (including politicians, radio hosts, false religious leaders, and military intelligence agents posing as activists and social media content creators) that are currently working together on a large-scale psychological operation to socially engineer certain demographics by way of political astroturfing, as well as surveilling and influencing the public (especially activists and influencers) by electronic means, social platforms, and infiltration. That’s the tip of the iceberg.

Since then, I have been through multiple laptops and even more phones. The issue is always the same, much like Kelvin_Stone: persistent rootkit(s) that survive clean re-installs. With Windows the big giveaways are an abundance of remote log-ons from a dozen or more users/groups, files disappearing or becoming inexplicably corrupted, and when I’d factory reset or clean re-install the OS there is a split-second flash of what looks like the hollow outline of a Command Prompt or File Explorer window on the screen after it “wipes” the drive and the “new” install begins. After the “new” install, the system is the same version it was previously, even though I’ve tried to go from Windows 10 to 11 and from 11 to 10. I have pulled at least 2 brand new laptops out of the box and witnessed them be in an already-corrupted state as soon as I turned them on. One gave an error notification the second it was powered on and then immediately rebooted itself, and the others were also corrupted with rootkits and/or altered BIOS or firmware before I could even get through the set-up process and get to the desktop for the first time. I’ve experienced the same issues with numerous cell phones. These machines were brand new out of the sealed boxes, never previously turned on, and were never connected to the internet, not even during set-up. I looked into how to bypass that nonsense in Windows. After multiple machines I did more research, hence me moving to Linux.

I actually want to run Qubes+Whonix with Parrot running inside Qubes, but at the time that was too much new knowledge to take on all at once while trying to figure out how to recover files safely and so on. Parrot sounded secure enough to use on its own for at least a short period of time, so I created a Parrot live bootable USB and ran it for a couple of days. It seemed to be safe, but I can’t know if it was for sure. I did the install to my system and after I did an update I noticed that Anonsurf started consistently displaying an error message when I would click “Yes” in response to the “Do you want to kill harmfull applications?” dialogue. As soon as I click “Yes”, it says “Error trying to kill harmful applications”, but will then go green and say it is enabled. As well, like Kelvin, I cannot log into my router securely. I get the exclamation point in the triangle error, telling me the connection is not secure, every time I go to the log-in page.

All this being said, although my BIOS is compromised, I am not sure if the rootkit/malware is only on my hard drive or if it is in the firmware (although I am leaning towards it being a hard drive issue at the moment). I am wondering if it’s possible to clean up a compromised install or if I have to do a clean re-install, and how to clean up the malware if possible, and if someone can provide me with a verified clean ISO or how I can get one that is legitimate, considering every time I download a version of Parrot it ends up being compromised and always installs as Parrot 5.14.0, even if I download old versions such as 4.6 or 4.8, etc. I will post some of the output logs I got when running RKHunter and Lynis. These will be long strings of info. Any advice would be greatly appreciated, and if anyone has a way to get me a live-bootable USB of Qubes+Whonix and a 2nd one with Parrot (using USB sticks with secure firmware and physical write-protection lock switches) I’d be happy to compensate someone, unless one of you kind folks out there feel like doing me the favor without charge, as going through 10 or more devices over the last 9 months or so has decimated my finances. Thanks to anyone who read all of that and can offer any help. See logs below.

RkHunter 3-19-22.log (152.8 KB)

Xorg.0.log (71.8 KB)
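Added example, not from any poster in this thread and not Parrot’s own tooling: the post above asks how to get an ISO that is known to be legitimate. The only way to establish that a downloaded image is the one the project published is to compare its SHA-256 digest against the project’s published hash list, and to check the signature on that list (`gpg --verify`) with a signing key whose fingerprint was obtained from a second, independent source. The Python below does the hash comparison in the format `sha256sum` writes (`<hex>  <filename>`), streaming the file so multi-GB images need not fit in memory, and demonstrates it on a constructed stand-in image plus a deliberately altered copy. File names, the stand-in content and the function names are the example’s own.

```python
"""Verify a downloaded image against a sha256sum-style hash list (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional


def parse_hash_list(text: str) -> dict[str, str]:
    """Parse `<hex>  <filename>` lines as written by sha256sum.

    Blank lines and `#` comments are skipped; the binary marker form
    (`<hex> *<filename>`) is accepted as well. Returns {filename: digest}.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) == 64 and name:
            table[name] = digest.lower()
    return table


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a large ISO is never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def verify_image(image: Path, hash_list: Path) -> tuple[bool, Optional[str], str]:
    """Return (matches, expected_digest_or_None, actual_digest) for `image`.

    The lookup is by file name, exactly as `sha256sum -c` does it, so a renamed
    download will report no expected digest rather than a false match.
    """
    expected = parse_hash_list(hash_list.read_text()).get(image.name)
    actual = sha256_file(image)
    return (expected is not None and expected == actual), expected, actual


def demo() -> dict[str, bool]:
    """Constructed demonstration: an intact stand-in image and a one-byte-altered copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = root / "example-live.iso"          # stand-in bytes, not a real image
        good.write_bytes(b"\x00" * 4096 + b"ISO payload")
        hash_list = root / "SHA256SUMS"
        hash_list.write_text(f"{sha256_file(good)}  {good.name}\n")

        tampered_dir = root / "tampered"
        tampered_dir.mkdir()
        tampered = tampered_dir / good.name       # same name, last byte changed
        tampered.write_bytes(good.read_bytes()[:-1] + b"!")

        return {
            "intact": verify_image(good, hash_list)[0],
            "tampered": verify_image(tampered, hash_list)[0],
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:9} {'MATCH' if ok else 'MISMATCH'}")
```

The shell equivalent, with the ISO and the published `SHA256SUMS` in the same directory, is `sha256sum -c SHA256SUMS`; run `gpg --verify` on the signature file for `SHA256SUMS` first, since an unsigned hash list served from the same place as the ISO proves nothing. A machine you already suspect can also misreport the digest it computes, so do the check, and write the USB stick, on a machine you trust.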

I don’t see anything wrong here, except it seems like the user doesn’t know what a rootkit or system applications are.