Comment on Update: Remote Access Trojan backdoored through WINE

frongt@lemmy.zip 4 days ago

That’s a lot of words and no actual evidence. Like you see 20copyfiles, but what does it actually do? You see privoxy installed, but how is it configured?

Like 80% of this is just you seeing something and making wild assumptions. Like a trivial Google search for “kernel drop_monitor”, since I’ve never heard of it:

www.kernelconfig.io/CONFIG_NET_DROP_MONITOR

This feature provides an alerting service to userspace in the event that packets are discarded in the network stack.

I know remote-fs is normal because it’s part of every install I’ve seen: ubuntu-mate.community/t/…/24640

Neither of these is evidence of compromise.

And while privoxy can be used with tor, it’s by no means a good way to do anything, and certainly not the primary way to use Tor (that would be their own client).

The stuff clamav is picking up could certainly be malware, if you downloaded some cracked software or something. But as I mentioned last time, exploiting Linux via Wine is an extremely unlikely attack vector.
