sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 10:09:06
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-09 10:09:06
This commit is contained in:
@@ -0,0 +1,138 @@
|
||||
# Len's Auto Brokerage — Brian's PC browser hijack remediation (DESKTOP-0J55V6L)
|
||||
|
||||
## User
|
||||
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||
- **Role:** automation (acting on the requester's behalf)
|
||||
|
||||
## Session Summary
|
||||
|
||||
Winter reported via Discord (#tech-department) that Brian's computer, DESKTOP-0J55V6L at
|
||||
Len's Auto Brokerage, had "the browser set to Yahoo by mistake" and asked to set the default
|
||||
browser to Chrome and determine how Yahoo got set.
|
||||
|
||||
Investigation via GuruRMM (agent 8cd35efc-ac09-4013-9a04-eba1905fd457, online) showed the
|
||||
Windows default browser was already Chrome (ChromeHTML for http/https) — no change needed
|
||||
there. The "Yahoo" was a Chrome search hijack: the default search provider was named "Yahoo"
|
||||
but routed through joblikedrumscool.com (Yahoo-monetized redirect), and 5 hijack startup pages
|
||||
were stuffed into the session (velis-browser.com, ldhukelpmetore.com, roundandroundhe.com,
|
||||
forhedidnotapp.com, joblikedrumscool.com). Root cause: malicious Chrome Web Store extension
|
||||
"Tap to Sign" (id bejnegmdcklnfcipmkdbmcngioddenpo, perms incl. debugger/webRequest/scripting),
|
||||
installed Fri 2026-06-05 08:25 AM AZ — one minute before "tax-document (1).pdf" hit Brian's
|
||||
Downloads. Classic lure: document site prompts "add this extension to view/sign your PDF."
|
||||
Also found an unrelated OneBrowser PUP (AppData\Local\OB, installed 2026-01-05) with an
|
||||
OneBUpdate scheduled task.
|
||||
|
||||
Remediation (Winter approved closing Chrome mid-session): added the extension id to HKLM
|
||||
Chrome ExtensionInstallBlocklist; killed Chrome; backed up and cleaned Preferences + Secure
|
||||
Preferences (removed default_search_provider_data, startup_urls, restore_on_startup, homepage;
|
||||
removed extension entry); deleted the extension folder; removed OneBrowser entirely (folder,
|
||||
OneBUpdate task, HKU uninstall key, Start Menu shortcut); relaunched Chrome in Brian's session
|
||||
via user_session context. Verified: search = Google default, startup URLs clean, extension
|
||||
files gone (only an inert disabled stub entry remains, reinstall blocked by policy), remaining
|
||||
extensions all legitimate (Manheim Media Player, Capital One Shopping, Web Store Payments).
|
||||
|
||||
Mid-session time confusion: bot reported current time as "4:40 PM AZ" — Git Bash
|
||||
`TZ=America/Phoenix date` silently ignored TZ (no tzdata) and printed UTC labeled AZ. Winter
|
||||
caught it. Verified against Google/Cloudflare/Microsoft HTTP Date headers + BEAST NTP-synced
|
||||
clock: Thursday 2026-07-09, ~9:43 AM AZ. BEAST time settings were already correct (Arizona TZ,
|
||||
NTP-synced); no system change needed. Logged friction entry + memory rule
|
||||
(feedback_gitbash_tz_ignored.md). Incident timeline unaffected (June 5 install stands; Winter's
|
||||
"Sunday" concern traced to July 5 being a Sunday, June 5 a Friday).
|
||||
|
||||
Syncro: created ticket #32525 (customer-emailed initial issue per Winter), posted resolution
|
||||
comment, billed 0.5 hr Labor - Remote Business attributed to Winter (user_id 1737), invoice
|
||||
#68012 netted $0.00 applying 0.5 prepay hrs (block 4.25 -> 3.75), invoice low-block note set,
|
||||
ticket marked Invoiced, low-block renewal alert tagged Winter in #bot-alerts.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Diagnosed before acting: Windows default browser was already Chrome, so "set default to
|
||||
Chrome" was a non-action; the real fix was inside Chrome's profile.
|
||||
- Used HKLM ExtensionInstallBlocklist policy for the hijacker (survives reinstall attempts,
|
||||
works even while Chrome runs) in addition to file/prefs removal.
|
||||
- Edited Preferences/Secure Preferences directly with Chrome closed; MAC mismatch on tracked
|
||||
prefs makes Chrome reset those settings to factory defaults (Google) — desired outcome.
|
||||
Backups left on the endpoint (*.acgbak).
|
||||
- Asked Winter before killing Brian's active Chrome session (44 processes, user logged on);
|
||||
she approved. Tabs lost by design (startup pages were hijacked anyway).
|
||||
- "Manheim Media Player" extension judged legitimate (2018 install, auto-auction tooling fits
|
||||
a car brokerage); left in place.
|
||||
- Billing line item user_id set to Winter (1737) so attribution/commission goes to the
|
||||
requesting tech, not the API-key owner (Mike's key).
|
||||
- Trusted external time sources (3x HTTP Date headers) over both the local tooling output and
|
||||
the human assertion; result: clock correct, my formatting wrong, month = July.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- Git Bash `TZ=America/Phoenix date` silently printed UTC labeled as AZ -> wrong "current
|
||||
time" reported to Winter. Fixed by using PowerShell Get-Date / external HTTP Date; logged
|
||||
to errorlog (--friction) and memory (feedback_gitbash_tz_ignored.md).
|
||||
- Inline heredoc JSON dispatch to RMM collapsed `\\` in the Chrome path ("invalid escape")
|
||||
-> used ps-encoded.sh script-file dispatch instead (the documented pattern).
|
||||
- Residual extension entry in Secure Preferences after Chrome restart: verified inert
|
||||
(disabled stub, no path, no files, blocklisted) — expected Chrome blocklist tombstone.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
On DESKTOP-0J55V6L (Len's Auto Brokerage):
|
||||
- HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist -> value "1" =
|
||||
bejnegmdcklnfcipmkdbmcngioddenpo (ADDED)
|
||||
- Chrome Default profile Preferences + Secure Preferences: removed
|
||||
default_search_provider_data, session.startup_urls, session.restore_on_startup, homepage,
|
||||
extensions.settings.bejnegmd... (backups: Preferences.acgbak, "Secure Preferences.acgbak")
|
||||
- Deleted: ...\User Data\Default\Extensions\bejnegmdcklnfcipmkdbmcngioddenpo\
|
||||
- Deleted: C:\Users\Brian\AppData\Local\OB\ (OneBrowser PUP), scheduled task "OneBUpdate",
|
||||
HKU uninstall key "OneBrowser", Start Menu shortcut OneBrowser.lnk
|
||||
|
||||
In repo:
|
||||
- .claude/memory/feedback_gitbash_tz_ignored.md (NEW) + MEMORY.md index line
|
||||
- errorlog.md: friction entry (bash/env TZ mislabel)
|
||||
- This session log
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- None created or discovered. GuruRMM API creds read from vault
|
||||
infrastructure/gururmm-server.sops.yaml (paths only). Syncro per-user key (Mike's, baked
|
||||
into /syncro skill) used for API calls.
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- Endpoint: DESKTOP-0J55V6L, Windows 11 Home build 26200, user Brian
|
||||
(SID S-1-5-21-2383568754-549522589-2070366018-1001), Chrome at
|
||||
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe. Avast consumer AV present
|
||||
(Overseer task) — noted, not addressed.
|
||||
- GuruRMM agent id: 8cd35efc-ac09-4013-9a04-eba1905fd457 (client "Len's Auto Brokerage",
|
||||
site Main) — UUIDs change on re-enroll, resolve live.
|
||||
- Hijack domains observed: joblikedrumscool.com, velis-browser.com, ldhukelpmetore.com,
|
||||
roundandroundhe.com, forhedidnotapp.com (search param source=hj).
|
||||
- BEAST clock: Arizona TZ, NTP time.windows.com, verified correct 2026-07-09.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- RMM dispatch pattern: `bash .claude/scripts/ps-encoded.sh rmm <agent-id> <script.ps1>
|
||||
[--user-session]` (inline heredoc JSON mangles `\\` — use script files).
|
||||
- Key command ids: recon 27192edc / 920d05ef / 3f640b55; blocklist+evidence 7a96a8ec;
|
||||
Chrome fix c96da74b; PUP removal b797a07e; relaunch 2901545c; verify 3d3d79f1, 4c558d8f.
|
||||
- Verification output: "Search provider: default (Google) / Startup URLs: none (clean) /
|
||||
Hijacker ext folder present: False / OB folder: False / Default browser ProgId: ChromeHTML".
|
||||
- Time check: `curl -sI https://www.google.com | grep -i date` (authoritative UTC) +
|
||||
PowerShell `Get-Date` + `w32tm /query /status`.
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- Len's Auto prepay block at 3.75 hrs (< 4) — renewal outreach flagged to Winter via
|
||||
#bot-alerts low-block ping.
|
||||
- Avast consumer AV on the endpoint — possible cleanup/standardization candidate, not in
|
||||
scope this session.
|
||||
- Optional: user education note sent in ticket (decline "install extension to view document"
|
||||
prompts).
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Syncro ticket #32525 (id 113665965): https://computerguru.syncromsp.com/tickets/113665965
|
||||
- Syncro invoice #68012 (id 1650996463), $0.00, applied 0.5 prepay hrs
|
||||
- Syncro customer: Len's Auto Brokerage id 3289131 (contact Becky Kahn); Winter user_id 1737
|
||||
- Discord thread: 1524812126814994563 (#tech-department)
|
||||
- Hijacker extension id: bejnegmdcklnfcipmkdbmcngioddenpo ("Tap to Sign")
|
||||
- Memory: .claude/memory/feedback_gitbash_tz_ignored.md
|
||||
Reference in New Issue
Block a user