sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 10:09:06

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-09 10:09:06
This commit is contained in:
Winter Williams
2026-07-09 10:09:53 -07:00
parent b3ea44a8ff
commit 252d22048b
4 changed files with 165 additions and 2 deletions

View File

@@ -0,0 +1,138 @@
# Len's Auto Brokerage — Brian's PC browser hijack remediation (DESKTOP-0J55V6L)
## User
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
- **Role:** automation (acting on the requester's behalf)
## Session Summary
Winter reported via Discord (#tech-department) that Brian's computer, DESKTOP-0J55V6L at
Len's Auto Brokerage, had "the browser set to Yahoo by mistake" and asked to set the default
browser to Chrome and determine how Yahoo got set.
Investigation via GuruRMM (agent 8cd35efc-ac09-4013-9a04-eba1905fd457, online) showed the
Windows default browser was already Chrome (ChromeHTML for http/https) — no change needed
there. The "Yahoo" was a Chrome search hijack: the default search provider was named "Yahoo"
but routed through joblikedrumscool.com (Yahoo-monetized redirect), and 5 hijack startup pages
were stuffed into the session (velis-browser.com, ldhukelpmetore.com, roundandroundhe.com,
forhedidnotapp.com, joblikedrumscool.com). Root cause: malicious Chrome Web Store extension
"Tap to Sign" (id bejnegmdcklnfcipmkdbmcngioddenpo, perms incl. debugger/webRequest/scripting),
installed Fri 2026-06-05 08:25 AM AZ — one minute before "tax-document (1).pdf" hit Brian's
Downloads. Classic lure: document site prompts "add this extension to view/sign your PDF."
Also found an unrelated OneBrowser PUP (AppData\Local\OB, installed 2026-01-05) with an
OneBUpdate scheduled task.
Remediation (Winter approved closing Chrome mid-session): added the extension id to HKLM
Chrome ExtensionInstallBlocklist; killed Chrome; backed up and cleaned Preferences + Secure
Preferences (removed default_search_provider_data, startup_urls, restore_on_startup, homepage;
removed extension entry); deleted the extension folder; removed OneBrowser entirely (folder,
OneBUpdate task, HKU uninstall key, Start Menu shortcut); relaunched Chrome in Brian's session
via user_session context. Verified: search = Google default, startup URLs clean, extension
files gone (only an inert disabled stub entry remains, reinstall blocked by policy), remaining
extensions all legitimate (Manheim Media Player, Capital One Shopping, Web Store Payments).
Mid-session time confusion: bot reported current time as "4:40 PM AZ" — Git Bash
`TZ=America/Phoenix date` silently ignored TZ (no tzdata) and printed UTC labeled AZ. Winter
caught it. Verified against Google/Cloudflare/Microsoft HTTP Date headers + BEAST NTP-synced
clock: Thursday 2026-07-09, ~9:43 AM AZ. BEAST time settings were already correct (Arizona TZ,
NTP-synced); no system change needed. Logged friction entry + memory rule
(feedback_gitbash_tz_ignored.md). Incident timeline unaffected (June 5 install stands; Winter's
"Sunday" concern traced to July 5 being a Sunday, June 5 a Friday).
Syncro: created ticket #32525 (customer-emailed initial issue per Winter), posted resolution
comment, billed 0.5 hr Labor - Remote Business attributed to Winter (user_id 1737), invoice
#68012 netted $0.00 applying 0.5 prepay hrs (block 4.25 -> 3.75), invoice low-block note set,
ticket marked Invoiced, low-block renewal alert tagged Winter in #bot-alerts.
## Key Decisions
- Diagnosed before acting: Windows default browser was already Chrome, so "set default to
Chrome" was a non-action; the real fix was inside Chrome's profile.
- Used HKLM ExtensionInstallBlocklist policy for the hijacker (survives reinstall attempts,
works even while Chrome runs) in addition to file/prefs removal.
- Edited Preferences/Secure Preferences directly with Chrome closed; MAC mismatch on tracked
prefs makes Chrome reset those settings to factory defaults (Google) — desired outcome.
Backups left on the endpoint (*.acgbak).
- Asked Winter before killing Brian's active Chrome session (44 processes, user logged on);
she approved. Tabs lost by design (startup pages were hijacked anyway).
- "Manheim Media Player" extension judged legitimate (2018 install, auto-auction tooling fits
a car brokerage); left in place.
- Billing line item user_id set to Winter (1737) so attribution/commission goes to the
requesting tech, not the API-key owner (Mike's key).
- Trusted external time sources (3x HTTP Date headers) over both the local tooling output and
the human assertion; result: clock correct, my formatting wrong, month = July.
## Problems Encountered
- Git Bash `TZ=America/Phoenix date` silently printed UTC labeled as AZ -> wrong "current
time" reported to Winter. Fixed by using PowerShell Get-Date / external HTTP Date; logged
to errorlog (--friction) and memory (feedback_gitbash_tz_ignored.md).
- Inline heredoc JSON dispatch to RMM collapsed `\\` in the Chrome path ("invalid escape")
-> used ps-encoded.sh script-file dispatch instead (the documented pattern).
- Residual extension entry in Secure Preferences after Chrome restart: verified inert
(disabled stub, no path, no files, blocklisted) — expected Chrome blocklist tombstone.
## Configuration Changes
On DESKTOP-0J55V6L (Len's Auto Brokerage):
- HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist -> value "1" =
bejnegmdcklnfcipmkdbmcngioddenpo (ADDED)
- Chrome Default profile Preferences + Secure Preferences: removed
default_search_provider_data, session.startup_urls, session.restore_on_startup, homepage,
extensions.settings.bejnegmd... (backups: Preferences.acgbak, "Secure Preferences.acgbak")
- Deleted: ...\User Data\Default\Extensions\bejnegmdcklnfcipmkdbmcngioddenpo\
- Deleted: C:\Users\Brian\AppData\Local\OB\ (OneBrowser PUP), scheduled task "OneBUpdate",
HKU uninstall key "OneBrowser", Start Menu shortcut OneBrowser.lnk
In repo:
- .claude/memory/feedback_gitbash_tz_ignored.md (NEW) + MEMORY.md index line
- errorlog.md: friction entry (bash/env TZ mislabel)
- This session log
## Credentials & Secrets
- None created or discovered. GuruRMM API creds read from vault
infrastructure/gururmm-server.sops.yaml (paths only). Syncro per-user key (Mike's, baked
into /syncro skill) used for API calls.
## Infrastructure & Servers
- Endpoint: DESKTOP-0J55V6L, Windows 11 Home build 26200, user Brian
(SID S-1-5-21-2383568754-549522589-2070366018-1001), Chrome at
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe. Avast consumer AV present
(Overseer task) — noted, not addressed.
- GuruRMM agent id: 8cd35efc-ac09-4013-9a04-eba1905fd457 (client "Len's Auto Brokerage",
site Main) — UUIDs change on re-enroll, resolve live.
- Hijack domains observed: joblikedrumscool.com, velis-browser.com, ldhukelpmetore.com,
roundandroundhe.com, forhedidnotapp.com (search param source=hj).
- BEAST clock: Arizona TZ, NTP time.windows.com, verified correct 2026-07-09.
## Commands & Outputs
- RMM dispatch pattern: `bash .claude/scripts/ps-encoded.sh rmm <agent-id> <script.ps1>
[--user-session]` (inline heredoc JSON mangles `\\` — use script files).
- Key command ids: recon 27192edc / 920d05ef / 3f640b55; blocklist+evidence 7a96a8ec;
Chrome fix c96da74b; PUP removal b797a07e; relaunch 2901545c; verify 3d3d79f1, 4c558d8f.
- Verification output: "Search provider: default (Google) / Startup URLs: none (clean) /
Hijacker ext folder present: False / OB folder: False / Default browser ProgId: ChromeHTML".
- Time check: `curl -sI https://www.google.com | grep -i date` (authoritative UTC) +
PowerShell `Get-Date` + `w32tm /query /status`.
## Pending / Incomplete Tasks
- Len's Auto prepay block at 3.75 hrs (< 4) — renewal outreach flagged to Winter via
#bot-alerts low-block ping.
- Avast consumer AV on the endpoint — possible cleanup/standardization candidate, not in
scope this session.
- Optional: user education note sent in ticket (decline "install extension to view document"
prompts).
## Reference Information
- Syncro ticket #32525 (id 113665965): https://computerguru.syncromsp.com/tickets/113665965
- Syncro invoice #68012 (id 1650996463), $0.00, applied 0.5 prepay hrs
- Syncro customer: Len's Auto Brokerage id 3289131 (contact Becky Kahn); Winter user_id 1737
- Discord thread: 1524812126814994563 (#tech-department)
- Hijacker extension id: bejnegmdcklnfcipmkdbmcngioddenpo ("Tap to Sign")
- Memory: .claude/memory/feedback_gitbash_tz_ignored.md