sync: auto-sync from GURU-BEAST-ROG at 2026-07-07 14:18:48
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-07 14:18:48
This commit is contained in:
committed by
ClaudeTools Bot
parent
5edab36df6
commit
30c20df2b9
@@ -0,0 +1,116 @@
|
||||
# Session Log — TPM-PC Security Popup Investigation / Ace PUP Removal
|
||||
|
||||
## User
|
||||
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||
- **Role:** automation (acting on the requester's behalf)
|
||||
|
||||
## Session Summary
|
||||
|
||||
Winter reported (Discord #tech-department, thread 1524159746490241207) that Tom Moore at
|
||||
Mineralogical Record was getting recurring security warning popups on TPM-PC and asked for
|
||||
an infection/malware check.
|
||||
|
||||
Located TPM-PC in GuruRMM (agent `03322f46-42b8-432d-a103-bdcae244ab55`, Mineralogical
|
||||
Record / Main, Windows, online, agent v0.6.79). Ran a three-pass remote recon via RMM
|
||||
PowerShell dispatch: (1) AV posture — Datto AV active and healthy (productState 266240),
|
||||
Datto EDR present, Windows Defender dormant (normal when Datto AV owns RTP), zero threat
|
||||
detections in Defender history; user `tpm` logged in at console. (2) Autoruns / recent
|
||||
installs / scheduled tasks — surfaced the "Ace" browser (BrowseAI LLC, a known
|
||||
Chromium-based PUP) installed 6/26/2026 in the TPM user profile with AceAutoLaunch +
|
||||
AceUpdater run keys and a per-user updater scheduled task; also flagged a ScreenConnect
|
||||
client installed 7/5. (3) Deep-dive — Ace's browser profile had push notifications ALLOWED
|
||||
from `d96l780hubcc73atdgc0.authorax.co.in`, a scareware push-notification domain: the
|
||||
source of the fake security alerts. Chrome/Edge notification grants were benign
|
||||
(facebook, yahoo, jds.fr, thecountyoffice.com). Ace's binary is validly signed by
|
||||
"BrowseAI LLC" (Delaware).
|
||||
|
||||
Verified the 7/5 ScreenConnect install is legitimate: relay
|
||||
`instance-kgc7jt-relay.screenconnect.com`, client ID `1912bf3444b41a08` — ACG's own
|
||||
ScreenConnect Cloud instance (confirmed against wiki: dataforth-dos.md, glaztech.md,
|
||||
ucryo.md). Custom fields "MinRec / Moore" match the client/contact.
|
||||
|
||||
Mike approved removal in-thread. Executed full Ace cleanup via RMM (cmd df60f39d, exit 0):
|
||||
no Ace processes running; removed both run keys (verified gone), the AceUpdater scheduled
|
||||
task, the per-user uninstall registry key ("Ace Ace"), the `Software\Ace` hive, the entire
|
||||
`C:\Users\TPM\AppData\Local\Ace` folder (verified gone), and Ace shortcuts from Desktop,
|
||||
Start Menu, and Quick Launch. The scareware notification grant lived inside Ace's profile,
|
||||
so it was removed with the folder.
|
||||
|
||||
Winter then asked for a Syncro ticket. Created ticket #32511 (customer Mineralogical
|
||||
Record 207770, contact Tom Moore 744293, Issue Type Security, assigned Winter 1737,
|
||||
Resolved), posted the full investigation/remediation narrative as the Initial Issue
|
||||
comment (do_not_email), billed 0.5 hr Labor - Remote Business @ $150 (line credited to
|
||||
Winter, user_id 1737), created invoice #67997 ($75.00, customer has no prepaid block),
|
||||
set the block-rate upsell invoice note, and marked the ticket Invoiced. Bot alerts posted
|
||||
to #dev-alerts (RMM dispatches + remediation) and #bot-alerts (ticket + billing).
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Classified as PUP/scareware, not a true infection: Datto AV/EDR healthy with zero
|
||||
detections; the popups traced to Ace's push-notification grant from authorax.co.in.
|
||||
- Did NOT treat the disabled Windows Defender as a finding — Defender is dormant by design
|
||||
when Datto AV registers as primary AV.
|
||||
- Verified the fresh (7/5) ScreenConnect install against the wiki before trusting it —
|
||||
ScreenConnect is a common scammer tool, but instance kgc7jt / client 1912bf3444b41a08 is
|
||||
ACG's own.
|
||||
- Gated the destructive cleanup on explicit approval (Mike: "yes") per hard rule on
|
||||
file deletion; gated billing on a dollar-figure preview (Winter confirmed).
|
||||
- Left Chrome/Edge notification grants alone: benign sites, and editing Preferences while
|
||||
the browser may be running is unreliable/futile.
|
||||
- Billed with `add_line_item` direct (no timer), price_retail fetched live (150.0),
|
||||
product_category verified non-null ("Labor"), taxable:false explicit, line user_id set
|
||||
to Winter so commission attribution is correct despite Mike's API key.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- First recon dispatch returned exit 1 despite full output — caused by `query user`
|
||||
returning a nonzero exit in the SYSTEM context. Output was complete; ignored.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- TPM-PC (remote endpoint): removed Ace PUP browser — run keys (AceAutoLaunch,
|
||||
AceUpdaterTaskUser148.0.7782.0) from HKU\S-1-5-21-2859265824-3766688748-477818468-1001,
|
||||
scheduled task `AceUpdaterTaskUser148.0.7782.0{25A1EC0B-3DD4-4B9D-86A4-8F6FEF9BD284}`,
|
||||
per-user uninstall key "Ace Ace", `HKCU\Software\Ace` hive,
|
||||
`C:\Users\TPM\AppData\Local\Ace` folder, shortcuts (Desktop / Start Menu / Quick Launch).
|
||||
- No ClaudeTools repo files changed other than this session log.
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- None created or discovered. Vault reads: none (GuruRMM auth via
|
||||
`infrastructure/gururmm-server.sops.yaml` through rmm-auth.sh; Syncro via per-user key
|
||||
baked into /syncro skill, Mike's key).
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- TPM-PC — Mineralogical Record / Main, Windows, GuruRMM agent
|
||||
`03322f46-42b8-432d-a103-bdcae244ab55`, v0.6.79. Console user `tpm` (SID
|
||||
S-1-5-21-2859265824-3766688748-477818468-1001).
|
||||
- AV stack: Datto AV (primary, healthy) + Datto EDR (infocyte agent, HUNTAgent service).
|
||||
- ScreenConnect: ACG cloud instance kgc7jt, client ID 1912bf3444b41a08 (legit).
|
||||
- Backup: Carbonite present.
|
||||
- GuruRMM API: http://172.16.3.30:3001.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- RMM recon cmds: b7fae325 (Defender/AV/users), 8daec6a2 (autoruns/installs/tasks),
|
||||
85cfdd9b (Ace detail + notification grants + SC service path).
|
||||
- Remediation cmd: df60f39d — all steps verified in-output (run keys removed, task
|
||||
removed, folder deleted, 3 shortcuts removed), exit 0.
|
||||
- Scareware indicator: Ace profile notification allow for
|
||||
`https://d96l780hubcc73atdgc0.authorax.co.in:443`.
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- None. If Tom reports further popups, check what site/download bundled Ace on 6/26
|
||||
(likely a freeware installer) and re-audit browser notification grants.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Syncro ticket #32511 (id 113590558): https://computerguru.syncromsp.com/tickets/113590558
|
||||
- Syncro invoice #67997 (id 1650974680), $75.00, 0.5 hr remote
|
||||
- Customer: Mineralogical Record (207770), contact Tom Moore (744293), prepay_hours 0.0
|
||||
- Discord thread: 1524159746490241207 (#tech-department)
|
||||
- Bot alerts: #dev-alerts msgs 1524160693321076787 / 1524161303139193056; #bot-alerts
|
||||
msgs 1524162218864803941 / 1524162487203659886
|
||||
Reference in New Issue
Block a user