sync: auto-sync from GURU-BEAST-ROG at 2026-07-07 14:18:48

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-07 14:18:48
This commit is contained in:
Winter Williams
2026-07-07 14:19:54 -07:00
committed by ClaudeTools Bot
parent 5edab36df6
commit 30c20df2b9

View File

@@ -0,0 +1,116 @@
# Session Log — TPM-PC Security Popup Investigation / Ace PUP Removal
## User
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
- **Role:** automation (acting on the requester's behalf)
## Session Summary
Winter reported (Discord #tech-department, thread 1524159746490241207) that Tom Moore at
Mineralogical Record was getting recurring security warning popups on TPM-PC and asked for
an infection/malware check.
Located TPM-PC in GuruRMM (agent `03322f46-42b8-432d-a103-bdcae244ab55`, Mineralogical
Record / Main, Windows, online, agent v0.6.79). Ran a three-pass remote recon via RMM
PowerShell dispatch: (1) AV posture — Datto AV active and healthy (productState 266240),
Datto EDR present, Windows Defender dormant (normal when Datto AV owns RTP), zero threat
detections in Defender history; user `tpm` logged in at console. (2) Autoruns / recent
installs / scheduled tasks — surfaced the "Ace" browser (BrowseAI LLC, a known
Chromium-based PUP) installed 6/26/2026 in the TPM user profile with AceAutoLaunch +
AceUpdater run keys and a per-user updater scheduled task; also flagged a ScreenConnect
client installed 7/5. (3) Deep-dive — Ace's browser profile had push notifications ALLOWED
from `d96l780hubcc73atdgc0.authorax.co.in`, a scareware push-notification domain: the
source of the fake security alerts. Chrome/Edge notification grants were benign
(facebook, yahoo, jds.fr, thecountyoffice.com). Ace's binary is validly signed by
"BrowseAI LLC" (Delaware).
Verified the 7/5 ScreenConnect install is legitimate: relay
`instance-kgc7jt-relay.screenconnect.com`, client ID `1912bf3444b41a08` — ACG's own
ScreenConnect Cloud instance (confirmed against wiki: dataforth-dos.md, glaztech.md,
ucryo.md). Custom fields "MinRec / Moore" match the client/contact.
Mike approved removal in-thread. Executed full Ace cleanup via RMM (cmd df60f39d, exit 0):
no Ace processes running; removed both run keys (verified gone), the AceUpdater scheduled
task, the per-user uninstall registry key ("Ace Ace"), the `Software\Ace` hive, the entire
`C:\Users\TPM\AppData\Local\Ace` folder (verified gone), and Ace shortcuts from Desktop,
Start Menu, and Quick Launch. The scareware notification grant lived inside Ace's profile,
so it was removed with the folder.
Winter then asked for a Syncro ticket. Created ticket #32511 (customer Mineralogical
Record 207770, contact Tom Moore 744293, Issue Type Security, assigned Winter 1737,
Resolved), posted the full investigation/remediation narrative as the Initial Issue
comment (do_not_email), billed 0.5 hr Labor - Remote Business @ $150 (line credited to
Winter, user_id 1737), created invoice #67997 ($75.00, customer has no prepaid block),
set the block-rate upsell invoice note, and marked the ticket Invoiced. Bot alerts posted
to #dev-alerts (RMM dispatches + remediation) and #bot-alerts (ticket + billing).
## Key Decisions
- Classified as PUP/scareware, not a true infection: Datto AV/EDR healthy with zero
detections; the popups traced to Ace's push-notification grant from authorax.co.in.
- Did NOT treat the disabled Windows Defender as a finding — Defender is dormant by design
when Datto AV registers as primary AV.
- Verified the fresh (7/5) ScreenConnect install against the wiki before trusting it —
ScreenConnect is a common scammer tool, but instance kgc7jt / client 1912bf3444b41a08 is
ACG's own.
- Gated the destructive cleanup on explicit approval (Mike: "yes") per hard rule on
file deletion; gated billing on a dollar-figure preview (Winter confirmed).
- Left Chrome/Edge notification grants alone: benign sites, and editing Preferences while
the browser may be running is unreliable/futile.
- Billed with `add_line_item` direct (no timer), price_retail fetched live (150.0),
product_category verified non-null ("Labor"), taxable:false explicit, line user_id set
to Winter so commission attribution is correct despite Mike's API key.
## Problems Encountered
- First recon dispatch returned exit 1 despite full output — caused by `query user`
returning a nonzero exit in the SYSTEM context. Output was complete; ignored.
## Configuration Changes
- TPM-PC (remote endpoint): removed Ace PUP browser — run keys (AceAutoLaunch,
AceUpdaterTaskUser148.0.7782.0) from HKU\S-1-5-21-2859265824-3766688748-477818468-1001,
scheduled task `AceUpdaterTaskUser148.0.7782.0{25A1EC0B-3DD4-4B9D-86A4-8F6FEF9BD284}`,
per-user uninstall key "Ace Ace", `HKCU\Software\Ace` hive,
`C:\Users\TPM\AppData\Local\Ace` folder, shortcuts (Desktop / Start Menu / Quick Launch).
- No ClaudeTools repo files changed other than this session log.
## Credentials & Secrets
- None created or discovered. Vault reads: none (GuruRMM auth via
`infrastructure/gururmm-server.sops.yaml` through rmm-auth.sh; Syncro via per-user key
baked into /syncro skill, Mike's key).
## Infrastructure & Servers
- TPM-PC — Mineralogical Record / Main, Windows, GuruRMM agent
`03322f46-42b8-432d-a103-bdcae244ab55`, v0.6.79. Console user `tpm` (SID
S-1-5-21-2859265824-3766688748-477818468-1001).
- AV stack: Datto AV (primary, healthy) + Datto EDR (infocyte agent, HUNTAgent service).
- ScreenConnect: ACG cloud instance kgc7jt, client ID 1912bf3444b41a08 (legit).
- Backup: Carbonite present.
- GuruRMM API: http://172.16.3.30:3001.
## Commands & Outputs
- RMM recon cmds: b7fae325 (Defender/AV/users), 8daec6a2 (autoruns/installs/tasks),
85cfdd9b (Ace detail + notification grants + SC service path).
- Remediation cmd: df60f39d — all steps verified in-output (run keys removed, task
removed, folder deleted, 3 shortcuts removed), exit 0.
- Scareware indicator: Ace profile notification allow for
`https://d96l780hubcc73atdgc0.authorax.co.in:443`.
## Pending / Incomplete Tasks
- None. If Tom reports further popups, check what site/download bundled Ace on 6/26
(likely a freeware installer) and re-audit browser notification grants.
## Reference Information
- Syncro ticket #32511 (id 113590558): https://computerguru.syncromsp.com/tickets/113590558
- Syncro invoice #67997 (id 1650974680), $75.00, 0.5 hr remote
- Customer: Mineralogical Record (207770), contact Tom Moore (744293), prepay_hours 0.0
- Discord thread: 1524159746490241207 (#tech-department)
- Bot alerts: #dev-alerts msgs 1524160693321076787 / 1524161303139193056; #bot-alerts
msgs 1524162218864803941 / 1524162487203659886