From 30c20df2b938fdd3fe22c954cbbf23ab8f7088fa Mon Sep 17 00:00:00 2001 From: Winter Williams Date: Tue, 7 Jul 2026 14:19:54 -0700 Subject: [PATCH] sync: auto-sync from GURU-BEAST-ROG at 2026-07-07 14:18:48 Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-07 14:18:48 --- ...7-07-discord-bot-tpm-pc-ace-pup-removal.md | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 clients/mineralogical-record/session-logs/2026-07/2026-07-07-discord-bot-tpm-pc-ace-pup-removal.md diff --git a/clients/mineralogical-record/session-logs/2026-07/2026-07-07-discord-bot-tpm-pc-ace-pup-removal.md b/clients/mineralogical-record/session-logs/2026-07/2026-07-07-discord-bot-tpm-pc-ace-pup-removal.md new file mode 100644 index 00000000..f40e22d8 --- /dev/null +++ b/clients/mineralogical-record/session-logs/2026-07/2026-07-07-discord-bot-tpm-pc-ace-pup-removal.md @@ -0,0 +1,116 @@ +# Session Log — TPM-PC Security Popup Investigation / Ace PUP Removal + +## User +- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG) +- **Requested by:** Winter Williams (@winterguru, via Discord) - tech +- **Role:** automation (acting on the requester's behalf) + +## Session Summary + +Winter reported (Discord #tech-department, thread 1524159746490241207) that Tom Moore at +Mineralogical Record was getting recurring security warning popups on TPM-PC and asked for +an infection/malware check. + +Located TPM-PC in GuruRMM (agent `03322f46-42b8-432d-a103-bdcae244ab55`, Mineralogical +Record / Main, Windows, online, agent v0.6.79). Ran a three-pass remote recon via RMM +PowerShell dispatch: (1) AV posture — Datto AV active and healthy (productState 266240), +Datto EDR present, Windows Defender dormant (normal when Datto AV owns RTP), zero threat +detections in Defender history; user `tpm` logged in at console. (2) Autoruns / recent +installs / scheduled tasks — surfaced the "Ace" browser (BrowseAI LLC, a known +Chromium-based PUP) installed 6/26/2026 in the TPM user profile with AceAutoLaunch + +AceUpdater run keys and a per-user updater scheduled task; also flagged a ScreenConnect +client installed 7/5. (3) Deep-dive — Ace's browser profile had push notifications ALLOWED +from `d96l780hubcc73atdgc0.authorax.co.in`, a scareware push-notification domain: the +source of the fake security alerts. Chrome/Edge notification grants were benign +(facebook, yahoo, jds.fr, thecountyoffice.com). Ace's binary is validly signed by +"BrowseAI LLC" (Delaware). + +Verified the 7/5 ScreenConnect install is legitimate: relay +`instance-kgc7jt-relay.screenconnect.com`, client ID `1912bf3444b41a08` — ACG's own +ScreenConnect Cloud instance (confirmed against wiki: dataforth-dos.md, glaztech.md, +ucryo.md). Custom fields "MinRec / Moore" match the client/contact. + +Mike approved removal in-thread. Executed full Ace cleanup via RMM (cmd df60f39d, exit 0): +no Ace processes running; removed both run keys (verified gone), the AceUpdater scheduled +task, the per-user uninstall registry key ("Ace Ace"), the `Software\Ace` hive, the entire +`C:\Users\TPM\AppData\Local\Ace` folder (verified gone), and Ace shortcuts from Desktop, +Start Menu, and Quick Launch. The scareware notification grant lived inside Ace's profile, +so it was removed with the folder. + +Winter then asked for a Syncro ticket. Created ticket #32511 (customer Mineralogical +Record 207770, contact Tom Moore 744293, Issue Type Security, assigned Winter 1737, +Resolved), posted the full investigation/remediation narrative as the Initial Issue +comment (do_not_email), billed 0.5 hr Labor - Remote Business @ $150 (line credited to +Winter, user_id 1737), created invoice #67997 ($75.00, customer has no prepaid block), +set the block-rate upsell invoice note, and marked the ticket Invoiced. Bot alerts posted +to #dev-alerts (RMM dispatches + remediation) and #bot-alerts (ticket + billing). + +## Key Decisions + +- Classified as PUP/scareware, not a true infection: Datto AV/EDR healthy with zero + detections; the popups traced to Ace's push-notification grant from authorax.co.in. +- Did NOT treat the disabled Windows Defender as a finding — Defender is dormant by design + when Datto AV registers as primary AV. +- Verified the fresh (7/5) ScreenConnect install against the wiki before trusting it — + ScreenConnect is a common scammer tool, but instance kgc7jt / client 1912bf3444b41a08 is + ACG's own. +- Gated the destructive cleanup on explicit approval (Mike: "yes") per hard rule on + file deletion; gated billing on a dollar-figure preview (Winter confirmed). +- Left Chrome/Edge notification grants alone: benign sites, and editing Preferences while + the browser may be running is unreliable/futile. +- Billed with `add_line_item` direct (no timer), price_retail fetched live (150.0), + product_category verified non-null ("Labor"), taxable:false explicit, line user_id set + to Winter so commission attribution is correct despite Mike's API key. + +## Problems Encountered + +- First recon dispatch returned exit 1 despite full output — caused by `query user` + returning a nonzero exit in the SYSTEM context. Output was complete; ignored. + +## Configuration Changes + +- TPM-PC (remote endpoint): removed Ace PUP browser — run keys (AceAutoLaunch, + AceUpdaterTaskUser148.0.7782.0) from HKU\S-1-5-21-2859265824-3766688748-477818468-1001, + scheduled task `AceUpdaterTaskUser148.0.7782.0{25A1EC0B-3DD4-4B9D-86A4-8F6FEF9BD284}`, + per-user uninstall key "Ace Ace", `HKCU\Software\Ace` hive, + `C:\Users\TPM\AppData\Local\Ace` folder, shortcuts (Desktop / Start Menu / Quick Launch). +- No ClaudeTools repo files changed other than this session log. + +## Credentials & Secrets + +- None created or discovered. Vault reads: none (GuruRMM auth via + `infrastructure/gururmm-server.sops.yaml` through rmm-auth.sh; Syncro via per-user key + baked into /syncro skill, Mike's key). + +## Infrastructure & Servers + +- TPM-PC — Mineralogical Record / Main, Windows, GuruRMM agent + `03322f46-42b8-432d-a103-bdcae244ab55`, v0.6.79. Console user `tpm` (SID + S-1-5-21-2859265824-3766688748-477818468-1001). +- AV stack: Datto AV (primary, healthy) + Datto EDR (infocyte agent, HUNTAgent service). +- ScreenConnect: ACG cloud instance kgc7jt, client ID 1912bf3444b41a08 (legit). +- Backup: Carbonite present. +- GuruRMM API: http://172.16.3.30:3001. + +## Commands & Outputs + +- RMM recon cmds: b7fae325 (Defender/AV/users), 8daec6a2 (autoruns/installs/tasks), + 85cfdd9b (Ace detail + notification grants + SC service path). +- Remediation cmd: df60f39d — all steps verified in-output (run keys removed, task + removed, folder deleted, 3 shortcuts removed), exit 0. +- Scareware indicator: Ace profile notification allow for + `https://d96l780hubcc73atdgc0.authorax.co.in:443`. + +## Pending / Incomplete Tasks + +- None. If Tom reports further popups, check what site/download bundled Ace on 6/26 + (likely a freeware installer) and re-audit browser notification grants. + +## Reference Information + +- Syncro ticket #32511 (id 113590558): https://computerguru.syncromsp.com/tickets/113590558 +- Syncro invoice #67997 (id 1650974680), $75.00, 0.5 hr remote +- Customer: Mineralogical Record (207770), contact Tom Moore (744293), prepay_hours 0.0 +- Discord thread: 1524159746490241207 (#tech-department) +- Bot alerts: #dev-alerts msgs 1524160693321076787 / 1524161303139193056; #bot-alerts + msgs 1524162218864803941 / 1524162487203659886