thinkpads.com Support Community Forum Index Bill Morrow's thinkpads.com Open Forum - The Original Thinkpad Support Forum

All times are UTC-05:00




PostPosted: Mon Sep 12, 2016 5:28 pm 
Admin

Joined: Mon Sep 18, 2006 5:17 am
Posts: 17101
Location: Mt. Cobb, PA USA
Today I was absolutely stumped by seeing a warning in a T61 BIOS that Computrace was active!
I just put a new T61 mobo from TuuS in a T60 chassis, to create my Frankie #74 (I kid you not!).
During installation last week of this new mobo with nVidia NVS140M chip from 2010 I had no problems.
When I used the HDM to put in TYPE, S/N and UUID I had no problems either.
When I put in Middleton's BIOS I had no problems either.
Everything was hunky-dory, UNTIL I put in one of my test-HDs with W7-Pro.
Checking the functionality of the new Frankie went without a hitch and I had a test-run of almost 24 hours.
Still no problems.
Checked it again the next day to start charging the battery, still no problem.
However, I hadn't gone into the BIOS again, since I had no need for checking/changing anything there, yet.
On Friday last week I finished my testing, which was still all OK as far as I knew.

Then today (Monday morning) I was ready to pack up this T601FL and ship it out to its new owner.
To make sure, I had removed the HD; battery and AC were in, and I just wanted to check the BIOS settings before shipping.
All alarm bells went ringing when I went into the BIOS and saw this Computrace warning:
http://www.kundracomputers.co.uk/laptop ... utrace.jpg

In the T61 BIOS there are no settings for Computrace, so what had happened?
After a lot of investigation I found this:
The HD I used for testing this Frankie came from a T400 I have.
That T400 has Anti-Theft settings in BIOS, including Computrace (not available in T61).
Upon checking that T400, I found that Computrace was ENabled, but NOT activated.
Apparently that is enough to install the rpcnet*.* files in Windows or Linux!
These files make a call to http://www.absolute.com at every fresh computer start.
But here is the crunch!
When I installed this T400 HD as a test-HD in my new T601 Frankie, it created havoc in the T601 innards and put in an activated Computrace in the BIOS! WTF? :evil:

Luckily I know how to kill Computrace (a.k.a. LoJack), so I got rid of it in no time.
But herewith you are WARNED TO NOT EVER put in a HD/SSD from a Computrace-activated laptop in any other machine!

_________________
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.
And don't forget the Motherboards! Refreshing webpages is advised!


Top
   
PostPosted: Mon Sep 12, 2016 9:10 pm 
ThinkPadder

Joined: Thu Aug 09, 2012 3:08 pm
Posts: 1410
Location: Calgary, Alberta, Canada
Interesting indeed RBS. Thanks for sharing.


Top
   
PostPosted: Fri Jan 13, 2017 6:07 am 
Freshman Member

Joined: Mon Mar 26, 2012 4:51 am
Posts: 56
Location: Chesapeake, VA
This software gets more insane the more I read about it. So not only can Computrace inject code from the BIOS into the OS, but the OS from a Computrace computer can alter the BIOS of another laptop it runs on and rewrite the BIOS? I thought Computrace needed a dedicated chip on the board for it to actually work??


Top
   
PostPosted: Fri Jan 13, 2017 7:13 am 
SuperUserGeorge

Joined: Sun Feb 25, 2007 11:28 am
Posts: 15644
Location: Brodheadsville, Pennsylvania
Digitalhorizons wrote:
I thought Computrace needed a dedicated chip on the board for it to actually work??


The "hooks" for it are present on T43 and later ThinkPads. So yes, this stuff has been around for well over a decade.

_________________
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)

Cheers,

George (your grouchy retired FlexView farmer)

AARP club members:A31p, T43pSF

Abused daily: R61

PMs requesting personal tech support will be ignored.


Top
   
PostPosted: Tue Jan 31, 2017 5:55 am 
Admin

Joined: Mon Sep 18, 2006 5:17 am
Posts: 17101
Location: Mt. Cobb, PA USA
If you get hit: Make sure to also clean up this junk:

Code:
Indicators of Computrace Agent Activity

1.    One of the following processes is running:
     1.   rpcnet.exe
     2.   rpcnetp.exe
     3.   32-bit svchost.exe running on 64-bit system (can’t serve as complete indicator)

2.    One of the following files exists on the hard drive:
     1.   %WINDIR%\System32\rpcnet.exe
     2.   %WINDIR%\System32\rpcnetp.exe
     3.   %WINDIR%\System32\wceprv.dll
     4.   %WINDIR%\System32\identprv.dll
     5.   %WINDIR%\System32\Upgrd.exe
     6.   %WINDIR%\System32\autochk.exe.bak (for FAT)
     7.   %WINDIR%\System32\autochk.exe:bak (for NTFS)

    Note: on a 64-bit OS the above files can be found in: %WINDIR%\SysWOW64\

3.    The system resolves one of the following domain names using DNS:
     1.   search.namequery.com
     2.   search.us.namequery.com
     3.   search64.namequery.com
     4.   bh.namequery.com
     5.   namequery.nettrace.co.za
     6.   search2.namequery.com
     7.   m229.absolute.com or any m*.absolute.com

4.    The system connects to the following IP: 209.53.113.223

5.    One of the following registry keys exists:
     1.   HKLM\System\CurrentControlSet\Services\rpcnet
     2.   HKLM\System\CurrentControlSet\Services\rpcnetp
     


Top
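The indicator list in the post above, turned into an offline triage check; this is an added example, not part of the original post. It matches a collected host inventory (process names, file paths, DNS queries, remote IPs, registry keys) against the listed values. The inventory format, the `triage` function and the sample data are assumptions made for illustration; `m*.absolute.com` is read as a single host label starting with `m`, and the 32-bit svchost.exe indicator is left out because the list itself says it is not a complete indicator.

```python
import re

# Indicator values copied from the list in the post above.
PROCESSES = {"rpcnet.exe", "rpcnetp.exe"}
FILES = PROCESSES | {"wceprv.dll", "identprv.dll", "upgrd.exe",
                     "autochk.exe.bak", "autochk.exe:bak"}
SYSTEM_DIRS = {"system32", "syswow64"}   # SysWOW64 per the 64-bit note
DOMAINS = {"search.namequery.com", "search.us.namequery.com",
           "search64.namequery.com", "bh.namequery.com",
           "namequery.nettrace.co.za", "search2.namequery.com"}
# Assumption: "m*.absolute.com" means one label beginning with "m".
M_HOST = re.compile(r"^m[^.]*\.absolute\.com$")
IPS = {"209.53.113.223"}
SERVICE_KEYS = {r"hklm\system\currentcontrolset\services\rpcnet",
                r"hklm\system\currentcontrolset\services\rpcnetp"}

def _file_hit(path):
    # Only flag the listed names when they sit directly in a system directory.
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) >= 2 and parts[-2] in SYSTEM_DIRS and parts[-1] in FILES

def _dns_hit(name):
    name = name.lower().rstrip(".")      # tolerate FQDN trailing dot
    return name in DOMAINS or bool(M_HOST.match(name))

def _reg_hit(key):
    key = key.lower().rstrip("\\").replace("hkey_local_machine", "hklm", 1)
    return key in SERVICE_KEYS

def triage(inv):
    """Return {category: [matching items]} for a collected host inventory."""
    checks = {"processes": lambda p: p.lower() in PROCESSES,
              "files": _file_hit,
              "dns": _dns_hit,
              "connections": lambda ip: ip in IPS,
              "registry": _reg_hit}
    hits = {cat: [x for x in inv.get(cat, []) if test(x)]
            for cat, test in checks.items()}
    return {cat: found for cat, found in hits.items() if found}

# Constructed sample inventory (not real telemetry).
SAMPLE = {
    "processes": ["svchost.exe", "RPCNETP.EXE", "explorer.exe"],
    "files": [r"C:\Windows\SysWOW64\rpcnet.exe", r"D:\tools\Upgrd.exe",
              r"C:\Windows\System32\autochk.exe:bak"],
    "dns": ["search.namequery.com.", "M229.absolute.com", "www.absolute.com"],
    "connections": ["209.53.113.223", "192.0.2.10"],
    "registry": [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnet",
                 r"HKLM\System\CurrentControlSet\Services\RpcSs"],
}
print(triage(SAMPLE))
```

An empty result means none of the listed indicators matched the inventory supplied; it says nothing about the firmware-side setting discussed elsewhere in this thread.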
   
PostPosted: Mon Mar 20, 2017 9:28 pm 
Senior ThinkPadder

Joined: Fri Sep 30, 2005 3:27 am
Posts: 2772
Location: Glendora, CA
Might I suggest the following if you want to re-use a Computrace HDD:

1. Wipe it with DBAN
2. Wipe it with Linux
3. Wipe it with DBAN again
4. Reload the OS and see if Computrace is still there. If so I can only advise to either use the HDD as a non-OS drive (i.e. - external drive in a carrier), or use it as a Linux drive.

This is of course assuming that CompuTrace doesn't write or save anything into the HDD controllers and pre-inject its "crap" onto a system. If that's the case, then if it were me, I would physically destroy the drive. It's simply not to be trusted at that point.

_________________
New:
Thinkpad X301 U9400 6GB DDR3 250GB SSD
Old:
E6520, Precision M4400, D630, Latitude E6520
ThinkPad Tablet 16GB 1838-22U
IBM Thinkpad X61T, T61, T43, X41T, T60, T41P, T42, T410


Top
   
PostPosted: Mon Mar 20, 2017 10:34 pm 
Junior Member

Joined: Wed May 16, 2012 3:36 pm
Posts: 408
Location: Salinas, CA
Computrace probably injected something into the boot sector, or something loaded by the boot sector.
You didn't mention whether it was GPT or MBR, but it probably does something sneaky at boot,
either way.

_________________
Daily Drivers: W520 i7-2860QM | T420 FHD IPS i7-2640m | W701
Others: W510 | T400 | W500 WUXGA | 701C (on its shrine) | R61 14W (in the boneyard)
Non-TP: 2x Dell T7500 (workstation)
Currently Experimenting With: T420s


Top
   
PostPosted: Tue Mar 21, 2017 3:58 am 
Admin

Joined: Mon Sep 18, 2006 5:17 am
Posts: 17101
Location: Mt. Cobb, PA USA
No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!


Top
   
PostPosted: Wed Mar 22, 2017 12:23 pm 
Junior Member

Joined: Fri Jan 02, 2015 12:22 am
Posts: 307
Location: Vancouver, BC, Canada
RealBlackStuff wrote:
No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!


Hey RBS,

I was actually curious, does CompuTrace work on OS/2 under HPFS & JFS since IBM supported OS/2 on T43s?


Top
   
PostPosted: Wed Mar 22, 2017 1:51 pm 
Admin

Joined: Mon Sep 18, 2006 5:17 am
Posts: 17101
Location: Mt. Cobb, PA USA
Last time I played with OS/2 (Warp 3) was last century, around 1996 or so.
That was donkey's years before the T43 first came out.
You'd need to first find a way to activate Computrace in that T43.
Then stick a drive with OS/2 in it and see what happens.
That's all I can say.
Methinks it's relatively safe to assume that it won't install, but you won't know till you try it!


Top
   