Serious Computrace Warning!

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Serious Computrace Warning!

#1 Post by RealBlackStuff » Mon Sep 12, 2016 5:28 pm

Today I was absolutely stumped by seeing a warning in a T61 BIOS that Computrace was active!
I just put a new T61 mobo from TuuS in a T60 chassis, to create my Frankie #74 (I kid you not!).
During installation last week of this new mobo with nVidia NVS140M chip from 2010 I had no problems.
When I used the HDM to put in TYPE, S/N and UUID I had no problems either.
When I put in Middleton's BIOS I had no problems either.
Everything was hunky-dory, UNTIL I put in one of my test-HDs with W7-Pro.
Checking the functionality of the new Frankie went without a hitch and I had a test-run of almost 24 hours.
Still no problems.
Checked it again the next day to start charging the battery, still no problem.
However, I hadn't gone into the BIOS again, since I had no need for checking/changing anything there, yet.
On Friday last week I finished my testing, which was still all OK as far as I knew.

Then today (Monday morning) I was ready to pack up this T601FL and ship it out to its new owner.
To make sure, I had removed the HD, battery and AC were in, just wanted to check the BIOS settings before shipping.
All alarm bells went ringing when I went into the BIOS and saw this Computrace warning:

Image
If above picture/link fails, see instead: http://www.kundracomputers.co.uk/laptop ... utrace.jpg

In the T61 BIOS there are no settings for Computrace, so what had happened?
After a lot of investigation I found this:
The HD I used for testing this Frankie came from a T400 I have.
That T400 has Anti-Theft settings in BIOS, including Computrace (not available in T61).
Upon checking that T400, I found that Computrace was ENabled, but NOT activated.
Apparently that is enough to install the rpcnet*.* files in Windows or Linux!
These files make a call to http://www.absolute.com at every fresh computer start.
But here is the crunch!
When I installed this T400 HD as a test-HD in my new T601 Frankie, it created havoc in the T601 innards and put in an activated Computrace in the BIOS! WTF? :evil:

Luckily I know how to kill Computrace (a.k.a. LoJack), so I got rid of it in no time.
But herewith you are WARNED TO NOT EVER put in a HD/SSD from a Computrace-activated laptop in any other machine!
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

Cigarguy
ThinkPadder
ThinkPadder
Posts: 1514
Joined: Thu Aug 09, 2012 3:08 pm
Location: Calgary, Alberta, Canada

Re: Serious Computrace Warning!

#2 Post by Cigarguy » Mon Sep 12, 2016 9:10 pm

Interesting indeed RBS. Thanks for sharing.

Digitalhorizons
Freshman Member
Posts: 56
Joined: Mon Mar 26, 2012 4:51 am
Location: Chesapeake, VA

Re: Serious Computrace Warning!

#3 Post by Digitalhorizons » Fri Jan 13, 2017 6:07 am

This software gets more insane the more I read about it, so not only can computrace inject code from the bios into the OS, the OS from a computrace computer can alter the bios of another laptop it runs on and rewrite the bios? I thought computrace needed a dedicated chip on the board for it to actually work??

ajkula66
SuperUserGeorge
SuperUserGeorge
Posts: 16066
Joined: Sun Feb 25, 2007 11:28 am
Location: Brodheadsville, Pennsylvania, USA

Re: Serious Computrace Warning!

#4 Post by ajkula66 » Fri Jan 13, 2017 7:13 am

Digitalhorizons wrote: I thought computrace needed a dedicated chip on the board for it to actually work??
The "hooks" for it are present on T43 and later ThinkPads. So yes, this stuff has been around for well over a decade.
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)

Cheers,

George (your grouchy retired FlexView farmer)

AARP club members:A31p, T43pSF

Abused daily: T61p

PMs requesting personal tech support will be ignored.

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#5 Post by RealBlackStuff » Tue Jan 31, 2017 5:55 am

If you get hit: Make sure to also clean up this junk:

Indicators of Computrace Agent Activity

1.    One of the following processes is running:
     1.   rpcnet.exe
     2.   rpcnetp.exe
     3.   32-bit svchost.exe running on 64-bit system (can’t serve as complete indicator)

2.    One of the following files exist on the hard drive:
     1.   %WINDIR%\System32\rpcnet.exe
     2.   %WINDIR%\System32\rpcnetp.exe
     3.   %WINDIR%\System32\wceprv.dll
     4.   %WINDIR%\System32\identprv.dll
     5.   %WINDIR%\System32\Upgrd.exe
     6.   %WINDIR%\System32\autochk.exe.bak (for FAT)
     7.   %WINDIR%\System32\autochk.exe:bak (for NTFS)

    Note: on a 64-bit OS the above files can be found in: %WINDIR%\SysWOW64\

3.    The system resolves one of the following domain names using DNS:
     1.   search.namequery.com
     2.   search.us.namequery.com
     3.   search64.namequery.com
     4.   bh.namequery.com
     5.   namequery.nettrace.co.za
     6.   search2.namequery.com
     7.   m229.absolute.com or any m*.absolute.com

4.    The system connects to the following IP: 209.53.113.223

5.    One of the following registry keys exist:
     1.   HKLM\System\CurrentControlSet\Services\rpcnet
     2.   HKLM\System\CurrentControlSet\Services\rpcnetp
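
An offline triage sketch for the indicator list above, added here as an example and not part of the original post: it checks a Windows directory on a mounted drive for the listed agent files and matches hostnames from a DNS log against the listed domains. The function names, the log format and the sample data are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile

# File and DNS names copied from the indicator list in the post above.
AGENT_FILES = {"rpcnet.exe", "rpcnetp.exe", "wceprv.dll", "identprv.dll",
               "upgrd.exe", "autochk.exe.bak"}
AGENT_DIRS = {"system32", "syswow64"}
AGENT_DOMAINS = ["search.namequery.com", "search.us.namequery.com",
                 "search64.namequery.com", "bh.namequery.com",
                 "namequery.nettrace.co.za", "search2.namequery.com",
                 "m*.absolute.com"]


def find_agent_files(windir):
    """Return relative paths of listed agent files under a Windows directory."""
    # Names are compared case-insensitively: a Windows volume mounted on
    # another OS may show 'System32' or 'system32'. The NTFS stream
    # 'autochk.exe:bak' is invisible to a directory listing and not checked.
    hits = []
    for sub in sorted(os.listdir(windir)):
        subdir = os.path.join(windir, sub)
        if sub.lower() not in AGENT_DIRS or not os.path.isdir(subdir):
            continue
        for name in sorted(os.listdir(subdir)):
            if name.lower() in AGENT_FILES:
                hits.append(os.path.join(sub, name))
    return hits


def is_agent_domain(hostname):
    """True if a queried name matches one of the listed domains."""
    host = hostname.strip().rstrip(".").lower()
    return any(fnmatch.fnmatchcase(host, pat) for pat in AGENT_DOMAINS)


def flag_dns_queries(log_lines):
    """Return (client, name) pairs for log lines that query a listed domain."""
    # Assumed line format (constructed): '<timestamp> <client-ip> <qname>'
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and is_agent_domain(parts[2]):
            flagged.append((parts[1], parts[2]))
    return flagged


def demo():
    """Scan a constructed Windows tree and a constructed DNS log."""
    with tempfile.TemporaryDirectory() as windir:
        for rel in ("System32/rpcnetp.exe", "SysWOW64/identprv.dll",
                    "System32/notepad.exe"):
            path = os.path.join(windir, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        files = find_agent_files(windir)
    dns_log = ["2018-04-15T02:08:01 192.168.1.20 www.example.org",
               "2018-04-15T02:08:03 192.168.1.20 search.namequery.com.",
               "2018-04-15T02:09:10 192.168.1.21 M229.absolute.com"]
    return files, flag_dns_queries(dns_log)


if __name__ == "__main__":
    print(demo())
```

Point `find_agent_files` at the Windows directory of the mounted drive; the DNS matcher is meant for logs from a resolver or gateway outside the machine being checked.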
     

Temetka
Senior ThinkPadder
Senior ThinkPadder
Posts: 2790
Joined: Fri Sep 30, 2005 3:27 am
Location: Glendora, CA

Re: Serious Computrace Warning!

#6 Post by Temetka » Mon Mar 20, 2017 9:28 pm

Might I suggest that if you want to re-use a computrace HDD the following:

1. Wipe it with Dban
2. Wipe it with Linux
3. Wipe it with Dban again
4. Reload the OS and see if computrace is still there. If so I can only advise to either use the HDD as a non-OS drive (i.e. - external drive in a carrier), or use it as a linux drive.

This is of course assuming that CompuTrace doesn't write or save anything into the HDD controllers and pre-inject its "crap" onto a system. If that's the case, then if it were me, I would physically destroy the drive. It's simply not to be trusted at that point.
New:
Thinkpad T430s 8GB DDR3, 1600x900, 128GB + 250GB SSD's, etc.
Old:
E6520, Precision M4400, D630, Latitude E6520
ThinkPad Tablet 16GB 1838-22U
IBM Thinkpad X61T, T61, T43, X41T, T60, T41P, T42, T410, X301

bit_twiddler
Junior Member
Junior Member
Posts: 438
Joined: Wed May 16, 2012 3:36 pm
Location: Salinas, CA

Re: Serious Computrace Warning!

#7 Post by bit_twiddler » Mon Mar 20, 2017 10:34 pm

Computrace probably injected something into the boot sector, or something loaded by the boot sector.
You didn't mention whether it was GPT or MBR, but it probably does something sneaky at boot,
either way.
Daily Drivers: W520 i7-2760QM | W520 i7-2860QM | T420 FHD IPS i7-2640m | W701
Others: W510 | 701C (on its shrine)
Non-TP: Dell m7510
Currently Experimenting With: T420s

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#8 Post by RealBlackStuff » Tue Mar 21, 2017 3:58 am

No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!

micrex22
Junior Member
Junior Member
Posts: 363
Joined: Fri Jan 02, 2015 12:22 am
Location: Vancouver, BC, Canada

Re: Serious Computrace Warning!

#9 Post by micrex22 » Wed Mar 22, 2017 12:23 pm

RealBlackStuff wrote:No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!
Hey RBS,

I was actually curious, does CompuTrace work on OS/2 under HPFS & JFS since IBM supported OS/2 on T43s?

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#10 Post by RealBlackStuff » Wed Mar 22, 2017 1:51 pm

Last time I played with OS/2 (Warp 3) was last century, around 1996 or so.
That was donkeys years before the T43 first came out.
You'd need to first find a way to activate Computrace in that T43.
Then stick a drive with OS/2 in it and see what happens.
That's all I can say.
Methinks it's relatively safe to assume that it won't install, but you won't know till you try it!

Saucey
Senior Member
Senior Member
Posts: 862
Joined: Tue Nov 06, 2012 9:22 pm
Location: San Diego, California
Contact:

Re: Serious Computrace Warning!

#11 Post by Saucey » Sat Mar 25, 2017 12:11 am

Crazy to hear, I never would have expected a hard drive to trigger another laptop!
Coffee, ThinkPads & Nikon Fan.

Current: PixelBook, Y50-70, T430
Collected: A31p, T43p, 2521
Past: W700ds, X1C3, 701C

trac
Posts: 3
Joined: Sat Mar 31, 2018 12:46 am
Location: Athens, Greece

Re: Serious Computrace Warning!

#12 Post by trac » Mon Apr 02, 2018 10:47 am

Hi guys

See what I found in several sources (including Wikipedia):

This may explain your case.

"HPA is also used by various theft recovery and monitoring service vendors. For example, the laptop security firm Computrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. HPA is useful to them because even when a stolen laptop has its hard drive formatted the HPA remains untouched."

The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system.

So if the drive is wiped or even secure erased this sh!t stays until you remove HPA from your HDD/SSD (where computrace is located on the hdd).

So you need to check if HPA is enabled or disabled, here is the command (you can use parted magic):

hdparm -N /dev/sdX
(where X is your HDD letter), output is:

/dev/sdc:
max sectors = 586070255/586072368, HPA is enabled

You can then disable HPA :

hdparm -N p586072368 /dev/sdc

(permanently (!) set max visible number of sectors, see example above)

Then you need to secure erase / wipe the SSD/HDD - and you will WIPE all the space (there will be no more HPA, and these sectors will be available for wipe/usage)

And the hdd will be free from computrace and you can put it in another system.

Also if there is no HPA, probably computrace will not be able to install in your OS. But this needs to be checked, I can't confirm now.

Be careful with hdparm!

Cheers,
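
A small parser for the `hdparm -N` report quoted in the post above, added as an example (not part of the original post): it turns the "max sectors" line into the number of hidden sectors and their size, so several drives can be checked before reuse. The function names are hypothetical and the byte count assumes 512-byte logical sectors.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

_DEVICE = re.compile(r"^(/dev/\S+):\s*$")
_MAX = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)(.*)$")


def parse_hdparm_n(report):
    """Parse `hdparm -N` text into one dict per device.

    Each dict has: device, visible, native, hidden (sectors), hidden_bytes,
    and status: 'enabled', 'disabled' or 'unknown' (any other wording).
    """
    results, device = [], None
    for line in report.splitlines():
        line = line.strip()
        m = _DEVICE.match(line)
        if m:
            device = m.group(1)
            continue
        m = _MAX.search(line)
        if not m:
            continue
        visible, native = int(m.group(1)), int(m.group(2))
        tail = m.group(3)
        if "HPA is enabled" in tail:
            status = "enabled"
        elif "HPA is disabled" in tail:
            status = "disabled"
        else:
            status = "unknown"
        hidden = max(native - visible, 0)
        results.append({"device": device, "visible": visible, "native": native,
                        "hidden": hidden, "hidden_bytes": hidden * SECTOR_BYTES,
                        "status": status})
    return results


def drives_with_hpa(report):
    """Devices where sectors are hidden or the drive reports HPA enabled."""
    return [r["device"] for r in parse_hdparm_n(report)
            if r["hidden"] > 0 or r["status"] == "enabled"]


# First entry is the output quoted in the post; the second is constructed.
SAMPLE = """\
/dev/sdc:
 max sectors = 586070255/586072368, HPA is enabled

/dev/sdd:
 max sectors = 976773168/976773168, HPA is disabled
"""

if __name__ == "__main__":
    for r in parse_hdparm_n(SAMPLE):
        print(r["device"], r["status"], r["hidden"], "sectors hidden,",
              r["hidden_bytes"], "bytes")
```

For the output quoted in the post this reports 2113 hidden sectors, about 1 MiB at 512 bytes per sector.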

tecmes
Posts: 15
Joined: Wed Sep 06, 2017 3:16 pm
Location: Montreal, Canada

Re: Serious Computrace Warning!

#13 Post by tecmes » Tue Apr 10, 2018 3:17 pm

I'm having a possibly similar situation, but with odd results so far.

TP #1 is a X61s from eBay, a "company surplus" which came with original HD, fresh Ubuntu, and had the CT BIOS pop-up.

I never connected it to the web, then replaced its 80G HD with an SSD on which I installed Win7 (without reformat), still without connection. At this point, oddly, the CT pop-up has disappeared.

I then installed the 80G HD with Ubuntu on TP#2, one of my other X61s, and repartitioned/installed Win7, still without connecting to the net. The pop-up does NOT appear at this point (and no suspect processes I can see).

So why is the CT not activating on #1? And on #2?

If it's because I did not connect, that's odd. Indeed, even though CT is pretty useless without a connection, why would CT not activate itself as soon as possible, internet or no internet? After all, it is still lurking in the BIOS, and I did a regular repartition, nothing fancy.

(Btw, what about "trac"'s suggestion above?)
Typer: X61s/X61T. Drawer: X31. First crush: X20. Nostalgia: SXGA+ 770 (one busted power card too many)
Gripe: why nobody makes recessed laptop power jacks?

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#14 Post by RealBlackStuff » Tue Apr 10, 2018 3:41 pm

Check your drives for the files as mentioned above, where it says: Make sure to also clean up this junk:
And CT does NO CHECKING if you do NOT go online.

tecmes
Posts: 15
Joined: Wed Sep 06, 2017 3:16 pm
Location: Montreal, Canada

Re: Serious Computrace Warning!

#15 Post by tecmes » Wed Apr 11, 2018 4:18 pm

I'm sorry, but I still don't get it fully.

1- To make the online check, CT first needs to install the files on the HD and run.
2- To do so, it needs to be active in the BIOS to start with.
3- But the CT code is present in all vaguely recent TPs' BIOS, even if "dormant".
Therefore some TP have an inactive CT in BIOS, some have an active CT.

But in what condition does the pop-up appear?
A) If there's an active CT?
B) If there's an active CT AND it has phoned home and reported it should go live?

...but case B is odd because it's already live, inasmuch as it has already messed up with my HD and OS files to do the check!

That's important. Because the pop-up does not appear on my TP right now.
- If it's A, then it means it somehow went inactive. Pray the Black Gods. The matte ones.
- If it's B, then, before I connect it to the net, it might be time to try and preemptively prevent it from activating, but how?

(Knowing that, right now, I found some, but not all files: no process [though they don't last?], but the files rpcnetp in Win32, wcepriv and identprv in WOW64, and no reg keys.)
Typer: X61s/X61T. Drawer: X31. First crush: X20. Nostalgia: SXGA+ 770 (one busted power card too many)
Gripe: why nobody makes recessed laptop power jacks?

dr_st
Senior ThinkPadder
Senior ThinkPadder
Posts: 7197
Joined: Sat Oct 29, 2005 6:20 am

Re: Serious Computrace Warning!

#16 Post by dr_st » Thu Apr 12, 2018 3:00 am

It's possible you may never get it fully, because it's possible that the behavior described here originally by RBS was due to some bug in Computrace, or some configuration corner case. Since Computrace is dubious proprietary software, with a long history of "accidental" activations, I am not certain anyone can know the expected behavior in all corner cases.

Does the X61s have a BIOS setting to "Permanently disable" Computrace? I forgot in which generation it was first introduced.
Current: Thinkpad 25 (20K7), Yoga 14 (20FY), X220 4291-4BG, T410 2537-R46, T60 2007-QPG, T42 2373-F7G
Collectibles: T430s (IPS FHD + Classic Keyboard), X32 (IPS Screen)
Retired: X61 7673-V2V, T60 1952-F76, A31p w/ Ultrabay Numpad

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#17 Post by RealBlackStuff » Thu Apr 12, 2018 4:17 am

Once there is active CT on your machine, the pop-up will show EVERY time you go into BIOS.
Unless somehow activated, T43/R52/X41/T60/T61/R60/R61/X60/X61 do not show any CT signs in BIOS.
Even when activated, there is no way in those machines to change CT, other than calling Absolute (if they still react to such old machines), or removing CT, or replacing the motherboard with a CT-free one, or selling/dumping it.

CT BIOS-settings only started with T400/T500 series.

n2ri
Freshman Member
Posts: 112
Joined: Wed Sep 30, 2015 3:10 am
Location: st louis, mo usa

Re: Serious Computrace Warning!

#18 Post by n2ri » Fri Apr 13, 2018 3:35 am

my T61 I had strange issues with in other post, has CT Bios settings all set to inactive but I am going to permanently disable it after reading these weird issues.

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#19 Post by RealBlackStuff » Fri Apr 13, 2018 5:08 am

How are you going to change CT settings in a T61?
I just told you: DOES NOT EXIST.

n2ri
Freshman Member
Posts: 112
Joined: Wed Sep 30, 2015 3:10 am
Location: st louis, mo usa

Re: Serious Computrace Warning!

#20 Post by n2ri » Fri Apr 13, 2018 2:44 pm

yeah lol so I found I was mixed up with one of my W500. Great news though after switching from SATA to the other HDD type I finally got my old HDD to boot with the new (to me) T61 and that is what I am on now after over 4 months YAY! this group Rocks! one question I can't get my TP monitor to turn off when docked with my larger monitor like my W500 running Win7 64bit is that how Win XP 32bit/T61 is supposed to work? seems ubuntu boots fine in either Sata or the other type. and win wanted to run check disk before rebooting. I also have fingerprint reader active just FYI for anyone following.

ggiglio
Posts: 38
Joined: Fri Sep 24, 2010 12:35 pm
Location: roma, italy

Re: Serious Computrace Warning!

#21 Post by ggiglio » Sat Apr 14, 2018 12:03 pm

I'm not a tech guy, so there's still something I can't figure out:
if computrace operates WITHIN the OS (e.g. windows) why a good firewall is NOT able to intercept the "phone home" application while it is attempting to connect.
Can someone shed a light on me ?

RealBlackStuff
Admin
Admin
Posts: 18706
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA
Contact:

Re: Serious Computrace Warning!

#22 Post by RealBlackStuff » Sat Apr 14, 2018 2:29 pm

https://serverfault.com/questions/15429 ... ng-traffic
But if that would work, why has nobody ever mentioned that about CT?

n2ri
Freshman Member
Posts: 112
Joined: Wed Sep 30, 2015 3:10 am
Location: st louis, mo usa

Re: Serious Computrace Warning!

#23 Post by n2ri » Sat Apr 14, 2018 3:13 pm

maybe parental rights settings could prevent sending to adult sites or known addresses you don't trust if setup manually. but do you even know the address it's sending to? to input in the untrusted site list. it's like trying to block auto-update apps that don't even need browser to transmit on an available internet connection or phone line. also there are only a handful of anti-virus/firewalls that may have this kind of ability and most are NOT freeware. I saved the top 15 free brands and only 3 were worthy of all their hype and they limit features until you buy full version. also the top 5 paid only support Windows 10 or current supported other brands of OS. e.g. I use Comodo and only allow updating of virus data, NO app upgrades as those will be for Win 10 which screws up older versions of Windows which happened to me last year and took a month to get fixed and back graded for Win7 64bit.
Last edited by n2ri on Sat Apr 14, 2018 3:26 pm, edited 1 time in total.

ggiglio
Posts: 38
Joined: Fri Sep 24, 2010 12:35 pm
Location: roma, italy

Re: Serious Computrace Warning!

#24 Post by ggiglio » Sat Apr 14, 2018 3:20 pm

I only made the question because my firewall (business class one) specifically prompts if a program wants to establish an outbound connection with another machine (e.g. search for updates) and asks "what do you want me to do?".
So the point is:
can we trust a software firewall or CT has the ability to get a super-admin level ?

jaspen-meyer
Senior Member
Senior Member
Posts: 800
Joined: Wed May 19, 2010 11:21 pm
Location: Pardubice, Czech Republic
Contact:

Re: Serious Computrace Warning!

#25 Post by jaspen-meyer » Sun Apr 15, 2018 2:08 am

A firewall on the computrace-infected machine is useless. Low-level spyware, like CT, does not need the OS to communicate over the internet.

A firewall placed between the infected machine and the internet could stop CT's communication, incoming and outgoing, but you would need to know what you're looking for.
T420 i7 3612QM seabios; T420 i7 3630QM; T400 Q9100 seabios; T61 P9600; T60 libreboot; x62; x60s libreboot, led; x24 xiphmont led
