Serious Computrace Warning!

#1 Post by RealBlackStuff » Mon Sep 12, 2016 5:28 pm

Today I was absolutely stumped by seeing a warning in a T61 BIOS that Computrace was active!
I just put a new T61 mobo from TuuS in a T60 chassis, to create my Frankie #74 (I kid you not!).
During installation last week of this new mobo with nVidia NVS140M chip from 2010 I had no problems.
When I used the HDM to put in TYPE, S/N and UUID I had no problems either.
When I put in Middleton's BIOS I had no problems either.
Everything was hunky-dory, UNTIL I put in one of my test-HDs with W7-Pro.
Checking the functionality of the new Frankie went without a hitch and I had a test-run of almost 24 hours.
Still no problems.
Checked it again the next day to start charging the battery, still no problem.
However, I hadn't gone into the BIOS again, since I had no need for checking/changing anything there, yet.
On Friday last week I finished my testing, which was still all OK as far as I knew.

Then today (Monday morning) I was ready to pack up this T601FL and ship it out to its new owner.
To make sure, I had removed the HD, battery and AC were in, just wanted to check the BIOS settings before shipping.
All alarm bells went ringing when I went into the BIOS and saw this Computrace warning:
http://www.kundracomputers.co.uk/laptop ... utrace.jpg

In the T61 BIOS there are no settings for Computrace, so what had happened?
After a lot of investigation I found this:
The HD I used for testing this Frankie came from a T400 I have.
That T400 has Anti-Theft settings in BIOS, including Computrace (not available in T61).
Upon checking that T400, I found that Computrace was ENabled, but NOT activated.
Apparently that is enough to install the rpcnet*.* files in Windows or Linux!
These files make a call to http://www.absolute.com at every fresh computer start.
But here is the crunch!
When I installed this T400 HD as a test-HD in my new T601 Frankie, it created havoc in the T601 innards and put in an activated Computrace in the BIOS! WTF? :evil:

Luckily I know how to kill Computrace (a.k.a. LoJack), so I got rid of it in no time.
But herewith you are WARNED TO NOT EVER put in a HD/SSD from a Computrace-activated laptop in any other machine!

#2 Post by Cigarguy » Mon Sep 12, 2016 9:10 pm

Interesting indeed RBS. Thanks for sharing.

#3 Post by Digitalhorizons » Fri Jan 13, 2017 6:07 am

This software gets more insane the more I read about it, so not only can computrace inject code from the bios into the OS, the OS from a computrace computer can alter the bios of another laptop it runs on and rewrite the bios? I thought computrace needed a dedicated chip on the board for it to actually work??

#4 Post by ajkula66 » Fri Jan 13, 2017 7:13 am

Digitalhorizons wrote: I thought computrace needed a dedicated chip on the board for it to actually work??
The "hooks" for it are present on T43 and later ThinkPads. So yes, this stuff has been around for well over a decade.

#5 Post by RealBlackStuff » Tue Jan 31, 2017 5:55 am

If you get hit: Make sure to also clean up this junk:

Indicators of Computrace Agent Activity

1.    One of the following processes is running:
     1.   rpcnet.exe
     2.   rpcnetp.exe
     3.   32-bit svchost.exe running on 64-bit system (can’t serve as complete indicator)

2.    One of the following files exists on the hard drive:
     1.   %WINDIR%\System32\rpcnet.exe
     2.   %WINDIR%\System32\rpcnetp.exe
     3.   %WINDIR%\System32\wceprv.dll
     4.   %WINDIR%\System32\identprv.dll
     5.   %WINDIR%\System32\Upgrd.exe
     6.   %WINDIR%\System32\autochk.exe.bak (for FAT)
     7.   %WINDIR%\System32\autochk.exe:bak (for NTFS)

    Note: on a 64-bit OS the above files can be found in: %WINDIR%\SysWOW64\

3.    The system resolves one of the following domain names using DNS:
     1.   search.namequery.com
     2.   search.us.namequery.com
     3.   search64.namequery.com
     4.   bh.namequery.com
     5.   namequery.nettrace.co.za
     6.   search2.namequery.com
     7.   m229.absolute.com or any m*.absolute.com

4.    The system connects to the following IP: 209.53.113.223

5.    One of the following registry keys exists:
     1.   HKLM\System\CurrentControlSet\Services\rpcnet
     2.   HKLM\System\CurrentControlSet\Services\rpcnetp
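
A read-only way to check a Windows machine for the host-side indicators in the list above, plus a best-effort look at the DNS cache and current TCP connections (an added example, not part of the original post; the variable names are illustrative). The 32-bit svchost.exe item is left out because the list itself says it cannot serve as a complete indicator.

```powershell
# Added example: read-only audit for the indicators in the list above.
# It reports what it finds and changes nothing. Run from a 64-bit
# PowerShell 3.0+ so System32 is not redirected to SysWOW64.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Processes
Get-Process -Name rpcnet, rpcnetp -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("process  $($_.ProcessName) (PID $($_.Id))") }

# 2. Files, in System32 and (per the note) SysWOW64
$names = 'rpcnet.exe','rpcnetp.exe','wceprv.dll','identprv.dll','Upgrd.exe','autochk.exe.bak'
foreach ($dir in "$env:WINDIR\System32", "$env:WINDIR\SysWOW64") {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) { $findings.Add("file     $p") }
    }
    # autochk.exe:bak is an NTFS alternate data stream, not a separate file,
    # so it has to be requested by stream name.
    $autochk = Join-Path $dir 'autochk.exe'
    if (Test-Path -LiteralPath $autochk) {
        $ads = Get-Item -Path $autochk -Stream bak -ErrorAction SilentlyContinue
        if ($ads) { $findings.Add("stream   ${autochk}:bak ($($ads.Length) bytes)") }
    }
}

# 3. DNS names still in the local resolver cache (cmdlet exists on Windows 8+)
$domains = 'search.namequery.com','search.us.namequery.com','search64.namequery.com',
           'bh.namequery.com','namequery.nettrace.co.za','search2.namequery.com'
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache | Where-Object {
        $domains -contains $_.Entry -or $_.Entry -like 'm*.absolute.com'
    } | ForEach-Object { $findings.Add("dns      $($_.Entry)") }
}

# 4. Current TCP connections to the listed IP (cmdlet exists on Windows 8+)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemoteAddress 209.53.113.223 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("tcp      PID $($_.OwningProcess) -> $($_.RemoteAddress)") }
}

# 5. Service registry keys
foreach ($svc in 'rpcnet', 'rpcnetp') {
    $key = "HKLM:\System\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) { $findings.Add("registry $key") }
}

if ($findings.Count) { $findings | Sort-Object -Unique } else { 'No listed indicators found.' }
```

The DNS and TCP checks only see what is cached or connected at the moment the script runs, so an empty result there does not rule out earlier activity.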
     

#6 Post by Temetka » Mon Mar 20, 2017 9:28 pm

Might I suggest that if you want to re-use a computrace HDD the following:

1. Wipe it with Dban
2. Wipe it with Linux
3. Wipe it with Dban again
4. Reload the OS and see if computrace is still there. If so I can only advise to either use the HDD as a non-OS drive (i.e. - external drive in a carrier), or use it as a linux drive.

This is of course assuming that CompuTrace doesn't write or save anything into the HDD controllers and pre-inject its "crap" onto a system. If that's the case, then if it were me, I would physically destroy the drive. It's simply not to be trusted at that point.

#7 Post by bit_twiddler » Mon Mar 20, 2017 10:34 pm

Computrace probably injected something into the boot sector, or something loaded by the boot sector.
You didn't mention whether it was GPT or MBR, but it probably does something sneaky at boot,
either way.

#8 Post by RealBlackStuff » Tue Mar 21, 2017 3:58 am

No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!

#9 Post by micrex22 » Wed Mar 22, 2017 12:23 pm

RealBlackStuff wrote: No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!
Hey RBS,

I was actually curious, does CompuTrace work on OS/2 under HPFS & JFS since IBM supported OS/2 on T43s?

#10 Post by RealBlackStuff » Wed Mar 22, 2017 1:51 pm

Last time I played with OS/2 (Warp 3) was last century, around 1996 or so.
That was donkey's years before the T43 first came out.
You'd need to first find a way to activate Computrace in that T43.
Then stick a drive with OS/2 in it and see what happens.
That's all I can say.
Methinks it's relatively safe to assume that it won't install, but you won't know till you try it!

#11 Post by Saucey » Sat Mar 25, 2017 12:11 am

Crazy to hear, I never would have expected a hard drive to trigger another laptop!