Serious Computrace Warning!

[br1anstorm]

I have revisited this thread in search of guidance and answers on getting rid of Computrace.... but I haven't found quite what I'm looking for, so I hope someone might be able to offer advice.

My understanding, and my concern, arises from a couple of previous posts including the original one by @RealBlackStuff. In simple terms, is it possible for Computrace to be introduced - or activated - on a computer simply by the installation of a new hard drive (HDD or SSD) or even - as @Eugor 's post at #29 implies - by connecting a thumb drive?

It seems that a number of manufacturers - not just Lenovo, but also HP, Dell and perhaps others - incorporate the Computrace program or some sort of key to it in their hardware (the motherboard, EEPROM, BIOS or wherever). But as I understand it, this remains "dormant" or disabled until somehow it is activated.

Hence we had the situation in the OP, where a T61 computer was apparently clean with no Computrace elements in its hardware. But when a different hard drive, with an OS (Win7) on it, was put into it for a test, that hard drive apparently installed (or activated) Computrace on the clean computer simply because the T400 computer from which the hard drive had come, had Computrace enabled, but not activated, on it. In other words it acted just like a virus!

That has obviously got @Eugor worried that by plugging a thumb drive with a Linux OS into a T61 computer which had the Computrace nastiness already in its hardware, that thumb drive may be infected too.

The post #12 by @trac explains that Computrace (or some elements of it) are located and hidden in an invisible part of the hard drive (the Host Protected Area, HPA) which cannot be cleaned or erased except by using a sequence of

Code: Select all

hdparm

commands which are obviously very powerful and have to be managed carefully.

So.... what's my problem?

I have a second-hand Thinkpad 430s. It undoubtedly has the Computrace option built into its hardware, since this seems to be standard for that model. When I got the laptop, it had a 120GB SSD installed, with Win10. It worked. I had no reason to look into the BIOS. So I didn't know whether Computrace was enabled/activated at that stage. But the laptop was supposed to have been delivered with a 240GB SSD. So I complained to the suppliers (a reseller of corporate machines) and they sent me a 240GB SSD, with Win10, as a replacement.

It was when I installed that replacement 240GB SSD that I had to go into the BIOS because it would not boot (turned out that a UEFI v Legacy BIOS setting needed to be changed). And that was when I saw the warning that Computrace was there, enabled, and activated.

Having found the guidance on this forum, I phoned the Computrace firm, Absolute Software, and asked for it to be disabled/removed. A day or two later, it had been deactivated and I have now permanently disabled it. So that's fine.....

BUT..... what do I do about the 120GB SSD that was originally supplied and fitted into this laptop? Does it have the Computrace "infection" in its HPA? If I insert this SSD - with Win10 still on it - into another [clean] computer, will it enable and/or activate Computrace on that computer?

How - exactly - do I scan or examine that 120GB SSD to find out whether it is carrying Computrace or any part of it? I would quite like to keep the Win10 OS on it rather than clean and "nuke" it either with DBAN or by using those

Code: Select all

hdparm

commands. If I have to, I will do so, and just use the SSD for data storage. But before doing anything with it, can anyone expand on the process for scanning and cleaning it? Does it have to be looked at in a computer running a Live session under a Linux OS, or in a computer booted up using Hirens Boot CD or something similar? At the moment I don't even have a caddy to put this suspect 120GB drive into in order to connect it to any other machine; and I don't want to do it in any way which exposes another computer to potential risk of infection/activation by Computrace.

[RealBlackStuff]

Lessons to be learned:
- ALWAYS check the BIOS for passwords or Computrace before you buy! (or ask seller)
- NEVER use any OS or software that comes with a used computer!

W10 can (still) be downloaded for free.
Since your BIOS is now permanently CT-disabled, put that 120GB SSD in your T430s, together with a CD/DVD with Hiren's Boot or DBAN, etc.
Wipe it thoroughly, then create/format a partition on it of no more than ~80% (leave the rest for overprovisioning).
Use that disk now as you please.

[br1anstorm]

More questions about cleaning up an SSD to get rid of Comuputrace....

As part of my gearing up for the "nuclear option" of wiping my 120GB SSD, I thought I would take a look at exactly what was currently on it (since Win10 Pro is installed on the drive). In particular, I was curious about the Host Protected Access (HPA) part of the drive where according to the post #12 from @trac, some of Computrace resides.

So I fired up Hiren's Boot CD and had a look using PartedMagic. This is what I found:

- in both the Windows/System32 and the Windows/SysWOW64 folders, I found several of the Computrace "junk" files listed in post #5, including rpcnet.exe and rpcnetp.exe, and wceprv.dll and autochk.exe.

- I then tried the hdparm command suggested by @trac to see about the HPA. And the output revealed "HPA is disabled".... which was encouraging.

My questions now are obvious (and may be dumb!). As HPA is disabled, does that mean Computrace cannot be activated if this SSD is connected to another computer? Is it enough simply to delete the "junk" files in the System32 and SysWOW64 folders, and the Registry keys, in order to make the SSD safe? Or [and I suspect I know the answer that's likely to come!] is it still necessary to wipe and erase the entire disk (twice?) in order to make it totally safe and clean again? Does it matter whether I use PartedMagic or DBAN to do so, since both are on the Hirens CD and I have not previously used either of them to do a wipe/erase.

I only ask because I'd quite like to keep the Win10 Pro that is on the disk (even though I know I could download another copy). But at the same time I want to be certain that the SSD won't somehow reintroduce that pesky Computrace program if I put it into another machine.

[RealBlackStuff]

Wipe and format.
No IFs or BUTs.

[br1anstorm]

Wipe and format.
No IFs or BUTs.

Had to smile when I saw that response. Exactly what I expected! Yes sir, I will do as instructed......

[kfzhu1229]

Well I gotta say I feel quite glad that a Dell laptop with computrace and BIOS password enabled that I got has the hard drive already removed or else I would've been on this trap!
(Albeit, the HDD removal on this is very surprising - someone literally opened up the Intel SSD and ripped out the circuit board from within, leaving just the Aluminium bottom plate!)

It seems that a number of manufacturers - not just Lenovo, but also HP, Dell and perhaps others - incorporate the Computrace program or some sort of key to it in their hardware (the motherboard, EEPROM, BIOS or wherever). But as I understand it, this remains "dormant" or disabled until somehow it is activated.

Well, after my digging on Baidu (which doesn't give af about keeping procedures for these sort of things), I found out on Dell laptops that computrace is stored at the same place as the Service tag. Using the Service tag removal tool deactivates the Computrace. This is on a different area of the BIOS chip than your BIOS program, but both are on the SuperIO chip so it's not feasible to replace anyway.
I wonder if you can find the tool to wipe out the type number and Serial number on a ThinkPad motherboard it would also wipe Computrace status.

[RealBlackStuff]

Type and S/N can be changed with the HMD program, but has no influence whatsoever on Computrace.
Up till and incl. xx30 Series CT 'activation' was stored in an EEPROM (which also has the SVP), while since T60/X60 the BIOS itself has the CT On/Off settings.

[LazLong]

Just want to post a "Thank you!" to everyone on this thread. I bought a used X270 with Computrace enabled. With the guidance from this thread I was able to get it disabled easily and quickly. The Computrace rep was inexperienced and seemed to be reading from a script. Armed with the info in this thread I was able to coax her into doing what was necessary, and I made sure to get reference number for our interaction. I didn't get around to installing Windows onto my new acquisition for a couple of days, but when I did, Computrace was disabled after my first reboot, so in less than an hour.


Thanks folks!

[n2ri]

seems this is where MS got their start for Win 10 and all its trogan spyware