Monday, October 23, 2017

Latest News


Computrace is a feature that is embedded within some BIOS firmware and distributed by some laptop/PC manufacturers.

With the code sitting in the BIOS, it is difficult to remove and can re-establish itself at reboot time.

It is designed to help companies trace stolen equipment, and once activated it communicates with Absolute Software's servers.

This would be all very well if everything in the IT world were black and white, but we know it never is: malware has the ability to exploit this feature, which in turn can capture data, send GPS location (if fitted) and probably much more.

In mid-2014 EE also introduced this to some of their Android builds, again with the purpose of disabling the phone if stolen, etc.

If you are affected by this update, you will see the app running in the background, and the process cannot simply be stopped (it restarts itself automatically).

With this process running on your phone, it makes a very good backdoor for full access to the information on your phone, and it has the ability to switch on your camera if malware is written to take advantage of this.

If more customers who are concerned about this contact EE, they may do something about it; again, nobody actually requested this, it was pushed out as an automatic update.

See below for how to remove or disable it on a machine running Windows:

How to remove Computrace Lojack

I bought two new Gateway PCs a few weeks ago. Typically I first uninstall all the bloatware/trialware right away. Then I shut down all unnecessary services and remove loads of entries in the registry that are starting unwanted programs. When I was done with all of this, one process remained in Task Manager that I didn't recognize: rpcnet.exe. Now I know that there is a service called Remote Procedure Call, so I looked in the services. It listed Remote Procedure Call as "C:\WINDOWS\system32\svchost -k rpcss" and also Remote Procedure Call (rpcnet.exe) by computrace.

Figuring this was more bloatware, I disabled it and rebooted. It was back! I started thinking it was a virus/trojan/spyware. I downloaded HijackThis, which let me shut it off. Reboot. It's back! Found the files rpcnet.exe, rpcnetp.exe, rpcnet.dll and rpcnetp.dll, deleted them and rebooted. It's back! Those files are back too! Now it really looks like a virus.

So I Googled computrace and found out it is some program used to track stolen computers. Strange! I didn't order that on my computer. So I set out to remove it. Many Google hits indicated it lived in the MBR, so I did a series of fdisks and fdisk /mbr and reinstalls of Windows XP. Rpcnet.exe came back running every time. Some Google hits also indicate that it may live in the BIOS. I saved a copy of my BIOS to disk and looked at it with cbrom. I got cbrom from http://www.biosmods.com/download.php and had to try several different versions until I found one that worked with my computer/BIOS.

So I ran...
cbrom32_149 gtgn105.bin /D - (cbrom crashed but still showed all the file names.)

Then I look at all files with hex editor, specifically for something that would indicate computrace.

Found optromg.rom listed at OEM2 CODE. Hex editor showed the string "computrace".

ran cbrom32_149 gtgn105.bin /oem2 release

checked with cbrom32_149 gtgn105.bin /D

Yep, optromg.rom is gone.

So upload new BIOS....

Reboot. kill rpcnet.exe

delete rpcnet.exe
delete rpcnetp.exe
delete rpcnet.dll
delete rpcnetp.dll

disable service rpcnet.exe

done

Rpcnet.exe is no longer running as a process! Yeah!
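
The hex-editor search described in the account above can be automated. The following is an added example, not part of the original post: it scans module files for the "computrace" and "rpcnet" strings in ASCII and UTF-16LE and reports whether a file carries a legacy option ROM header. The function names and the sample bytes are constructed for illustration, and it assumes the modules have already been extracted from the BIOS image, since a string inside a compressed module would not be visible in the raw file.

```python
import sys
from pathlib import Path

# Markers from the write-up: the option ROM held the string "computrace";
# the Windows agent files are rpcnet.exe/.dll and rpcnetp.exe/.dll.
MARKERS = ("computrace", "rpcnet")

# Constructed sample, NOT a real ROM: option ROM header + two marker strings.
SAMPLE = (b"\x55\xaa\x02" + b"\x00" * 29 + b"Computrace agent"
          + "RPCNET.EXE".encode("utf-16-le")).ljust(1024, b"\x00")


def find_markers(blob: bytes):
    """Return sorted (offset, marker, encoding) hits, case-insensitive."""
    lowered = blob.lower()  # folds ASCII letters only, keeps offsets intact
    hits = []
    for marker in MARKERS:
        for encoding in ("ascii", "utf-16-le"):
            needle = marker.encode(encoding)
            pos = lowered.find(needle)
            while pos != -1:
                hits.append((pos, marker, encoding))
                pos = lowered.find(needle, pos + 1)
    return sorted(hits)


def option_rom_info(blob: bytes):
    """Read a legacy option ROM header: 55 AA, then size in 512-byte blocks."""
    if len(blob) < 3 or blob[:2] != b"\x55\xaa":
        return None
    declared = blob[2] * 512
    return {"declared_size": declared, "truncated": declared > len(blob)}


def scan(blob: bytes, name: str):
    return {"name": name, "option_rom": option_rom_info(blob), "hits": find_markers(blob)}


if __name__ == "__main__":
    # Usage: python scan_modules.py <module file or directory of modules>
    if len(sys.argv) < 2:
        print(scan(SAMPLE, "constructed sample"))
    else:
        root = Path(sys.argv[1])
        paths = [root] if root.is_file() else sorted(root.rglob("*"))
        for path in (p for p in paths if p.is_file()):
            report = scan(path.read_bytes(), str(path))
            if report["hits"]:
                print(report)
```

The same scan can be pointed at a copy of C:\WINDOWS\system32 taken from an offline disk to list files that reference the agent by name.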