CompuTrace/”LoJack” for laptops: rpcnetp.exe, rpcnetp.dll, autochk.exe

So there’s this “security” software built into the BIOS of many laptops called CompuTrace.  It is sort of like “LoJack” for laptops: if your laptop is ever stolen, CompuTrace can “phone home” and report the laptop’s location to a server.  It is written by a company called Absolute Software and provided to laptop manufacturers, who build it into the BIOSes they ship with their laptops.  If you have one of these laptops, the software is in your BIOS and there is no way for you to remove it.
CompuTrace is at least partially a rootkit.  Absolute designed it that way intentionally, so that a thief cannot remove the software by formatting the disk or reflashing the BIOS.  The problem is that rootkits can cause all kinds of other horrible problems for you, the user.
The CompuTrace rootkit in your BIOS will write the following files (and possibly others) to your Windows filesystem:
c:\windows\system32\rpcnetp.exe
c:\windows\system32\rpcnetp.dll
The rootkit will also hijack the AUTOCHK.EXE process that normally runs during Windows boot and run its own code in its place.
One problem this rootkit can cause: chkdsk may not run at boot the way it is supposed to.
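A host-side check for the indicators listed above, added here as an example (it is not code from this post or from Absolute Software): it looks for the dropped rpcnetp.* files (plus the rpcnet.* names a commenter below reports) under System32 and SysWOW64, and compares autochk.exe against a known-good SHA-256. In practice that baseline hash comes from clean install media; the hash, the demo directory tree and the constructed file contents here are all assumptions so the script runs offline.

```python
"""Host-based check for the CompuTrace indicators named in the post.

Added example, not code from the post or from Absolute Software. The
known-good autochk.exe hash would normally be taken from clean install
media; here a constructed placeholder stands in for it."""
import hashlib
import tempfile
from pathlib import Path

# File names from the post (rpcnetp.*) and from a comment below (rpcnet.*).
DROPPED_FILES = ("rpcnetp.exe", "rpcnetp.dll", "rpcnet.exe", "rpcnet.dll")
# 64-bit Windows keeps a second copy of system binaries under SysWOW64.
SYSTEM_DIRS = ("System32", "SysWOW64")


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_windows_dir(windows_dir, autochk_baseline):
    """Return a list of findings for a Windows directory.

    autochk_baseline maps a system subdirectory name to the SHA-256 of the
    autochk.exe that belongs there; a mismatch means the binary was replaced.
    """
    windows_dir = Path(windows_dir)
    findings = []
    for sub in SYSTEM_DIRS:
        sysdir = windows_dir / sub
        if not sysdir.is_dir():
            continue
        for name in DROPPED_FILES:
            if (sysdir / name).is_file():
                findings.append(f"dropped file present: {sysdir / name}")
        autochk = sysdir / "autochk.exe"
        expected = autochk_baseline.get(sub)
        if expected and autochk.is_file() and sha256_file(autochk) != expected:
            findings.append(f"autochk.exe in {sub} does not match baseline")
    return findings


# Constructed stand-in for a clean autochk.exe; real baselines come from media.
CLEAN_AUTOCHK = b"constructed clean autochk.exe bytes"
BASELINE = {"System32": hashlib.sha256(CLEAN_AUTOCHK).hexdigest()}


def build_demo(tampered):
    """Build a throwaway Windows-like tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "Windows" / "System32"
        sys32.mkdir(parents=True)
        if tampered:
            # Simulate what the post describes: dropped files, replaced autochk.exe.
            (sys32 / "rpcnetp.exe").write_bytes(b"constructed agent")
            (sys32 / "rpcnetp.dll").write_bytes(b"constructed agent dll")
            (sys32 / "autochk.exe").write_bytes(b"constructed replaced autochk")
        else:
            (sys32 / "autochk.exe").write_bytes(CLEAN_AUTOCHK)
        return scan_windows_dir(Path(tmp) / "Windows", BASELINE)


if __name__ == "__main__":
    for finding in build_demo(tampered=True):
        print(finding)
```

On a real machine you would point scan_windows_dir at C:\Windows with a baseline captured from the same Windows build, since autochk.exe legitimately differs between builds and service packs.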

11 Responses to CompuTrace/”LoJack” for laptops: rpcnetp.exe, rpcnetp.dll, autochk.exe

  1. Ashley says:

    Hi Keith – In order for Computrace to work, a user has to purchase a license, download software to the hard drive and activate it. It does not do anything unless it’s been activated. And once it is activated, it runs seamlessly in the background without affecting normal operations. The firmware of an activated machine checks if the software is still on the machine so that a stolen laptop can be recovered. And it does not install malicious code, unlike rootkits.

  2. Keith says:

    Sorry Ashley, but I know that’s not true because the laptop I experienced this on was brand new, shipped straight from HP, and never had any Computrace/LoJack software installed/activated on it. And yet all the symptoms/problems I’ve described above exist on this laptop. It’s an HP Compaq 6910p, in case you’re wondering. And by the way, anything that hijacks a legitimate Windows binary file (AUTOCHK.EXE) to bootstrap its own code IS by definition malicious. Absolute Software should be ashamed of itself for building its entire business model on top of a gross hack.

  3. Unknown says:

    It CAN and WAS activated without consent on my Toshiba Satellite A205. It’s listed on the website as being in the BIOS of this model, but the first thing I did when I got it was re-install Windows. I’ve examined old hard drives I used with this computer and there was no sign of Computrace…however when I installed Windows 7, x64 to a fresh HD this week Windows Explorer started crashing. I traced the crash to rpcnetp.exe, which was "phoning home" to 209.53.113.223 (an absolute.com IP registering in Canada) with Internet Explorer and sending about 150k of encrypted data as HTTP posts. Why it didn’t manifest on earlier OS installs I don’t know, but it has definitely turned on now. I can’t get rid of it, there is no BIOS setting, so I’ve resorted to a trick somebody posted to put their agremove.exe component into the Startup folder which interrupts its activation routine. I have never opted in to Computrace and I’m offended that my private information is being sent to them without consent. They aren’t even a US based company, does this mean 60% of today’s laptops are potentially sending sensitive information out of the country without permission!?
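Added example tied to the report above (not the commenter’s or the post’s code): a small detector over an egress log that totals outbound HTTP POST bytes into the 209.53.0.0/16 range containing the address quoted, per host and per sending process. The log format, host names and the /16 watch range are assumptions; the sample lines are constructed to mirror the ~150k of POST data the comment describes.

```python
"""Flag hosts posting data to the network range a commenter observed.

Added example, not code from the post. Log format and hosts are constructed;
the /16 watch range is an assumption built around the IP the comment quotes."""
import ipaddress
from collections import defaultdict

# Watch range: the comment's 209.53.113.223 falls inside this /16 (assumption).
WATCH_NETS = [ipaddress.ip_network("209.53.0.0/16")]

# Constructed egress log, one record per line:
# "<timestamp> <host> <process> <method> <destination_ip> <bytes_sent>"
SAMPLE_LOG = """\
2010-03-01T08:00:01 lt-01 iexplore.exe POST 209.53.113.223 51200
2010-03-01T08:00:03 lt-01 iexplore.exe POST 209.53.113.223 51200
2010-03-01T08:00:05 lt-01 iexplore.exe POST 209.53.113.223 51200
2010-03-01T08:01:00 lt-01 firefox.exe GET 198.51.100.7 1200
2010-03-01T08:02:00 lt-02 rpcnetp.exe POST 209.53.113.223 20480
2010-03-01T08:03:00 lt-03 chrome.exe POST 203.0.113.5 4096
"""


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, host, proc, method, dst, nbytes = line.split()
    return {
        "ts": ts,
        "host": host,
        "process": proc,
        "method": method,
        "dst": ipaddress.ip_address(dst),
        "bytes": int(nbytes),
    }


def find_beacons(log_text):
    """Return {host: (total_bytes_posted, set_of_processes)} for POSTs into WATCH_NETS.

    Totals are summed per host so a series of small posts (the ~150k the
    comment mentions, spread over several requests) still stands out.
    """
    hits = defaultdict(lambda: [0, set()])
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] != "POST":
            continue
        if not any(rec["dst"] in net for net in WATCH_NETS):
            continue
        hits[rec["host"]][0] += rec["bytes"]
        hits[rec["host"]][1].add(rec["process"])
    return {host: (total, procs) for host, (total, procs) in hits.items()}


if __name__ == "__main__":
    for host, (total, procs) in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {total} bytes POSTed by {sorted(procs)}")
```

The per-process set matters because, as the comment notes, the traffic may be sent through Internet Explorer rather than by rpcnetp.exe itself, so a rule keyed only on the process name would miss it.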

  4. coz says:

    Sounds like something Sony would do. Well you had to know something like this was coming. I’m sure there will be more.

  5. Tim B says:

    We’re battling Toshiba/Absolute over this at the moment. Toshiba suggested I reinstall Windows using their media (and how would that help?), and Absolute initially just said something along the lines of “it’s there for your own good”.
    We still have malicious software replacing Windows system files because neither company wants to help remove their malware.

  6. Pingback: Absolute Computrace Revisited | Securelist

  7. Wonderful blog! I found it while browsing on Yahoo News. Do you have any suggestions on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Cheers

  8. dude says:

    cant you just block outbound traffic to the 209.53.x.x network?

    • c0d3h4x0r says:

      Sounds like you’re totally missing the point. Phoning home isn’t the concern (or it wasn’t mine, anyway) — it’s important Windows system binaries getting secretly swapped out for ones provided by the rootkit.

  9. Against Rootkits says:

    I have this problem as well, I sell refurbished dell laptops and it seems every laptop suddenly had computrace bios enabled when it WAS NOT enabled in the 1st place.
    Here is the solution
    open notepad
    paste this in the notepad and save as rmct.cmd
    @echo off
    Title Remove-Computrace-Rootkit

    rem stop and unregister both service names the agent uses
    net stop rpcnet
    sc delete rpcnet

    net stop rpcnetp
    sc delete rpcnetp

    rem 64-bit Windows keeps 32-bit copies under SysWOW64
    cd "C:\Windows\SysWOW64"
    if exist rpcnet.dll del "C:\Windows\SysWOW64\rpcnet.dll"
    if exist rpcnetp.dll del "C:\Windows\SysWOW64\rpcnetp.dll"
    if exist rpcnetp.exe del "C:\Windows\SysWOW64\rpcnetp.exe"
    if exist rpcnet.exe del "C:\Windows\SysWOW64\rpcnet.exe"

    rem native copies under System32
    cd "C:\Windows\System32"
    if exist rpcnet.dll del "C:\Windows\System32\rpcnet.dll"
    if exist rpcnetp.dll del "C:\Windows\System32\rpcnetp.dll"
    if exist rpcnetp.exe del "C:\Windows\System32\rpcnetp.exe"
    if exist rpcnet.exe del "C:\Windows\System32\rpcnet.exe"
    exit

    after creating rmct.cmd open the task scheduler, on the right click create task
    choose “at startup”
    choose user “System”
    choose rmct.cmd (point it to wherever you chose to store that file)
    choose save and then reboot
    Bingo..no more rpcnet or rpcnetp service and all the files are gone too.

    • Shekhar Saini says:

      “paste this in the notepad and save as rmct.cmd”
      what to paste and if I disable computrace from bhid can it still be traced ???
