How to remove Computrace Lojack

I bought two new Gateway PCs a few weeks ago. Typically I first uninstall all the bloatware/trialware right away. Then I shut down all unnecessary services and remove loads of entries in the registry that are starting unwanted programs. When I was done with all of this, one process remained in Task Manager that I didn't recognize: rpcnet.exe. Now I know that there is a service called Remote Procedure Call, so I looked in the services. It listed Remote Procedure Call as "C:\WINDOWS\system32\svchost -k rpcss" and also Remote Procedure Call (rpcnet.exe) by Computrace.

Figuring this was more bloatware, I disabled it and rebooted. It was back! I started thinking it was a virus/trojan/spyware. I downloaded HijackThis, which let me shut it off. Reboot. It's back! Found the files rpcnet.exe, rpcnetp.exe, rpcnet.dll and rpcnetp.dll, deleted them and rebooted. It's back! Those files are back too! Now it really looks like a virus.

So I googled Computrace and found out it is some program used to track stolen computers. Strange! I didn't order that on my computer. So I set out to remove it. Many Google hits indicated it lived in the MBR, so I did a series of fdisks and fdisk /mbr and reinstalls of Windows XP. Rpcnet.exe came back running every time. Some Google hits also indicate that it may live in the BIOS. I save a copy of my BIOS to disk and look at it with cbrom. I got cbrom from http://www.biosmods.com/download.php. I had to try several different versions till I found one that worked with my computer/BIOS.

So I ran...
cbrom32_149 gtgn105.bin /D - (cbrom crashed but still showed all the file names.)

Then I look at all files with a hex editor, specifically for something that would indicate Computrace.

Found optromg.rom listed at OEM2 CODE. Hex editor showed the string "computrace".

ran cbrom32_149 gtgn105.bin /oem2 release

checked with cbrom32_149 gtgn105.bin /D

Yep, optromg.rom is gone.

So upload new bios....

Reboot. kill rpcnet.exe

delete rpcnet.exe
delete rpcnetp.exe
delete rpcnet.dll
delete rpcnetp.dll

disable service rpcnet.exe

done

Rpcnet.exe is no longer running as a process! Yeah!

(BTW - This procedure has risks that include making your computer non-functional)

UPDATE! I posted optromg.rom in case anyone wants to look at it with a hex editor or try to disassemble it.

Attachment: OPTROMG.ROM (24 KB)

Comments

Right you are. It's like

Right you are.
It's like your car dealer being able to shut down the engine of your car if the latest payment didn't get through. Or maybe just lock the steering wheel, sending you straight to hell at the next bend.

I suggest that from now on all these crippled laptops should have "remote repo enabled" stickers on them, to be placed next to all the other warnings (intel inside, genuine vista etc)

We bought a laptop at a

We bought a laptop at a garage sale... how do we make sure it's not stolen? If lo jack is attached the last thing I want is the police showing up at my door! Who wants anything like that. I know that I can not replace the hard drive. I believe the computer is wireless capable. I am not talented to know anything about all the programming you guys are talking about. The computer is a Toshiba Satellite... Windows Vista... any suggestions?

computrace is installed on

computrace is installed on the bios, not on the hard drive. If you are smart enough you should know this. You can change your hard drive a hundred times but computrace is still going to be there. The only way to uninstall it is to uninstall the bios completely and reinstall a new one.

Just don't connect to the

Just don't connect to the internet with it till you know if lojack is installed or not.

There's nothing illegal

There's nothing illegal about removing software from a laptop which you own.

if you own it, call absolute

if you own it, call absolute and have them take it off.

There is very easy way to

There is a very easy way to disable computrace lojack:
download the dst-cd and boot your laptops with it. then change or remove the service tag and voila the bios configure password (which I think you are talking about) is gone. reboot and see for the bios settings are free to change. remember you should put in your correct service tag again to avoid warranty problems.

here you find the dst-cd iso:

http://www.download.centre4service.com/software1.html

password: smellyalater

I've deleted the service tag

I've deleted the service tag and entered a new one, but the option to disable Computrace is still grayed out. Any ideas?

the link is not working. do

the link is not working. do you still have that iso file?

Link doesn't work!

Link doesn't work!

Hello, It appears this link

Hello,

It appears this link no longer works. Does anyone have any idea as to how to get the file (dst iso)?

Worked perfect. Thank you.

Worked perfect. Thank you.

What can I say. I unplugged

What can I say. I unplugged the bios battery expecting a bios free of all information. Now the damn thing won't reboot. What can be done to get it to register / boot?

Good job. Removing a lojack

Good job. Removing a lojack bios pretty much hoses the PC.

remove service tag?

remove service tag?

Hi all, thank you so much

Hi all, thank you so much for the info, it works for Phoenix BIOS. Get Phoenix BIOS Editor and WinHex, open the bios file with Phoenix BIOS Editor, go to C:\program files\phoenix bios editor\temp (this is where the bios is decompressed by Phoenix BIOS Editor), use WinHex to remove computrace (optromg.rom), save the modded bios and use it to flash the PC bios. Worked great. It seems that optromg.rom creates or writes to rpcnetp.exe & rpcnetp.dll when the system boots, then loads the rpcnet process. This is a quick overview of how I did it. Please don't ask where to get these programs; if you don't know then you should not play with your bios, as you may damage your PC beyond your ability to repair it.
What man makes, man can undo.
Branbo

would these programs work

would these programs work for a dell d630.. it's running bios ver a02 now. btw it came with a13, i flashed it to a10, a04, a02 and computrace is still on and active and can't be deactivated....

    what bios editor would i use for dell's bios?

apparently computrace embeds itself in a bios sector that the rest doesn't use when flashed.

so far i deleted all 4 of those files in the system32 folder... but after restart only 2 came back, just rpcnetp.exe and the dll.
what i did was boot to safe mode (hold f8 at startup) and changed the security properties of those 2 files to not be used by any user by checking all the deny checkboxes. so as long as you don't delete these files, they won't run. if you do delete them, after you restart the computrace in bios will recreate the same file again and those permission settings will be lost, allowing it to work again.
also just to be safe, restart and check for rpcnetp.exe in task manager. if you're really worried disable/stop the service in msconfig and services console.

but i still want to know how to remove this computrace from the dell bios. someone please help. also if it was locked on from the get go, does that mean it's truly active? i used this via tethering it to my phone to get online and i'm wondering if the police are gonna be knocking at my door. unless the prev owner didn't report it ever and it's still active... who knows. please help.

Hi there! I'm also trying

Hi there!

I'm also trying to get rid of the computrace trojan. I have a Lenovo 3000 C200
laptop, and I've opened the bios (DL00206A.WPH) with Phoenix Bios Editor.

I get all these files at c:\program files\phoenix bios editor\temp:

MODULE NAME C I B START END SIZE LINK1 LINK2
------------ - -- - -------- -------- ----- -------- --------
BB.MOD I 0 0 FFFF8000 FFFFFFFF 08000
ROMEXEC0.MOD X 0 0 FFFE95B7 FFFEFFEF 06A39 FFFE8A4A
DISPLAY0.MOD D 0 0 FFFE8A4A FFFE95B6 00B6D FFFE85FF
DECOMPC0.MOD G 0 0 FFFE85FF FFFE8A49 0044B FFFE6744
ACPI0.MOD A 0 0 FFFE6744 FFFE85FE 01EBB FFFE66CB
ACPI1.MOD A 1 0 FFFE66CB FFFE6743 00079 FFFE6651
ACPI2.MOD A 2 0 FFFE6651 FFFE66CA 0007A FFFE65E2
ACPI3.MOD A 3 0 FFFE65E2 FFFE6650 0006F FFFE658F
ACPI4.MOD A 4 0 FFFE658F FFFE65E1 00053 FFFE653D
ACPI5.MOD A 5 0 FFFE653D FFFE658E 00052 FFFE64F3
ACPI6.MOD A 6 0 FFFE64F3 FFFE653C 0004A FFFE5985
LOGO1.MOD L 1 0 FFFE5985 FFFE64F2 00B6E FFFE5942
MOD_2A00.MOD * 0 0 FFFE5942 FFFE5984 00043 FFFE4EA0
BIOSCOD0.MOD B 0 0 FFFE4EA0 FFFE5941 00AA2 FFFE0005 FFF987A6
" . . . FFF987A6 FFF9D852 050AD
ROMEXEC1.MOD X 1 0 FFFE0005 FFFE4E9F 04E9B FFFDC0C3
STRINGS0.MOD S 0 0 FFFDC0C3 FFFDFFFF 03F3D FFFCC2A8
OPROM0.MOD R 0 0 FFFCC2A8 FFFDC0C2 0FE1B FFFC2EAD
OPROM1.MOD R 1 0 FFFC2EAD FFFCC2A7 093FB FFFBCF1C
OPROM2.MOD R 2 0 FFFBCF1C FFFC2EAC 05F91 FFFB9008
SETUP0.MOD E 0 0 FFFB9008 FFFBCF1B 03F14 FFFB56EF
TEMPLAT0.MOD T 0 0 FFFB56EF FFFB9007 03919 FFFAFD34
MISER0.MOD M 0 0 FFFAFD34 FFFB56EE 059BB FFFA8E85
MOD_5100.MOD Q 0 0 FFFA8E85 FFFAFD33 06EAF FFFA4B21
MOD_4800.MOD H 0 0 FFFA4B21 FFFA8E84 04364 FFFA2162
LOGO0.MOD L 0 0 FFFA2162 FFFA4B20 029BF FFF9D853
MOD_4B00.MOD K 0 0 FFF9D853 FFFA2161 0490F FFF90000
BIOSCOD1.MOD B 1 0 FFF90000 FFF987A5 087A6 FFF75E01 FFF7D510
" . . . FFF7D510 FFF7FFFF 02AF0
BIOSCOD2.MOD B 2 0 FFF75E01 FFF7D50F 0770F FFF73D84
BIOSCOD3.MOD B 3 0 FFF73D84 FFF75E00 0207D FFF72942
BIOSCOD4.MOD B 4 0 FFF72942 FFF73D83 01442 FFF70964
BIOSCOD5.MOD B 5 0 FFF70964 FFF72941 01FDE FFF67D4A
BIOSCOD6.MOD B 6 0 FFF67D4A FFF70963 08C1A FFF20000
UPDATE0.MOD C 0 0 FFF20000 FFF2F81A 0F81B FFFFFFF0
-------------------------------------------------------------

There is no optromg.rom, and I've searched inside all the files without
finding any reference to computrace or rpcnetp. I don't know what
the next steps to follow are. Any idea?

Thanks,
The Bald Avenger.

I'd guess it's in one of the

I'd guess it's in one of the OPROMn.MOD files. You may want to download optromg.rom and try to match it or some of it contents with one of the files that you have in your bios. If you find it, tell us which file it is.

First of all, sorry about

First of all, sorry about the long time to answer,
and please excuse my poor English.

Next, I made a mistake, I was looking in a different
rom, not at mine. Mine is DL01108A.WPH, and this time
the computrace file IS there.
It is MOD_5A00.ROM, and it starts
"Uª/ëCompuTrace V80.854°#éeT ]PCIR4"

Now I'm not too sure on how to proceed. I'm working
with Phoenix BIOS Editor Pro, V2.2.0.1.

When I open the bios in the editor, it throws 5
warnings saying: "An unsupported module class '*' was
found at offset XXXXX, do you want to continue?" I
say yes to all, and then the bios is opened. The
computrace rom "MOD_5A00.ROM" is located under the
"Other Module" folder, but when I select it the
buttons "add", "remove" and "change" become
gray and unselectable. I don't know how to
remove the rom, and next how to compile the
bios again. I also don't know if the warnings
I see when opening the bios mean that the editor
cannot load the modules and therefore it won't
be able to compile them later.

I would appreciate any help, thanks.

P.S. Here is the Phoenix Bios Editor and my bios,
and also the computrace rom, it is not identical
to yours, so you may want to add it to the blog.

http://rapidshare.com/files/135261605/Phoenix.Bios.Editor.and.lenovo.bios.rar.html

Greetings from Spain,
The Bald Avenger
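The hex-editor search from the post and the ROM header quoted in the comment above ("Uª" is the byte pair 55 AA, followed by "PCIR") can be automated when auditing a firmware dump. The following Python is an added example, not code from the post or its commenters: it looks for the "computrace" string in a dump or in extracted module files and decodes the legacy option ROM header that encloses it. All function names and the sample image are constructed for illustration.

```python
import re
import sys
from pathlib import Path

ROM_SIG = b"\x55\xaa"                      # legacy option ROM header: "U" then "ª"
MARKER = re.compile(rb"computrace", re.I)  # matches "computrace" and "CompuTrace"


def parse_option_rom(data, off):
    """Decode a legacy PCI option ROM header at `off`; None if it is not one."""
    if data[off:off + 2] != ROM_SIG or off + 0x1A > len(data):
        return None
    size = data[off + 2] * 512             # byte 2: length in 512-byte blocks
    ptr = int.from_bytes(data[off + 0x18:off + 0x1A], "little")
    pcir = data[off + ptr:off + ptr + 4] == b"PCIR"
    return {"offset": off, "size": size, "pcir": pcir}


def find_agent_modules(data, lookback=0x10000):
    """Return every marker hit plus the option ROM, if any, that encloses it.

    Only uncompressed data can match: compressed BIOS modules must first be
    unpacked with the vendor's tooling and the extracted files scanned.
    """
    findings = []
    for m in MARKER.finditer(data):
        hit = {"marker_offset": m.start(), "text": m.group().decode(), "rom": None}
        floor = max(0, m.start() - lookback)
        pos = data.rfind(ROM_SIG, floor, m.start())
        while pos != -1 and hit["rom"] is None:
            rom = parse_option_rom(data, pos)
            if rom and pos + rom["size"] > m.start():
                hit["rom"] = rom           # marker lies inside this ROM's declared length
            pos = data.rfind(ROM_SIG, floor, pos + 1)
        findings.append(hit)
    return findings


def scan_path(path):
    """Scan one firmware dump, or every file under a directory of extracted modules."""
    root = Path(path)
    files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    results = {}
    for f in files:
        hits = find_agent_modules(f.read_bytes())
        if hits:
            results[str(f)] = hits
    return results


def build_sample_image(base=0x3000):
    """Constructed test data: a 1 KiB option ROM surrounded by 0xFF padding."""
    rom = bytearray(1024)
    rom[0:4] = b"\x55\xaa\x02\xeb"         # signature, 2 x 512 bytes, short jump opcode
    rom[5:23] = b"CompuTrace V80.854"      # version string as quoted in the comment
    rom[0x18:0x1A] = (0x20).to_bytes(2, "little")   # pointer to the PCI data structure
    rom[0x20:0x24] = b"PCIR"
    return b"\xff" * base + bytes(rom) + b"\xff" * 0x1000


if __name__ == "__main__":
    found = scan_path(sys.argv[1]) if len(sys.argv) > 1 else {
        "<constructed sample>": find_agent_modules(build_sample_image())}
    for name, hits in found.items():
        for h in hits:
            print(name, hex(h["marker_offset"]), h["text"], h["rom"])
```

Run it with a path to a BIOS dump or to the directory a BIOS editor unpacked the modules into; with no argument it scans the constructed sample.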

Hi there! I'm also trying to

Hi there! I'm also trying to remove the computrace trojan from my Lenovo 3000 C200 bios,
but I cannot go very far.

I open the bios (DL00206A.WPH) with Phoenix Bios Editor and I get all these files at
C:\program files\phoenix bios editor\temp:

MODULE NAME C I B START END SIZE LINK1 LINK2
------------ - -- - -------- -------- ----- -------- --------
BB.MOD I 0 0 FFFF8000 FFFFFFFF 08000
ROMEXEC0.MOD X 0 0 FFFE95B7 FFFEFFEF 06A39 FFFE8A4A
DISPLAY0.MOD D 0 0 FFFE8A4A FFFE95B6 00B6D FFFE85FF
DECOMPC0.MOD G 0 0 FFFE85FF FFFE8A49 0044B FFFE6744
ACPI0.MOD A 0 0 FFFE6744 FFFE85FE 01EBB FFFE66CB
ACPI1.MOD A 1 0 FFFE66CB FFFE6743 00079 FFFE6651
ACPI2.MOD A 2 0 FFFE6651 FFFE66CA 0007A FFFE65E2
ACPI3.MOD A 3 0 FFFE65E2 FFFE6650 0006F FFFE658F
ACPI4.MOD A 4 0 FFFE658F FFFE65E1 00053 FFFE653D
ACPI5.MOD A 5 0 FFFE653D FFFE658E 00052 FFFE64F3
ACPI6.MOD A 6 0 FFFE64F3 FFFE653C 0004A FFFE5985
LOGO1.MOD L 1 0 FFFE5985 FFFE64F2 00B6E FFFE5942
MOD_2A00.MOD * 0 0 FFFE5942 FFFE5984 00043 FFFE4EA0
BIOSCOD0.MOD B 0 0 FFFE4EA0 FFFE5941 00AA2 FFFE0005 FFF987A6
" . . . FFF987A6 FFF9D852 050AD
ROMEXEC1.MOD X 1 0 FFFE0005 FFFE4E9F 04E9B FFFDC0C3
STRINGS0.MOD S 0 0 FFFDC0C3 FFFDFFFF 03F3D FFFCC2A8
OPROM0.MOD R 0 0 FFFCC2A8 FFFDC0C2 0FE1B FFFC2EAD
OPROM1.MOD R 1 0 FFFC2EAD FFFCC2A7 093FB FFFBCF1C
OPROM2.MOD R 2 0 FFFBCF1C FFFC2EAC 05F91 FFFB9008
SETUP0.MOD E 0 0 FFFB9008 FFFBCF1B 03F14 FFFB56EF
TEMPLAT0.MOD T 0 0 FFFB56EF FFFB9007 03919 FFFAFD34
MISER0.MOD M 0 0 FFFAFD34 FFFB56EE 059BB FFFA8E85
MOD_5100.MOD Q 0 0 FFFA8E85 FFFAFD33 06EAF FFFA4B21
MOD_4800.MOD H 0 0 FFFA4B21 FFFA8E84 04364 FFFA2162
LOGO0.MOD L 0 0 FFFA2162 FFFA4B20 029BF FFF9D853
MOD_4B00.MOD K 0 0 FFF9D853 FFFA2161 0490F FFF90000
BIOSCOD1.MOD B 1 0 FFF90000 FFF987A5 087A6 FFF75E01 FFF7D510
" . . . FFF7D510 FFF7FFFF 02AF0
BIOSCOD2.MOD B 2 0 FFF75E01 FFF7D50F 0770F FFF73D84
BIOSCOD3.MOD B 3 0 FFF73D84 FFF75E00 0207D FFF72942
BIOSCOD4.MOD B 4 0 FFF72942 FFF73D83 01442 FFF70964
BIOSCOD5.MOD B 5 0 FFF70964 FFF72941 01FDE FFF67D4A
BIOSCOD6.MOD B 6 0 FFF67D4A FFF70963 08C1A FFF20000
UPDATE0.MOD C 0 0 FFF20000 FFF2F81A 0F81B FFFFFFF0

But I don't know what step follows... I cannot find what file contains the
computrace trojan, and no idea about how to remove it. Could you give
me a little help to do this, please?

Thanks in advance.

ok, i've got a dell latitude

ok, i've got a dell latitude with the same problem. I love hacking... so let's do it. Anyone know where to start with a latitude? To rid me of this program.

hi, i got a latitude d531,

hi, i got a latitude d531, tell me the tips to hack it. i feedback you.

Lojack is reloaded from the

Lojack is reloaded from the BIOS. Unless you want to hack your BIOS, it can't be removed. However, it can be easily deactivated.
You can, obviously, load BSD or Linux : ) and make this problem go away, since the program can't execute.

However, will assume you want to keep your WinXP running. There are 4 files associated with Lojack: rpcnet.exe, rpcnet.dll, rpcnetp.exe and rpcnetp.dll. All are located in the \windows\system32 folder. If you delete the files, they will be recreated with the next boot from the BIOS. However, you replace each with a 0 byte file (right click --> New --> text document) and make it read-only. (Can also use any current Linux Live CD) BIOS sees the files exist and it can't replace as windows won't allow it to overwrite a read-only file. If you have admin rights on the box, would also stop the services, as you can generate error messages when Windows tries to start the 0 byte files on boot.

Works like a charm!

lame security that really only works if the user doesn't know it is installed.
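The comment above says deleted agent files are written back on the next boot, while zero-byte read-only placeholders are left alone. One way to verify that on a given machine is to snapshot the four file names before and after a reboot and compare. This is an added example in Python, not part of the original comment; the function names and the JSON baseline file are assumptions made for illustration.

```python
import hashlib
import json
import os
import stat
import sys
from pathlib import Path

# The four file names listed in the thread.
AGENT_FILES = ("rpcnet.exe", "rpcnetp.exe", "rpcnet.dll", "rpcnetp.dll")


def snapshot(system32):
    """Record size, read-only flag and SHA-256 for each agent file name."""
    state = {}
    for name in AGENT_FILES:
        p = Path(system32) / name
        if not p.is_file():
            state[name] = None
            continue
        st = p.stat()
        try:
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
        except PermissionError:            # e.g. read access denied by an ACL
            digest = None
        state[name] = {
            "size": st.st_size,
            "read_only": not (st.st_mode & stat.S_IWRITE),
            "sha256": digest,
        }
    return state


def compare(before, after):
    """Classify each file by what changed between two snapshots."""
    report = {}
    for name in AGENT_FILES:
        b, a = before.get(name), after.get(name)
        if a is None:
            report[name] = "absent"
        elif b is None:
            report[name] = "recreated"         # written back since the baseline
        elif a["sha256"] != b["sha256"]:
            report[name] = "replaced"          # content changed since the baseline
        elif a["size"] == 0:
            report[name] = "placeholder-intact"
        else:
            report[name] = "unchanged"
    return report


if __name__ == "__main__":
    sys32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    now = snapshot(sys32)
    if len(sys.argv) > 1:                      # baseline JSON saved before the reboot
        baseline = json.loads(Path(sys.argv[1]).read_text())
        print(json.dumps(compare(baseline, now), indent=2))
    else:
        print(json.dumps(now, indent=2))       # redirect to a file to keep as baseline
```

Run it once and save the output as the baseline, reboot, then run it again with the baseline file as the argument.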

Seems to have worked!

Seems to have worked! Process is no longer running.

Did this today and worked

Did this today and worked perfectly. Had to "end process" in task manager before i could copy over the files but has worked like a charm.

Sorry but I'm not a computer

Sorry but I'm not a computer expert but what does "so I ran cbrom32_149 gtgn105.bin /D" mean? So I am assuming that cbrom32_149 is the exe to view your BIOS but what is "gtgn105.bin"? I have a Lenovo laptop, how do I find out what kind of BIOS I have? I was running the EXE off the C: drive then opening it through CMD. Do I need to boot on Command Prompt then run it? Please HELP! Thanks!

gtgn105.bin is the bios

gtgn105.bin is the bios file. Either download a copy from your current bios or download an updated copy from your vendor's website. To download from your bios you need a utility that is probably available from your vendor.

Never tried that but it is a

Never tried that but it is a good idea. I was happier hacking it out of the bios but for those of you having trouble this might be a good alternative.

If you're unable to modify

If you're unable to modify your BIOS, an easy way to thwart the process from running is to right click on the files below that you find on your system and deny "Read & Execute" permissions to the System account, and the service will no longer be able to start because of lack of permissions. Event viewer will show errors that the service couldn't start because access was denied.

rpcnet.exe
rpcnetp.exe
rpcnet.dll
rpcnetp.dll

every time i have tried to

every time i have tried to make rpcnet.exe as read only when i restart my system it is not read only and rpcnet is still running in the task manager....this really ticks me off they put this on my computer without my choice during the purchase process

Can changing these (.exe &

Can changing these (.exe & .dll) files work on a laptop that has windows vista home premium edition?

This seams to have done the

This seems to have done the trick. I basically searched the C drive for rpc*, right clicked on each of the four files, selected properties and set each one as read only. Then I powered off the laptop and powered back on. I do see the error for the Service in event viewer under system and also noticed in event viewer under security that there is a failure for the user "NT Authority\Network service" Category= Policy Change related to IPSec Services, which I believe to be a part of the background process.

Also I do not see the rpc process in task manager.

I do have two Q.
1. Does anyone know what the application RPCNETP.exe-xxxxxxx.PF is? (x = a mix of 8 numbers and letters) It's located in c:\windows\prefetch
This file cannot be set as Read only, access is denied.
2. Where can I get a key board connector for a Dell inspiron 1520 laptop? Keyboard to motherboard.

DST - resets computrace to

DST - resets computrace to default - lets you choose to enable(re-enable) deactivate or disable.
- next the service tag is set to blank. and you can make it whatever you want
that's all...
takes under 5 min

First look for processes

First look for processes that are running that you don't know what they are. Second, look at outgoing packets with minimal processes running with something like wireshark. You'll be able to see it calling home.

i dont understand... most

i don't understand...
most articles say it's undetectable.
I am sure you got it in your pc
any idea what HP might use and
do all HPs have this?

what's the best way if i have this on my
pc too? Of course i check out services
and it says something like RPCss and
RPClocator...
same thing with a different name?

They don't say it's

They don't say it's undetectable. They say it's "un-removable". I prove them wrong here. Read my article and see if your hp shows the same signs.

So, here's a question. Does

So, here's a question. Does it even matter if you're going to run with Linux on the laptop anyway?

I have never tried it but my

I have never tried it but my guess is that there is not any code in the bios that will execute on a linux system.

Is possible this service was

Is it possible this service was included in the bundle that you purchased? Since computrace can recover your laptop when it's stolen, why would you want to turn it off? Their website says it requires almost no bandwidth or cpu to run.

Brian

Sure it was included

Sure it was included but...

1. I didn't ask for it.
2. I didn't like it.
3. It only works if you pay them for a subscription.

Just replace the hard drive

Just replace the hard drive

The bios will just copy

The bios will just copy rpcnet.exe right back to the new drive.

Can you recommend a good

Can you recommend a good program to verify the integrity of the BIOS after its been modified?

Nope... You are on your own

Nope... You are on your own with that. I just took my chances!

Just a point and a

Just a point and a question:

Why did you delete rpcnet along with rpcnetp? On my computer, rpcnet can be disabled in the services, and does not start up if you tell it not to.

However, rpcnetp is a different story and will not go away or stop when you tell it to. Two different things. Had no problems with rpcnet, only rpcnetp.

By the way, you can also delete it in the registry at Local Machine--->Services--->ControlSet001--->Services.

rpcnet.exe is a computrace

rpcnet.exe is a computrace program and it should be removed along with rpcnetp.exe. If you have lojack installed you can see rpcnet.exe running in task manager.

No, Cbrom does not work with

No, Cbrom does not work with Phoenix BIOS.

Here's something I found in

Here's something I found in just minutes with Google...

http://www.biosrepair.com/biosfiles/Phoenix%20BIOS%20Editor.rar

I don't have a phoenix bios to try it on though.

That is a junk file from a

That is a junk file from a junk site.

I found a copy of Phoenix BIOS editor Pro but when I tried to use it to open my .ROM it gave me the error "Wrong BCPSYS version!"

I have no idea what that means.