Computrace Rootkit: What to do if you are locked

Ok, so there is this client of mine who brought me a laptop to fix. According to him, he was a call center agent and his company issued a laptop to him; when he got fired, he refused to give the laptop back to the company, thinking it was his to keep because he was fired, and maybe thinking it was unfair to him.

So the IT of their company locked the laptop, and whatever he does, the lock keeps bugging him. He reformatted the drive and installed a new operating system, but to no avail.

Computrace

What is Computrace?
Computrace is anti-theft security software developed by Absolute Software as part of the MCLA's Laptop Initiative. It is built into the BIOS of the laptops that were purchased, and in the event of loss the organization's IT can track the stolen laptop, lock it, delete sensitive information, or order it to brick itself (become totally unusable). It is a very persistent rootkit: reformatting the drive or flashing the BIOS won't make the lock go away, and every time the device is connected to the internet it sends a query to the server and does whatever the server instructs it to do (according to the device administrator's will).

What to do when locked out?

If you own the laptop and you are locked out, you can call Computrace technical support to help you unlock it and disable the Computrace software from their server. Just make sure to obtain a support ticket from the technical representative you talked to; otherwise, you might need to call them back again. That will stop your laptop from calling your home phone or your office phone (whichever) every time you open your laptop.

What if you purchased a secondhand laptop from a surplus store with Computrace enabled? Well, that's where the big problem starts.

Computrace works like this: when you turn on your device, it sends a query to the Computrace server and waits for the server's reply. If the server replies OK, it will not lock you out; otherwise, you may be locked out, all your data may be deleted, or, worse, your laptop may stop working entirely and permanently, depending on the command set sent from the server.

The only way to stop Computrace from locking you out (if it is enabled and you do not have access to technical support, for example because you are not the original owner of the laptop) is to prevent the device from sending data to or receiving data from any of the Computrace servers.

Luckily, there is one solution. Follow the steps below:
  1. Reformat your computer and reinstall your operating system offline. Do not connect to the internet.
  2. Open the registry editor and locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. Back up the BootExecute key value (autocheck autochk * by default) before deleting it, to stop Computrace from being launched upon system startup.
  3. If the rpcnet.exe, rpcnetp.exe, rpcnet.dll, and rpcnetp.dll files exist in the System32 directory of the Windows system, terminate the related processes and delete these files. Remember not to restart the system at this time.
  4. Create the above four files with empty contents in the System32 directory. Perform the following steps for each file: right-click the file and select Properties to open the Properties page. Then click the Security tab and set Permissions for each user or group (including SYSTEM) to Deny Full control.
  5. If you want to retain the factory BIOS settings and the related Windows files and configurations, you need to edit the “hosts” file in the C:\Windows\System32\drivers\etc directory to deny access to certain domain names by adding the following lines and saving it:
    • 0.0.1 search.namequery.com
    • 0.0.1 search2.namequery.com
    • 0.0.1 search64.namequery.com
    • 0.0.1 search.us.namequery.com
    • 0.0.1 bh.namequery.com
    • 0.0.1 namequery.nettrace.co.za
    • 0.0.1 m229.absolute.com
    At the same time, configure the firewall to block access from rpcnet.exe and rpcnetp.exe.
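From the other side of the fence: an administrator who gets a machine back and wants to know whether the agent was neutered in the way the steps above describe can check for the three traces they leave. The following audit routine is an added example, not code from the post or from Absolute Software; it runs on artifacts already copied off the machine (the text of the hosts file, a {filename: size} map of the rpcnet* files found in System32, and the BootExecute registry value as a string, or None if the value was deleted), and the sample inputs are constructed.

```python
from ipaddress import ip_address
# Call-home hostnames listed in the post above.
COMPUTRACE_HOSTS = {
    "search.namequery.com", "search2.namequery.com", "search64.namequery.com",
    "search.us.namequery.com", "bh.namequery.com",
    "namequery.nettrace.co.za", "m229.absolute.com",
}
# Agent files the recipe replaces with empty, access-denied placeholders.
AGENT_FILES = ("rpcnet.exe", "rpcnetp.exe", "rpcnet.dll", "rpcnetp.dll")
# Default Session Manager BootExecute value the recipe deletes.
EXPECTED_BOOTEXECUTE = "autocheck autochk *"

def parse_hosts(text):
    """Map hostname -> address for every active line of a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            addr, *names = line.split()
            for name in names:
                mapping[name.lower()] = addr
    return mapping

def is_sinkhole(addr):
    """True if addr can never reach a real server (loopback, 0.0.0.0, unparseable)."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_unspecified

def audit(hosts_text, system32_sizes, boot_execute):
    """Return findings for the three tampering signs; an untouched machine yields []."""
    findings = []
    for name, addr in parse_hosts(hosts_text).items():
        if name in COMPUTRACE_HOSTS and is_sinkhole(addr):
            findings.append(f"hosts sinkholes {name} -> {addr}")
    for fname in AGENT_FILES:
        if system32_sizes.get(fname) == 0:  # zero-byte file where the agent should be
            findings.append(f"{fname} is an empty placeholder")
    if boot_execute is None or EXPECTED_BOOTEXECUTE not in boot_execute:
        findings.append("BootExecute no longer contains 'autocheck autochk *'")
    return findings
# Constructed sample artifacts, as if pulled from a machine that went through the recipe.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
0.0.0.0 search.namequery.com search2.namequery.com  # added later
127.0.0.1 m229.absolute.com
"""
SAMPLE_SIZES = {"rpcnet.exe": 0, "rpcnetp.exe": 0, "rpcnet.dll": 0, "rpcnetp.dll": 0}
```

Calling audit(SAMPLE_HOSTS, SAMPLE_SIZES, None) reports the three sinkholed hosts, the four empty placeholder files and the missing BootExecute value; a clean machine returns an empty list.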

