The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Spyware embedded in MBR on ALL Gateway P-series laptop

    Discussion in 'Gateway and eMachines' started by Alarchy, Mar 14, 2008.

  1. Alarchy

    Alarchy Notebook Enthusiast

    Not that this is necessarily a bad thing, but LoJack (by Absolute Software) is confirmed to be stealth installed on every Gateway P-Series laptop (just got off the phone with corporate support).

    The problem is, you aren't given an account. So basically, every time your computer connects to the internet you are sending an IP address and location code to Absolute Software on behalf of Gateway's corporate account.

    Tinfoil hat time, I know, but I really didn't like the thought of being tracked on my laptop - so I had to call Absolute Software's corporate support, give them my serial number, then they confirmed that I was the owner of the laptop and later tonight they will assist me in removing the files online.

    Why is this such an issue? You can't get rid of it by yourself. It's embedded in the Master Boot Record, so even a repartition or format cannot clean it.

    If you don't believe me, go to C:\Windows\System32 and look for rpcnet.exe, rpcnet.dll and then right click on them to view properties. It should say "Remote Procedure Call (RPCNET) Locator" and be licensed under Absolute Software.

    It will also be running in the background on your PC. It will also be set to start the service on startup (confirm via MSCONFIG).

    It's kinda scary. Absolute Software said most of the big vendors stealth install LoJack on new laptops (and even some desktops)...

    Anyway, their support number is 1-888-999-9857 if you want to get it uninstalled.


    Still like my P6831FX though :p
     
  2. flamarc

    flamarc Notebook Consultant



    I was not aware of this, and I did a complete reformat and repartitioning of my hard drive after I purchased it, and I found both of those files on my computer that you mentioned. That is unbelievable. Now, couldn't we get the LoJack service activated if we wanted to? I probably would not be interested in using it myself, but I was just curious. Also, what else have they embedded on our machines?

    Wow
     
  3. Alarchy

    Alarchy Notebook Enthusiast

    I asked the support dude whether I could activate an account or get account information to use this, figuring hey - at least if it gets stolen I could use this - but he kinda just ignored it and told me to uninstall LoJack when I got home.

    I almost wonder if this is unlicensed and breaking some terms of use or something...
     
  4. Shimon

    Shimon Notebook Geek

    Well, just make sure that you scan for viruses like this. ;)
     
  5. brianstretch

    brianstretch Notebook Virtuoso

    Shouldn't fixmbr be able to take care of this?

    Gateway's failure to mention their Lojack preinstall is double plus ungood.
     
  6. Alarchy

    Alarchy Notebook Enthusiast

    It may work, but as I was doing some research around the 'Net, people had mentioned messing with LoJack could force a hard drive wipe...so I don't want to take chances :p
     
  7. Alarchy

    Alarchy Notebook Enthusiast

  8. iclicku

    iclicku Notebook Evangelist

    Thanks for the information. I'm wondering if embedded software is affecting performance of the machine. If so, is it easy to remove? I'm thinking of calling them up also but don't have a lot of time to wait on hold with corporate offices.
     
  9. Alarchy

    Alarchy Notebook Enthusiast

    I didn't have to wait on hold very long, and they're open until 6PST so it shouldn't be too bad to call em - otherwise there's no real way to clean it off without apparently messing with your BIOS rom and MBR :-0
     
  10. brianstretch

    brianstretch Notebook Virtuoso

    Wow. That's impressive. I guess the only safe way to fix this is to run Linux :D.
     
  11. narsnail

    narsnail Notebook Prophet

    Wow, why would they do that? I don't really get it, lol.
     
  12. Alarchy

    Alarchy Notebook Enthusiast

    Hackintosh? :D
     
  13. Alarchy

    Alarchy Notebook Enthusiast


    I dunno, maybe they're tracking us for nefarious purposes!

    I don't want anyone knowing I play Crysis on the john!
     
  14. iclicku

    iclicku Notebook Evangelist

    Yeah, just got off phone with Techsupport. Didn't wait at all. Thing is they told me to e-mail them with my serial number in order to facilitate an uninstall of the software. Hopefully they get back to me. I'll let you guys know how it turns out.
     
  15. Alarchy

    Alarchy Notebook Enthusiast

    Looking at that website post, it looks like Absolute Software communicates with the rpcnet.exe running and uninstalls it from their end.

    That's just crazy though that such a thing would be embedded so freaking deep in the laptop. This is just as bad as finding an RFID chip in your car or something...yikes.

    another disturbing one:

    Yikes
     
  16. Snowsurfer

    Snowsurfer Rocky Mtn High

    Lojack is on there just like Netzero and others that hope you will buy their products, should be an icon on your desktop to purchase it. It's not spyware, they can't track you unless you download more ware and send them the serial #, then they communicate back and forth with your computer to make sure it works properly. Then if your laptop is stolen, call them and the next time the computer accesses the internet they can get a location and recover it. A lot of companies use it, and it works well, I've used it and recommend it, and no it won't slow your game of Crysis. Man some of you guys are so paranoid. There isn't any GPS tracking like the car version. If you need something to worry about here you go http://forums.vr-zone.com/showthread.php?t=249016
     
  17. Alarchy

    Alarchy Notebook Enthusiast

    Strangely, I never even knew this was on my Laptop until I installed a fresh copy of Windows.

    Unfortunately, contrary to what you mentioned - the tech had reported that my computer was sending in reports EVEN THOUGH I never purchased the software/license or whatever. He even mentioned the name of the CO that I connect to. Besides that, my router is reporting traffic from rpcnet.exe...

    Sooo, they ARE collecting your IP and location information - even without you buying the service. And, unfortunately, there was never any Uninstall option - regardless, it's hard coded into your BIOS to re-spawn on boot.
     
  18. hydra

    hydra Breaks Laptops

    ..and you could try blocking with a firewall like ZoneAlarm to lock down all outgoing ports. I'm not worried, no bank accounts on mine or any state secrets.
     
  19. Snowsurfer

    Snowsurfer Rocky Mtn High

    I highly doubt that, sure after you gave him your serial# and connected to your machine he could id you and you would have traffic, and your second post acts like the tech was trying to be deceptive, I think you're just trying to stir people up.
     
  20. flamarc

    flamarc Notebook Consultant


    Hey that's an interesting article. I was not aware of digital viruses. I guess we can not trust nearly anyone or any company anymore.
     
  21. Alarchy

    Alarchy Notebook Enthusiast

    Well, I don't really have any motivation to stir people up.

    After I gave the tech my Serial number, he informed me that my machine "has been" reporting to them (indicating more than just once). I don't really see what I have to gain from lying about that, but if you want to think I'm just deceiving people...so be it.

    Looking forward to getting this crud cleaned off now that work is done.
     
  22. jujuk8

    jujuk8 Notebook Consultant

    woah woah everyone slow down.

    So the spark notes:
    Gateway installed LoJack onto the bios and didn't tell anyone.

    Every time we connect to the internet, we be being tracked by our EVERY move.

    Call tech support to get it uninstalled.
     
  23. DRevan

    DRevan Notebook Virtuoso

    Hi!
    I just noticed this thread...
    1) exactly what is LoJack ? Is there any way we could check what did LoJack send about us? If I checked right, LoJack helps the police to find stolen cars or laptops...then why are you worried? If I understand right, it was NOT designed to SEND personal information (account names, pin codes, etc), since with this they would break the law. Since this is on OUR laptop, any way WE could use it? Personally I would be happy to know if my laptop is stolen I can find it easily. In short isn't it ONLY for to locate where is a laptop?

    2) A forum member (crpngdth2001) already succeeded to edit the BIOS and get the NVidia BIOS out from it...wouldn't be possible to just edit the BIOS again and CUT OUT LoJack from it? Hope crpngdth2001 will check this thread :)

    3) this software works in the U.S. only or it's global? Because I'm not in the U.S. nor Canada :D

    Btw, if I understand right, if the software is integrated in the BIOS, then calling Gateway is not 100% good enough, because they WON'T UNINSTALL the software, they only delete you from their account. "Like my grandmom use to say, if you want to pull out a weed, pull its roots too." :) Waiting for ideas how to get it out completely from the BIOS.
     
  24. iclicku

    iclicku Notebook Evangelist

    Well Drevan, all I can answer is your first question. I'll let the other guys tackle the tough stuff. Lojack is a program that you install on your computer so that if someone steals your computer, they'll have a chance of tracking it down if they connect to the internet again. They basically track your S/N over the net every time you sign on. However, we aren't signed up for this service so even if we did get our laptop stolen, I doubt Lojack would be nice enough to track it down for us for free.

    I called techsupport yesterday and sent them an email, but they haven't gotten back to me. I'll probably call them again on Monday if I don't hear anything. I just want this crap off my computer.
     
  25. MLyn

    MLyn Newbie

    Saw that this Gateway laptop below was being presented on HSN last night when channel surfing, not an FX version. Today went to HSN to check the specs and found a reference to LoJack "LoJack for Laptops BIOS Hardware Persistence Agent (subscription required to activate)" under Pre-Installed Software, not a big secret there, but not mentioned at Gateway web site that I've found so far. I do think they should at least inform customers. I am gathering from the comments so far that it doesn't show in Start Up unless activated??? Can't check my own since haven't received my laptop yet.

    Gateway 17" Dual Core, 2GB RAM, 250GB HDD Laptop with MS Home Office Item: 316-541

    If I were still traveling like I used to, I might very well activate this product. Thank you for bringing this to my attention.
     
  26. ZoMBiE

    ZoMBiE Notebook Enthusiast

    Actually, I think even dell has something like this installed in the bios, but I don't see what the big deal is, just turn it off. Go into the bios, make sure whatever you don't want on is turned off, go into your services and shut down anything you don't want running in the background (that rpc locator) then go into config and stop it from starting automatically. If you don't see it running in the task manager's list of processes, you should be fine.
     
  27. bob1029384

    bob1029384 Notebook Enthusiast

    This is relatively easy to break with the windows hosts file... all you need to do is add the line:

    127.0.0.1 search.namequery.com

    And you are 100% invisible. It's really sad that they made it this easy... but there it is. I think they need to use the pxe boot rom as part of their communications method, because it would be 100x harder to crack.
     
  28. ZoMBiE

    ZoMBiE Notebook Enthusiast

    That's a fine method bob, but one would have to be sure that they're only using that domain. If they had another one that they communicate with, that would be left unprotected/ unblocked. If someone could find every domain associated with them, that would help, and then also just make sure it's not running in the background processes, just in case. Anyway, I would much rather stop it at the source than try to just find out each and every communication route it's using and stop them individually.

    And about that boot rom, that's going to suck when we see that more often, when more companies (i.e. maybe even advertising companies) load their software and ads in the bios and post, and integrate into the boot rom of computers :/
     
  29. bob1029384

    bob1029384 Notebook Enthusiast

    The thing is the program uses the domain name in case their ip address changes. If you disassemble the bios rom and the exe/dll files, you will find the host name in there, and nothing else. I did an ethereal packet sniff on my laptop's ethernet for a good 2 hours, and when it finally did call home, it did a dns request before sending the data, not a direct tcpip session. Blocking the host name is more than sufficient.

    After editing the files and sniffing packets, there wasn't a peep out of the laptop (same conditions as before). I considered the possibility that if it couldn't establish a connection that it would try a different ip address or host, but it did not.
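
    The DNS lookup described in the post above is also a way to spot machines running the agent from the network side. The following is an added example, not part of any post in this thread: it parses raw DNS query payloads and flags lookups of the host name quoted in the thread. The sample packets and source addresses are constructed, and the function names are assumptions of this example.

```python
import struct

# Host name quoted in the thread as the agent's call-home name.
WATCHLIST = {"search.namequery.com"}

def read_name(msg, offset):
    """Decode a DNS name at offset; return (name, offset just past it)."""
    labels, hops, resume = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = offset + 2            # parsing continues after the pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:                      # guard against pointer loops
                raise ValueError("pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:                        # root label ends the name
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (resume if resume is not None else offset)

def queried_names(msg):
    """Names in the question section of a DNS query (responses return [])."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000:                         # QR bit set: this is a response
        return []
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):              # QTYPE and QCLASS must follow
            raise ValueError("truncated question")
        offset += 4
        names.append(name)
    return names

def flag_lookups(packets):
    """packets: iterable of (source_ip, udp_payload); returns watchlist hits."""
    hits = []
    for src, payload in packets:
        try:
            names = queried_names(payload)
        except ValueError:
            continue                           # not parseable as DNS, skip
        hits += [(src, n) for n in names if n in WATCHLIST]
    return hits

def build_query(name, flags=0x0100, txid=0x1234):
    """Build a one-question A/IN DNS message (used only for the sample data)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed sample traffic: (source address, UDP payload sent to port 53).
SAMPLE = [
    ("192.168.1.23", build_query("Search.NameQuery.com")),           # mixed case
    ("192.168.1.23", build_query("example.org")),
    ("192.168.1.40", b"\x00\x01"),                                   # malformed
    ("192.168.1.1", build_query("search.namequery.com", 0x8180)),    # a response
]

if __name__ == "__main__":
    for src, name in flag_lookups(SAMPLE):
        print(f"{src} looked up {name}")
```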
     
  30. Alarchy

    Alarchy Notebook Enthusiast

    Good to know, thanks.
     
  31. crpngdth2001

    crpngdth2001 Notebook Consultant

    Found the module in the BIOS, the Lojack code is in the MOD_4A00.ROM within the BIOS. Trying to determine if the module has any other useful functionality before I replace it with a padded empty file and recompile the BIOS.
     
  32. justified

    justified Notebook Enthusiast

    Hey, crpngdth2001, since you are taking a look in there already, do you have any guess as to what token(s) I need to change to enable VT(Intel Virtualization) I have a T8100 cpu in my laptop but it seems it is disabled in the bios. I used symcmos to grab the current tokens/values in my bios currently. See attached.

    Btw, this is for a P-6831FX
     


  33. crpngdth2001

    crpngdth2001 Notebook Consultant

    Well, it seems like that is all that is in the module. Attached is a patched BIOS with the Lojack module replaced with a padded file to the original length.

    I suggest someone with a USB Floppy that can do the 'Crisis Recovery' try this first, as it is untested. I am not going to try it until I get a USB floppy.

    You will have to flash the BIOS, reboot PC, kill rpcnet.exe, delete rpcnet.exe, rpcnetp.exe, rpcnet.dll, and rpcnetp.dll. Disable rpcnet.exe service. Reboot.

    Once you reboot, the files should still be gone and the processes disabled.

    REMEMBER, UNTESTED, TRY AT YOUR OWN RISK!!!!!

    http://rapidshare.com/files/100316617/P6831FX_NOLOJACK.ROM
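
    Several posts in this thread report that the four agent files come back after a format or reinstall, and the post above expects them to stay gone once the firmware module is removed. The following is an added example, not part of any post here and not crpngdth2001's code: it records which of those files exist right after deletion and, run again after the reboot, reports any that were re-created during boot. The function names and the state-file argument are assumptions of this example.

```python
import hashlib
import json
import os
import sys

# File names the thread lists for the agent's Windows components.
AGENT_FILES = ("rpcnet.exe", "rpcnetp.exe", "rpcnet.dll", "rpcnetp.dll")

def snapshot(system_dir):
    """Return {agent file name: SHA-256} for agent files present in system_dir."""
    # Windows file names are case-insensitive, so match on lower case.
    on_disk = {entry.lower(): entry for entry in os.listdir(system_dir)}
    found = {}
    for name in AGENT_FILES:
        real = on_disk.get(name)
        if real is None:
            continue
        path = os.path.join(system_dir, real)
        if not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        found[name] = digest.hexdigest()
    return found

def classify(after_delete, after_reboot):
    """Compare the snapshot taken after deletion with the one taken after reboot."""
    report = {}
    for name in AGENT_FILES:
        was, now = name in after_delete, name in after_reboot
        if now and not was:
            report[name] = "respawned"          # re-created during boot
        elif now and was:
            report[name] = "never deleted"
        elif was:
            report[name] = "removed since first snapshot"
        else:
            report[name] = "absent"
    return report

def persistence_suspected(report):
    """True if any agent file reappeared between the two snapshots."""
    return any(state == "respawned" for state in report.values())

if __name__ == "__main__":
    # First run (after deleting the files) records a snapshot in state_file;
    # the second run (after the reboot) compares against it.
    system_dir, state_file = sys.argv[1], sys.argv[2]
    current = snapshot(system_dir)
    if not os.path.exists(state_file):
        with open(state_file, "w") as fh:
            json.dump(current, fh)
        print("snapshot saved:", sorted(current))
    else:
        with open(state_file) as fh:
            report = classify(json.load(fh), current)
        print(json.dumps(report, indent=2))
        print("persistence suspected:", persistence_suspected(report))
```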
     
  34. zergslayer69

    zergslayer69 Liquid Hz

    Aside from this lojack tracking where our laptops go, does it track anything else such as what we do with our computers, what sites we visit, what files we download, etc? If it doesn't have the capability to monitor our daily usage, I don't think this is too important unless you're some undercover agent for an organization...which wouldn't require a gaming laptop.
     
  35. DRevan

    DRevan Notebook Virtuoso

    Anyone tried this yet? Does it work?
     
  36. coolest35

    coolest35 Notebook Consultant

    Well, some people are kinda paranoid.. so I guess it's for them..
     
  37. zergslayer69

    zergslayer69 Liquid Hz

    In that case, it doesn't seem to be much of an issue then. As long as activity inside the laptop is not being monitored there really is no reason to worry.
     
  38. Fragster

    Fragster Notebook Consultant

    U mean as long as the government doesn't come after all your porn and video torrent downloads, you are fine :D

    Frag
     
  39. zergslayer69

    zergslayer69 Liquid Hz

    Yeap, which the government will not know through the lojack spyware. If they're suspecting you, you're probably using every last bit of your bandwidth uploading and downloading 24/7. In any case, I'd say this lojack thing is just a false alarm. It exists but it doesn't pose the threat that others believe.
     
  40. Greg

    Greg Notebook Nobel Laureate

    When I did a review on this product for NotebookReview, I was given access to all their tracking records available for my laptop. Some of which they would only share with law enforcement if absolutely needed.

    There is no such information...all of it pertains ONLY to location and hardware info about your PC (like serial number and model number that is in most BIOS).

    GW probably uses it mostly as a theft deterrent. They cannot be easily ripped off by customers if this is installed, and if a customer reports it stolen then there might be a chance to get it back.
     
  41. Snowsurfer

    Snowsurfer Rocky Mtn High

    Oh no, there is a van that says Gateway on the side, its been parked outside my house for a week. :eek:
     
  42. predatorramboxxx

    predatorramboxxx Notebook Deity

    Why does anybody care? It's against your 4th amendment rights to use anything against you in court, like it's basically obtained illegally. Ever heard of the exclusionary rule?

    o wait i see a gateway truck in front of my house got to RUN..
     
  43. zergslayer69

    zergslayer69 Liquid Hz

    Yush, there's no worries, in fact I'd keep it in my comp just in case it does get stolen.
     
  44. ryo1000

    ryo1000 Notebook Deity

    lol i got busted for torrenting once, by my internet provider Quest. i'm worried if the same thing will happen to me on this one.
     
  45. mokylim

    mokylim Notebook Evangelist

    LOL...what happened then? Did they report you or anything?
     
  46. zergslayer69

    zergslayer69 Liquid Hz

    Internet service provider actually logs what you download. As far as what I gathered from the first 4 pages, this lojack thing only tracks where your computer physically is.
     
  47. mokylim

    mokylim Notebook Evangelist

    dammit...I guess that's it for my fav p*rn site. LOL :D.
     
  48. zergslayer69

    zergslayer69 Liquid Hz

    Well I don't know the isp called Quest, might be a smaller company, or maybe a big one in another area of the world. But the isp I use is sbcyahoo which is quite big and I doubt they have so much free time to be checking out who is torrenting. And besides, not ALL torrents are illegal. Heck, Blizzard's patch download is through torrenting of sorts.
     
  49. Johnksss

    Johnksss .



    Your bios file is the wrong size, so it can't be flashed right.
    Needs to be 1024 and not 1048
     
  50. Orcus Dreki

    Orcus Dreki Notebook Geek

    yes well that might be fine for you but i was planning to murder someone while playing Age of Conan on my laptop later. so i guess i'll have to postpone it till i can get Lojack off my computer.

    btw and more importantly is there a way to bypass or disable or stop your isp logging your internet activity, because that's a real privacy concern and i would rather put an end to it straight away.
     