
Other Virus -- FIXED -- WINNER

Discussion in 'Tech Support' started by Burnout21, 7 Jul 2012.

  1. IvanIvanovich

    IvanIvanovich will swallow your soul.

    Joined:
    31 Aug 2008
    Posts:
    4,870
    Likes Received:
    252
    Most likely it is based on either an AMI or an Award system, so one of their generic UEFI tools should work in theory.
     
  2. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Gutting news

    The HP 6200 Pro SFF is a business-grade desktop, and I suspect it had the Computrace service installed.

    If you have a read, it's integrated into their BIOS and firmware updates, which explains why it's always reappearing. Even if I could remove and clean all the memory available to the BIOS, the fresh flash would install it again.

    Infinite loop?

    Now what confuses me is the fact that it's redirecting the browser to a web page with the dodgy American phone number owned by Time Warner Communications. So I am at a loss.
     
  3. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    Computrace sounds like it is the one. Ultimately though, it's still something running as a service. The flash puts a fresh copy into your BIOS chip, you install Windows, fine, you install updates, fine (somewhere around now the exploit is exploited, probably using the Computrace service, or A.N.Other service running that is similar to LoJack/Computrace), you reboot the machine, you get white-screened. Before the reboot, and thus before the white screen, you should be able to remove the registry key that is making the service start, either from msconfig or from regedit, as it's obviously a service that is started on startup. I'm guessing it's "delayed" startup, i.e. it will not start until all other services have started, and it is then that it removes your ability to use the machine - which is effectively what Computrace/LoJack does.

    HP have put computrace on their machines, and this appears to be an exploit that exploits that, so really HP need to find some way of sorting this out as otherwise it will potentially brick loads and loads of machines. Have you contacted HP at all?

    I will look into computrace some more and see if I can find anything more out.

    My laptop is HP, ProBook 6460b, so enterprise class; it has Computrace services running out of the box...

    [image]

    I haven't a 6200 to hand as I am still in Budapest, but I will be back in my office at the end of the week. I think if you can find a way to stop Computrace from running in Windows, irrelevant of the BIOS, you will be all good. I will continue to look further :)

    EDIT: I appear to be wrong, those above are all valid Windows things and not to do with Computrace. Apparently Computrace's is rpcnet.exe, which I can't seem to find anywhere on my laptop.
     
    Last edited: 17 Jul 2012
  4. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Could the infection have logged the MAC address of this machine to some dodgy server somewhere, so as soon as it goes online it gets dicked by the exploit?
     
  5. sp4nky

    sp4nky BF3: Aardfrith WoT: McGubbins

    Joined:
    15 Jul 2009
    Posts:
    1,706
    Likes Received:
    53
    From a quick search, the phone number is actually owned by Quest Diagnostics - a clinical labs service - based in Clarence, New York. They also have a UK division, in Heston, Middlesex.

    Is it possible that your in-laws bought the computer second-hand, e.g. through the bay, and that this company was the original owner? If so, they may be able to advise on removing the tracer.

    http://www.questdiagnostics.com/uk/contact_us.html
     
  6. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Indeed, I believe the machine was purchased via the bay, which has got me worried if this thing is "hot".

    The only thing I can say is that the in-laws have the original box and supporting discs and paperwork, so if it was "hot" then it's straight out of the shipping container "hot".

    However, I am going to continue to believe there is an exploit in place taking advantage of the Computrace system because of the other reports across the internet.

    One thing I can point out is the fact that this machine has never been behind a dedicated firewall, which I have been considering whilst I try to resolve the problem.
     
  7. thelaw

    thelaw What's a Dremel?

    Joined:
    10 Sep 2010
    Posts:
    1,096
    Likes Received:
    27
    Nasty.

    What's worse is that likely in about two weeks most of the AV companies will have a solution provided in their definitions that will require anyone else to just click "scan now" and remove it in a matter of minutes, while you have spent days re-inventing the wheel to get rid of the bugger.
     
  8. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Indeed
     
  9. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Not dead, just been looking around and if anything hoping AV might have updated..

    Anyway, this is definitely related to the Computrace integration in the BIOS files HP release. Earlier I stumbled upon a registry hack to disable the LoJack..

    However, after 30 min the hack was bypassed somehow. I did notice rpcnet.exe running as a process within Task Manager, but was curious to leave it running just to see if it had any effect. Answer is a resounding YES. White screen returned upon reboot.

    So I've turned my attention to studying the strings within the BIOS file available here. After studying the hex strings, I have come across some weird strings..

    Frankly I am confused and worried at the amount of ROOT access here... excuse me whilst I fetch my tin foil...

    Still scrolling the strings looking for Computrace or the like, but I suspect it's in the other file, which is firmware.
     
    Teelzebub likes this.
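The post above is doing by hand what a small script can do repeatably: pull printable strings out of a firmware image and flag the ones worth a closer look. This is an added example, not code from the thread or from HP; it scans a constructed byte blob (not a real BIOS image) for both plain ASCII and UTF-16LE strings, which UEFI images commonly contain, and reports the offset of any string containing a watch-list marker. The watch terms are the two names the thread mentions (rpcnet and Computrace); extend the tuple for your own inventory work. Run it against a real dump by passing the file path on the command line.

```python
import re
import sys

# Markers named in the thread; matched case-insensitively. Extend as needed.
WATCH_TERMS = (b"rpcnet", b"computrace")

# Constructed sample "image" for offline testing: padding, an ASCII banner,
# an ASCII file name, a UTF-16LE product string, and filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"$BIOS ROM IMAGE v1.0" + b"\x00" * 8        # ASCII string at offset 16
    + b"rpcnet.exe" + b"\xff" * 12                 # ASCII string at offset 44
    + "Computrace Agent".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE at offset 66
    + b"\x90" * 32
    + b"AB\x00CD"                                  # too short to count as a string
)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return [{offset, encoding, text}] for printable runs of at least min_len
    characters, in both ASCII and UTF-16LE, sorted by offset."""
    found = []
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_run.finditer(data):
        found.append({"offset": m.start(), "encoding": "ascii",
                      "text": m.group().decode("ascii")})
    # UTF-16LE: printable byte followed by 0x00, repeated. This is the form
    # most UEFI text (setup strings, module names) takes.
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_run.finditer(data):
        found.append({"offset": m.start(), "encoding": "utf-16-le",
                      "text": m.group().decode("utf-16-le")})
    found.sort(key=lambda s: s["offset"])
    return found


def find_markers(data: bytes, terms=WATCH_TERMS, min_len: int = 6) -> list:
    """Return only the strings that contain one of the watch terms, tagging each
    hit with the term that matched."""
    hits = []
    lowered = [t.lower().decode("ascii") for t in terms]
    for s in extract_strings(data, min_len):
        low = s["text"].lower()
        for term in lowered:
            if term in low:
                hits.append(dict(s, term=term))
                break
    return hits


def main(argv: list) -> None:
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_IMAGE
    hits = find_markers(data)
    for h in hits:
        print(f"0x{h['offset']:08x}  {h['encoding']:9s}  [{h['term']}]  {h['text']}")
    print(f"{len(hits)} marker hit(s) in {len(data)} bytes")


if __name__ == "__main__":
    main(sys.argv)
```

Finding the string tells you only that the agent module ships in the image, which the thread already suspects; it says nothing about whether it is enabled, since that is a BIOS setup option held in NVRAM rather than in the flashable file.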
  10. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    Was going to post in here to see if you had had any luck.

    The hack is the same one I have seen to replace all the files with blanks - it's quite impressive that it has still managed to white-screen you.

    I'm still really sorry you are having to endure this :(

    It's possible to rewrite the BIOS without the rpcnet.exe strings, as I have seen it about that it is possible, but I do not know where to start with BIOS re-engineering, else I would give it a shot.

    If you want any help with anything and think another head would be useful, shoot me a PM.
     
  11. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    I can assure you if this ever gets resolved you'll be PM'd ASAP. Still scrolling the strings, there be many!
     
  12. aramil

    aramil One does not simply upgrade Forums

    Joined:
    10 Jul 2012
    Posts:
    961
    Likes Received:
    58
    Renaming alone will not work with the service running.

    Computrace can be stopped. Do the following:

    1) START > SETTINGS > CONTROL PANEL > ADMINISTRATIVE TOOLS > SERVICES > find RPC (Remote Procedure Call) NET and/or Service. Right-click and Properties, set to Automatic and stop the service.

    2) C:\WINDOWS\SYSTEM32\ Find these 4 files: RPCNET.DLL + RPCNETP.DLL + RPCNET.EXE + RPCNETP.EXE (do the following to each file).

    3) Delete each file. DO NOT REBOOT. Open WordPad. Type and "Save As" (without quotes). Name the file as the one it will replace above. Do this for all 4 files. Once they are all replaced with the "VOID" (bogus) file, right-click on each file and change the attribute to READ ONLY > APPLY > OK.

    To check and make sure it has worked, reboot your machine. Go to Services and check your RPC process and see if it has restarted. If it restarted then you did something wrong with the above files; retry, reboot and recheck. Remember, if you delete one or all the files without stopping the service the files WILL come back automatically. Also you will not be able to delete RPCNET.EXE if the service IS started. It must be done in the order above.

    Should at least allow you to use it until you can do something like this:

    BIOS removal HERE
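The check at the end of the procedure above (did the four files stay as empty read-only placeholders, or did the agent put them back?) is easy to get wrong by eye, since a regenerated file looks the same in Explorer unless you open its properties. The script below is an added example, not from the thread or from HP: it inspects the four file names the post lists, reports for each whether it exists, its size and whether the read-only attribute is set, and summarises whether the placeholders are still intact or whether any file has come back with real content. The `make_demo_dir` helper builds a constructed fixture in a temporary directory so the logic can be exercised offline; on a real machine run it without arguments and it checks `%SystemRoot%\System32`. It reports only; it does not stop services or touch files.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

# The four file names from the post. NTFS is case-insensitive, so lowercase is fine there.
AGENT_FILES = ("rpcnet.dll", "rpcnetp.dll", "rpcnet.exe", "rpcnetp.exe")


def inspect_file(path: Path) -> dict:
    """Presence, size and read-only attribute of one file (no contents are read)."""
    if not path.exists():
        return {"name": path.name, "present": False, "size": None, "read_only": None}
    st = path.stat()
    # On Windows the READONLY attribute clears the write bit in st_mode; on
    # POSIX a 0o400 mode does the same, so one test serves both.
    return {"name": path.name, "present": True, "size": st.st_size,
            "read_only": not bool(st.st_mode & stat.S_IWRITE)}


def check_agent_files(system32) -> dict:
    """Summarise the state of the placeholder files in the given directory.

    neutralised: every file is absent or a zero-byte read-only placeholder.
    regenerated: names of files that have non-zero size, i.e. the agent wrote
                 them back (the failure case the post warns about)."""
    base = Path(system32)
    files = [inspect_file(base / name) for name in AGENT_FILES]
    neutralised = all((not f["present"]) or (f["size"] == 0 and f["read_only"])
                      for f in files)
    regenerated = [f["name"] for f in files if f["present"] and f["size"] > 0]
    return {"files": files, "neutralised": neutralised, "regenerated": regenerated}


def make_demo_dir(regenerate: bool = False) -> str:
    """Constructed fixture: three zero-byte read-only placeholders and one file
    absent. With regenerate=True, rpcnetp.exe is written back with content and
    left writable, simulating the agent restoring itself."""
    d = tempfile.mkdtemp(prefix="agentcheck_")
    for name in ("rpcnet.dll", "rpcnetp.dll", "rpcnet.exe"):
        p = Path(d) / name
        p.write_bytes(b"")
        os.chmod(p, stat.S_IREAD)
    if regenerate:
        (Path(d) / "rpcnetp.exe").write_bytes(b"MZ" + b"\x00" * 64)  # fake header, constructed
    return d


def main(argv) -> None:
    target = argv[1] if len(argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    report = check_agent_files(target)
    for f in report["files"]:
        state = "absent" if not f["present"] else (
            f"{f['size']} bytes, {'read-only' if f['read_only'] else 'writable'}")
        print(f"{f['name']:12s} {state}")
    print("placeholders intact" if report["neutralised"]
          else f"regenerated: {', '.join(report['regenerated'])}")


if __name__ == "__main__":
    main(sys.argv)
```

A clean report here only covers the files in System32; as the thread goes on to note, the agent is also re-seeded from the BIOS on the next flash, so the check is worth repeating after any firmware update.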
     
  13. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Feck, I missed the kill process step. FAIL!



    EDIT:

    Not wanting to jinx myself here but so far 'you know what' hasn't happened.... just saying..


    DOUBLE EDIT:

    White screen is back. Despite the LoJack issues, I still think this is an exploit of the LoJack functions.
     
    Last edited: 29 Jul 2012
  14. aramil

    aramil One does not simply upgrade Forums

    Joined:
    10 Jul 2012
    Posts:
    961
    Likes Received:
    58
    I am having a look at your linked bios update (wip), could you dump a copy from yours and upload it?
     
    Burnout21 likes this.
  15. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Will do, but I think it might also be in the firmware.

    I've killed the rpcnet problem, but now I am wondering if it was ever the problem...

    I need to get my m0n0wall in place (was having DHCP arguments). First time using a dedicated firewall, and I made the mistake of putting the box after my router, both with DHCP in place. So I assume there was a clash. I shall simply bypass the router for a few hours rather than mess around.

    Curious, can m0n0wall log incoming IPs?
     
    Teelzebub likes this.
  16. aramil

    aramil One does not simply upgrade Forums

    Joined:
    10 Jul 2012
    Posts:
    961
    Likes Received:
    58
    Remember, after this it is still resident (although hidden) on the HDD and in the registry once it has been activated. So a full wipe would be needed from your white-screen state, then re-killing it before it activates, i.e. white-screens.

    Yeah, more than one DHCP = pain/fail.....

    It should be able to log both in and out, if I remember correctly....
     
  17. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    A full wipe was done,

    Process as follows
    So unless someone ran in whilst I was making a cup of coffee and installed said virus, I am out of luck. Also if they did run in I am officially sh*ting a brick, as it's only me and my partner who live here and she was with me in the kitchen making drinks.
     
  18. Mechh69

    Mechh69 I think we can make that fit

    Joined:
    16 Sep 2009
    Posts:
    1,298
    Likes Received:
    59
    Sorry to hear that, but if you like I have a way that may make you feel better. Step 1: remove all components from the MB. Step 2: replace the MB and put all components back on, get the computer up and running with no white screen. Step 3: pack up the MB and send it to me here in the U.S.; when the package is received I will go to the gun range with a video camera, attach the MB to the carriage that holds the target and proceed to blow the hell out of the MB while catching it on camera.

    Now I know this doesn't help your problem, but figured it would make you feel better.
     
  19. Burnout21

    Burnout21 Mmmm biscuits

    Joined:
    9 Sep 2005
    Posts:
    8,616
    Likes Received:
    197
    Indeed that would make me feel better; however, it's not an ATX standard board, it's an ******* child HP special BTX, which isn't easy to find, nor cheap. I would love to replace the BIOS chip but that's SMD, so not an easy task.
     
  20. Shirty

    Shirty W*nker! Super Moderator

    Joined:
    18 Apr 1982
    Posts:
    12,937
    Likes Received:
    2,058
    And if you don't want to post it abroad and give someone else the satisfaction of blasting it just join the NCRA and use it to sight a nice 7.62mm rifle.

    Seriously though, this box can't be worth the time you've spent on it now surely? I mean, even if you only charged £15/hour the "cost" of investigating this must be running into the high hundreds now. Time for a new one maybe? Shame it's a different model as I have an HP 8100 Elite SFF motherboard here on my desk...

    Respect though.
     
