{
	"id": "d4bb5953-e032-41e9-9770-2bcd64a80b44",
	"created_at": "2026-04-06T00:19:58.746616Z",
	"updated_at": "2026-04-10T13:11:42.187657Z",
	"deleted_at": null,
	"sha1_hash": "8825c513b61c91d66b972a031f12a67f759a4f69",
	"title": "Thoughts on Absolute Computrace",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675025,
	"plain_text": "Thoughts on Absolute Computrace\r\nArchived: 2026-04-05 20:45:58 UTC\r\nIntroduction\r\nBinaries \u0026 BIOS information \u0026 characteristics\r\nHow to determine if you have Absolute Computrace installed\r\nHow to remove or uninstall Absolute Computrace\r\nAbsolute Computrace FAQ\r\nIntroduction\r\nNot too long ago my friend and colleague from Sweden, Jimmy, contacted me in regards to a strange issue. In the\r\nfirewall, he saw tons of outgoing connections to a certain server:\r\nEach second outgoing connection to search.namequery.com\r\nA quick Google search revealed this was actually part of Absolute's Computrace tool - aka Absolute Persistence.\r\nDoesn't ring a bell? Try Lojack. From their website:\r\nWhy would this be an issue? First of all, there has been some excellent research by Anibal Sacco and Alfredo\r\nOrtega here: Deactivate the Rootkit, in which they describe attacks on BIOS anti-theft technologies, which\r\nAbsolute also offers. An excerpt from their paper:\r\nIn order to be an effective system, the anti-theft agent must be stealthy, must have complete control of\r\nthe system, and most importantly, must be highly persistent because wiping of the whole system most\r\noften occurs in the case of theft.\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 1 of 7\n\nThis activity is also consistent with rootkit behavior, the only difference being that rootkits are generally\r\nmalicious, while anti-theft technologies act as a form of protection against thieves.\r\nSecondly, there has been research from Kaspersky as well on the subject, read their blog post here: Absolute\r\nComputrace Revisited\r\nI advise you to read their post, as it provides excellent information as well. I'm not going to repeat their research\r\nhere, as it's pretty extended. What you should remember however:\r\nWhile Absolute Software is a legitimate company and information about Computrace product is\r\navailable on the company's official website, the owner of the system claimed he had never installed\r\nAbsolute Computrace and didn't even know the software was present on his computer. It could be\r\nassumed that the software was pre-installed by an OEM manufacturer or reseller company, but\r\naccording to an Absolute Software whitepaper this should be done by users or their IT service. Unless\r\nyou have a private IT service or your PC vendor took care of you, someone else has full access and\r\ncontrol over your computer.\r\nBack to our post. After booting the machine and pressing F1 to access the BIOS settings, we are presented with\r\nthe following screen:\r\nLenovo ThinkPad (BIOS version: J9ET58WW)\r\nThis was the initial state of Computrace in the BIOS. The setting was Enabled and the state indicated Not\r\nActivated. This suggests Computrace is not active on the machine... Wrong!\r\nThe Item Specific Help reads:\r\nEnables or disables the UEFI interface to activate Computrace module. Computrace is an optional monitoring\r\nservice from Absolute Software.\r\n[Enabled] Enables the Computrace activation.\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 2 of 7\n\n[Disabled] Disables the Computrace activation.\r\n[Permanently Disabled] Permanently disables the Computrace activation.\r\nThe machine was freshly bought and the user never ordered, installed or even heard of Computrace software. In\r\nthis case, the reseller didn't install it either. This leaves the option the manufacterer or a possible previous owner\r\n[or someone else] installed Computrace.\r\n... When we want to permanently disable Computrace:\r\nComputrace module activation warning\r\nHere comes the fun part: even after permanently disabling the Computrace module, the software was still active\r\nand running; contacting the server (search.namequery.com) like crazy.\r\nI decided to contact Absolute Software in order to get an answer as to why this behaviour was occurring. Since\r\nneither of us are customers, I used the form here to contact them.\r\nAfter two days I got a reply from their customer service. In reply as to why permanently disabling didn't seem to\r\nwork:\r\nIt is also worth noting that many used or refurbished devices may have motherboards with a\r\nComputrace BIOS module that was activated by the previous owner.  In these cases, my\r\nrecommendation would be the following:\r\n1.       Obtain and install any missing or outdated HECI\\Intel Management\\IMEI drivers from the\r\nmanufacturer.  Once these drivers are in place, any potential Absolute software installed on the\r\ncomputer will correctly communicate with the BIOS and it should automatically deactivate itself over\r\nthe course of a few days.\r\n2.       Contact the manufacturer and request a motherboard replacement.  Activated motherboards\r\nshould not be re-sold by manufacturers or retailers if the necessary de-activation steps are not taken\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 3 of 7\n\nfirst.\r\nReason for seeing numerous outgoing connections to their server is probably due to their module wanting to\r\nreceive instructions from the server that the original license should no longer be active, or to download new\r\nbinaries.\r\nBinaries \u0026 BIOS information \u0026 characteristics\r\nThere's already a good list available by Kaspersky which I'm not going to repeat here. You can find that list on this\r\nlink.\r\nHowever, the following points are worth noting:\r\nTwo new binaries (different hashes) have been identified:\r\nad73c636bb2ead416dfa541a74aea016 (wceprv.dll)\r\n4011590af6f13a42a869ae57d6174f4f (rpcnetp.exe)\r\nSeveral files are packed with UPX\r\nThe wceprv.dll module has a Digital Signature which is issued to\r\nAbsolute Software Corp. Serial Number: 35:ba:ec:87:59:d7:84:62:c3:d2:b7:ff:d4:c4:6e:51\r\nMachines will have an altered Master Boot Record (MBR); this is because Computrace parses the MBR\r\nand partition table - it writes some data into the sectors before the primary partition. According to the\r\npatent (US 20060272020 A1):\r\nIn another embodiment, the CLM is stored in a substitute Master Boot Record (MBR), or a combination of\r\nthe foregoing.\r\nCLM or Computrace Loader Module is one of Computrace's main modules. (besides the Adaptive Installer\r\nModule (AIM) and the Communications Driver Agent (CDA) - see the patent for reference)\r\nHow to determine if you have Absolute Computrace installed\r\nFirst things first: check in the BIOS if there's a mention of Absolute Computrace somewhere:\r\n(re)boot your machine and access the BIOS with one of the Function keys on your keyboard. \r\nTypically, this is F2, but may differ. See here for a complete list:\r\nBIOS Setup Utility Access Keys for Popular Computer Systems\r\nSecondly, see if any of the files mentioned in Kasperky's blog post are running or exist on the file system. For the\r\nfull list see here, but keep in mind the two new additional hashes added above.\r\nNote that new hashes may pop-up as well.\r\nThirdly, network activity as mentioned in above blog post.\r\n(but mainly to search.namequery.com or 209.53.113.223)\r\nHow to remove or uninstall Absolute Computrace\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 4 of 7\n\nI won't provide any specific information on how to remove or uninstall Computrace, as its main purpose is still -\r\nand I quote:\r\n[...] to perform preemptive and reactive security measures to safeguard a missing, lost, or stolen device\r\nand the data it contains. With Computrace Mobile you can determine the location of the device and\r\nwhether or not it’s on the move. You can also freeze it to prevent unauthorized access and send a\r\nmessage to the user to validate the status of the device. If the device contains important information,\r\nyou can remotely retrieve files or delete them immediately. And you can generate an audit log of the\r\ndata that’s been removed so you can prove compliance with corporate and government regulations.\r\nHowever, should you have bought (what you believe is) a new machine and it is apparent Computrace is active,\r\ndownload the latest drivers fit for your system:\r\nDownload BIOS drivers  Also find information on How to Update Your Computer's BIOS.\r\nWhen correctly executed and the option for Computrace in the BIOS is set to Permanently Disabled, it should\r\ncorrectly disable itself - taken into account the original license has expired or the original owner deactivated\r\nit, if existent.\r\nAnother option would be to request a motherboard replacement for your machine, as suggested above.\r\nAdditionally you may reinstall the Operating System afterwards.\r\nAbsolute Computrace FAQ\r\nIs Computrace malicious?\r\nNo.\r\nWhich devices does Computrace support and may be installed on?\r\nSo yes, it's possible Computrace is installed on any other of your (mobile) devices. If you're looking for pointers,\r\nonce again look for outbound connections to *.namequery.com or *.absolute.com.\r\nWhich firmware or BIOS brands does Computrace support and may be installed on?\r\nAcer\r\nApple\r\nASUS\r\nDaten\r\nDELL\r\nFujitsu\r\nGammaTech\r\nGeneral Dynamics Itronix\r\nGetac\r\nHP\r\nLenovo\r\nMicrosoft\r\nMotion\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 5 of 7\n\nNEC\r\nPanasonic\r\nSamsung\r\nSony\r\nToshiba\r\nWinmate\r\nXplore Technologies\r\nHow recent was the Computrace agent variant you found?\r\nI added this question as to compare it with Kaspersky's binary- which was compiled in June 2012\r\nThis variant of the Computrace agent was compiled in May 2012 (assuming it's not altered)\r\nAnother version of Computrace was found. Note that this is possibly due to small updates of the loader or agent\r\nmodule.\r\nWill flashing the BIOS remove Computrace?\r\nNo, as it resides in a non-flashable portion of the BIOS.\r\nWill downloading the latest BIOS drivers for my machine remove Computrace?\r\nSee \"How to remove or uninstall Absolute Computrace\".\r\nI'd like to see more information about my BIOS/EFI/coreboot/firmware/optionROM.\r\nYou can use the excellent tool flashrom. If you are using anything but Windows, Anibal and Alfredo have also\r\nwritten a Python program to to dump the BIOS firmware and search for a CompuTrace Option\r\nROM: dumpComputrace.py (Note: you'll need to apt-get flashRom/dmiDecode/UPX)\r\nWhat if I'm a customer of Computrace and have doubts or want more information? \r\nBest thing to do is call them directly: +00 1 877 337 0337 (US number), choose option #1. The general number in\r\nEurope is: +44 118 902 2005 and for Asia: +65 6595 4594\r\nMore information on how to contact them as existing customer can be found here:\r\nAbsolute Software Support\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 6 of 7\n\nWhat if I'm not a customer of Computrace and have doubts or want more information?\r\nYou can still use the numbers above if you like, or you can use the Absolute Software Contact Form.\r\nWhat if I suspect I bought a stolen machine which has Computrace installed?\r\nContact Absolute Software (see above)! They will set up a case together with you and law enforcement.\r\nIs there similar software out there like Computrace?\r\nYes, but it is not exactly the same as Computrace. An example is Prey. Another example is Intel's Anti-Theft\r\nTechnology - which apparently will cease to exist in January 2015. Source:\r\nIntel Anti-Theft Service FAQ\r\nNowadays, most Antivirus vendors also offer some form of anti-theft. For more information, refer to the\r\ncorresponding websites of the vendors.\r\nWhy did you decide to write this blog post?\r\nTo provide even more additional \u0026 useful information, as well as out of sheer interest.\r\nDo you have any additional information to share? \r\nYes, see right below in the Resources section.\r\nResources\r\nAbsolute Software - Perspective on Kaspersky Report \u0026 FAQ\r\nAbsolute Software - Persistent servicing agent  (Patent US20060272020 A1)\r\nCorelabs - Deactivate the rootkit (PDF)\r\nKaspersky - Absolute Computrace Revisited\r\nKaspersky - Absolute Computrace: Frequently Asked Questions\r\nAcknowledgements\r\nI'd like to thank, in no particular order:\r\nAnibal Sacco and Alfredo Ortega for their initial research.\r\nAlfredo Ortega for a refreshing chat and answering some additional doubts I had.\r\nVitaliy Kamlyuk and Sergey Belov for their additional/follow-up research.\r\nAbsolute Software's service desk/support specialists for their service \u0026 answering any questions I had.\r\nThank\r\nyou\r\nfor reading.\r\nSource: https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nhttps://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html"
	],
	"report_names": [
		"thoughts-on-absolute-computrace.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8825c513b61c91d66b972a031f12a67f759a4f69.pdf",
		"text": "https://archive.orkl.eu/8825c513b61c91d66b972a031f12a67f759a4f69.txt",
		"img": "https://archive.orkl.eu/8825c513b61c91d66b972a031f12a67f759a4f69.jpg"
	}
}