Iexplore.exe and rpcnetp.exe connection? Or why does iexplore.exe process start?

By The_Lorax
Feb 8, 2008
  1. I am making ZA ask me if IE7 tries to access the internet.
    Because of that, I know that 80% of the time when I start up my computer, I will soon after get a prompt from ZA asking me to allow/deny Internet Explorer to access the internet.
    Problem is that I never started IE. The process starts by itself on startup and then tries to access the net? Why? Has anybody else had this problem?

    Another thing I noticed is that there is a process called rpcnetp.exe, which is a Computrace process that is impossible to delete as it is stored and recreates itself from the BIOS. Don't ask me why it is doing this, because I never ordered Computrace for my laptop, but I might have enabled something by accident while adjusting settings in the BIOS, and now it thinks it is supposed to start but it's not. I have done a lot of research on it, and have come to realize that only editing and flashing with a modified BIOS will solve it. But I am not brave enough to attempt that at this point.

    Rpcnetp.exe also starts on startup about 80% of the time. I noticed that the other times when it doesn't start, iexplore.exe also doesn't start.
    So I wonder if the rpcnetp process is using the iexplore process somehow. Or trying to. I always deny access and I delete the processes in the task manager. After that I am fine, they don't restart themselves until the next bootup.

    Any ideas, or experience with this?
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    rpcnetp.exe Infected: not-a-virus:Dialer.Win32.Rpcnet.a
    rpcnetp.exe Infected: not-a-virus:Dialer.Win32.Rpcnet.b

    You have a malware infection. I suggest you begin the cleaning process here:

    Follow the directions for the scans and posting the logs in the Security Forum.
  3. The_Lorax

    The_Lorax TS Rookie Topic Starter

    Hi Bobbye,

    No, I don't believe it is malware, it seems to be a Computrace process which recreates itself from the BIOS.

    I have already removed the .exe files from the system32 folder as well as the registry entries... and they come back. I've rewritten the MBR and it also still comes back.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Wow! Where did those green faces with teeth come from? I didn't put them in!

    Please understand, I can only work with the information you give. You have decided that "a process called rpcnetp.exe which is a computrace process". I found one reference to this with the comment "rpcnetp.exe << Seems to be an anti theft file for Laptops. May contain a dialer to report theft and may be marked as dialer by Anti-Virus programs, etc."

    Please note: "seems to be", not "is" and it is classified as a 'dialer'. IF you weren't aware of this program on your system and it can function as a 'dialer', then it is malware.

    You may act accordingly.

    Edit for comment: you can find more about the rpcnetp.exe process here:

    NOTE: You began this thread because you are noticing frequent attempts to access the internet, not made by yourself. I would ask- 'if this is supposed to be a 'tracing' process in the event the computer is stolen, "why" does it run so frequently and "why" is it making attempts to access the internet'?

    rpcnetp.exe and rpcnetp.dll are a part of Absolute Software's Lojack for Laptops (computer recovery software). For more information, visit (formerly known as CompuTrace)
  5. The_Lorax

    The_Lorax TS Rookie Topic Starter


    Thanks for the link!

    (By the way, the green smilies came from the combination of colon and capital D; if you made a space between, it wouldn't show as a smilie.)
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I would still question why this process is making frequent trips to the internet.
  7. The_Lorax

    The_Lorax TS Rookie Topic Starter

    It's not exactly frequent trips, it's just on startup. The poster who I quoted from says the iexplore service is accessing "". I haven't yet checked that but I will because...

    ...I tried the above procedure and deleted every instance of rpcnet and rpcnetp found in the registry, then rebooted and deleted the exe and dll files.
    After two more boots, the rpcnetp process was back, the rpcnetp files were back and the rpcnetp registry entries had been recreated. No rpcnet, just rpcnetp, still - rpcnetp is the process that is causing iexplore to want to connect to the net on startup.

    So now I am sure it lives in the BIOS, and recreates itself from the BIOS.
    I've downloaded TcpView, so on next reboot, I will try to see if it's trying to connect to
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can read more on this laptop retrieval program here:

    "{QUOTE-> these programs are widely used by college bookstores that loan out laptops...........larger companies may employ such programs as well......but to purchase one of these laptop retrival program imo is a complete waste of money. Do they work.....yes, just a a trojan or virus will can be removed just as a trojan or virus can be removed.... <-QUOTE}"

    "Another thing I am quite concerned about here is that if companies such as these can create software which can survive an fdisk, format and partition table rewrite then fully reinitialise afterwards, whats stopping trojan and malware authors from doing the same thing with a virus?"

    What you decide to do with it is up to you.

    No spelling corrections are made in quoted material.
  9. The_Lorax

    The_Lorax TS Rookie Topic Starter

    No, I don't think that argument is valid or relevant.
    If this was a program which I purchased and installed, then yes.

    But this is something that was weaved into the BIOS which came with my laptop.

    Unless a hacker can get you to install his modified BIOS, they cannot create viruses that are this persistent.

    As I understand it, this is only a recent development (incorporating Computrace into the BIOS used by computer companies such as Dell, Compaq, etc.).

    I think it's pretty obvious how it works, I don't understand why the posters in that thread are confused.
    The companies that make programs like Computrace and Ztrace partner with companies that make computers like Dell, Compaq, HP, and these companies enlist companies that make BIOS apps like Phoenix and Award to make BIOSes that include the Tracing "virus" (among other things). Then when you install the program, it uses the module in the BIOS.
  10. The_Lorax

    The_Lorax TS Rookie Topic Starter

    The solution to remove it would then be to learn how to modify your BIOS.
    And then flash the modded BIOS.

    That link I posted above:

    is the only instance I have found after 2 months of searching where someone had successfully removed rpcnetp.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am not at all confused about the program. However I am confused why you even asked the question and why you continue to refuse help that is offered.

    You have a program on your computer whose sole purpose, as I understand it, is to find the computer if someone steals it. But you note constant or frequent or intermittent attempts to access the internet.

    So I ask-'what is it contacting the internet for'? Could it be to see if someone is looking for the computer?
  12. The_Lorax

    The_Lorax TS Rookie Topic Starter

    Bobbye: you are confused.

    It's not exactly a program, it's a BIOS module which creates (and recreates) the rpcnetp registry entries, which in turn create the rpcnetp executable and .dll in the system32 folder, which starts the rpcnetp process on startup. The rpcnetp process initiates the iexplore process, using it to "call home" to Absolute Software. It does not do it intermittently or randomly, it does it once on every bootup. This is part of the company's way of tracking the laptop. However, as I understand it, the full program (Computrace) can use that "call home" process to do other things as well, but I don't have the Computrace program, only the module in the BIOS which was put there to use with the Computrace program....if I had ordered it.

    As I said, it is not intermittent, it is once every bootup usually (occasionally the process doesn't start). The URL that it contacts is mentioned in my other post. It's a call home signal to Absolute.

    I hope I've been able to explain this to you and answer your question.

    You will have to ask Absolute about their overall scheme to protect laptops, I assume that they have the laptop "call home" every time it starts up to track certain details about where it is calling home from. If a person reports their laptop stolen...and the laptop sends a call home signal AFTER it's stolen, I'm sure they use that to track the laptop.
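
The startup chain described in this post (rpcnetp files reappearing in system32, a matching service entry, and iexplore.exe launched by rpcnetp.exe) can be checked read-only with PowerShell. This is an added example, not part of the original thread; the function names are hypothetical, it assumes PowerShell 3.0 or later, and the process check only works while rpcnetp.exe is still running.

```powershell
# Added example: read-only triage for the rpcnetp chain described in the thread.
# File and process names come from the thread; function names are hypothetical.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-RpcnetFiles {
    # rpcnet*.exe / rpcnet*.dll that reappear in system32 after deletion
    Get-ChildItem -Path $sys32 -Filter 'rpcnet*' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Get-RpcnetServices {
    # Service entries whose name or binary path mentions rpcnet
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like 'rpcnet*' -or $_.PathName -like '*rpcnet*' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-RpcnetChildren {
    # Processes (for example iexplore.exe) whose parent is a running rpcnet* process
    $procs   = Get-CimInstance Win32_Process
    $parents = $procs | Where-Object { $_.Name -like 'rpcnet*' }
    foreach ($p in $parents) {
        $procs | Where-Object { $_.ParentProcessId -eq $p.ProcessId } |
            Select-Object @{ n = 'Parent';    e = { $p.Name } },
                          @{ n = 'ParentPid'; e = { $p.ProcessId } },
                          Name, ProcessId, CommandLine
    }
}

# Run shortly after logon, before the processes are ended in Task Manager.
'--- files ---';            Get-RpcnetFiles    | Format-Table -AutoSize
'--- services ---';         Get-RpcnetServices | Format-List
'--- child processes ---';  Get-RpcnetChildren | Format-List
```

Comparing the CreationTime of the files across reboots shows whether they were rewritten after being deleted, which is the behaviour reported earlier in the thread.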
  13. SoftmasterG

    SoftmasterG TS Rookie

    You won't be able to effectively delete rpcnetp.exe but you can keep it from running.

    Right click on rpcnetp.exe and rpcnetp.dll and deny "read & execute" permissions to the system account for these two modules. If all goes well, you'll see messages in event viewer indicating that the process couldn't start with an "access denied" error.
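
The permission change suggested in this post, scripted with icacls and followed by the Event Viewer check it mentions. This is an added example, not part of the original thread; it assumes an elevated PowerShell prompt, files in %SystemRoot%\System32, and a hypothetical backup folder under %TEMP%.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$systemSid = '*S-1-5-18'          # well-known SID of Local System; icacls accepts *SID
$backupDir = Join-Path $env:TEMP 'rpcnetp-acl-backup'   # hypothetical backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($name in 'rpcnetp.exe', 'rpcnetp.dll') {
    $file = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "$file not found, skipping"
        continue
    }
    # Save the current ACL so the change can be undone with icacls /restore
    icacls $file /save (Join-Path $backupDir "$name.acl") | Out-Null
    # Explicit deny of read & execute for SYSTEM, as the post suggests
    icacls $file /deny "${systemSid}:(RX)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $file"; continue }
    icacls $file        # print the resulting ACL for review
}

# After the next reboot: the files may have been rewritten, so re-check the ACL,
# then look for the "access denied" start failure in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*rpcnet*' } |
    Select-Object TimeCreated, Id, Message
```

If the deny entry is missing after a reboot, the file was recreated with fresh permissions and the change has to be reapplied.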
  14. philbr41

    philbr41 TS Rookie

    If Computrace or Lojack is activated in the BIOS it cannot be turned off. You don't want a tracing program that thieves can inactivate. It warns the user of this when you activate it in the BIOS. Even if the laptop is shipped with Computrace it is turned off by default.
    The rpcnetp.exe program is calling "home" to Lojack when you boot the computer each time. This is the way that Lojack keeps track of the location (IP address) of the computer in case it is stolen. This also requires that the computrace or lojack program is activated on their website.
    Did you buy the laptop used? Someone deliberately activated both.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I read a controversial conversation on a web site a couple of years ago. The 'controversy' was: should Computrace and/or Lojack be allowed to contact the internet WITHOUT a request to activate it.

    This meant to me that it should only be the company running Lojack "looking" (read 'Activate') for a specific computer for theft rather than Lojack calling out to the internet continually.

    Or should this be allowed:
    There is a 'discussion' here:
    How to remove Computrace Lojack:

    Some users have viewed Lojack as 'spyware' because they didn't load it, they didn't request it and because it was installed on the system without the consent or knowledge. This appears to be why it is included in the databases of some spyware/adware programs.

    If it were me, I'd use a firewall to deny server privilege to the internet.

    From Majorgeeks:
    All firewalls have the ability to decide to allow or deny a program to have access. Once you set this and tell it to always do the same thing, it will not ask you about it again unless the program you are giving access to changes due to an update. Then the firewall will ask again.
Topic Status:
Not open for further replies.