Iexplore.exe and rpcnetp.exe connection? Or why does iexplore.exe process start?

Status
Not open for further replies.

The_Lorax

I am making ZA ask me if IE7 tries to access the internet.
Because of that, I know that 80% of the time when I start up my computer, I will soon after get a prompt from ZA asking me to allow/deny Internet Explorer to access the internet.
Problem is that I never started IE. The process starts by itself on startup and then tries to access the net? Why? Has anybody else had this problem?

Another thing I noticed is that there is a process called rpcnetp.exe which is a Computrace process that is impossible to delete as it is stored and recreates itself from the BIOS. Don't ask me why it is doing this, because I never ordered Computrace for my laptop, but I might have enabled something by accident while adjusting settings in the BIOS and now it thinks it is supposed to start but it's not. I have done a lot of research on it, and have come to realize that only editing and flashing with a modified BIOS will solve it. But I am not brave enough to attempt that at this point.

Rpcnetp.exe also starts on startup about 80% of the time. I noticed that the other times when it doesn't start, iexplore.exe also doesn't start.
So I wonder if the rpcnetp process is using the iexplore process somehow. Or trying to. I always deny access and I delete the processes in the task manager. After that I am fine, they don't restart themselves until the next bootup.

Any ideas, or experience with this?
 
Wow! Where did those green faces with teeth come from? I didn't put them in!

Please understand, I can only work with the information you give. You have decided that "a process called rpcnetp.exe which is a computrace process". I found one reference to this with the comment "rpcnetp.exe << Seems to be an anti theft file for Laptops. May contain a dialer to report theft and may be marked as dialer by Anti-Virus programs, etc."

Please note: "seems to be", not "is" and it is classified as a 'dialer'. IF you weren't aware of this program on your system and it can function as a 'dialer', then it is malware.

You may act accordingly.

Edit for comment: you can find more about the rpcnetp.exe process here:
https://www.techspot.com/vb/topic68882.html

NOTE: You began this thread because you are noticing frequent attempts to access the internet, not made by yourself. I would ask- 'if this is supposed to be a 'tracing' process in the event the computer is stolen, "why" does it run so frequently and "why" is it making attempts to access the internet'?

rpcnetp.exe and rpcnetp.dll are a part of Absolute Software's Lojack for Laptops (computer recovery software). For more information, visit www.lojackforlaptops.com (formerly known as CompuTrace)
 
Bobbye,

To remove "rpcnet" (Absolute Software), in regedit, find all instances of "rpcnet" (not the LEGITIMATE "rpcss") & delete all those keys. If a key cannot be deleted, right-click & select the "permission" of "everyone" to "full control" & try again. REBOOT.

After the reboot, all "rpcnet*" files in the \windows\system32 folder can finally be either renamed or removed.

To make sure, use "TCPView" (www.sysinternals.com) to observe if an instance of "IExplorer" is connecting to "search.namequery.com" after the computer is turned on & connected to internet. If not, congrats !


Thanks for the link!

(By the way, the green smilies came from the combination of colon and capital D, if you made a space between, it wouldn't show as a smilie.)
 
You're welcome. I would still question why this process is making frequent trips to the internet.
 
It's not exactly frequent trips, it's just on startup, the poster who I quoted from says the iexplore service is accessing "search.namequery.com". I haven't yet checked that but I will because...

...I tried the above procedure and deleted every instance of rpcnet and rpcnetp found in the registry, then rebooted and deleted the exe and dll files.
After two more boots, the rpcnetp process was back, the rpcnetp files were back and the rpcnetp registry entries had been recreated. No rpcnet, just rpcnetp, still - rpcnetp is the process that is causing iexplore to want to connect to the net on startup.

So now I am sure it lives in the BIOS, and recreates itself from the BIOS.
I've downloaded TcpView, so on next reboot, I will try to see if it's trying to connect to search.namequery.com.
 
You can read more on this laptop retrieval program here:

"{QUOTE-> these programs are widely used by college bookstores that loan out laptops...........larger companies may employ such programs as well......but to purchase one of these laptop retrival program imo is a complete waste of money. Do they work.....yes, just a a trojan or virus will work.....an can be removed just as a trojan or virus can be removed.... <-QUOTE}"

"Another thing I am quite concerned about here is that if companies such as these can create software which can survive an fdisk, format and partition table rewrite then fully reinitialise afterwards, whats stopping trojan and malware authors from doing the same thing with a virus?"

http://www.wilderssecurity.com/archive/index.php/t-100229.html

What you decide to do with it is up to you.

No spelling corrections are made in quoted material.
 
these programs are widely used by college bookstores that loan out laptops...........larger companies may employ such programs as well......but to purchase one of these laptop retrival program imo is a complete waste of money. Do they work.....yes, just a a trojan or virus will work.....an can be removed just as a trojan or virus can be removed....

No, I don't think that argument is valid or relevant.
If this was a program which I purchased and installed, then yes.

But this is something that was weaved into the BIOS which came with my laptop.

Another thing I am quite concerned about here is that if companies such as these can create software which can survive an fdisk, format and partition table rewrite then fully reinitialise afterwards, whats stopping trojan and malware authors from doing the same thing with a virus?

Unless a hacker can get you to install his modified BIOS, they cannot create viruses that are this persistent.

As I understand it, this is only a recent development (incorporating Computrace into the BIOS used by computer companies such as Dell, Compaq, etc.).

I think it's pretty obvious how it works, I don't understand why the posters in that thread are confused.
The companies that make programs like Computrace and Ztrace partner with companies that make computers like Dell, Compaq, HP, and these companies enlist companies that make BIOS apps like Phoenix and Award to make BIOSes that include the Tracing "virus" (among other things). Then when you install the program, it uses the module in the BIOS.
 
I am not at all confused about the program. However I am confused why you even asked the question and why you continue to refuse help that is offered.

You have a program on your computer whose sole purpose, as I understand it, is to find the computer if someone steals it. But you note constant or frequent or intermittent attempts to access the internet.

So I ask-'what is it contacting the internet for'? Could it be to see if someone is looking for the computer?
 
Bobbye: you are confused.


You have a program on your computer...

It's not exactly a program, it's a BIOS module which creates (and recreates) the rpcnetp registry entries, which in turn create the rpcnetp executable and .dll in system32 folder which starts the rpcnetp process on startup. The rpcnetp process initiates the iexplore process, using it to "call home" to Absolute Software. It does not do it intermittently or randomly, it does it once on every bootup. This is part of the company's way of tracking the laptop. However, as I understand it, the full program (Computrace) can use that "call home" process to do other things as well, but I don't have the Computrace program, only the module in the BIOS which was put there to use with the Computrace program....if I had ordered it.


But you note constant or frequent or intermittent attempts to access the internet

As I said, it is not intermittent, it is once every bootup usually (occasionally the process doesn't start). The URL that it contacts is mentioned in my other post. It's a call home signal to Absolute.


So I ask-'what is it contacting the internet for'?

I hope I've been able to explain this to you and answer your question.


Could it be to see if someone is looking for the computer?

You will have to ask Absolute about their overall scheme to protect laptops, I assume that they have the laptop "call home" every time it starts up to track certain details about where it is calling home from. If a person reports their laptop stolen...and the laptop sends a call home signal AFTER its stolen, I'm sure they use that to track the laptop.
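
The chain described in this post (rpcnetp.exe starting iexplore.exe, which then contacts search.namequery.com, the host an earlier reply suggested watching for in TCPView) can also be checked from process and connection telemetry. This is an added example, not part of the original thread: the events are constructed, and the Sysmon-style field names are an assumption about the log source.

```python
import ntpath

# Constructed sample telemetry (not from the thread), using Sysmon-style field
# names: EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 412, "ParentProcessId": 388,
     "Image": r"C:\WINDOWS\system32\rpcnetp.exe",
     "ParentImage": r"C:\WINDOWS\system32\services.exe"},
    {"EventID": 1, "ProcessId": 1320, "ParentProcessId": 412,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\WINDOWS\system32\rpcnetp.exe"},
    {"EventID": 3, "ProcessId": 1320,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationHostname": "search.namequery.com"},
    # A browser the user started by hand: must not be flagged.
    {"EventID": 1, "ProcessId": 2044, "ParentProcessId": 1700,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\WINDOWS\explorer.exe"},
    {"EventID": 3, "ProcessId": 2044,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationHostname": "www.techspot.com"},
]

AGENT_NAMES = {"rpcnetp.exe"}             # process name given in the thread
CALL_HOME_HOST = "search.namequery.com"   # host given in the thread


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def find_call_home(events):
    """Return one finding per iexplore.exe started by the agent, with hosts it contacted."""
    spawned = {}  # pid of agent-started iexplore.exe -> finding
    for ev in events:
        if (ev["EventID"] == 1 and base(ev["Image"]) == "iexplore.exe"
                and base(ev.get("ParentImage")) in AGENT_NAMES):
            spawned[ev["ProcessId"]] = {"pid": ev["ProcessId"],
                                        "parent": base(ev["ParentImage"]),
                                        "hosts": [], "call_home": False}
        elif ev["EventID"] == 3 and ev["ProcessId"] in spawned:
            host = ev.get("DestinationHostname", "").lower().rstrip(".")
            finding = spawned[ev["ProcessId"]]
            finding["hosts"].append(host)
            finding["call_home"] |= (host == CALL_HOME_HOST)
    return list(spawned.values())


if __name__ == "__main__":
    for finding in find_call_home(SAMPLE_EVENTS):
        print(finding)
```

Keying on the parent process rather than on iexplore.exe alone is what separates the boot-time call home from a browser the user opened.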
 
You won't be able to effectively delete rpcnetp.exe but you can keep it from running.

Right click on rpcnetp.exe and rpcnetp.dll and deny "read & execute" permissions to the system account for these two modules. If all goes well, you'll see messages in event viewer indicating that the process couldn't start with an "access denied" error.
 
If Computrace or Lojack is activated in the BIOS it cannot be turned off. You don't want a tracing program that thieves can inactivate. It warns the user of this when you activate it in the BIOS. Even if the laptop is shipped with Computrace it is turned off by default.
The rpcnetp.exe program is calling "home" to Lojack when you boot the computer each time. This is the way that Lojack keeps track of the location (IP address) of the computer in case it is stolen. This also requires that the computrace or lojack program is activated on their website.
Did you buy the laptop used? Someone deliberately activated both.
 
I read a controversial conversation on a web site a couple of years ago. The 'controversy' was: should Computrace and/or Lojack be allowed to contact the internet WITHOUT a request to activate it.

This meant to me that it should only be the company running Lojack "looking" (read 'Activate') for a specific computer for theft rather than Lojack calling out to the internet continually.

Or should this be allowed:
The rpcnetp.exe program is calling "home" to Lojack when you boot the computer each time.

There is a 'discussion' here:
How to remove Computrace Lojack:
http://www.freakyacres.com/remove_computrace_lojack

Some users have viewed Lojack as 'spyware' because they didn't load it, they didn't request it and because it was installed on the system without the consent or knowledge. This appears to be why it is included in the databases of some spyware/adware programs.

If it were me, I'd use a firewall to deny server privilege to the internet.

From Majorgeeks:
All firewalls have the ability to decide to allow or deny a program to have access. Once you set this and tell it to always do the same thing, it will not ask you about it again unless the program you are giving access to changes due to an update. Then the firewall will ask again.
 