allentech.net

Parasite: IPInsight

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

IPInsight is a process (or, in one variant, an IE Browser Helper Object) that monitors addresses entered into web forms in order to build a database of the physical locations of IP addresses.

IPInsight is distributed and controlled by DirectRevenue, the same company behind the Transponder and GrandStreet parasites.

Note: IPInsight is unrelated to the ‘IP InSight’ connection monitoring software by Visual Networks, included with some Internet Service Provider setup discs. This software is not considered a parasite and is not detected by the script at this site.

Variants

IPInsight/Sentry: installs a process Sentry.exe and datafile Sentry.ini in the Windows folder. Controlling server stubmon.ipinsight.net.

IPInsight/Stub: background loader for IPInsight and possibly other parasites from the same company. Lives in the Windows folder under the filenames Belt.exe or Susp.exe, though its internal name is SentryStub.exe. It is based on the same code as Sentry, but lacks the form-spying functionality.

IPInsight/Alchem: as Sentry, but using the filenames alchem.exe and alchem.ini, with controlling server www.clickalchemy.com.

IPInsight/Ipinsigt: a reimplementation as an Internet Explorer BHO, provided by IPINSIGT.DLL in the Windows folder. This code is based on the Transponder parasite; there is even a leftover message from Transponder/VX2 in the code about the software opening pop-up ads (which it doesn’t).

Distribution

Bundled with Morpheus 2 and software from Blue Haven Media. Also installed by the FavoriteMan parasite.

What it does

Advertising

No.

Privacy violation

Yes. Any address information you enter into a form using Internet Explorer is leaked to IPInsight’s servers, along with a unique ID. Their privacy policy claims any house number sent is ‘rounded’ so as not to pass a completely accurate address.

Security issues

Yes. Can silently download and execute arbitrary unsigned code from its controlling server, as an update feature.

Stability problems

No.

Removal

Some installations of IPInsight/Ipinsigt have an entry in Add/Remove Programs, which removes the software from the current setup adequately.

However, it leaves a copy behind in the ‘last known good setup’, which may reappear if you boot using this option. Delete the file IPINSIGT.DLL from the LastGood folder in the Windows folder, and IPINSIGT.PNF and IPINSIGT.inf from the LastGood\INF folder. Finally, you can remove IPInsigt from the hidden ‘inf’ folder in the Windows folder to clean up.

Spybot Search & Destroy can remove IPInsight.

Manual removal

Sentry variant

Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘Sentry’ entry. Reboot Windows and delete Sentry.exe and Sentry.ini in the Windows folder.

Stub variant

Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘Belt’ or ‘Susp’ entry. Reboot Windows and delete the .exe and .ini files of the same name from the Windows folder.

Alchem variant

Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘Alchem’ entry. Reboot Windows and delete Alchem.exe and Alchem.ini in the Windows folder.

Ipinsigt variant

Open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\IPINSIGT.DLL"

Reboot Windows and delete IPINSIGT.DLL in the Windows folder. You can also delete the registry key HKEY_LOCAL_MACHINE\Software\IPInsight to clean up if you wish. Then see the LastGood removal instructions above.
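
To see which of the leftovers named in the removal steps above are present before deleting anything, the following read-only check can be run. It is an added example, not part of the original record and not Andrew Clover's detection script. It assumes PowerShell 3.0 or later, and checking the WOW6432Node copy of the Run key on 64-bit Windows is an assumption not taken from this page.

```powershell
# Read-only audit for the IPInsight artifacts listed on this page. Deletes nothing.
$win = $env:WinDir

# Run key named on the page, plus the 32-bit view on 64-bit Windows (assumption).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Variant -> Run value names and files under the Windows folder, as given on the page.
$variants = @(
    @{ Name = 'Sentry';   Run = @('Sentry');       Files = @('Sentry.exe', 'Sentry.ini') }
    @{ Name = 'Stub';     Run = @('Belt', 'Susp'); Files = @('Belt.exe', 'Belt.ini', 'Susp.exe', 'Susp.ini') }
    @{ Name = 'Alchem';   Run = @('Alchem');       Files = @('Alchem.exe', 'Alchem.ini') }
    @{ Name = 'Ipinsigt'; Run = @();               Files = @('IPINSIGT.DLL', 'LastGood\IPINSIGT.DLL',
                              'LastGood\INF\IPINSIGT.PNF', 'LastGood\INF\IPINSIGT.inf') }
)

$findings = @(
    foreach ($v in $variants) {
        # Autostart entries: value names are compared case-insensitively by -contains.
        foreach ($rk in $runKeys) {
            $key = Get-Item -LiteralPath $rk -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($name in $v.Run) {
                if ($key.GetValueNames() -contains $name) {
                    [pscustomobject]@{ Variant = $v.Name; Type = 'RunValue'
                                       Item = "$rk\$name"; Data = $key.GetValue($name) }
                }
            }
        }
        # Files in the Windows folder and in the 'last known good' copy.
        foreach ($f in $v.Files) {
            $p = Join-Path $win $f
            if (Test-Path -LiteralPath $p) {
                [pscustomobject]@{ Variant = $v.Name; Type = 'File'; Item = $p; Data = $null }
            }
        }
    }
    # Leftover configuration key mentioned in the Ipinsigt removal steps.
    if (Test-Path -LiteralPath 'HKLM:\Software\IPInsight') {
        [pscustomobject]@{ Variant = 'Ipinsigt'; Type = 'RegKey'
                           Item = 'HKLM:\Software\IPInsight'; Data = $null }
    }
)

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the IPInsight artifacts listed on this page were found.' }
```

For a RunValue hit, the Data column shows the command line the entry launches, which tells you which file to delete after the reboot.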

Links

IPInsight official site.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
