IE Parasite: IpInsight

[tyger_claw]

Hey All,

Recently I got infected (if you can call it that) by a parasite .dll from a spyware company called ipinsight.com. This "infection" monitors your browser activitiy, sends information to a server, silently installs updates and files as well as add links to your browser and icons to your desktop.

Using a spyware buster (I used SpySweeper *freeware* from TuCows.com) but because it's a .dll file (ipinsigt.dll) it is loaded into windows and cannot be removed by a cleaner.

I removed it manually with information I found from doxdesk.com

For those infection by this or other kinds of stubborn spyware, read below:

*Also note: IpInsight cost me lots of money this month! My usual monthly upload count is near 1gig, this month surpassed 3gigs! Because of that I have to pay an extra 2gigs of web usage! Mother ****er!

Description
IPInsight is a process or IE Browser Helper Object that monitors addresses entered into web forms, ostensibly to try to make a database of physical locations of IP addresses.

Variants
IPInsight/Sentry: installs a process Sentry.exe and datafile Sentry.ini in the Windows folder. This variant cannot be detected by the script at this site.

IPInsight/Ipinsigt: a reimplementation of the original Sentry as a BHO, provided by IPINSIGT.DLL in the Windows folder. This code is based on the Transponder parasite from Mindset Interactive; there is even a leftover message from Transponder/VX2 in the code about the software opening pop-up ads, which it doesn't!

IPInsight also make connection monitoring software that is included in some ISP's installation discs. This is not the same software as the 'IPInsight' parasite and is not detected by the script at this site.

Distribution
Bundled with Morpheus 2 and software from Blue Haven Media.

What it does
Advertising
No.

Privacy violation
Yes. Any address information you enter into a form using Internet Explorer is leaked to the IPInsight's servers, along with a unique ID. Their privacy policy claims any house number sent is 'rounded' so as not to pass a completely accurate address.

Security issues
Yes. Can silently download and install updates.

Stability problems
No.

Removal
IPInsight/Ipinsigt should have an entry in Add/Remove Programs, which removes the software from the current setup adequately.

However it leaves a copy behind in the 'last known good setup' which may reappear if you boot using this option. Delete the file IPINSIGT.DLL from the LastGood folder in the Windows folder, and IPINSIGT.PNF and IPINSIGT.inf from the LastGood\INF folder. Finally you can remove IPInsigt from the hidden 'inf' folder in the Windows folder to clean up.

Spybot Search & Destroy can remove IPInsight.

Manual removal
Sentry variant: open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'Sentry' entry. Reboot Windows and delete Sentry.exe and Sentry.ini in the Windows folder.

Ipinsigt variant: open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\IPINSIGT.DLL"
Reboot Windows and delete IPINSIGT.DLL in the Windows folder. You can also delete the registry key HKEY_LOCAL_MACHINE\Software\IPInsight to clean up if you wish. Then see the LastGood removal instructions above.

[Madseel]

Hey tiger claw, cant you get some legal action against them cuz they were making you pay for things they made your computer do without your knowledge? I mean, wern't they kind of stealing from you? Im am just wondering.

[tyger_claw]

I have pondered upon that, but I haven't read their sites disclaimer and whatnot. However, I can pretty much garantee that they'll have some legal mombo jumbo about how it's legal because of xxx reason.

Part of what I got so far that makes it sound like legal corner cutting is this from above

Their privacy policy claims any house number sent is 'rounded' so as not to pass a completely accurate address.

So if they can use such a fuzzy explination for privacy protection, I'm sure they'll have something to protect themselves from the net usage (possibly something similar to the AOL hidden fees)

I will look into it.

I will try to obtain as much info as possible from my ISP about the traffic from my computer and see it's destination and whatnot.

*Added: Those Mother ****ers Read Below:

Increased stickiness by personalizing content for unregistered, uncookied users
from IpInsight.com

***Add2:

Been poking around at Ipinsight.com, and here's what I got:

Line Speed Test: On a periodic basis, the IPinsight Software communicates with the IPinsight server, which instructs the Software to request a small fixed-size web page. Once the web page is loaded the Software records the length of time between the request and the completed load. This is recorded in milliseconds. A report is sent back to the IPinsight server with the exact size (including HTTP headers) of the web page and the download time. This enables IPinsight to estimate Internet users’ connections speeds (e.g. dial-up, DSL, cable).

While the file size is said to be small, and the request to periodical, it's not a determined size or time table. Periodical to me is once-a-week. To them it could be every 5 minutes! Size wise, I'm thinking 5kb for an alphabet .html file. To them it could be a flash file being 3mb!

IP Address: Finally, when you install IPinsight's Software, it collects several bits of information about the configuration of your computer. This information includes information about the computer's hardware configuration, such as the amount of free space on your hard drive, and information about the computer's software configuration, such as the name and version of the operating system. This information is used to determine whether the IPinsight Software is compatible with your computer.

Why The **** would they need that kind of information? To make the files they transfer bigger to your computer?

Choice

IPinsight uses both opt-in and opt-out media. This means that before IPinsight collects any information at all, we first obtain your express consent. This includes your consent to this User Agreement.

From that time forward, you may opt-out of the IPinsight service and any further data dissemination at any time. Simply visit www.IPinsight.com and follow the posted instruction.

Voluntary Software and Right to Uninstall

You understand that our Software is a voluntary software program, and you may uninstall it at any time by using the Microsoft® Windows® add/remove programs function or following the instructions listed on our website, www.IPinsight.com.

BULLSHIT! I was never asked to install anything, nor do I have the option to remove it via add/remove programs..... So, they voluntarily installed this program on my computer *believing* that I would want to be a gineapig?

Limitation of Liability

IN NO EVENT WILL IPINSIGHT, ITS EMPLOYEES, DISTRIBUTORS, SUPPLIERS, MERCHANT PARTNERS, ADVERTISERS, DIRECTORS OR AGENTS (COLLECTIVELY "PROTECTED PARTIES") BE LIABLE FOR ANY INDIRECT DAMAGES OR OTHER RELIEF ARISING OUT OF YOUR USE OR INABILITY TO USE THE SOFTWARE OR SERVICES INCLUDING LOST PROFITS, LOST BUSINESS OR LOST OPPORTUNITY, OR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING LEGAL FEES, ARISING OUT OF SUCH USE OR INABILITY TO USE THE SOFTWARE, SERVICE OR WEBSITE, EVEN IF A PROTECTED PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY. IN NO EVENT WILL PROTECTED PARTIES MAXIMUM CUMULATIVE LIABILITY UNDER THIS AGREEMENT EXCEED THE AVERAGE REVENUE RECEIVED BY IPINSIGHT PER USER PER MONTH AS CALCULATED BY IPINSIGHT MULTIPLIED BY THE NUMBER OF COMPLETE MONTHS YOU HAVE BEEN AN IPINSIGHT APPLICATION USER.

Because some states or jurisdictions do not allow the exclusion or the limitation of liability for consequential or incidental damages, in such states or jurisdictions, our liability shall be limited to the extent permitted by law.

No Liability for Protected Parties

The Protected Parties assume no liability hereunder for, and shall have no obligation to defend you or to pay costs, damages or attorneys' fees for, any claim based upon: (i) any method or process in which our Software may be used by you; (ii) any results of using our Software; (iii) any use of other than a current unaltered release of our Software; or (iv) the combination, operation or use of our Software with third party programs or data if such infringement would have been avoided by the combination, operation, or use of our Software with other programs or data.

Ahh, the bullshit we're not responsible line. Basically they say that the software is sold to websites that use their product to monitor their visitors. Any claims against the "third party people" won't affect them.

So, does that mean they ain't responsible? What do you guys think?

[HTRegz]

I'd take it as meaning they aren't responsible.. or in their eyes they aren't... I'd review your provinces laws on it. Then I'd fire them off a "nicely" worded email... and threaten to pursue action, even if legally you can't.. just to scare them a bit.... (If you are interested, shoot me a pm, I've argued in front of the Ontario Supreme Court a few times in mock trials and helped prepare a few cases and I'm dating a soon to be law clerk... I'd be more than glad to help you compose the email if it'll sink the bastards even a little).. I don't know if there's much else you can do... I suppose you could get really p*ssed and play packet monkey, but that's never a good idea.... I'm on sympatico and pay 7 bux/GB over my limit.. if i was paying even the 7 bux.. i know I'd be right p*ssed off...


BTW thanks for the heads up, I had never heard about this until now... I've checked my machines and I'll definately be checking my roommates come morning.