Q: ACERESEARCHER ONLY -- Prevention and Rescue (Answered 5 out of 5 stars, 0 Comments)
Question  
Subject: ACERESEARCHER ONLY -- Prevention and Rescue
Category: Computers > Internet
Asked by: czh-ga
List Price: $4.00
Posted: 26 Apr 2003 11:41 PDT
Expires: 26 May 2003 11:41 PDT
Question ID: 195808
Thank you very much for your help on my Search Engine Hijacked
question. Your input helped me in trying a variety of solutions. I’m
not really sure which one finally did it but all the clean up should
help with other system-clogging messes as well.

I’ve closed the other question but I want to recognize that you
helped. Tell me what is your favorite preventative maintenance tool or
your most interesting recovery story.

Thanks again,

czh

Request for Question Clarification by aceresearcher-ga on 14 May 2003 03:14 PDT
Czh,

I've got a whopper for you on this one, but I need to have some
significant time to write it up. Thanks for your patience.

ace

Clarification of Question by czh-ga on 14 May 2003 10:16 PDT
Thanks Ace. No hurry. You already solved my problem.

czh
Answer  
Subject: Re: ACERESEARCHER ONLY -- Prevention and Rescue
Answered By: aceresearcher-ga on 25 May 2003 22:36 PDT
Rated: 5 out of 5 stars
 
czh,

As I have been working with Java, I had the Java VM (Virtual Machine)
enabled on my computer. Every once in a while, a little red Java coffee
cup icon would appear in the Windows Task bar in the lower right-hand
corner of my screen.

This puzzled me, so I started poking around. I right-clicked on one of
the coffee cups, and selected "Open Console". The console log
indicated that my computer had sent records to a mysterious
law-enforcement agent named the "Red Sheriff" -- despite the fact that
I have a firewall, and I hadn't given my computer permission to send
records to any Red Sheriff.

So I started Googling on "RedSheriff spyware", and I found this post
by Lauren Weinstein, Co-Founder of PFIR (People For Internet
Responsibility):

"I haven't seen any mention here regarding the insidious spread of the
"RedSheriff" server-side spyware system.  This is now apparently in
use by major sites and ISPs to send user Web browsing activity
information back to a third party without the knowledge of the user. 
This software reportedly exists as a Java applet and is loaded to
users by participating customers of the tracking system.  It has
seemingly been around for some time but is only now really appearing
on people's radar.

More info about this abomination from the company itself is at:
http://www.redsheriff.com .

A quick search on http://groups.google.com for 'redsheriff' will yield
significant information and help with setting up firewall blocking of
this 'service'."
http://www.interesting-people.org/archives/interesting-people/200303/msg00120.html


A post by "Brad" on the "Geocaching Australia> Software Solutions"
Forum offers further enlightenment:

"Red Sheriff Unmasked
-----------------------------------------------
This website will tell you a bit about what Red Sheriff is and what
it does.

www.cexx.org/sheriff.htm

It is server side spyware essentially, so you can't remove it from your
local PC and you can't stop it running (without disabling JAVA and
JAVASCRIPT) in your browser.

It has nothing to do with CacheMonkey, or the Java JRE or SDK you have
installed to run CacheMonkey. The only difference is that the Java
plugin will now display Red Sheriff messages so you know it's there.
I'm not sure why some systems display the message and others don't.

Everyone has probably had it run on their systems at one time or
another as one of the biggest users of Red Sheriff is ninemsn's site.
See paragraph 5 here
http://ninemsn.com.au/support/privacy.asp#5

I hope this clears up anyone's worries about Red Sheriff and
CacheMonkey.

Brad."
http://pub66.ezboard.com/fcachingaustraliafrm26.showMessage?topicID=8.topic


Following the link to CEXX reveals:

"Unlike most conventional spyware, imrworldwide.com's Red Sheriff is
loaded as a Java applet embedded in a Web page you visit. Once loaded,
it sends information about your Internet usage (how long the page took
to load, how long you stayed, etc.) to the parent company, supposedly
bypassing firewalls, cookie blockers and the like. A number of
Internet Service Providers have begun including Red Sheriff on their
start pages, which are programmed to load every time the user logs on
to the Internet.
  
Currently, the Red Sheriff program is billed as a reporting tool to
measure how visitors use a Web site, kind of like an access_log reader
with some extra frills.

Previously, the Red Sheriff product page (cached) was more obscure
about what kind of information was collected, suggesting access to
surfing habits beyond the original Web site containing the Red Sheriff
applet, and bragging of its ability to get past personal firewalls and
cookie crunchers.
  
This applet, included with some ISP packages, causes severe slowdowns
on some systems as reported in Gibson Research's grc.spyware
newsgroup.

Solutions: 
The most obvious (if not user-friendly) solution is to disable Java in
your web browser. Proxomitron ( http://www.proxomitron.org ) users can
use this filter ( http://www.cexx.org/sheriff.cfg ) to eliminate the
Red Sheriff from their surfing. (Updated 11/17/02 to detect the latest
version of Sheriff.)

Known (former/current) users of Sheriff: 
www.ninemsn.com.au 
Bigpond/Telstra Internet Services 
Peakhour (http://www.peakhour.com.au/, http://www.peakhour.net.au/,
http://www.peakhour.com/)
BBC.co.uk"
http://www.cexx.org/sheriff.htm

I am now using the Proxomitron, which I downloaded and patched with
the RedSheriff filters; however, I have discovered that some sites
which use the Java VM to implement spyware (such as Nex Slovenko) can
still get around the Proxomitron filters, even with Java permissions
on "High Safety", and the only sure way I have found to block it so
far is to "Disable" Java permissions. Of course, this can be a problem
when I want or need to use sites which require Java to at least be
enabled as far as "High Safety".

I am continuing to research this nasty new way to infringe on the
privacy of Internet Users, and I will let you know if and when I come
up with a better resolution.

There are a LOT of good things that have come from Australia -- like
Researcher robertskelton -- but RedSheriff is NOT one of them.

Thanks, czh, for offering me the opportunity to reveal to the Google
Answers Community just what these slimy b******s are doing.

RedSheriff now boasts over 600 "clients" for their spying services;
anyone looking for a list of companies to boycott can start with this
one:

"www.NineMSN.com.au 
Bigpond/Telstra Internet Services 
Peakhour
BBC.co.uk"
http://www.cexx.org/sheriff.htm

"USA
----
415 Inc 
DVD.com 
AudioRevolution.com
NHL Interactive CyberEnterprises (NHL ICE)
Forbes.com 

UK
--
Tate Gallery 
Sun Microsystems
News International Newspapers 
Find.co.uk 
Lycos UK 
Yorkshire Building Society 
TWIi 
Citizens Connection 
Standard Life
Scottish Enterprise 
Selfridges
Anderselite 
uSwitch
ABCe 

Japan 
-----
Recruit Ablic 
NGC's iimono.co.jp
Nikkei BP 
TV Asahi 
JOLF 

Italy 
-----
RAI 
Mediaset 
LYCOS
Il SOLE 24 ORE 

Australia 
---------
Media Man 
Commonwealth Bank
Victorian Tourism Online 
BT LookSmart 
HotHouse
Environment Australia 

New Zealand 
-----------
Deloitte Touche Tohmatsu 

Singapore 
---------
monster.com.sg 
ZUJI"

http://www.imrworldwide.com/1.2.0.htm


Search Strategy

RedSheriff spyware
http://www.google.com/search?q=RedSheriff+spyware


Before Rating my Answer, if you have any questions about the
information I have posted above, please post a Request for
Clarification, and I will be glad to see what I can do for you.

Best wishes,

ace
czh-ga rated this answer: 5 out of 5 stars
Thanks, Ace, for your cautionary tale and the ample suggestions for
taking care of this menace.

czh
