
Zendmedia.com

On December 17, 2003, my IE browser was hijacked by http://ad1.zendmedia.com/ad-spy_hdc.php?id=start1 advertising a company known as Internet AntiSpy (internetantispy.com) urging me to buy their products, Internet AntiSpy and Drive Cleaner. I also received popups during the hijack advertising SpyWiper and SpyHunter.

Typing in http://www.zendmedia.com in the browser redirects you to http://default-homepage-network.com. Also, notice in the bottom left-hand corner of the screen shot that the page loaded but contained errors.

A Whois search produced the following results. I believe Global Innovations is the server they are using (while default-homepage-network.com is using the Excalibur-Internet server):

OrgName: Global Innovations, Inc.
OrgID: GLBI
Address: 4650 Wedgewood Blvd
Address: Suite 107
City: Frederick
StateProv: MD
PostalCode: 21703
Country: US
NetRange: 64.186.128.0 - 64.186.159.255
CIDR: 64.186.128.0/19
NetName: GLOBALI
NetHandle: NET-64-186-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GLOBALI.NET
NameServer: NS2.GLOBALI.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-08-03
Updated: 2002-09-15
OrgAbuseHandle: GIAD-ARIN
OrgAbuseName: Global Innovations Abuse Department
OrgAbusePhone: +1-866-276-3638
OrgAbuseEmail: abuse@globali.net
OrgNOCHandle: GIN1-ARIN
OrgNOCName: Global Innovations NOC
OrgNOCPhone: +1-866-276-3638
OrgNOCEmail: noc@globali.net
OrgTechHandle: GIN1-ARIN
OrgTechName: Global Innovations NOC
OrgTechPhone: +1-866-276-3638
OrgTechEmail: noc@globali.net
# ARIN WHOIS database, last updated 2003-12-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Although this Whois search produced these results:

Whois info for, zendmedia.com:
Registrant:
Zend Media, Inc.
P.O. Box 192
Kiev, NA 01103
UA (Ukraine)
Domain name: ZENDMEDIA.COM
Administrative Contact:
    Hostmaster, Zend  hostmaster@zendmedia.com
    P.O. Box 192
    Kiev, NA 01103
    UA
    +380 44 496 04 59    Fax: +380 44 496 04 59
Technical Contact:
    Hostmaster, Zend  hostmaster@zendmedia.com
    P.O. Box 192
    Kiev, NA 01103
    UA
    +380 44 496 04 59    Fax: +380 44 496 04 59
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Aug-2003.
Record expires on 15-Apr-2004.
Record Created on 15-Apr-2002.
Domain servers in listed order:
    NS1.IAD1.NSSRV.COM   64.186.152.111
    NS2.IAD1.NSSRV.COM   64.186.152.112
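
The two records above can be tied together mechanically. The following is an added example, not part of the original page: it parses excerpts of both Whois records and checks whether the name servers listed for zendmedia.com sit inside the Global Innovations allocation. The function names are hypothetical.

```python
import ipaddress
import re

# Excerpts copied from the two Whois records quoted above.
ARIN_RECORD = """\
OrgName: Global Innovations, Inc.
NetRange: 64.186.128.0 - 64.186.159.255
CIDR: 64.186.128.0/19
"""
DOMAIN_RECORD = """\
Domain name: ZENDMEDIA.COM
Domain servers in listed order:
    NS1.IAD1.NSSRV.COM   64.186.152.111
    NS2.IAD1.NSSRV.COM   64.186.152.112
"""

def parse_allocation(record):
    """Return (org, network) from an ARIN-style record, checking NetRange against CIDR."""
    fields = dict(re.findall(r"^(\w+):\s*(.+?)\s*$", record, re.M))
    net = ipaddress.ip_network(fields["CIDR"])
    first, last = (ipaddress.ip_address(p.strip()) for p in fields["NetRange"].split(" - "))
    if (first, last) != (net.network_address, net.broadcast_address):
        raise ValueError("NetRange and CIDR disagree")
    return fields["OrgName"], net

def parse_name_servers(record):
    """Return {hostname: ip} for the lines after 'Domain servers in listed order:'."""
    _, _, tail = record.partition("Domain servers in listed order:")
    servers = {}
    for line in tail.splitlines():
        m = re.match(r"\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if m:
            servers[m.group(1)] = ipaddress.ip_address(m.group(2))
    return servers

def correlate(arin_record, domain_record):
    """Map each listed name server to True if its address is inside the allocation."""
    org, net = parse_allocation(arin_record)
    return org, {host: ip in net for host, ip in parse_name_servers(domain_record).items()}

if __name__ == "__main__":
    org, result = correlate(ARIN_RECORD, DOMAIN_RECORD)
    for host, inside in result.items():
        print(f"{host}: {'inside' if inside else 'outside'} {org} allocation")
```

A match here locates the name servers only; the address the web host itself resolves to needs its own lookup against the same allocation.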

On December 19, 2003, default-homepage-network.com posted this on their website:

UPDATE: We are NOT associated with ZendMedia.com or InternetAntiSpy.com in any way, shape or form. As of December 19, 2003 ZendMedia redirects people who type in ZendMedia.com to THIS site to deflect blame for their activities. Further, after investigation, we have discovered that nearly all the public issues surrounding THIS site are actually a result of an orchestrated, calculated scheme by the people who run ZendMedia.com, designed specifically to deflect blame for their actions to THIS network, which strictly adheres to the terms of service herein. Further ZendMedia.com has apparently used technical means to alter Internet registration information to make it appear that we are associated with spamming operations, which is COMPLETELY UNTRUE! We do not have ANY ASSOCIATION with email marketing companies. Finally we have discovered that ZendMedia has gone so far as to hijack computers and point them at certain sites that WE control, to further confuse consumers. This whole matter has been documented and will be forwarded to the appropriate authorities within two business days.

I will give them the benefit of the doubt for now. However, there are still questions left unanswered.

A.) Why is default-homepage-network so upset if indeed zendmedia does "specifically deflect blame for their actions" to default-homepage-network when zendmedia's browser hijacks are far less intrusive than default-homepage-network's own browser hijacks?

B.) I'm not sure what "technical means to alter Internet registration information to make it appear that we are associated with spamming operations" they're referring to. The only association between the two sites is the redirected home page of zendmedia.com to default-homepage-network.com.

C.) default-homepage-network specifically states in their missive "The ONLY setting that default-homepage-network.com configures is default homepage" (browser hijack), "If you have any complaints or concerns, we are more than happy to address them with you. One of our available representative's email address is listed in the instructions below." (what email address, there isn't one), "Default-homepage-network.com features content that may not be suitable for minors under the age of 18." (Then why throw it in our face when we didn't ask for it?), "Default-homepage-network.com prompts and changes consumers' browser behaviors to offer a free ad-supported software experience and a more targeted advertiser-to-consumer communication system." (Changing people's computer settings without their consent is hacking), "For example, default-homepage-network.com.com includes "flash" pages that will prompt a verisign alert box to install Macromedia flash player software into the end-user's browser and default-homepage-network.com utilizes several technical and business methods to change users' default homepage to one that default-homepage-network.com controls" (Again, hacking and unwanted downloads), "It will, however, use NON-DESTRUCTIVE vulnerability demonstrations to stress the importance that users' secure their computers from malicious hackers" (This is where your CD-ROM drive door is forced open and, actually, the only malicious hacker that has ever done that on my machine has been default-homepage-network and yes, it did run unsafe ActiveX script), so going back to my original question, after all these admissions, why would default-homepage-network even care about being blamed for a few more browser hijacks?

D.) "We do not have ANY ASSOCIATION with email marketing companies." zendmedia advertises through browser hijacking; I have yet to find any evidence of them using spam email to advertise, so why even mention this?

I have contacted Global Innovations with my concerns and will post any response from them here.

UPDATE: I received information from another person who was hijacked by zendmedia who informed me that he believed files he found on his computer named nCase were responsible, and that upon removal of the files, everything returned to normal. I searched on my computer and did locate a folder named nCase in the program folders and removed it.

UPDATE: During some recent information gathering, I visited the internetantispy.com site and it now states at the top of the page that it is powered by Buysmarter. Buysmarter is the same company listed as owning PopupGuard, my other browser hijacker. I have contacted them about this at support@buysmarter.com and am patiently awaiting their answer.

This website will be updated regularly with any new developments. Anyone wishing to contact me for inquiries or to relate their experiences may do so at nomorespyware@yahoo.com.
