Zendmedia.com
On December 17, 2003, my IE browser was hijacked by http://ad1.zendmedia.com/ad-spy_hdc.php?id=start1 advertising a company known as Internet AntiSpy (internetantispy.com) urging me to buy their products, Internet AntiSpy and Drive Cleaner.
Typing in http://www.zendmedia.com in the browser redirects you to http://default-homepage-network.com. Also, notice in the bottom left-hand corner of the screen shot that the page loaded but contained errors.
A Whois search produced the following results. I believe Global Innovations is the server they are using (while default-homepage-network.com is using the Excalibur-Internet server):
OrgName: Global Innovations, Inc.
OrgID: GLBI
Address: 4650 Wedgewood Blvd
Address: Suite 107
City: Frederick
StateProv: MD
PostalCode: 21703
Country: US
NetRange: 64.186.128.0 - 64.186.159.255
CIDR: 64.186.128.0/19
NetName: GLOBALI
NetHandle: NET-64-186-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GLOBALI.NET
NameServer: NS2.GLOBALI.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-08-03
Updated: 2002-09-15
OrgAbuseHandle: GIAD-ARIN
OrgAbuseName: Global Innovations Abuse Department
OrgAbusePhone: +1-866-276-3638
OrgAbuseEmail:
abuse@globali.net
OrgNOCHandle: GIN1-ARIN
OrgNOCName: Global Innovations NOC
OrgNOCPhone: +1-866-276-3638
OrgNOCEmail:
noc@globali.net
OrgTechHandle: GIN1-ARIN
OrgTechName: Global Innovations NOC
OrgTechPhone: +1-866-276-3638
OrgTechEmail:
noc@globali.net
# ARIN WHOIS database, last updated 2003-12-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS
database.
Although this Whois search produced these results:
Whois info for, zendmedia.com:
Registrant:
Zend Media, Inc.
P.O. Box 192
Kiev, NA 01103
UA (Ukraine)
Domain name: ZENDMEDIA.COM
Administrative Contact:
Hostmaster, Zend hostmaster@zendmedia.com
P.O. Box 192
Kiev, NA 01103
UA
+380 44 496 04 59 Fax: +380 44 496 04
59
Technical Contact:
Hostmaster, Zend hostmaster@zendmedia.com
P.O. Box 192
Kiev, NA 01103
UA
+380 44 496 04 59 Fax: +380 44 496 04
59
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Aug-2003.
Record expires on 15-Apr-2004.
Record Created on 15-Apr-2002.
Domain servers in listed order:
NS1.IAD1.NSSRV.COM 64.186.152.111
NS2.IAD1.NSSRV.COM
64.186.152.112
On December 19, 2003, default-homepage-network.com posted this on their website:
UPDATE: We are NOT associated with ZendMedia.com or InternetAntiSpy.com in any way, shape or form. As of December 19, 2003 ZendMedia redirects people who type in ZendMedia.com to THIS site to deflect blame for their activities. Further, after investigation, we have discovered that nearly all the public issues surrounding THIS site are actually a result of an orchestrated, calculated scheme by the people who run ZendMedia.com, designed specifically to deflect blame for their actions to THIS network, which strictly adheres to the terms of service herein. Further ZendMedia.com has apparently used technical means to alter Internet registration information to make it appear that we are associated with spamming operations, which is COMPLETELY UNTRUE! We do not have ANY ASSOCIATION with email marketing companies. Finally we have discovered that ZendMedia has gone so far as to hyjack computers and point them at certain sites that WE control, to further confuse consumers. This whole matter has been documented and will be forwarded to the appropriate authorities within two business days.
I have contacted Global Innovations with my concerns and will post any response from them here. I was also able to contact ZendMedia directly at http://www.zendmedia.com/contact.html.
UPDATE: I received information from another person who was hijacked by zendmedia who informed me that he believed files he found on his computer named nCase were responsible, and that upon removal of the files, everything returned to normal. I searched on my computer and did locate a folder named nCase in the program folders and removed it.
UPDATE: During some recent information gathering, I visited the internetantispy.com site and it now states at the top of the page that it is powered by Buysmarter. Buysmarter is the same company listed as owning PopupGuard, my other browser hijacker. I have contacted them about this at support@buysmarter.com and am patiently awaiting their answer.
This website will be updated regularly with any new developments. Anyone wishing to contact me for inquiries or to relate their experiences may do so at nomorespyware@yahoo.com.