Yes, this does sound like a hijack of IE's normal behavior.

However, I don't see how it could happen unless your computer has some kind of parasiteware installed. Have you run AdAware or something similar recently?

'Yes' and 'Not a chance'. Note: I do NOT block pop-ups/overs.

I repeated it on every machine in the house and all do as described. Type in www[The big orange sign that sells home improvement goods and tools] followed by the word Opinion.com ( leaving out the . after www ) and you get re-directed to ezsearch site which throws tons of pop-ups offering everything from "Wanna be my home page" to ads. They come one, right after another up to around 10 attempts.

I run AdAware about fifty times a day perusing the Internet for sites to add to my directory and NOT blocking pop-ups allows me to ensure that a site throwing pop-ups doesn't qualify for inclusion.

Recall, this replicates with IE. I have not tried other browsers.

You are definitely correct about what IE's default behavior is.

On a clean install, an entry in the IE address bar that is not a website gives an MSN search results page. And sometimes in the past, that search has even taken you directly to the number one search result on MSN - sort of an "I'm Feeling Lucky" thing.

I just checked the MSN Search results directly, and this is not apparently what is happening in your case.

However, I believe various Toolbars can take over those address bar searches. So the possibility is there for some other programming to insert itself into IE's default behavior.

Still, I haven't been able to get the specific behavior you report, not even after disabling my blockers and other protection.

BHODemon shows just two:

AttributeValue
DLL PathC:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

and

AttributeValue
Descgoogletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll. - Google toolbar

I did try Netscape 7.1 and it replicates there as well.

If not a BHO, what else could I try?

Maybe I'll reload Opera and Neoplanet just to see what happens.

Well, couldn't find Neoplanet on any of my CDs and it is no longer available for download.

Just leaving the '.' out after typing in the www and typing in the correct url doesn't seem to be something to strive for as far as re-directs go. Doesn't seem as though there would be that many forgetting the '.' to make it worthwhile.

But, both Opera and Firefox exibit the same behaviour, with respect to the domain in question.

Because the site is a huge multi-national Corporation, could that be the reason someone is trying to scrape traffic?

How does one determine what is going on?

The same behavior from Opera and Firefox - wow. Certainly a tell-tale sign that your computer is compromised.

Yes, being a multi-national company would be a reason that a certain domain is targeted and not others. But what is the mechanism that is being used is a tough question - worth answering if you feel that it may be affecting other functions as well as address bar search.

All I can suggest is running a variety of spyware applications - because each one may find instances that another misses.

I've run them all tedster. There is nothing wrong with my machine(s), including the one I've just reformatted, as in partitioning the HD, and loading the OS, all new software, and their respective updates.

<added

Both Opera and Firefox were installed fresh. Each installation was followed immediately by an attempt to replicate this event.

I imported no favs, or any other settings in both cases.

None are set as default browser.

In all cases, it re-directs to ezfinder.....

</added

This makes me wonder about your ISP!

Major Cable Company in SW US.

This re-direct does not work on my domain or some others I have tried.

Intersting http//wwwwebmasterworld.com/

Go ahead, try it.

That look like anyone you know?

[edited by: tedster at 8:48 pm (utc) on Feb. 1, 2005]
[edit reason] remove specifics [/edit]

Several friends ran into what sounds like the same pest on their computers just before last Christmas.

Do a SE query for "ezsearch spyware" and you will see tons of info including what to look for and what/how to remove.

I ran into 2 or 3 variants that needed slightly different removal techniques - but they all are gone now. Some went with Spybot S&D (surprised AdAware not catching it) and others went after manually deleting dlls and editing registry.

Of course you may have something newer and nastier. Hope not.

ezsearch spyware [google.com] as an exact phrase gives one result that, if you peck around the 404s takes you to the Giant MSN page that speaks all about MSs spyware. I used it for awhile and uninstalled it because it rarely produced anything.

So far, this morning, I downloaded ten different spyware detectors. Ran three of them and they've detected nothing.

Those I'm working with:

PestBlock
WinPatrol
SpywareGuard
Spy-AD Exterminator - currently in the 'run' mode.

HijackThis and bugoff are in the wings ready to go once the current application has finished.

PestBlock won't delete anything it finds without purchasing it. So, we didn't pay too much attention to that one.

Just to note: The page it re-directs TO is findit.

There is a findit.com, but the page is all together different looking than the one I get re-directed to.

Also, they both come up with vastly different Registrants and one is in Atlanta, US and the other is in Europe.

< added
...including the one I've just reformatted, as in partitioning the HD, and loading the OS, all new software, and their respective updates.

Tell me how this purported BHO can be in a machine such as I've described.

< /added

This evening, I went to a friends house whose machine is very new and hardly used.

They are NOT on the same ISP, yet, you guessed it. I was able to replicate this event.

Tomorrow I may go to the public library and see what's up there.

Nobody else want a piece of this thread?

After re-reading this thread, I realized I was not omitting the same "dot" that you were. I also had my IE configured not to search from the address bar.

Now I see the same behavior you report - and the domain is not owned according to Whois - so I am mystified by the behavior

OK - it gets weirder. I was playing with the IE search options in Tools > Internet Options > Advanced - and now I cannot get the behavior on any of the four choices. When I allow search I go to MSN and there are no search results.

Need more testing.

Laura just logged onto her MSN/WebTV account ( which is a dial-up account ) a few minutes ago and, as some of you might know is incapable of having any spyware or have any downloading capabilities, as well as being behind a major firewall.

Mind you, MSN/WebTV is total Microsoft and it replicates there as well. Including wwwwebmasterworld.com as stated before.

When she does my domain, it does not re-direct. Then again, mine is not as big as either WebmasterWorld or HD either.

Testing other sites, I found this premise does not function on sites that do not have the www present in the root url. Such to say, it only works with those sites whose url includes the www.

[techweb.com...]

'Typosquatters'

In addition to registering misspelled names, like drkop.com and charlesschwaab.com, these sites also generate traffic by registering names that begin with www. If a surfer forgets to type the period between www and wsj to get to the Wall Street Journal, they will end up at Whats4free.com. If they type in wwwmicrosoft.com, they'll end up at OTCstreet.com.

Anyone doubt that opportunists RULE?

Hey, that story is nearly five years old and we are still seeing it today as is evidenced in this thread. <Yikes!>

Yup, pretty funny, huh?

Ohh, I don't know. Maybe you could ask Brett how he feels having potential traffic scraped?

Well, I'm not too interested in those contained in the article I posted, which is four years old.

Prior to posting that article, I was talking about wwwwebmasterworld and a major US multi-national retail building supply and hardware chain store, that has a big orange sign and sometimes gets static from the local business who'd just as soon keep them out. I re-discovered this when entering their post-Christmas $5,000.00 give away contest and inadvertently forgot the "." after the www .

As the article confirms my deduction, that scope broadened to include all websites containing the www .

The big orange sign one goes to a site that, in name, is the same name as an engine, but is not that engine. That engine has the same dot com name. So, not only are they masquerading as 'that' website, they are also using the 'name' of the website as theirs, while the URL is numerical.

Same with the wwwwebmasterworld.com example. When you arrive at the site, it says glowingly says WebmasterWorld right there in front of you. Yet, the site is nothing more than a huge listing of, what must be affiliates. Further, the domain is registered to someone in Europe.

But the two cases are different. No one has registered the domain you reported on in the first message. But someone does own the wwwwebmasterworld.com domain.

So whatever is going on in this case you stumbled onto, it looks like a different traffic scraping mechanism to me.

IE6 has four choices for saearch from the address bar:

1. Display results and go to the most likely site
2. Do not search from the address bar
3. Just display the results in the main window
4. Just go to the most likely site

In my version of IE6, #4 is the default setting. But right now, I cannot get this behavior from any of the four settings, including the default. I saw it once this morning.

Just to be sure I dumped cache and cookies (I couldn't really imagine a traffic scraper placing a cookie so that they only scraped each user once - but what the heck.)

If you're really sure the domain isn't registered, perhaps you should contact Verisign global registry services [verisign-grs.com] and tell them about it (if it's a .com). I don't know if they have routines on this kind of situation, but it sounds a bit suspicious to say the least. Hopefully, you'd at least get some feedback on what is causing this.

If you get redirected in any browser and on any machine, then I suggest it's a name server issue, and that could be serious. Note that it may take a couple of days from a domain is registered until it shows up in the whois (but you probably know this already).

Ok, so, I called California and the answers I got were anything but encouraging.

First thing I did was to describe the situation and allow them to see what I see. They went where I went and saw what I saw.

I mentioned all the pertinent facts, as I know them to be with respect to ezsearch actually being a dot com, yet while you go to a site that "says" they are ezsearch they are in fact, NOT ezsearch.com, but a bogus site altogether.

I also left him check out wwwwebmasterworld.com. Again, he saw what I did, replete with all the affiliate crap.

Here is what he said...

Masking is a possibility.

Sub-domains are probably the reason the sites appear live in conjunction with masking.

There are no sanctions in place for scraping traffic in this fashion. <blank stare>

I guess it's confirmed then;
The .com part of the internet is a free haven for low-lives where they can do just about anything they want without having to worry about justice.

I'm sure glad I don't have any .com's, but use the national top level domain instead (.no). I would (hopefully) have a much better chance of any complaints regarding abuse.

I really think Verisign needs to do something about regulating such abuse. I can't believe they just ignore it.

Me too. It's not like I expected them to ask who I was and what my domain was so they could publicly credit me for this discovery the next time they attend an ICANN meeting. :)

But, I did expect at least an "Oh, Yeah?!?" or "Thank You for brining this to our attention."

It is going to take someone with a bit more expertise than I, to shut this nonsense down.

Here is a neat little trick you can try if you want to find out just how much traffic is being skimmed by this person.
I found this out by someone clicking on my link to them from their webstats. It depends on the person being overly curious but it might work.
Make a temporary link somewhere to this persons website and click on it a bunch. This will show up in their webstats as an inbound link (which they probably have very few of). If this person is curious enough they will click on the inbound link from within their stats.
When you go look at your own 404 logs there will be the URL of their stats page. Go and see how much traffic is actually being skimmed and probably a lot of other things too.