You seem to find odd many things that are actually quite normal. An 10.x.x.x address is very much a normal-looking one – it has everything that an IPv4 address should have (four dot-separated octets). It's just specifically assigned by RFC 1918 for LAN use, alongside 192.168.x.x.
Likewise, having /etc/resolv.conf overwritten is also normal – as part of the network connection process, wicd obtains your IP address and the network's recommended DNS servers from DHCP.
That said. Captive portals work in several ways:
Some intercept all DNS traffic and send you fake DNS replies pointing to the portal webserver. (This happens regardless of what DNS servers you're trying to use, so trying to ignore the DHCP-provided info is pointless.)
Other kinds intercept HTTP and HTTPS traffic directly, and reply to all requests with HTTP 302 redirects to the same portal.
Once you log in and/or click the "accept ToS" button, the portal website adjusts firewall rules on the router to remove the interception and let you browse as usual.
The resolv.conf search parameter is also obtained from DHCP, but it doesn't mean anything here. It just means "append this domain if none was given".
For example, if you connect to Example Corp's office network and try to access http://mail/ (with no domain name), then the system will try http://mail.example.com/ first, because your system has obtained search example.com from the office network.
This functionality is practically never used in public hotspots, but often the DHCP server will send whatever domain according to its own internal hostname, just because it's the default mode. So if you see search guest.example.com, that probably merely means the DHCP server was named dhcp-nyc42.guest.example.com or such.