 
Foistware: New Net, Inc. (NewDotNet) DLL
 
On March 16, 2004, CounterExploitation received a threatening letter from New.net, Inc., demanding the removal of "much, if not all" of the information presented here. You can read the original certified letter here, and our response here. While we feel that all of the opinions which were expressed herein, including comments made in jest, constitute lawfully protected speech, we have revised this page to clarify our position and remove all traces of humor. Sorry for the boring but informative read. If you want to read other boring but informative things, you can read New.net's legal threat to ICANN (and ICANN's response), or the lawsuit New.net has filed against a well-known anti-spyware company.

General

New.net is one of many ventures spun off by Idealab!, a famous (or perhaps infamous) venture-capital incubator that has become a household name in certain circles. The company's primary product is "New.net domain names", which consist of Web site addresses ending with non-standard extensions such as .free, .xxx and .shop. Unfortunately, the "New.net names" are not actually valid Internet domain names and do not exist outside of New.net's self-created namespace. A New.net name displayed to the user as "pie.shop" is actually "pie.shop.new.net"; the New.net software intercepts requests for New.net names and redirects them in the background so that the user continues to see "pie.shop" displayed in the browser window [Screen shot] [Packet capture]. To avoid confusion between the Internet DNS and the services offered by New.Net, Inc., for the remainder of this document we will use the term domain name to refer to a valid Internet domain name resolved via the standard DNS root servers, and keyword to refer to a name that exists only within New.net, Inc.'s proprietary namespace. More information about this important distinction is presented below, under the section entitled "What's In A Name?".
 
Since New.net keywords are not part of the DNS, Internet users are unable to reach them unless they either install New.net's browser plugin, or subscribe to one of a limited number of Internet services that New.net has an arrangement with to resolve New.net keywords in addition to domain names. At the bottom of their homepage, New.net displays a number indicating the approximate number of PCs they believe to be able to access a site using a New.net keyword. However, we are not aware of any published statistic regarding the percentage of Internet users this number represents.

The New.net browser plugin:
The NewDotNet software is what we like to call Foistware: it's something that you probably didn't ask for, and never felt a need for, but it came along anyway with an unrelated program you downloaded. New.net accomplishes this by compensating the authors of unrelated third-party software, which has ranged from media players to peer-to-peer file sharing programs, for "bundling" the browser plugin with their program. At one time, New.Net advertised a 5 cent commission for each system the plugin was successfully installed on; however, we are unable to find current published figures for compensation. For its part, New.net has updated its policies to require "distribution partners" to now prominently disclose software bundling practices in the program's End-User License Agreement (EULA) and provide an "I agree" or similar checkbox or button. Historically, however, we have been made aware of complaints from numerous users asserting that they do not know what the New.net client does or how it got onto their systems.

The New.net software consists of a browser "plug-in" DLL (e.g. newdotnet?_??.dll, where ??? indicate a version number), which, in current versions, is placed in C:\Program Files\NewDotNet. Some older versions of the software installed themselves in the Windows directory (typically C:\WinNT\ for NT/2000/XP users, C:\Windows\ for everybody else). Once installed, the client is started silently at start-up (via Rundll32) by a Run key placed in the Windows registry. The software may be more accurately termed an OS plugin due to the way it integrates itself with the network configuration (Windows Sockets, or Winsock stack) so that all DNS queries are passed through the New.net DLL. If the DLL is removed without also rolling back the changes made to the Winsock stack, such as by simply deleting the file, the computer's Internet connection will be broken.

The New.net software periodically checks for updates and installs them automatically. At the time of this writing (and for at least a year now), it transmits a GUID during the update check, but has not been known to transmit other information (it's not reading your grocery list).
 
The plugin's primary and historical purpose is to intercept requests for New.net names such as "pie.shop" before they get to a standard DNS resolver, and change the actual request to "pie.shop.new.net" so that the name can be resolved. However, at the time of this writing, the software now also redirects mistyped and otherwise nonexistent domains (both legitimate DNS domains and New.net keywords) to a paid-placement search engine called "Quick!" (elevonsearch.com). [Screen shot] This functionality is similar in many respects to the Verisign 'SiteFinder' service, which causes queries that would normally return a DNS error to instead return a search page advertising that the domain is available / for sale, among other things. The rollout of Verisign's SiteFinder sparked widespread outrage among Internet folk, particularly ISPs, and even prompted several lawsuits over concerns that the feature violated fundamental Internet standards (namely, that nonexistent domains should report as nonexistent).

Beginning in approximately September, 2002, the New.net software began including an advertising module that would spawn pop-up ads for the "Firstlook.com Search Portal" approximately once per day. This functionality was removed within about a month amidst user complaints (even longtime New.net supporters/sycophants were crying foul), but there's no guarantee against something like it (or completely different, as seen above) reappearing in the future.
 
In light of facts such as these, we feel that New.net has demonstrated the ability, and even willingness, to use its existing foot in the door to push other, potentially unwanted, software and technologies. The preceding has been a statement of opinion.
 

Removal Procedure:
The NewDotNet software places a reference in Windows' Add/Remove Programs dialogue. It is recommended that you use this to remove the program, as explained in more detail in the New.Net FAQ.

DO NOT simply delete the DLL, as it tampers with the default Winsock settings and manual removal will cause you to lose Internet access.
 

The Add/Remove dialogue is available by clicking Start -> Settings -> Control Panel -> Add/Remove Programs. To remove the plug-in, select new.net from the list and click Add/Remove. Rebooting the computer will complete the removal.

The supplied Add/Remove option has been known to fail in some circumstances. If this happens, New.Net recommends that you e-mail New.Net support or phone them at (626) 229-7800. As the New.net software is being constantly updated, removal information on this Web site can easily become out-of-date.

I have written a small utility, LSP-Fix, that repairs corrupted Winsock stacks. This can be used to remove entries left behind by New.net and similar software, restoring access to machines that cannot connect to the Internet. You can download it here. Note, however, that this is NOT an uninstaller of anything; it is only for fixing connection problems.

Additionally, New.net now offers an uninstaller from their Web site. Unfortunately, due to their prominent legal warning against linking to it, as well as New.net's demonstrated alacrity toward legal threats and lawsuits, we are unable to link you directly to it as this would put cexx.org in a legally actionable position. (We also could incur legal wrath for making any kind of wisecracks about this.) Scroll way down near the bottom of the linked page, and look for the download link with a name like uninstall#_##.exe.

Ed. note: After following any of the removal procedures, search for the DLL and verify that it has indeed been removed!


In addition, some versions appear to come with an additional file that appears under MSIE: the Tldctl2c Class. To remove this...
 

In Internet Explorer, click on Tools > Internet Options. Select the General tab. Click Settings > View Objects. In the Downloaded Program Files window, find Tldctl2c Class and delete it. Rebooting the computer will complete the removal.
According to New.Net, the file is an "ActiveX installer remnant" that is not needed and does not affect the plugin.
 
What's In A Name?
The Internet Domain Name System (DNS) standard was created in 1983 by Paul Mockapetris as a platform-agnostic method to replace numeric Internet Protocol (IP) addresses such as “216.239.37.99” with easier-to-remember text strings such as “www.google.com”. Now a fundamental Internet standard, this system stores domain resolution information on thirteen redundant “Root” servers across the globe, which in turn propagate their data to a larger number of lower-level servers.

In the "www.google.com" example above, google.com is the domain name owned by Google. The string ".com" at the end is called the extension or top-level domain (TLD). The string "www" at the beginning is not part of the domain name; it refers to a specific machine with the name "www" within the Google hierarchy. This is called a subdomain. An owner of a top-level domain name such as google.com can, at no cost, create and use a nearly infinite number of subdomains, such as alice.google.com, bob.google.com, or even my.other.subdomain.is.at.google.com, using standard software.
 
A customer purchasing a New.net name, in the form of "pie.shop" and displayed in the user's browser window as "pie.shop", has actually bought a fourth-level subdomain, "pie.shop.new.net". When the user types "www.pie.shop" into a browser window, the New.net software intercepts the request and changes the query sent to the DNS server to "www.pie.shop.new.net". New.net has acknowledged and agrees that the names it sells are not valid Internet domain names. Although New.net places a disclaimer to this effect at the bottom of their home page, and presumably, makes the user click through an 'I Agree' at the time of purchase (the domain-purchasing features of the New.net web site were unavailable when we were testing), we believe that the wording of such statements fails to adequately notify the customer that a significant percentage of Internet users will not be able to resolve the name. We additionally note that, despite New.net's own admissions that New.net names are not domain names, the New.net web site consistently uses the terms "domains" and "domain names" to refer to these fourth-level subdomains. This has been noted during a visit to the New.net web site on March 16, 2004.
 
In addition, we have received complaints from New.net customers asserting that they were not aware that New.net keywords were substantially different from domain names and that a large percentage of their customers would not be able to reach their sites using the New.net name. Upon finding out that customers can't reach them, many are justifiably angered and occasionally express their feelings on the New.net discussion forums located at http://new.chat.new.net. We have heard a number of reports of respondents having posts deleted or being banned from the forum after making negative statements about the company or its software.
 
(We don't know why anyone would buy a name many of their customers can't resolve, nor why it would cost more than a valid domain name usable by 100% of the Internet population, but we suppose that's their right. And yes, this is a statement of opinion.)

When Worlds Collide
Coordination of this naming system is now handled by the Internet Corporation for Assigned Names and Numbers (ICANN), an international non-profit corporation. One of the key goals of ICANN's operatorship is to ensure that the DNS maintains universal resolvability. This is a critical design feature of the DNS which ensures that a DNS "question" (domain resolution query) will have the same "answer" under all circumstances, e.g. regardless of who is doing the asking, or where they are located. For example, when you use your friend's computer, typing in a particular Web address will bring up the same site that it did on your computer, even if your friend accesses the Internet from a different ISP and uses a different operating system.

When additional, non-authoritative roots are thrown into the mix, however, this produces situations in which names are not universally resolvable. That is, at best, a site that exists on a machine that uses the non-authoritative namespace is not accessible on a machine that doesn't. At worst, accessing the same name on different machines could bring up completely different sites. Rather than the question having a single and well-established answer, a proliferation of non-authoritative roots will cause this answer to depend on whichever non-authoritative registrar has been able to fight its way to the top of that particular computer's protocol chain.

The set consisting of all possible names under a particular naming system is called a namespace. The possible names under the DNS constitute one such namespace, as does the set of possible names under alternate systems such as "New.net names". The availability of the same name in multiple namespaces makes possible a condition known as a namespace collision, in which multiple parties simultaneously “own” the same name. The result of this condition is that the name would sometimes resolve to one site, and sometimes another, depending on the specific computer system or Internet Service Provider in use at the time. The situation would also promote disputes over the ownership of the name, and make it possible for one person's assigned name to direct Internet users to an unrelated site of unknown repute, or even a competitor. We feel that the New.net Web site fails to adequately inform potential customers of the very real possibility of namespace collisions, and the potential consequences of such collisions at such time that any top-level domain extension already allocated within the New.net proprietary namespace becomes part of the official DNS structure. CounterExploitation is informed and believes that New.net, Inc. has allocated names with top-level domain extensions, including, but not limited to, .law, .travel, .xxx and .kids, which “already overlap with applications to ICANN for new TLD introductions”. (Source: Keeping the Internet a Reliable Global Public Resource: Response to New.net "Policy Paper", 2001).
 
On March 19, 2004, ICANN announced the applications for ten new top-level domains. One of them, .xxx, is already being assigned under the New.net namespace.
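
The "at best" and "at worst" cases described above can be modeled in a few lines. This is an added example, not code from New.net or from the original page; the zone contents, the addresses and the name pie.xxx are constructed, and the delegation of .xxx in the second zone set is hypothetical.

```python
OVERLAY_SUFFIX = "new.net"
OVERLAY_TLDS = {"free", "shop", "xxx"}  # extensions named on this page

# Constructed zone data (documentation address ranges). ZONES_NOW holds only
# the real subdomain behind the keyword; ZONES_LATER adds a hypothetical
# registration of the same name by another party under a delegated .xxx.
ZONES_NOW = {"www.example.com": "192.0.2.1", "pie.xxx.new.net": "198.51.100.10"}
ZONES_LATER = dict(ZONES_NOW, **{"pie.xxx": "203.0.113.20"})


def normalize(name):
    """Lower-case a name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def resolve(name, zones, has_plugin):
    """Return (query sent to DNS, answer) for one client; None models a DNS error."""
    query = normalize(name)
    if has_plugin and query.rsplit(".", 1)[-1] in OVERLAY_TLDS:
        # The plugin sits ahead of the resolver and rewrites keyword -> subdomain.
        query = f"{query}.{OVERLAY_SUFFIX}"
    return query, zones.get(query)


def classify(name, zones):
    """Compare what a machine without the plugin and one with it would reach."""
    _, plain = resolve(name, zones, has_plugin=False)
    _, plugged = resolve(name, zones, has_plugin=True)
    if plain == plugged:
        return "consistent"            # universal resolvability holds
    if plain is None:
        return "unreachable without plugin"  # the "at best" case
    if plugged is None:
        return "unreachable with plugin"
    return "collision"                 # the "at worst" case: two different sites
```
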
 
 
Known Compatibility Issues
New.net affirms that the latest version of their software, together with the latest versions of the software listed below, have no problems, and has demanded removal of this entire section. However, the following well-documented compatibility issues are known to have existed between the New.Net software and the third-party products listed below. Some dead links have been removed.
 
We feel that factual historical information about companies and products is an important tool to help consumers make informed decisions and resolve problems. We also feel that it is unreasonable to assume that all users are running the most up-to-date version of each software program on their computers. For these reasons, we have no intention of censoring factual historical information from the CounterExploitation web site.

Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems
Proxy Client Conflict with Third-Party Providers Causes Problems

Dungeon Siege: "Has Encountered a Problem and Needs to Close" Error Message When You Try to Connect by Using the ZoneMatch Server


More Information:
NewDotNet is loaded on startup using Rundll32.exe, a Windows component that allows DLLs (dynamically-linked function libraries) to be run as stand-alone applications. Registry Run key: rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartUp

The NewDotNet DLL does not seem to be affected by disabling it in MSCONFIG, according to the reports I have received. To verify, disable it using MSCONFIG, load a Web browser and try to connect to Internet sites (everything should work as before). Now rename the DLL (restarting Windows if necessary), and try it again. If the DLL has been renamed or removed in any way other than using the New.Net uninstaller, you will no longer be able to access any web sites or email until it is either restored, or its Layered Service Provider entries are removed from the Windows registry (see next paragraph).

The New.Net plugin is installed as a Layered Service Provider (LSP) under Windows, which makes all requests pass through it. If such a program is removed, but its LSP entries remain, these requests have nowhere to go! Highly technical information on LSPs is available here. My LSP-Fix utility (repairs corrupted LSP stacks) is here.
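
One way to spot the state described above, where a catalog entry remains but its DLL is gone, is to parse the text printed by `netsh winsock show catalog`. This is an added example, not part of LSP-Fix or of the original page; it assumes the English-locale field labels shown in the sample, the sample text is constructed, and the DLL file name in it is a placeholder.

```python
import os
import re

# Constructed sample in the layout of English-locale `netsh winsock show catalog`
# output, trimmed to the fields used below. The DLL file name is a placeholder.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        Placeholder layered provider over [TCP/IP]
Provider Path:                      C:\Program Files\NewDotNet\PLACEHOLDER.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
"""

HEADERS = ("Winsock Catalog Provider Entry", "Name Space Provider Entry")
FIELD = re.compile(r"^\s*([^:]+):\s+(.*\S)\s*$")


def parse_catalog(text):
    """Split catalog text into one dict of fields per provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() in HEADERS:
            current = {}
            entries.append(current)
        elif current is not None:
            match = FIELD.match(line)
            if match:
                current[match.group(1).strip()] = match.group(2)
    return entries


def audit(text, path_exists=os.path.exists, env=None):
    """Report entries layered over the base providers or whose DLL is missing."""
    env = {k.lower(): v for k, v in (os.environ if env is None else env).items()}
    findings = []
    for entry in parse_catalog(text):
        raw = entry.get("Provider Path")
        if raw is None:  # entry printed without a path: nothing to check on disk
            continue
        # Expand %VAR% references ourselves so saved output can be checked off-box.
        path = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), raw)
        # Chain length 1 marks a base provider; 0 or more than 1 means layering.
        layered = int(entry.get("Protocol Chain Length", "1")) != 1
        if not path_exists(path):
            status = "ORPHANED"  # entry remains but the DLL is gone
        elif layered:
            status = "LAYERED"   # DLL present and in the chain: uninstall properly
        else:
            continue
        findings.append((entry.get("Catalog Entry ID"), status, path))
    return findings
```

An ORPHANED result is the condition that breaks connectivity; a LAYERED result only means a third-party provider is in the chain and should be removed with its uninstaller rather than by deleting the file.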

Earthlink, @Home, Juno and NetZero are listed as ISPs that have an arrangement with New.net to resolve New.net keywords on the ISP's side. In addition, the following are known to have partnered with new.net and bundled the foistware with their products at some point:

Go!Zilla
BearShare
Mp3.com
iMesh
Babylon
Webshots
gDivx
BikiniDesk
RadLight / Subtitle Studio
RealNetworks (RealOne Player)
UK Software
Cydoor (LingoWare)
Grokster
KaZaA
Mindset Interactive (NetPalNow)

Some software bundling 3rd-party foistware will allow you to "opt out" of installation, but others will refuse to install the program you actually downloaded unless you consent to installation of the New.net software (and possibly other 3rd-party products).

Ed. Note: I would much prefer it if New.Net would stick to adding DNS server entries (DNS server search order) to resolve their domains instead of using a buggy plugin. This would eliminate numerous problems for users and helpdesks alike. New.Net does explain reasons for doing it this way, in case anyone is wondering:

You can remove the New.Net plugin entirely and still be able to access New.Net keywords, simply by adding ".new.net" to the end.
E.g.: A Web page http://www.example.shop becomes http://www.example.shop.new.net and jsmith@example.shop becomes jsmith@example.shop.new.net.

IMPORTANT: If you are experiencing problems with New.net foistware or its removal, please contact new.net for assistance, either by emailing their tech support or contacting by phone at (626) 229-7800 (beware--NOT a toll-free call). I'm not a technical support provider for New.Net or other purveyors of unnecessary software, and what is on this Web site is really about all the information I have. If you email me asking for help removing new.net, you will get back a message directing you to contact New.net support.
 

Links:
 
Automatic Winsock repair utility
 
Experimental Winsock-restore procedure

More detailed Winsock restore procedure - A reader shares an in-depth Winsock restoration procedure for Windows 98 and ME.

New.Net and SaveNow removal instructions available from Microsoft's Knowledge Base.

New.net Homepage


All trademarks are hereby acknowledged as the property of their respective owners. For more fun, read our legal information.