Foistware: New Net,
Inc. (NewDotNet) DLL
March 16, 2004, CounterExploitation received a threatening letter from
New.net, Inc., demanding the removal of "much, if not all" of the
information presented here. You can read the original certified letter
here, and our response here. While we feel that all of the opinions
which were expressed herein, including comments made in jest, constitute
lawfully protected speech, we have revised this page to clarify our
position and remove all traces of humor. Sorry for the boring but
informative read. If you want to
read other boring but informative things, you can read New.net's
legal threat to ICANN (and ICANN's response), or the lawsuit New.net has filed against a well-known anti-spyware company.
New.net is one of many ventures spun off by Idealab!, a famous (or
perhaps infamous) venture-capital incubator that has become a household
circles. The company's primary product is "New.net domain names", which
consist of Web site addresses ending with non-standard extensions such
as .free, .xxx and .shop. Unfortunately, the "New.net names" are not acutally valid Internet domain names
and do not exist outside of New.net's self-created namespace. A New.net
name displayed to the user as "pie.shop" is actually
"pie.shop.new.net"; the New.net software intercepts requests for
New.net names and redirects them in the
background so that the user continues to see "pie.shop" displayed in the browser window [Screen shot] [Packet capture]. To
avoid confusion between the Internet DNS and the services offered by
New.Net, Inc., for the remainder of this document we will use the term domain name to refer to a valid Internet domain name resolved via the standard DNS root servers, and keyword
to refer to a name that exists only within New.net, Inc.'s proprietary
namespace. More information about this important distinction is
presented below, under the section entitled "What's In A Name?".
Since New.net keywords are not part of the DNS, Internet users are
unable to reach them unless they either install New.net's browser
plugin, or subscribe to one of a limited number of Internet services
that New.net has an arrangement with to resolve New.net keywords in
addition to domain names. At the bottom of their homepage, New.net
displays a number indicating the approximate number of PCs they believe
to be able to access a site using a New.net keyword. However, we are not aware
of any published statistic regarding the percentage of Internet users
this number represents.
The New.net browser plugin:
The NewDotNet software
is what we like to call Foistware: it's something that you probably
didn't ask for, and never felt a need for, but it came along anyway
with an unrelated program you downloaded. New.net accomplishes this by
compensating the authors of unrelated third-party software, which has ranged from media players to peer-to-peer file sharing programs, for "bundling" the browser plugin with their program. At one time, New.Net advertised a 5 cent commission for each system the plugin
was successfully installed on; however, we are unable to find current published figures for compensation. For
its part, New.net has updated its policies to require "distribution
partners" to now prominently disclose software bundling practices in
the program's End-User License Agreement (EULA) and provide an "I
agree" or similar checkbox or button. Historically, however, we have
been made aware of complaints from numerous users asserting that they
do not know what the New.net client does or how it got onto their
The New.net software
consists of a browser "plug-in" DLL (e.g. newdotnet?_??.dll, where ???
indicate a version number), which, in current versions, is placed in
C:\Program Files\NewDotNet . Some older versions of the software
installed themselves in the Windows directory (typically C:\WinNT\
for NT/2000/XP users, C:\Windows\ for everybody else). Once installed, the client runs silently
at start-up (via Rundll32)
by a Run key placed in the Windows registry.
The software may be more accurately termed an OS plugin due to the way
it integrates itself with the network configuration (Windows Sockets,
or Winsock stack) so that all DNS queries are passed through the
New.net DLL. If the DLL is removed without also rolling back the
changes made to the Winsock stack, such as by simply deleting the file,
the computer's Internet connection will be broken.
The New.net software
periodically checks for updates and installs them automatically. At the
time of this writing (and for at least a year now), it transmits a GUID during the update check, but has not been known to transmit other information (it's not reading your grocery list).
The plugin's primary and historical purpose is to intercept requests
for New.net names such as "pie.shop" before they get to a standard DNS
resolver, and change the actual request to "pie.shop.new.net" so that
the name can be resolved. However, at the time of this writing, the
software now also redirects mistyped and otherwise non-existing domains
(both legitimate DNS domains and New.net keywords) to a paid-placement search engine called "Quick!" (elevonsearch.com). [Screen shot]
This functionality is similar in many respects to the Verisign
'SiteFinder' service, which causes queries that would normally return a
DNS error to instead return a search page advertising that the domain
is available / for sale, among other things. The rollout of Verisign's
SiteFinder sparked widespread outrage among Internet folk, particularly
ISPs, and even prompted
over concerns that the feature violated fundamental Internet standards
(namely, that non-existant domains should report as non-existant).
Beginning in approximately September, 2002, the New.net software began
including an advertising module that would spawn pop-up ads
for the "Firstlook.com Search Portal" approximately once per day. This
functionality was removed within about a month amidst user complaints
(even longtime New.net supporters/sycophants were crying foul), but
there's no guarantee against something like it (or completely
different, as seen above) reappearing in the future.
In light of facts such as these, we feel that New.net has
demonstrated ability, and even willingness, to use its existing foot in
the door to push other, potentially unwanted, software and
technologies. The preceding has been a statement of opinion.
The NewDotNet software places
a reference in Windows' Add/Remove Programs dialogue. It is recommended
that you use this to remove the program, as explained in more
in the New.Net FAQ.
DO NOT simply delete the DLL, as it tampers with
the default Winsock settings and manual removal will cause you to lose
Internet access.The Add/Remove dialogue is
available by clicking Start -> Settings -> Control Panel -> Add/Remove
Programs. To remove the plug-in, select new.net from the list and click
Add/Remove. Rebooting the computer will complete the removal.
The supplied Add/Remove
option has been known to fail in some circumstances. If this happens, New.Net
recommends that you e-mail New.Net support
or phone them at (626) 229-7800. As the New.net software is being constantly
updated, removal information on this Web site can easily become out-of-date.
I have written a small utility,
LSP-Fix, that repairs corrupted Winsock stacks.
This can be used to remove entries left behind by New.net and similar software, restoring access to machines
that cannot connect to the Internet. You can download it here. Note however, that this is NOT an uninstaller of anything, it is only to fix connection problems.
New.net now offers an uninstaller
from their Web site. Unfortunately, due to their prominent legal warning
against linking to it, as well as New.net's demonstrated alacrity
toward legal threats and lawsuits,
we are unable to link you directly to it as this would put cexx.org in
a legally actionable position. (We also could incur legal wrath for
making any kind of wisecracks about this.) Scroll way down near the
bottom of the linked page, and look for the download link with a name
Ed. note: After following
any of the removal procedures, search for the DLL and verify that it has
indeed been removed!
In addition, some versions
appear to come with an additional file that appears under MSIE: the Tldctl2c
Class. To remove this...
In Internet Explorer,
click on Tools > Internet Options. Select the General
tab. Click Settings > View Objects. In the Downloaded
Program Files window, find Tldctl2c Class and delete it. Rebooting
the computer will complete the removal.
According to New.Net, the file
is an "ActiveX installer remnant" that is not needed and does not affect
What's In A Name?
Internet Domain Name System (DNS) standard was created in 1983 by Paul
Mockapetris as a platform-agnostic method to replace numeric Internet
Protocol (IP) addresses such as “126.96.36.199” with easier-to-remember
text strings such as “www.google.com”. Now a fundamental Internet
standard, this system stores domain resolution information on thirteen
redundant “Root” servers across the globe, which in turn propagate
their data to a larger number of lower-level servers.
In the "www.google.com" example above, google.com is the domain name owned by Google. The string ".com" at the end is called the extension or
top-level domain (TLD). The string "www" at the beginning is not part of the domain
name--is refers to a specific machine with the name "www" within the
Google hierarchy. This is called a subdomain.
An owner of a top-level domain name such as google.com can, at no cost,
create and use a nearly infinite number of subdomains, such as
alice.google.com, bob.google.com, or even
my.other.subdomain.is.at.google.com. using standard software.
A customer purchasing a New.net name, in the form of "pie.shop" and
displayed in the user's browser window as "pie.shop", has actually
bought a fourth-level subdomain, "pie.shop.new.net". When the user
types "www.pie.shop" into a browser window, the New.net software
intercepts the request and changes the query sent to the DNS server to
"www.pie.shop.new.net". New.net has acknowledged and agrees that the
names it sells are not valid Internet domain names. Although New.net
places a disclaimer to this effect at the bottom of their home page,
and presumably, makes the user click through an 'I Agree' at the time
of purchase (the domain-purchasing features of the New.net web site
were unavailable when we were testing), we
believe that the wording of such statements fails to adequately notify
the customer that a significant percentage of Internet users will not be
able to resolve the name. We in addition note that, despite New.net's
own admissions that New.net names are not domain names, the New.net web
site consistently uses the terms "domains" and "domain names" to refer to these fourth-level subdomains. This has been noted during a visit to the New.net web site on March 16, 2004.
In addition, we have received complaints from New.net customers
asserting that they were not aware that New.net keywords were
substantially different from domain names and that a large percentage
of their customers would not be able to reach their sites using the
New.net name. Upon finding out that customers can't reach them, many
are justifiably angered and occasionally express their feelings on the
New.net discussion forums located at
We have heard a number of reports of respondents having posts deleted
or being banned from the forum after making negative statements about
the company or its software.
don't know why anyone would buy a name many of their customers can't
resolve, nor why it would cost more than a valid domain name usable by
100% of the Internet population, but we suppose that's their right. And
yes, this is a statement of opinion.)
When Worlds Collide
Coordination of this naming system is now handled by the Internet
Corporation for Assigned Names and Numbers (ICANN), an international
One of the key goals of ICANN's operatorship is to ensure that the DNS maintans universal resolvability.
This is a critical design feature of the DNS which ensures that a DNS
"question" (domain resolution query) will have the same "answer" under
all circumstances, e.g. regardless of who is doing the asking, or where
they are located. For example, when you use your friend's computer, typing in a
particular Web address will bring up the same site that it did on your
computer, even if your friend accesses the Internet from a different ISP and uses a different operating system.
When additional, non-authoritative roots are thrown into the mix,
however, this produces situations in which names are not universally
resolvable. That is, at best, a site that exists on a machine that uses
the non-authoritative namespace is not accessible on a machine that
doesn't. At worst, accessing the same name on different machines could
bring up completely different sites. Rather than the question having a single and well-established answer,
a proliferation of non-authoritative roots will cause this answer to
depend on whichever non-authoritative registrar has been able to fight
its way to the top of that particular computer's protocol chain.
The set consisting of all possible names under a particular naming system is called a namespace.
The possible names under the DNS constitute one such namespace, as does
the set of possible names under alternate systems such as "New.net
names". The availability of the same name in multiple namespaces makes
possible a condition known as a namespace collision, in which multiple
parties simultaneously “own” the same name. The result of this
condition is that the name would sometimes resolve to one site, and
sometimes another, depending on the specific computer system or
Internet Service Provider in use at the time. The situation would also
promote disputes over the ownership of the name, and make it possible
for one person's assigned name to direct Internet users to an unrelated
site of unknown repute, or even a competitor. We feel that the New.net
Web site fails to adequately inform potential customers of the very
real possibility of namespace collisions, and the potential
consequences of such collisions at such time that any top-level domain
extension already allocated within the New.net proprietary namespace
becomes part of the official DNS structure. CounterExploitation is
informed and believes that New.net, Inc. has allocated names with
top-level domain extensions, including, but not limited to, .law,
.travel, .xxx and .kids, which “already overlap with applications to
ICANN for new TLD introductions”. (Source:
Keeping the Internet a Reliable Global Public Resource: Response to New.net "Policy Paper", 2001).
On March 19, 2004, ICANN announced the applications for ten new
top-level domains. One of them, .xxx, is already being assigned under
the New.net namespace.
Known Compatability Issues
New.net affirms that
the latest version of their software, together with the latest versions
of the software listed below, have no problems, and has demanded
removal of this entire section. However, the following well-documented
compatibility issues are known to have existed between the New.Net
software and the third-party products listed below. Some dead links
have been removed.
We feel that factual
historical information about companies and products is an important
tool to help consumers make informed decisions and resolve problems.
We also feel that it is unreasonable to assume that all users are
running the most up-to-date version of each software program on their
computers. For these reasons, we have no intention
of censoring factual historical information from the
CounterExploitation web site.
WebFerret: Presence of
an older version of the New.Net plugin caused the WebFerret
software to crash with the error message, "illegal operation error (unknown module)".
The author's recommended solution was to remove New.Net.
Microsoft Internet Security
and Acceleration (ISA):
From the Microsoft Knowledge Base: "After you install a third-party program (such as the NewDot and Babylon clients)
on a computer that is running the Internet Security and Acceleration (ISA)
Server Firewall client software, you may experience problems with network
connectivity, slow loading of the operating system and error messages on
blue screens or STOP error messages. The same problem may also occur if the
ISA Server Firewall client is installed after the third party client or provider."
Microsoft has confirmed this to be a bug in ISA. The recommended
solution is to either install
patch from Microsoft, or remove New.Net. For more information, please
read the following Microsoft Knowledge Base articles:
Firewall Client Conflict with Third-Party Layered Service Providers Causes Connectivity Problems
Proxy Client Conflict with Third-Party Providers Causes Problems
ZoneLabs Zone Alarm: There have been reports in the past that the plug-in is capable of accessing the Internet undetected
by the old versions of the personal firewall software,
Other reports indicate ZA successfully detecting and blocking its connection
attempts. A user has confirmed that Zone Alarm (free) 2.6 detects the app
successfully. This behaviour is most likely because the DLL is a function
library and not a stand-alone program--it must be linked by Windows' "RunDLL32.exe"
wrapper. If a ZA rule has already been established for RunDLL32.exe running
another DLL, newdot~*.dll would obtain the same permissions already granted
to RunDLL32.exe. This behaviour appears to have been fixed as of version 2.6
of Zone Alarm. To clarify (and to keep lawyers off my back), there is no
evidence to suggest that any bypasses are intentional or malicious. Zone
Alarm has not recommended a solution, but we recommend updating Zone Alarm
to version 2.6 or later.
NewDotNet is loaded on startup
a Windows component that allows DLLs (dynamically-linked function libraries)
to be run as stand-alone applications. Registry Run key: rundll32
The NewDotNet DLL does not
seem to be affected by disabling it in MSCONFIG, according to the reports
I have received. To verify, disable it using MSCONFIG, load a Web browser
and try to connect to Internet sites (everything should work as before).
Now rename the DLL (restarting Windows if necessary), and try it again.
the DLL has been renamed or removed in any way other than using the New.Net
uninstaller, you will no longer be able to access any web sites or email
until it is either restored, or its Layered Service Provider entries are removed from the Windows registry (see next paragraph).
The New.Net plugin is installed
as a Layered Service Provider (LSP) under Windows, which makes all requests
pass through it. If such a program is removed, but its LSP entries remain,
these requests have nowhere to go! Highly technical information on LSPs
My LSP-Fix utility (repairs corrupted LSP stacks) is here.
Earthlink, @Home, Juno
are listed as ISPs that have an arrangement with
New.net to resolve New.net keywords on the ISP's side. In addition, the
following are known to have partnered with new.net and bundled the
foistware with their products at some point:
RadLight / Subtitle Studio
RealNetworks (RealOne Player)
Mindset Interactive (NetPalNow)
Some software bundling
3rd-party foistware will allow you to "opt out" of installation, but
others will refuse to install the program you actually downloaded
unless you consent to installation of the New.net software (and
possibly other 3rd-party products).
Ed. Note: I would much rather
prefer it if New.Net would stick to adding DNS server entries (DNS server
search order) to resolve their domains instead of using a buggy plugin.
This would eliminate numerous problems for users and helpdesks alike. New.Net
does explain reasons for doing it this way, in case anyone is wondering:
You can remove the New.Net plugin entirely and still be able to access
New.Net keywords, simply by adding ".new.net" to the end.
Installing as a Layered Service
Provider (LSP) allows the software to work with AOL's proprietary software
as well as machines behind an external proxy. According to New.Net, the
LSP status is also to allow email resolution of New.Net domains.
Ed. note: This email part
sounded strange to me at first, and I suspect I am not alone, so let me
clarify this as I understand it: With a regular WWW domain, every application
could use the OS-supplied DNS stack to resolve the domain, with no need
of a plug-in. But unless you are running your own mailserver, your mail
is sent to your ISP's server, which may or may not support
New.Net 'bogus' domains. If the sending ISP cannot resolve new.net domains,
the mails can not be delivered. The plugin solves this by intercepting
the mails and adding ".new.net" to the end of the email address before
it leaves the user's machine. The plugin on the other end, if present,
can then remove the ".new.net" from the address. E.g. firstname.lastname@example.org
would become email@example.com. (This also means the plugin is
unnecessary, if you are willing to add ".new.net" to the address yourself
;) More details on new.net email behaviour are available in the
It functions as a "marketing
tool", according to New.Net: when the plug-in is installed, it can resolve
addresses immediately without asking for a reboot. Adding a new DNS server
on most systems requires a reboot before they are used.
E.g.: A Web page http://www.example.shop
becomes http://www.example.shop.new.net and
IMPORTANT: If you are
experiencing problems with New.net foistware or its removal, please contact
new.net for assistance, either by emailing
their tech support or contacting by phone at (626) 229-7800 (beware--NOT
a toll-free call). I'm not a technical support provider for New.Net or
other purveyors of unnecessary software, and what is on this Web site is really about all
the information I have. If you email me asking for help removing new.net,
you will get back a message directing you to contact New.net support.
Winsock repair utility
detailed Winsock restore procedure - A reader shares an in-depth Winsock
restoration procedure for Windows 98 and ME.
and SaveNow removal instructions available from Microsoft's Knowledge
All trademarks are hereby acknowledged as the property of their respective owners. For more fun, read our legal information.