You will see reference to improper removal in the article
listed below.
It is from
http://www.windowsstartup.com/wso/detail.php?id=1874
Your generous donations help keep this site online! Click
here to support cexx.org.
Foistware: New Net, Inc. (NewDotNet) DLL
On March 16, 2004, CounterExploitation received a
threatening letter from New.net, Inc., demanding the removal
of "much, if not all" of the information presented here. You
can read the original certified letter here, and our
response here. While we feel that all of the opinions which
were expressed herein, including comments made in jest,
constitute lawfully protected speech, we have revised this
page to clarify our position and remove all traces of humor.
Sorry for the boring but informative read. If you want to
read other boring but informative things, you can read
New.net's legal threat to ICANN (and ICANN's response), or
the lawsuit New.net has filed against a well-known
anti-spyware company.
General
New.net is one of many ventures spun off by Idealab!, a
famous (or perhaps infamous) venture-capital incubator that
has become a household name in certain circles. The
company's primary product is "New.net domain names", which
consist of Web site addresses ending with non-standard
extensions such as .free, .xxx and .shop. Unfortunately, the
"New.net names" are not acutally valid Internet domain names
and do not exist outside of New.net's self-created
namespace. A New.net name displayed to the user as
"pie.shop" is actually "pie.shop.new.net"; the New.net
software intercepts requests for New.net names and redirects
them in the background so that the user continues to see
"pie.shop" displayed in the browser window [Screen shot]
[Packet capture]. To avoid confusion between the Internet
DNS and the services offered by New.Net, Inc., for the
remainder of this document we will use the term domain name
to refer to a valid Internet domain name resolved via the
standard DNS root servers, and keyword to refer to a name
that exists only within New.net, Inc.'s proprietary
namespace. More information about this important distinction
is presented below, under the section entitled "What's In A
Name?".
Since New.net keywords are not part of the DNS, Internet
users are unable to reach them unless they either install
New.net's browser plugin, or subscribe to one of a limited
number of Internet services that New.net has an arrangement
with to resolve New.net keywords in addition to domain
names. At the bottom of their homepage, New.net displays a
number indicating the approximate number of PCs they believe
to be able to access a site using a New.net keyword.
However, we are not aware of any published statistic
regarding the percentage of Internet users this number
represents.
The New.net browser plugin:
The NewDotNet software is what we like to call Foistware:
it's something that you probably didn't ask for, and never
felt a need for, but it came along anyway with an unrelated
program you downloaded. New.net accomplishes this by
compensating the authors of unrelated third-party software,
which has ranged from media players to peer-to-peer file
sharing programs, for "bundling" the browser plugin with
their program. At one time, New.Net advertised a 5 cent
commission for each system the plugin was successfully
installed on; however, we are unable to find current
published figures for compensation. For its part, New.net
has updated its policies to require "distribution partners"
to now prominently disclose software bundling practices in
the program's End-User License Agreement (EULA) and provide
an "I agree" or similar checkbox or button. Historically,
however, we have been made aware of complaints from numerous
users asserting that they do not know what the New.net
client does or how it got onto their systems.
The New.net software consists of a browser "plug-in" DLL
(e.g. newdotnet?_??.dll, where ??? indicate a version
number), which, in current versions, is placed in C:\Program
Files\NewDotNet . Some older versions of the software
installed themselves in the Windows directory (typically
C:\WinNT\ for NT/2000/XP users, C:\Windows\ for everybody
else). Once installed, the client runs silently at start-up
(via Rundll32) by a Run key placed in the Windows registry.
The software may be more accurately termed an OS plugin due
to the way it integrates itself with the network
configuration (Windows Sockets, or Winsock stack) so that
all DNS queries are passed through the New.net DLL. If the
DLL is removed without also rolling back the changes made to
the Winsock stack, such as by simply deleting the file, the
computer's Internet connection will be broken.
The New.net software periodically checks for updates and
installs them automatically. At the time of this writing
(and for at least a year now), it transmits a GUID during
the update check, but has not been known to transmit other
information (it's not reading your grocery list).
The plugin's primary and historical purpose is to intercept
requests for New.net names such as "pie.shop" before they
get to a standard DNS resolver, and change the actual
request to "pie.shop.new.net" so that the name can be
resolved. However, at the time of this writing, the software
now also redirects mistyped and otherwise non-existing
domains (both legitimate DNS domains and New.net keywords)
to a paid-placement search engine called "Quick!"
(elevonsearch.com). [Screen shot] This functionality is
similar in many respects to the Verisign 'SiteFinder'
service, which causes queries that would normally return a
DNS error to instead return a search page advertising that
the domain is available / for sale, among other things. The
rollout of Verisign's SiteFinder sparked widespread outrage
among Internet folk, particularly ISPs, and even prompted
several lawsuits over concerns that the feature violated
fundamental Internet standards (namely, that non-existant
domains should report as non-existant).
Beginning in approximately September, 2002, the New.net
software began including an advertising module that would
spawn pop-up ads for the "Firstlook.com Search Portal"
approximately once per day. This functionality was removed
within about a month amidst user complaints (even longtime
New.net supporters/sycophants were crying foul), but there's
no guarantee against something like it (or completely
different, as seen above) reappearing in the future.
In light of facts such as these, we feel that New.net has
demonstrated ability, and even willingness, to use its
existing foot in the door to push other, potentially
unwanted, software and technologies. The preceding has been
a statement of opinion.
Removal Procedure:
The NewDotNet software places a reference in Windows'
Add/Remove Programs dialogue. It is recommended that you use
this to remove the program, as explained in more detail in
the New.Net FAQ.
DO NOT simply delete the DLL, as it tampers with the default
Winsock settings and manual removal will cause you to lose
Internet access.
The Add/Remove dialogue is available by clicking Start ->
Settings -> Control Panel -> Add/Remove Programs. To remove
the plug-in, select new.net from the list and click
Add/Remove. Rebooting the computer will complete the
removal.
The supplied Add/Remove option has been known to fail in
some circumstances. If this happens, New.Net recommends that
you e-mail New.Net support or phone them at (626) 229-7800.
As the New.net software is being constantly updated, removal
information on this Web site can easily become out-of-date.
I have written a small utility, LSP-Fix, that repairs
corrupted Winsock stacks. This can be used to remove entries
left behind by New.net and similar software, restoring
access to machines that cannot connect to the Internet. You
can download it here. Note however, that this is NOT an
uninstaller of anything, it is only to fix connection
problems.
Additionally, New.net now offers an uninstaller from their
Web site. Unfortunately, due to their prominent legal
warning against linking to it, as well as New.net's
demonstrated alacrity toward legal threats and lawsuits, we
are unable to link you directly to it as this would put
cexx.org in a legally actionable position. (We also could
incur legal wrath for making any kind of wisecracks about
this.) Scroll way down near the bottom of the linked page,
and look for the download link with a name like
uninstall#_##.exe.
Ed. note: After following any of the removal procedures,
search for the DLL and verify that it has indeed been
removed!
In addition, some versions appear to come with an additional
file that appears under MSIE: the Tldctl2c Class. To remove
this...
In Internet Explorer, click on Tools > Internet Options.
Select the General tab. Click Settings > View Objects. In
the Downloaded Program Files window, find Tldctl2c Class and
delete it. Rebooting the computer will complete the removal.
According to New.Net, the file is an "ActiveX installer
remnant" that is not needed and does not affect the plugin.
What's In A Name?
The Internet Domain Name System (DNS) standard was created
in 1983 by Paul Mockapetris as a platform-agnostic method to
replace numeric Internet Protocol (IP) addresses such as
"216.239.37.99" with easier-to-remember text strings such as
"
www.google.com". Now a fundamental Internet standard, this
system stores domain resolution information on thirteen
redundant "Root" servers across the globe, which in turn
propagate their data to a larger number of lower-level
servers.
In the "
www.google.com" example above, google.com is the
domain name owned by Google. The string ".com" at the end is
called the extension or top-level domain (TLD). The string
"www" at the beginning is not part of the domain name--is
refers to a specific machine with the name "www" within the
Google hierarchy. This is called a subdomain. An owner of a
top-level domain name such as google.com can, at no cost,
create and use a nearly infinite number of subdomains, such
as alice.google.com, bob.google.com, or even
my.other.subdomain.is.at.google.com. using standard
software.
A customer purchasing a New.net name, in the form of
"pie.shop" and displayed in the user's browser window as
"pie.shop", has actually bought a fourth-level subdomain,
"pie.shop.new.net". When the user types "
www.pie.shop" into
a browser window, the New.net software intercepts the
request and changes the query sent to the DNS server to
"
www.pie.shop.new.net". New.net has acknowledged and agrees
that the names it sells are not valid Internet domain names.
Although New.net places a disclaimer to this effect at the
bottom of their home page, and presumably, makes the user
click through an 'I Agree' at the time of purchase (the
domain-purchasing features of the New.net web site were
unavailable when we were testing), we believe that the
wording of such statements fails to adequately notify the
customer that a significant percentage of Internet users
will not be able to resolve the name. We in addition note
that, despite New.net's own admissions that New.net names
are not domain names, the New.net web site consistently uses
the terms "domains" and "domain names" to refer to these
fourth-level subdomains. This has been noted during a visit
to the New.net web site on March 16, 2004.
In addition, we have received complaints from New.net
customers asserting that they were not aware that New.net
keywords were substantially different from domain names and
that a large percentage of their customers would not be able
to reach their sites using the New.net name. Upon finding
out that customers can't reach them, many are justifiably
angered and occasionally express their feelings on the
New.net discussion forums located at
http://new.chat.new.net. We have heard a number of reports
of respondents having posts deleted or being banned from the
forum after making negative statements about the company or
its software.
(We don't know why anyone would buy a name many of their
customers can't resolve, nor why it would cost more than a
valid domain name usable by 100% of the Internet population,
but we suppose that's their right. And yes, this is a
statement of opinion.)
When Worlds Collide
Coordination of this naming system is now handled by the
Internet Corporation for Assigned Names and Numbers (ICANN),
an international non-profit corporation. One of the key
goals of ICANN's operatorship is to ensure that the DNS
maintans universal resolvability. This is a critical design
feature of the DNS which ensures that a DNS "question"
(domain resolution query) will have the same "answer" under
all circumstances, e.g. regardless of who is doing the
asking, or where they are located. For example, when you use
your friend's computer, typing in a particular Web address
will bring up the same site that it did on your computer,
even if your friend accesses the Internet from a different
ISP and uses a different operating system.
When additional, non-authoritative roots are thrown into the
mix, however, this produces situations in which names are
not universally resolvable. That is, at best, a site that
exists on a machine that uses the non-authoritative
namespace is not accessible on a machine that doesn't. At
worst, accessing the same name on different machines could
bring up completely different sites. Rather than the
question having a single and well-established answer, a
proliferation of non-authoritative roots will cause this
answer to depend on whichever non-authoritative registrar
has been able to fight its way to the top of that particular
computer's protocol chain.
The set consisting of all possible names under a particular
naming system is called a namespace. The possible names
under the DNS constitute one such namespace, as does the set
of possible names under alternate systems such as "New.net
names". The availability of the same name in multiple
namespaces makes possible a condition known as a namespace
collision, in which multiple parties simultaneously "own"
the same name. The result of this condition is that the name
would sometimes resolve to one site, and sometimes another,
depending on the specific computer system or Internet
Service Provider in use at the time. The situation would
also promote disputes over the ownership of the name, and
make it possible for one person's assigned name to direct
Internet users to an unrelated site of unknown repute, or
even a competitor. We feel that the New.net Web site fails
to adequately inform potential customers of the very real
possibility of namespace collisions, and the potential
consequences of such collisions at such time that any
top-level domain extension already allocated within the
New.net proprietary namespace becomes part of the official
DNS structure. CounterExploitation is informed and believes
that New.net, Inc. has allocated names with top-level domain
extensions, including, but not limited to, .law, .travel,
..xxx and .kids, which "already overlap with applications to
ICANN for new TLD introductions". (Source: Keeping the
Internet a Reliable Global Public Resource: Response to
New.net "Policy Paper", 2001).
On March 19, 2004, ICANN announced the applications for ten
new top-level domains. One of them, .xxx, is already being
assigned under the New.net namespace.
Known Compatability Issues
New.net affirms that the latest version of their software,
together with the latest versions of the software listed
below, have no problems, and has demanded removal of this
entire section. However, the following well-documented
compatibility issues are known to have existed between the
New.Net software and the third-party products listed below.
Some dead links have been removed.
We feel that factual historical information about companies
and products is an important tool to help consumers make
informed decisions and resolve problems. We also feel that
it is unreasonable to assume that all users are running the
most up-to-date version of each software program on their
computers. For these reasons, we have no intention of
censoring factual historical information from the
CounterExploitation web site.
a.. WebFerret: Presence of an older version of the New.Net
plugin caused the WebFerret software to crash with the error
message, "illegal operation error (unknown module)". The
author's recommended solution was to remove New.Net.
b.. Microsoft Internet Security and Acceleration (ISA):
From the Microsoft Knowledge Base: "After you install a
third-party program (such as the NewDot and Babylon clients)
on a computer that is running the Internet Security and
Acceleration (ISA) Server Firewall client software, you may
experience problems with network connectivity, slow loading
of the operating system and error messages on blue screens
or STOP error messages. The same problem may also occur if
the ISA Server Firewall client is installed after the third
party client or provider." Microsoft has confirmed this to
be a bug in ISA. The recommended solution is to either
install this patch from Microsoft, or remove New.Net. For
more information, please read the following Microsoft
Knowledge Base articles:
Firewall Client Conflict with Third-Party Layered Service
Providers Causes Connectivity Problems
Proxy Client Conflict with Third-Party Providers Causes
Problems
a.. Rational Software's ClearCase (since acquired by IBM):
ClearCase is a extremely high level Version Control System
(VCS) used in major shops. The program is very network
dependent. Compatibility issues have been reported both by
users and the ClearCase documentation. In one case, a user
has reported continuing to experience problems even after
New.Net was removed, eventually solved by an OS reinstall.
b.. Norton AntiVirus: In older versions of NAV, e-mail
protection may be unable to load when the New.net client is
present.
c.. CallWave Answering Machine: It is reported that
Callwave will make continual dial-out attempts because it
cannot make contact on startup.
d.. Microsoft Dungeon Seige: From the Microsoft Knowledge
Base: "When you try to connect to a multiplayer game of
Dungeon Siege 1.0 by using the ZoneMatch server, you may
receive an error message similar to the following:
"Microsoft Dungeon Siege has encountered a problem and
needs to close. We are sorry for the inconvenience." This
problem may occur if the third-party product New.net is
installed on your computer." The solution recommended by the
Microsoft Knowledge Base is to remove New.net.
Dungeon Siege: "Has Encountered a Problem and Needs to
Close" Error Message When You Try to Connect by Using the
ZoneMatch Server
a.. ZoneLabs Zone Alarm: There have been reports in the
past that the plug-in is capable of accessing the Internet
undetected by the old versions of the personal firewall
software, Zone Alarm. Other reports indicate ZA successfully
detecting and blocking its connection attempts. A user has
confirmed that Zone Alarm (free) 2.6 detects the app
successfully. This behaviour is most likely because the DLL
is a function library and not a stand-alone program--it must
be linked by Windows' "RunDLL32.exe" wrapper. If a ZA rule
has already been established for RunDLL32.exe running
another DLL, newdot~*.dll would obtain the same permissions
already granted to RunDLL32.exe. This behaviour appears to
have been fixed as of version 2.6 of Zone Alarm. To clarify
(and to keep lawyers off my back), there is no evidence to
suggest that any bypasses are intentional or malicious. Zone
Alarm has not recommended a solution, but we recommend
updating Zone Alarm to version 2.6 or later.
More Information:
NewDotNet is loaded on startup using Rundll32.exe, a Windows
component that allows DLLs (dynamically-linked function
libraries) to be run as stand-alone applications. Registry
Run key: rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartUp
The NewDotNet DLL does not seem to be affected by disabling
it in MSCONFIG, according to the reports I have received. To
verify, disable it using MSCONFIG, load a Web browser and
try to connect to Internet sites (everything should work as
before). Now rename the DLL (restarting Windows if
necessary), and try it again. If the DLL has been renamed or
removed in any way other than using the New.Net uninstaller,
you will no longer be able to access any web sites or email
until it is either restored, or its Layered Service Provider
entries are removed from the Windows registry (see next
paragraph).
The New.Net plugin is installed as a Layered Service
Provider (LSP) under Windows, which makes all requests pass
through it. If such a program is removed, but its LSP
entries remain, these requests have nowhere to go! Highly
technical information on LSPs is available here. My LSP-Fix
utility (repairs corrupted LSP stacks) is here.
Earthlink, @Home, Juno and NetZero are listed as ISPs that
have an arrangement with New.net to resolve New.net keywords
on the ISP's side. In addition, the following are known to
have partnered with new.net and bundled the foistware with
their products at some point:
Go!Zilla
BearShare
Mp3.com
iMesh
Babylon
Webshots
gDivx
BikiniDesk
RadLight / Subtitle Studio
RealNetworks (RealOne Player)
UK Software
Cydoor (LingoWare)
Grokster
KaZaA
Mindset Interactive (NetPalNow)
Some software bundling 3rd-party foistware will allow you to
"opt out" of installation, but others will refuse to install
the program you actually downloaded unless you consent to
installation of the New.net software (and possibly other
3rd-party products).
Ed. Note: I would much rather prefer it if New.Net would
stick to adding DNS server entries (DNS server search order)
to resolve their domains instead of using a buggy plugin.
This would eliminate numerous problems for users and
helpdesks alike. New.Net does explain reasons for doing it
this way, in case anyone is wondering:
a.. Installing as a Layered Service Provider (LSP) allows
the software to work with AOL's proprietary software as well
as machines behind an external proxy. According to New.Net,
the LSP status is also to allow email resolution of New.Net
domains.
a.. Ed. note: This email part sounded strange to me at
first, and I suspect I am not alone, so let me clarify this
as I understand it: With a regular WWW domain, every
application could use the OS-supplied DNS stack to resolve
the domain, with no need of a plug-in. But unless you are
running your own mailserver, your mail is sent to your ISP's
server, which may or may not support New.Net 'bogus'
domains. If the sending ISP cannot resolve new.net domains,
the mails can not be delivered. The plugin solves this by
intercepting the mails and adding ".new.net" to the end of
the email address before it leaves the user's machine. The
plugin on the other end, if present, can then remove the
".new.net" from the address. E.g. (e-mail address removed) would
become (e-mail address removed). (This also means the
plugin is entirely unnecessary, if you are willing to add
".new.net" to the address yourself
More details on
new.net email behaviour are available in the New.Net FAQ.
b.. It functions as a "marketing tool", according to
New.Net: when the plug-in is installed, it can resolve
addresses immediately without asking for a reboot. Adding a
new DNS server on most systems requires a reboot before they
are used.
You can remove the New.Net plugin entirely and still be able
to access New.Net keywords, simply by adding ".new.net" to
the end.
E.g.: A Web page
http://www.example.shop becomes
http://www.example.shop.new.net and (e-mail address removed)
becomes (e-mail address removed).
IMPORTANT: If you are experiencing problems with New.net
foistware or its removal, please contact new.net for
assistance, either by emailing their tech support or
contacting by phone at (626) 229-7800 (beware--NOT a
toll-free call). I'm not a technical support provider for
New.Net or other purveyors of unnecessary software, and what
is on this Web site is really about all the information I
have. If you email me asking for help removing new.net, you
will get back a message directing you to contact New.net
support.
Links:
Automatic Winsock repair utility
Experimental Winsock-restore procedure
More detailed Winsock restore procedure - A reader shares an
in-depth Winsock restoration procedure for Windows 98 and
ME.
New.Net and SaveNow removal instructions available from
Microsoft's Knowledge Base.
New.net Homepage
All trademarks are hereby acknowledged as the property of
their respective owners. For more fun, read our legal
information.
message | after my son downloaded music we were left wth an array
| of unwanted programmes, most of whch I got rid of recenly
| by using spyware eg GAIN, gtor. However, I got a message
| at one stage that one of these unwanted programmes had
| changed some windows information and the computer could
| no run without it. This is ture, Ican no longer log onto
| the interne and get an error message which says
| C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL. Does anyone know hat I
| can do ? Heather
