CommonName





Overview

Summary:

An IE toolbar allowing you to enter keywords or a company name to go to CommonName customers' web sites. Newer versions have added search and Gator-like form-filling functions. Originally a normal service, the software has become bundled adware. CommonName includes a re-installer (winnet.exe) that may defeat your removal efforts.

Vendor Notes:

"The CommonName Toolbar supercharges your IE browser. Direct navigation - from your browsers address bar type a common name or keyword to navigate to a website instead of a complex URL. Power search - from your browser address bar, search up to 17 of your favourite search engines with a single click. No longer need to remember and type the URLs of the search engine websites. Form filler - fills out online forms with your business or personal details in a matter of clicks. Your details are stored locally and securely in encrypted files. Login manager – remembers login names and passwords for your regularly visited websites. No more remembering and re-typing your passwords. Online bookmark manager - store and manage your favourite bookmarks online and access them at anytime anywhere in the world.

"CommonName is the largest global direct navigation provider in the world. We are also one of the oldest and most experienced keyword providers, with more than 22 million installed users." - www.commonname.com

From the vendor: CommonName provides a keyword navigation and powersearch search engine service. Further products, such as Login Manager and Form Filler are also provided with the Toolbar version of the software. We will leave it up to users to judge the usefulness of our product, but we want to emphasize that we do not collect personal user information nor track personal web usage. We have a strict privacy policy. If you are unhappy after trying our service, remove it from your computer through Settings/Control Panel/Add Remove Programs. If you need help, feel free to contact us at support@commonname.com.

Alias:

Adware/Sqwire [Panda], Downloader-BT [McAfee], Spyware/CommonName [Panda]

Category:

Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Adware: Software that displays popup/popunder ads when the primary user interface is not visible, or ads which do not appear to be associated with the product.

Browser Helper Object: (BHO). A component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because the firewall sees them as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Variants:

  • CommonName.Toolbar: installs an IE toolbar with a keyword lookup box.
  • CommonName.Agent: takes over searches entered into the standard IE address bar (by means of an IE Browser Helper Object), and pops up ads occasionally.
  • CommonName.Mib: version 3.6.0.0 onwards also includes a WinSock2 Layered Service Provider, CNMib.dll.
  • CommonName.Zenet: version 3.6.2.0 onwards also has its BHO re-register itself periodically, to make it hard to remove manually.
  • CommonName.Winnet: version 4.0.0.0 onwards also has a separate updating process, which re-registers itself constantly, to make it even harder to remove manually.
  • CommonName.Comwiz: later 4.x versions use two restarting processes instead of one. If one process is killed the other one starts it back up again. However the LSP seems no longer to be in use.
  • CommonName.Agent
  • CommonName.Cnbabe
  • CommonName.Comwiz
  • CommonName.Mib
  • CommonName.Toolbar
  • CommonName.Winnet
  • CommonName.Zenet
    Similar Pests:

    Search Hijacker · Adware · Browser Helper Object · Toolbar

    Origins

    Group:

    CommonName Limited

    Vendor:

    CommonName Limited

    By This Group:

    CommonName.Agent ·

    Mailing Address:

    D M Priest & Company Limited, 12 Cheadle Wood, Cheadle Hulme, Stockport, Cheshire, Great Britain

    Phone:

    866-437-5286; 44 161 486 1110 fax: 44 161 486 9936

    URL:

    http://www.commonname.com/English/home.asp

    Date of Origin:

    Variants from December, 2001 to April, 2005

    Distribution

    Distribution:

    Included in many file-sharing programs, such as Grokster and iMesh, and older versions of KaZaA. Also available as a download from Download.com. "The main way that we distribute our software is by partnering our product with some of the world’s most popular pieces of software. For example, one of our major partners is iMesh, an extremely popular piece of consumer software. Whenever someone installs iMesh, they also install CommonName – but don’t take our word for it, try it! Go to www.imesh.com and download their software. ... As of the start of October 2002, over 22 million people have installed the CommonName software." [source]

    Prevalence:

  • CommonName: 0.1%
  • CommonName.Agent: < 0.00005%
  • CommonName.Mib: < 0.00005%
  • CommonName.Toolbar: 0.0%
  • CommonName.Winnet: < 0.00005%
  • CommonName.Zenet: < 0.00005%

    Clot Factor:

  • CommonName: 4
  • The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

    Growth:

  • CommonName: Insufficient data to report growth
  • CommonName.Toolbar: Insufficient data to report growth
  • CommonName.Winnet: Insufficient data to report growth
    Operation

    Advertising:

    Yes. All variants except CommonName.Toolbar open pop-under advertising once a day, and change search settings to point to commonname.com.

    Storage Required:

  • CommonName: at least 18217 KB
  • CommonName.Winnet: at least 217 KB
    Browser Performance:

    Likely to slow performance of Internet Explorer.

    Risks

    Privacy Issues:

    Cookies are used to identify you when requests are made to CommonName. This may occur when the advertising is opened and a keyword is entered into the address bar.

    When you visit a URL whose top-level domain CommonName.Agent or CommonName.Mib does not know about (e.g. alternative TLDs or intranet hostnames), a request is also made. This could allow users to be tracked across web site visits. CommonName.Agent also does not know about .edu, .mil, .int, .su and .gb.

    Privacy Policy:

    http://www.commonname.com/en/pcn/help/cn_privacypolicy.asp

    Security Issues:

    Yes. CommonName.Winnet and CommonName.Comwiz can download and execute arbitrary code from their controlling server, as an update feature.

    Stability Issues:

    CommonName can cause Explorer to crash occasionally with a 'runtime error' in CNBabe, or an 'illegal operation' in CNMib.

    CommonName.Agent also had a bug in its unknown-top-level-domain code which meant that any URL longer than 72 characters became corrupted.

    CommonName.Agent and CommonName.Mib can cause 404 pages to be suppressed.

    CommonName.Winnet can bombard you with autodial requests if you are not connected to the Internet when it wants to check for updates.

    Recommendations

    Prevention:

    PPMemCheck will detect winnet.exe when it loads, and can stop it, remove it from the drive, and remove it from its startup location. Once you have done this, you can now scan and delete all CommonName objects found. CNBabe.dll will be running, and will be deleted upon reboot. If you elect to do this, upon reboot, your network and Internet connection will be normal. If you have not run PPMemCheck to disable CommonName when you scan with PestPatrol, you may still simply delete all instances of CommonName that have been found, and CommonName will be removed perfectly.

    PPMemCheck finds CommonName in Memory

    Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.



    Manual Removal:

    There is an uninstaller at http://www.commonname.com/en/oneclick/uninstall.asp?submit=self that you might try.

    Caution: imperfect removal can result in loss of Internet connection for variants using cnmib.dll. Each successive variant of CommonName gets harder to remove manually. Do not try to uninstall CommonName/Mib, CommonName/Zenet, or CommonName/Winnet by just deleting the files. They include a Winsock2 layered service provider module (LSP); if you manage to delete this you will lose network connectivity.

    Removal with Unins.exe: Version 4.2.0.0 (right-click winnet.exe to see what version you have) comes with CommonName\Toolbar\unins.exe. Running it will take you to a web page where, after completing a form, you may retrieve an uninstaller named uninstbb.exe. You may get this uninstaller here, save it as uninstbb.exe, and run it to remove CommonName without losing your network/Internet connections. You will then have 35 or more files and registry entries that must be removed by some other means.


    CommonName/Winnet

    Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

    You must first kill the 'winnet.exe' process (otherwise, it will keep setting itself up to run automatically). Press Ctrl-Alt-Delete and open the Task Manager. If you are using Windows NT/2000/XP, choose the 'Processes' tab to list all programs. Choose 'winnet.exe' and end the process.

     

    Continue with the instructions for CommonName/Zenet.


    CommonName/Zenet

    Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

    Open the registry (Start->Run->regedit). Open the key 'HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}', right click the 'InProcServer32' subkey and choose 'Delete'. (This neuters the CommonName BHO but doesn't completely remove it, so it won't notice the change and re-register itself.)

    Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled 'Zenet' (or 'Winnet', for that variant). Delete it and reboot the machine immediately.

    Continue with the instructions for CommonName/Mib.


    CommonName/Mib

    Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

    The CNMib.dll module must now be removed from the Winsock2 LSP chain. CounterExploitation's tool LSPFix can do this for you. Download it, run it and tell it to 'Remove' CNMib.dll, and 'Keep' everything else.

    You can also do it by hand if you are brave. Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. There will be a list of numeric subkeys; open each one and double-click its 'PackedCatalogItem' value. You should be able to see a filename at the top of the right-hand column in the 'Edit Binary Value' window. If it is 'C:\Program Files\CommonName\Toolbar\cnmib.dll' or similar, delete the entire '00000somenumber' key. The path must point exactly at the cnmib.dll file! Do not delete the key just because you see a cnmib hanging on the end - for example '%SystemRoot%\system32\mswsock.dll.r\cnmib.dll' actually points to mswsock, not cnmib.

    Then rename the numeric subkeys so that they count up each number from 000000000001, filling in any gaps you left by deleting old ones. Finally, go back up to 'Protocol_Catalog9' and change the 'Num_Catalog_Entries' value to reflect the new number of subkeys you have. Set the base to decimal in the 'Edit DWORD value' window and enter the highest number subkey that is left after renaming.
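    The exact-path check and renumbering described above, as an added Python example (not PestPatrol's or LSPFix's code) that only plans the change over constructed data and never touches a registry. It assumes the provider path is the NUL-terminated string at the start of 'PackedCatalogItem'; the function names and the sample catalog are hypothetical.

```python
# Added example: plans an LSP catalog cleanup over constructed data only.
TARGET_DLL = "cnmib.dll"

def provider_path(packed: bytes) -> str:
    """Assumption: the DLL path is the NUL-terminated string at offset 0."""
    return packed.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def regedit_ascii_column(packed: bytes) -> str:
    """Text column of 'Edit Binary Value': non-printable bytes shown as '.'."""
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in packed)
    return text.rstrip(".")

def points_exactly_at(packed: bytes, dll: str = TARGET_DLL) -> bool:
    """True only when the file name of the real path is the target DLL."""
    return provider_path(packed).rsplit("\\", 1)[-1].lower() == dll

def plan_removal(catalog: dict) -> dict:
    """Decide which subkeys to delete, how to rename the rest, and the new count."""
    keep, delete = [], []
    for name in sorted(catalog):
        (delete if points_exactly_at(catalog[name]) else keep).append(name)
    # Renames are listed in ascending order, so each new name is already free.
    rename = {}
    for i, old in enumerate(keep, start=1):
        new = f"{i:012d}"
        if new != old:
            rename[old] = new
    return {"delete": delete, "rename": rename, "num_catalog_entries": len(keep)}

def _blob(path: str, stale: bytes = b"") -> bytes:
    """Constructed value: path, NUL, optional stale bytes, padded with NULs.
    A real value carries protocol data after the path buffer; omitted here."""
    return (path.encode("ascii") + b"\x00" + stale).ljust(260, b"\x00")

# Constructed sample catalog (subkey name -> PackedCatalogItem bytes).
SAMPLE_CATALOG = {
    "000000000001": _blob("%SystemRoot%\\system32\\mswsock.dll"),
    "000000000002": _blob("C:\\Program Files\\CommonName\\Toolbar\\cnmib.dll"),
    # Stale tail after the terminator: looks like cnmib in regedit, is mswsock.
    "000000000003": _blob("%SystemRoot%\\system32\\mswsock.dll", b"r\\cnmib.dll"),
    "000000000004": _blob("C:\\Program Files\\CommonName\\Toolbar\\CNMib.dll"),
    "000000000005": _blob("%SystemRoot%\\system32\\rsvpsp.dll"),
}

if __name__ == "__main__":
    for name, packed in sorted(SAMPLE_CATALOG.items()):
        print(name, repr(regedit_ascii_column(packed)),
              "-> delete" if points_exactly_at(packed) else "-> keep")
    print(plan_removal(SAMPLE_CATALOG))
```

    A plain search for "cnmib" in the text column would also flag entry 000000000003, which is the mistake the caution above describes.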

    If your manual removal went wrong in any way you will have lost your networking ability. Sorry! LSPFix may still be able to rescue you in this situation, but otherwise you are looking at a reinstall of Windows or at least its networking components.

    Once the LSP is gone, continue with the instructions for CommonName/Agent.


    CommonName/Agent

    Open the registry (Start->Run->regedit) and delete the following keys and values:

    HKEY_LOCAL_MACHINE\Software\CommonName
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add A Page Note
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark This Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email This Link
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search using CommonName
    HKEY_CLASSES_ROOT\BabeIE.AgentIE
    HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
    HKEY_CLASSES_ROOT\BabeIE.Handler
    HKEY_CLASSES_ROOT\BabeIE.Handler.1
    HKEY_CLASSES_ROOT\BabeIE.Helper
    HKEY_CLASSES_ROOT\BabeIE.Helper.1
    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
    HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
    HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
    HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
    HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
    HKEY_CLASSES_ROOT\Protocols\Handler\cn
    Reboot and you should be able to delete the entire CommonName folder in Program Files. Finally, you can use Internet Options->Programs->Reset Web Settings to restore the normal search options.

    If you are removing CommonName/Winnet, CommonName/Zenet, CommonName/Mib, or CommonName/Agent, proceed to Cleaning Up.


    CommonName/Toolbar

    First, deregister CNBabe. To do this, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"
    (Change the filename above if your Program Files folder is somewhere other than 'C:\Program Files' - for example if you are using a different drive, or a non-English version of Windows.)

    Reboot and you should be able to delete the CommonName folder in Program Files.


    Cleaning Up. Finally you can clean up by deleting the following registry keys if found:



    Remove AutoRun Reference:

    Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ib7mrhhqi, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\cndesk, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\inetmgr, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\tsa, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winnet, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\zenet, delete it and reboot the machine immediately.




    Restore Settings:

    After following the instructions above, you will still need to restore your original settings and prevent this from happening again. Here's how.

    Research

    Research By:

  • Andrew Clover
  • PestPatrol's Pest Research Center
    Last Revised:

    April 15, 2005