CommonName

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Recommendations ·
· Detection and Removal ·
· Research ·

Overview

Summary:

Vendor Notes:

"The CommonName Toolbar supercharges your IE browser. Direct navigation - from your browsers address bar type a common name or keyword to navigate to a website instead of a complex URL. Power search - from your browser address bar, search up to 17 of your favourite search engines with a single click. No longer need to remember and type the URLs of the search engine websites. Form filler - fills out online forms with your business or personal details in a matter of clicks. Your details are stored locally and securely in encrypted files. Login manager – remembers login names and passwords for your regularly visited websites. No more remembering and re-typing your passwords. Online bookmark manager - store and manage your favourite bookmarks online and access them at anytime anywhere in the world.

"CommonName is the largest global direct navigation provider in the world. We are also one of the oldest and most experienced keyword providers, with more than 22 million installed users." - www.commonname.com

From the vendor: CommonName provides a keyword navigation and powersearch search engine service. Further products, such as Login Manager and Form Filler are also provided with the Toolbar version of the software. We will leave it up to users to judge the usefulness of our product, but we want to emphasize that we do not collect personal user information nor track personal web usage. We have a strict privacy policy. If you are unhappy after trying our service, remove it from your computer through Settings/Control Panel/Add Remove Programs. If you need help, feel free to contact us at support@commonname.com.

Alias:

Category:

Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Adware: Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be assocaited with the product.

Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is nomally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Variants:

Similar Pests:

Origins

Group:

Vendor:

By This Group:

Mailing Address:

Phone:

URL:

Date of Origin:

Distribution

Distribution:

Included in many file-sharing programs, such as Grokster and iMesh, and older versions of KaZaA. Also available as a download from Download.com. "The main way that we distribute our software is by partnering our product with some of the world’s most popular pieces of software. For example, one of our major partners is iMesh, an extremely popular piece of consumer software. Whenever someone installs iMesh, they also install CommonName – but don’t take our word for it, try it! Go to www.imesh.com and download their software. ... As of the start of October 2002, over 22 million people have installed the CommonName software." [source]

Prevalence:

Clot Factor:

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Growth:

Operation

Advertising:

Storage Required:

Browser Performance:

Risks

Privacy Issues:

Cookies are used to identify you when requests are made to CommonName. This may occur when the advertising is opened and a keyword is entered into the address bar.

When you visit a URL whose top-level-domain that CommonName.Agent or CommonName.Mib does not know about (eg. alternative TLDs or intranet hostnames) a request is also made. This could allow users to be tracked across web site visits. CommonName.Agent also does not know about .edu, .mil, .int, .su and .gb.

Privacy Policy:

Security Issues:

Stability Issues:

CommonName can cause Explorer to crash occasionally with a 'runtime error' in CNBabe, or an 'illegal operation' in CNMib.

CommonName.Agent also had a bug in its unknown-top-level-domain code which meant that any URL longer than 72 characters became corrupted.

CommonName.Agent and CommonName.Mib can cause 404 pages to be suppressed.

CommonName.Winnet can bombard you with autodial requests if you are not connected to the Internet when it wants to check for updates.

Recommendations

Prevention:

PPMemCheck will detect winnet.exe when it loads, and can stop it, remove it from the drive, and remove it from its startup location. Once you have done this, you can now scan and delete all CommonName objects found. CNBabe.dll will be running, and will be deleted upon reboot. If you elect to do this, upon reboot, your network and Internet connection will be normal. If you have not run PPMemCheck to disable CommonName when you scan with PestPatrol, you may still simply delete all instances of CommonName that have been found, and CommonName will be removed perfectly.

PPMemCheck finds CommonName in Memory

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Removal with Unins.exe Version 4.2.0.0 (right click on winnet.exe to see what version you have) comes with CommonName\Toolbar\unins.exe Running it will take you to a web page where, after completing a form, you may retrieve an uninstaller named uninstbb.exe You may get this uninstaller here, save as uninstbb.exe, and run it to remove CommonName without losing your network/Internet connections. You will then have 35 or more files and registry entries that must be removed by some other means.

CommonName/Winnet

Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

You must first kill the 'winnet.exe' process (otherwise, it will keep setting itself up to run automatically). Press Ctrl-Alt-Delete and open the Task Manager. If you are using Windows NT/2000/XP, choose the 'Processes' tab to list all programs. Choose 'winnet.exe' and end the process.

Continue with the instructions for CommonName/Zenet.

CommonName/Zenet

Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

Open the registry (Start->Run->regedit). Open the key 'HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}', right click the 'InProcServer32' subkey and choose 'Delete'. (This neuters the CommonName BHO but doesn't completely remove it, so it won't notice the change and re-register itself.)

Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled 'Zenet' (or 'Winnet', for that variant). Delete it and reboot the machine immediately.

Continue with the instructions for CommonName/Mib.

CommonName/Mib

Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

The CNMib.dll module must now be removed from the Winsock2 LSP chain. CounterExploitation's tool LSPFix can do this for you. Download it, run it and tell it to 'Remove' CNMib.dll, and 'Keep' everything else.

You can also do it by hand if you are brave. Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\ Parameters\Protocol_Catalog9\Catalog_Entries. There will be a list of numeric subkeys; open each one and double-click its 'PackedCatalogItem' value. You should be able to see a filename at the top of the right-hand column in the 'Edit Binary Value' window. If it is 'C:\Program Files\CommonName\Toolbar\cnmib.dll' or similar, delete the entire '00000somenumber' key. The path must point exactly at the cnmib.dll file! Do not delete the key just because you see a cnmib hanging on the end - for example '%SystemRoot%\system32\mswsock.dll.r\cnmib.dll' actually points to mswsock, not cnmib.

Then rename the numeric subkeys so that they count up each number from 000000000001, filling in any gaps you left by deleting old ones. Finally, go back up to 'Protocol_Catalog9' and change the 'Num_Catalog_Entries' value to reflect the new number of subkeys you have. Set the base to decimal in the 'Edit DWORD value' window and enter the highest number subkey that is left after renaming.

If your manual removal went wrong in any way you will have lost your networking ability. Sorry! LSPFix may still be able to rescue you in this situation, but otherwise you are looking at a reinstall of Windows or at least its networking components.

Once the LSP is gone, continue with the instructions for CommonName/Agent.

CommonName/Agent

Open the registry (Start->Run->regedit) and delete the following keys and values:

HKEY_LOCAL_MACHINE\Software\CommonName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add A Page Note
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark This Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email This Link
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search using CommonName
HKEY_CLASSES_ROOT\BabeIE.AgentIE
HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
HKEY_CLASSES_ROOT\BabeIE.Handler
HKEY_CLASSES_ROOT\BabeIE.Handler.1
HKEY_CLASSES_ROOT\BabeIE.Helper
HKEY_CLASSES_ROOT\BabeIE.Helper.1
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
HKEY_CLASSES_ROOT\Protocols\Handler\cn
Reboot and you should be able to delete the entire CommonName folder in Program Files. Finally, you can use Internet Options->Programs->Reset Web Settings to restore the normal search options.

If you are removing CommonName/Winnet, CommonName/Zenet, CommonName/Mib, or CommonName/Agent, proceed to Cleaning Up.

CommonName/Toolbar

First, deregister CNBabe. To do this, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"
(Change the filename above if your Program Files folder is somewhere other than 'C:\Program Files' - for example if you are using a different drive, or a non-English version of Windows.)

Reboot and you should be able to delete the CommonName folder in Program Files.

Cleaning Up. Finally you can clean up by deleting the following registry keys if found:

HKEY_CLASSES_ROOT\appid\cnform.exe
HKEY_CLASSES_ROOT\appid\winnet.exe
HKEY_CLASSES_ROOT\appid\{118a2bfa-5ac7-4d29-beb9-d68f4d2cccab}
HKEY_CLASSES_ROOT\appid\{ae6ddeb6-5683-4f5d-ad53-0f93b02a3f93}
HKEY_CLASSES_ROOT\babeie.agentie
HKEY_CLASSES_ROOT\babeie.agentie.1
HKEY_CLASSES_ROOT\babeie.handler
HKEY_CLASSES_ROOT\babeie.helper
HKEY_CLASSES_ROOT\babeie.helper.1
HKEY_CLASSES_ROOT\babie.handler.1
HKEY_CLASSES_ROOT\babie.helper.1
HKEY_CLASSES_ROOT\clsid\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\clsid\{0e5c2cc6-72da-4342-94b3-76b47a1c6d14}
HKEY_CLASSES_ROOT\clsid\{139d88e5-c372-469d-b4c5-1fe00852ab9b}
HKEY_CLASSES_ROOT\clsid\{1e1b2879-88ff-11d2-8d96-d7acac95951f}
HKEY_CLASSES_ROOT\clsid\{2eb3eff2-f707-4ea8-81aa-4b65d2799f31}
HKEY_CLASSES_ROOT\clsid\{4f9ca775-2c5f-4e2a-b157-cb440564f7f4}
HKEY_CLASSES_ROOT\clsid\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_CLASSES_ROOT\clsid\{882f36a6-5178-477b-a00a-2e1d3b7e8e80}
HKEY_CLASSES_ROOT\clsid\{9346a6bb-1ed0-4174-afb4-13cd4ec0aa40}
HKEY_CLASSES_ROOT\clsid\{a3e3f04c-f98c-4295-95ef-41c57425b077}
HKEY_CLASSES_ROOT\clsid\{a6475e6b-3c2e-4b1f-82fd-8f1c0b1d8ad0}
HKEY_CLASSES_ROOT\clsid\{ecb81a15-365c-4953-827f-6e848634c1f0}
HKEY_CLASSES_ROOT\cnbar.activater
HKEY_CLASSES_ROOT\cnbar.activater.1
HKEY_CLASSES_ROOT\cnbar.bandsink
HKEY_CLASSES_ROOT\cnbar.bandsink.1
HKEY_CLASSES_ROOT\cnbar.cnbarband
HKEY_CLASSES_ROOT\cnbar.cnbarband.1
HKEY_CLASSES_ROOT\cnbar.explorerbar
HKEY_CLASSES_ROOT\cnbar.explorerbar
HKEY_CLASSES_ROOT\cnbar.explorerbar.1
HKEY_CLASSES_ROOT\cnform.cnbarhelper
HKEY_CLASSES_ROOT\cnform.cnbarhelper.1
HKEY_CLASSES_ROOT\cnform.history
HKEY_CLASSES_ROOT\cnform.history.1
HKEY_CLASSES_ROOT\interface\{2d0f5208-3198-49a4-86a7-d65e9e582751}
HKEY_CLASSES_ROOT\interface\{4f476e6b-1eca-4a3b-845a-505d8892da1a}
HKEY_CLASSES_ROOT\interface\{53b1b977-193e-4a9f-b9fc-e1dcc24016a1}
HKEY_CLASSES_ROOT\interface\{64809b75-d8c3-4052-a7ad-6a3ecc39218e}
HKEY_CLASSES_ROOT\interface\{8adbbe3e-1841-4708-85df-727ccee6220b}
HKEY_CLASSES_ROOT\interface\{99908473-1135-4009-be4f-32b921f86ed9}
HKEY_CLASSES_ROOT\interface\{a7fe5e20-9866-4c49-b5ed-3991954a2acd}
HKEY_CLASSES_ROOT\interface\{fb68cc40-c725-491a-aac3-f37dde794edb}
HKEY_CLASSES_ROOT\protocols\handler\cn
HKEY_CLASSES_ROOT\software\microsoft\internet explorer\toolbar{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{1e1b2879-88ff-11d2-8d96-d7acac95951f}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{6656b666-992f-4d74-8588-8cac9e79d90c}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{a6475e6b-3c2e-4b1f-82fd-8f1c0b1d8ad0}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\uninstall\commonname toolbar 3.50_is1
HKEY_CLASSES_ROOT\typelib\{541a3704-4320-4e2d-9371-e4a4c9803191}
HKEY_CLASSES_ROOT\typelib\{ac04dc43-28e9-4746-9164-c200a04b8921}
HKEY_CLASSES_ROOT\typelib\{c4b81c49-5ea5-490b-af95-04994a4214d4}
HKEY_CLASSES_ROOT\typelib\{cc364a32-d59b-4e9c-9156-f0050c45005b}
HKEY_CLASSES_ROOT\typelib\{d879d743-e2cc-4161-8034-2234203681c9}
HKEY_CLASSES_ROOT\typelib\{dd0032df-ceef-4e0a-8b75-e4d8861e11e5}
HKEY_CLASSES_ROOT\winnet.update
HKEY_CLASSES_ROOT\winnet.update.1
HKEY_CURRENT_USER\software\
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextadd a page note
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextbookmark this page
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextemail this link
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextsearch using commonname
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\add a page note
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\bookmark this page
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\email this link
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\search using
HKEY_LOCAL_MACHINE\babeie.helper
HKEY_LOCAL_MACHINE\babeie.helper.1
HKEY_LOCAL_MACHINE\software\classes\babeie.handler.1
HKEY_LOCAL_MACHINE\software\
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\advancedoptions\
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar{a3e3f04c-f98c-4295-95ef-41c57425b077}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-0000-0000-0000-000000000000}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{139d88e5-c372-469d-b4c5-1fe00852ab9b}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{a6475e6b-3c2e-4b1f-82fd-8f1c0b1d8ad0}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runcommonname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runwinnet
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\commonname toolbar 3.50_is1
HKEY_LOCAL_MACHINE\winnet.update

Research

File Analyses:

• CommonName: babe.dat ·  babe.dll ·  babeie.dll ·  cnbabe.dll ·  cnbabeie.rtf ·  cnbar.exe ·  cnbarie.dll ·  cnbarie.dll.txt ·  cnbarieasm.txt ·  cndesk.exe ·  cnform.exe ·  cnmib.dll ·  cnoutlook.dll ·  cnoutlook.exe ·  commonname desktop 3.0.lnk ·  commonname eula.txt ·  commonname privacy policy.txt ·  commonname toolbar 3.30.lnk ·  commonname toolbar user guide - overview.txt ·  commonname toolbar user guide.txt ·  commonname user guide email agent.txt ·  commonname website terms and conditions.txt ·  commonname.mdb ·  commonname.txt ·  commonname.wif ·  comwiz.exe ·  createbookmark.htm ·  createnote.htm ·  dfs.dat ·  emaillink.htm ·  exit.dat ·  inetkw.dll ·  inetkw.exe ·  inetmgr.exe ·  inetsvc.exe ·  mib.dat ·  navigate.htm ·  newsbar.htm ·  resdll.dll ·  roiic.dll ·  roiil.exe ·  roiim.exe ·  roiip.exe ·  system.dat ·  ts.exe ·  tsm.exe ·  unins.exe ·  unins000.dat ·  uninstall commonname desktop 3.0.lnk ·  uninstall commonname toolbar 3.30.lnk ·  url2.dat ·  vocabulary ·  winnet.exe ·  winnet.to_be_deleted
• CommonName.Winnet: cnbabe.dll ·  winnet.exe

More Info:

Research By:

Last Revised: