Fighting Spyware, Malware and Adware one File at a Time.

CommonName

Overview

Summary

 An IE toolbar allowing you to enter keywords or a company name to go to CommonName customers' web sites. Newer versions have added search and Gator-like form-filling functions. Originally a normal service, the software has become bundled adware. CommonName includes a re-installer (winnet.exe) that may defeat your removal efforts.

Vendor Description

 

"The CommonName Toolbar supercharges your IE browser. Direct navigation - from your browsers address bar type a common name or keyword to navigate to a website instead of a complex URL. Power search - from your browser address bar, search up to 17 of your favourite search engines with a single click. No longer need to remember and type the URLs of the search engine websites. Form filler - fills out online forms with your business or personal details in a matter of clicks. Your details are stored locally and securely in encrypted files. Login manager – remembers login names and passwords for your regularly visited websites. No more remembering and re-typing your passwords. Online bookmark manager - store and manage your favourite bookmarks online and access them at anytime anywhere in the world.

"CommonName is the largest global direct navigation provider in the world. We are also one of the oldest and most experienced keyword providers, with more than 22 million installed users." - www.commonname.com

From the vendor: CommonName provides a keyword navigation and powersearch search engine service. Further products, such as Login Manager and Form Filler are also provided with the Toolbar version of the software. We will leave it up to users to judge the usefulness of our product, but we want to emphasize that we do not collect personal user information nor track personal web usage. We have a strict privacy policy. If you are unhappy after trying our service, remove it from your computer through Settings/Control Panel/Add Remove Programs. If you need help, feel free to contact us at support@commonname.com.

Alias

 Adware/Sqwire [Panda], Downloader-BT [McAfee], Spyware/CommonName [Panda]

Category

 Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Adware:  Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be associated with the product.

Browser Helper Object:  (BHO). A component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Toolbar:  A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Variants

  
  • CommonName.Toolbar: installs an IE toolbar with a keyword lookup box.
  • CommonName.Agent: takes over searches entered into the standard IE address bar (by means of an IE Browser Helper Object), and pops up ads occasionally.
  • CommonName.Mib: version 3.6.0.0 onwards also includes a WinSock2 Layered Service Provider, CNMib.dll.
  • CommonName.Zenet: version 3.6.2.0 onwards also has its BHO re-register itself periodically, to make it hard to remove manually.
  • CommonName.Winnet: version 4.0.0.0 onwards also has a separate updating process, which re-registers itself constantly, to make it even harder to remove manually.
  • CommonName.Comwiz: later 4.x versions use two restarting processes instead of one. If one process is killed the other one starts it back up again. However the LSP seems no longer to be in use.

    Reasons For Retention

     Changes browser settings other than homepage, without user permission.
     

    Origins

     

    Group

     CommonName Limited

    Vendor

     CommonName Limited

    Others By This Group

     CommonName.Agent, CommonName.Cnbabe, CommonName.com, CommonName.Comwiz, CommonName.Mib, CommonName.Toolbar, CommonName.Winnet, CommonName.Zenet

    Mailing Address

     D M Priest & Company Limited, 12 Cheadle Wood, Cheadle Hulme, Stockport, Cheshire, Great Britain

    Phone:

     866-437-5286; 44 161 486 1110 fax: 44 161 486 9936

    URL

     http://www.commonname.com/English/home.asp

    Date of Origin

     Variants from December, 2001 to July, 2005
     

    Detection and Removal

    Manual Removal

     There is an uninstaller at http://www.commonname.com/en/oneclick/uninstall.asp?submit=self that you might try.

    Caution: imperfect removal can result in loss of Internet connection for variants using cnmib.dll. Each successive variant of CommonName gets harder to remove manually. Do not try to uninstall CommonName/Mib, CommonName/Zenet, or CommonName/Winnet by just deleting the files. They include a Winsock2 layered service provider module (LSP); if you manage to delete this you will lose network connectivity.

    Removal with Unins.exe

    Version 4.2.0.0 (right click on winnet.exe to see what version you have) comes with CommonName\Toolbar\unins.exe. Running it will take you to a web page where, after completing a form, you may retrieve an uninstaller named uninstbb.exe. You may get this uninstaller here, save as uninstbb.exe, and run it to remove CommonName without losing your network/Internet connections. You will then have 35 or more files and registry entries that must be removed by some other means.


    CommonName/Winnet

    Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

    You must first kill the 'winnet.exe' process (otherwise, it will keep setting itself up to run automatically). Press Ctrl-Alt-Delete and open the Task Manager. If you are using Windows NT/2000/XP, choose the 'Processes' tab to list all programs. Choose 'winnet.exe' and end the process.

     

    Continue with the instructions for CommonName/Zenet.


    CommonName/Zenet

    Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

    Open the registry (Start->Run->regedit). Open the key 'HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}', right click the 'InProcServer32' subkey and choose 'Delete'. (This neuters the CommonName BHO but doesn't completely remove it, so it won't notice the change and re-register itself.)

    Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled 'Zenet' (or 'Winnet', for that variant). Delete it and reboot the machine immediately.

    Continue with the instructions for CommonName/Mib.


    CommonName/Mib

    Do not try to uninstall by just deleting the files. It includes a Winsock2 Layered Service Provider module (LSP). If you delete this, you will lose network connectivity.

    The CNMib.dll module must now be removed from the Winsock2 LSP chain. CounterExploitation's tool LSPFix can do this for you. Download it, run it and tell it to 'Remove' CNMib.dll, and 'Keep' everything else.

    You can also do it by hand if you are brave. Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. There will be a list of numeric subkeys; open each one and double-click its 'PackedCatalogItem' value. You should be able to see a filename at the top of the right-hand column in the 'Edit Binary Value' window. If it is 'C:\Program Files\CommonName\Toolbar\cnmib.dll' or similar, delete the entire '00000somenumber' key. The path must point exactly at the cnmib.dll file! Do not delete the key just because you see a cnmib hanging on the end - for example '%SystemRoot%\system32\mswsock.dll.r\cnmib.dll' actually points to mswsock, not cnmib.

    Then rename the numeric subkeys so that they count up each number from 000000000001, filling in any gaps you left by deleting old ones. Finally, go back up to 'Protocol_Catalog9' and change the 'Num_Catalog_Entries' value to reflect the new number of subkeys you have. Set the base to decimal in the 'Edit DWORD value' window and enter the highest number subkey that is left after renaming.
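
The by-hand check and renumbering described above, as an added example that is not part of the original page: it reads exported 'PackedCatalogItem' bytes, decides which subkeys really point at cnmib.dll, and works out the renames and the new 'Num_Catalog_Entries' without touching the registry. It assumes the value starts with a NUL-terminated path in a 260-byte buffer and that the '.' regedit shows in 'mswsock.dll.r\cnmib.dll' is that NUL; the function names and the sample catalog are constructed for illustration.

```python
import ntpath

MAX_PATH = 260  # assumed size of the path buffer at the start of the value


def provider_path(packed: bytes) -> str:
    """Return the DLL path: the bytes before the first NUL in the path buffer."""
    return packed[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")


def points_at(packed: bytes, dll_name: str = "cnmib.dll") -> bool:
    """True only when the stored path's file name is exactly dll_name."""
    return ntpath.basename(provider_path(packed)).lower() == dll_name.lower()


def removal_plan(entries: dict, dll_name: str = "cnmib.dll"):
    """Return (subkeys to delete, {old: new} renames in order, Num_Catalog_Entries)."""
    keep, drop = [], []
    for name in sorted(entries):
        (drop if points_at(entries[name], dll_name) else keep).append(name)
    renames = {}
    for i, old in enumerate(keep, start=1):
        new = f"{i:012d}"  # subkeys count up from 000000000001 with no gaps
        if old != new:
            renames[old] = new
    return drop, renames, len(keep)


def _item(path_bytes: bytes) -> bytes:
    """Build a constructed value: padded path buffer plus filler for the rest."""
    return path_bytes.ljust(MAX_PATH, b"\x00") + b"\x00" * 16


# Constructed sample catalog (not taken from a real machine).
SAMPLE = {
    "000000000001": _item(b"%SystemRoot%\\system32\\mswsock.dll"),
    "000000000002": _item(b"C:\\Program Files\\CommonName\\Toolbar\\cnmib.dll"),
    # Stale bytes after the NUL: regedit shows "mswsock.dll.r\cnmib.dll".
    "000000000003": _item(b"%SystemRoot%\\system32\\mswsock.dll\x00r\\cnmib.dll"),
    "000000000004": _item(b"C:\\Program Files\\CommonName\\Toolbar\\cnmib.dll"),
    "000000000005": _item(b"%SystemRoot%\\system32\\rsvpsp.dll"),
}

if __name__ == "__main__":
    drop, renames, count = removal_plan(SAMPLE)
    print("delete:", drop)
    print("rename:", renames)
    print("Num_Catalog_Entries:", count)
```

Apply the renames in the order returned (lowest number first) so that a renamed subkey never collides with one that has not been moved yet.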

    If your manual removal went wrong in any way you will have lost your networking ability. Sorry! LSPFix may still be able to rescue you in this situation, but otherwise you are looking at a reinstall of Windows or at least its networking components.

    Once the LSP is gone, continue with the instructions for CommonName/Agent.


    CommonName/Agent

    Open the registry (Start->Run->regedit) and delete the following keys and values:

    HKEY_LOCAL_MACHINE\Software\CommonName
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add A Page Note
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark This Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email This Link
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search using CommonName
    HKEY_CLASSES_ROOT\BabeIE.AgentIE
    HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
    HKEY_CLASSES_ROOT\BabeIE.Handler
    HKEY_CLASSES_ROOT\BabeIE.Handler.1
    HKEY_CLASSES_ROOT\BabeIE.Helper
    HKEY_CLASSES_ROOT\BabeIE.Helper.1
    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
    HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
    HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
    HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
    HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
    HKEY_CLASSES_ROOT\Protocols\Handler\cn

    Reboot and you should be able to delete the entire CommonName folder in Program Files. Finally, you can use Internet Options->Programs->Reset Web Settings to restore the normal search options.

    If you are removing CommonName/Winnet, CommonName/Zenet, CommonName/Mib, or CommonName/Agent, proceed to Cleaning Up.


    CommonName/Toolbar

    First, deregister CNBabe. To do this, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"
    (Change the filename above if your Program Files folder is somewhere other than 'C:\Program Files' - for example if you are using a different drive, or a non-English version of Windows.)

    Reboot and you should be able to delete the CommonName folder in Program Files.


    Cleaning Up. Finally you can clean up by delet


     Stop Running Processes:

    Kill these running processes with Task Manager:



    Remove Autorun Reference:

    Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


    If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ib7mrhhqi, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\cndesk, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\inetmgr, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\tsa, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winnet, delete it and reboot the machine immediately.

    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\zenet, delete it and reboot the machine immediately.



    Unregister DLLs:

    Unregister these DLLs with Regsvr32, then reboot:



    Clean Registry:

    Remove these registry items (if present) with RegEdit:



    Remove Files:

    Remove these files (if present) with Windows Explorer:



    Remove Directories:

    Remove these directories (if present) with Windows Explorer:



    Restore Settings:

    After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
     
     
    2006 © Copyright DatabaseofSpyware.com. All rights reserved.