allentech.net

Parasite: CommonName

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

CommonName is marketed as a ‘keywords’ service, allowing one to enter simple names instead of URLs.

Since its original release, the software has grown into a complicated (and sometimes buggy) search-hijacker and adware, aggressively bundled with many third-party apps.

Variants

CommonName/Toolbar: installs an IE toolbar with a keyword lookup box.

CommonName/Agent: takes over searches entered into the standard IE address bar (by means of an IE Browser Helper Object), and pops up ads occasionally.

CommonName/Mib: version 3.6.0.0 onwards also includes a WinSock2 Layered Service Provider, CNMib.dll.

CommonName/Zenet: version 3.6.2.0 onwards also has its BHO re-register itself periodically, to make it hard to remove manually.

CommonName/Winnet: version 4.0.0.0 onwards also has a separate updating process, which re-registers itself constantly, to make it even harder to remove manually.

CommonName/Comwiz: later 4.x versions use two restarting processes instead of one. In a trick learned from virus authors, if one process is killed the other one starts it back up again. However the LSP seems no longer to be in use.

Also known as

CNBabeIE after the file name used. CommonName/Toolbar is known internally as BabeIE, CommonName/Agent and Mib as BabeIE2.

Distribution

Included in many file-sharing programs, such as Grokster, iMesh, FreeWire, MThree MP3 tools and older versions of KaZaA.

What it does

Advertising

Yes. All variants except Toolbar connect to their controlling servers once a day, which may instruct them to open pop-under advertising. They also change search settings to point to commonname.com.

Privacy violation

Cookies are used to identify you when requests are made to CommonName. This may occur when the advertising is opened, or when a keyword is entered into the address bar.

When you visit a URL whose top-level domain the CommonName/Agent or Mib software does not know about (e.g. alternative TLDs or intranet hostnames; CommonName/Agent also does not know about .edu, .mil, .int, .su and .gb), a request is also made. This could allow users to be tracked across web site visits.

Security issues

Yes (Winnet, Comwiz variants): Can download and execute arbitrary code from its controlling server, as an update feature.

No (other variants).

Stability problems

Can cause Explorer to crash occasionally with a ‘runtime error’ in CNBabe, or an ‘illegal operation’ in CNMib.

CommonName/Agent also had a bug in its unknown-top-level-domain code which meant that any URL longer than 72 characters became corrupted.

The Agent and Mib variants can cause 404 pages not to be shown.

The Winnet variant can bombard you with autodial requests if you are not connected to the internet when it wants to check for updates.

Removal

For Agent, Toolbar and Mib variants, the CommonName entry in the Control Panel’s Add/Remove Programs option should work fine.

With the later variants (Zenet onwards), unfortunately, this just sends you to a page on CommonName’s web site with a form to submit leading to an uninstaller download. This requires a working Internet Explorer with ActiveX downloads enabled to function.

Spybot S&D update 2002-09-08 and later, and Ad-Aware can remove the Toolbar and Agent variants; Spybot update 2002-11-30 and HijackThis 1.8 can remove the Mib variant.

Manual removal

Each successive variant of CommonName gets harder to remove by hand. Variants with an LSP (Mib, Zenet, Winnet) are particularly tricky: do not try to delete them by just deleting the files. If you manage to delete the LSP you will lose network connectivity.

CommonName/Comwiz

This variant cannot be manually uninstalled from the normal desktop. You have to boot Windows without letting the two self-restoring processes start up.

On Windows NT/2000/XP/2003, you can do this by pressing F8 just before Windows starts loading and choosing ‘Safe Mode’. Open the ‘Program Files’ folder and delete the ‘CommonName’ folder inside it.

On Windows 95/98/Me, you will have to boot to DOS to do it, and enter the commands:

cd "\Program Files"
deltree /Y CommonName

This is a ‘dirty’ way of uninstalling the software, leaving behind a bit of a mess. If you like you can clear up by deleting the registry keys mentioned in the instructions for CommonName/Agent.

CommonName/Winnet

You must first kill the ‘winnet.exe’ process (otherwise, it will keep setting itself up to run automatically). Press Ctrl-Alt-Delete and open the Task Manager. If you are using Windows NT/2000/XP, choose the ‘Processes’ tab to list all programs. Choose ‘winnet.exe’ and end the process.

Continue with the instructions for Zenet.

CommonName/Zenet

Open the registry (Start->Run->regedit). Open the key ‘HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}’, right click the ‘InProcServer32’ subkey and choose ‘Delete’. (This neuters the CommonName BHO but doesn’t completely remove it, so it won’t notice the change and re-register itself.)

Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled ‘Zenet’ (or ‘Winnet’, for that variant). Delete it and reboot the machine immediately.

Continue with the instructions for Mib.

CommonName/Mib

The CNMib.dll module must now be removed from the Winsock2 LSP chain. CounterExploitation’s tool LSPFix can do this for you. Download it, run it and tell it to ‘Remove’ CNMib.dll, and ‘Keep’ everything else.

You can also do it by hand if you are brave. Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. There will be a list of numeric subkeys; open each one and double-click its ‘PackedCatalogItem’ value. You should be able to see a filename at the top of the right-hand column in the ‘Edit Binary Value’ window. If it is ‘C:\Program Files\CommonName\Toolbar\cnmib.dll’ or similar, delete the entire ‘00000somenumber’ key. The path must point exactly at the cnmib.dll file! Do not delete the key just because you see a cnmib hanging on the end of the displayed text: the real path ends at the first null byte, and anything shown after it is leftover data from an earlier, longer entry. For example ‘%SystemRoot%\system32\mswsock.dll.r\cnmib.dll’ actually points to mswsock, not cnmib.

Then rename the numeric subkeys so that they count up each number from 000000000001, filling in any gaps you left by deleting old ones. Finally, go back up to ‘Protocol_Catalog9’ and change the ‘Num_Catalog_Entries’ value to reflect the new number of subkeys you have. Set the base to decimal in the ‘Edit DWORD value’ window and enter the highest number subkey that is left after renaming.

If your manual removal went wrong in any way you will have lost your networking ability. Sorry! LSPFix may still be able to rescue you in this situation, but otherwise you are looking at a reinstall of Windows or at least its networking components.
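The catalog walk described above is easy to get wrong by eye, so here is an added example (not code from the original page, doxdesk or CommonName) that does the decoding and the renumbering arithmetic as a read-only plan. It assumes that each PackedCatalogItem value starts with the provider DLL path as a NUL-terminated ANSI string in the first 260 bytes (MAX_PATH), followed by the WSAPROTOCOL_INFO structure; the sample catalog it runs on is constructed for the example, including the ‘mswsock.dll.r\cnmib.dll’ look-alike, and nothing is written to the registry.

```python
"""
Added example: decode Winsock2 PackedCatalogItem blobs, flag only those whose
real path ends in cnmib.dll, and plan the contiguous renumbering of the
remaining Catalog_Entries subkeys plus the new Num_Catalog_Entries value.

Assumptions (not taken from the page): the DLL path occupies the first
MAX_PATH (260) bytes of the blob as a NUL-terminated ANSI string; the rest of
the blob is the WSAPROTOCOL_INFO body, which this script does not interpret.
"""
import ntpath
from typing import Dict, List, Tuple

MAX_PATH = 260
TARGET_DLL = "cnmib.dll"   # the CommonName LSP module named on the page


def packed_item_path(blob: bytes) -> str:
    """Return the DLL path at the front of a PackedCatalogItem blob.

    The path ends at the first NUL; bytes after it are stale data from an
    earlier, longer entry, which is exactly the 'mswsock.dll.r\\cnmib.dll'
    trap the removal instructions warn about.
    """
    head = blob[:MAX_PATH]
    end = head.find(b"\x00")
    if end == -1:
        end = len(head)
    return head[:end].decode("latin-1")


def is_commonname_lsp(path: str) -> bool:
    """True only when the final path component really is cnmib.dll."""
    return ntpath.basename(path).lower() == TARGET_DLL


def plan_catalog_cleanup(entries: Dict[str, bytes]) -> Tuple[List[str], Dict[str, str], int]:
    """Given {subkey_name: PackedCatalogItem}, return
    (keys to delete, {old_name: new_name} renames, new Num_Catalog_Entries).
    Subkeys are renumbered contiguously from 000000000001, so the count of
    surviving entries equals the highest remaining subkey number."""
    names = sorted(entries)
    delete = [k for k in names if is_commonname_lsp(packed_item_path(entries[k]))]
    keep = [k for k in names if k not in delete]
    renames = {}
    for idx, old in enumerate(keep, start=1):
        new = f"{idx:012d}"
        if new != old:
            renames[old] = new
    return delete, renames, len(keep)


def make_packed_item(path: str, residue: bytes = b"") -> bytes:
    """Construct a PackedCatalogItem-style blob for the example: ANSI path,
    NUL terminator, optional stale bytes, padded to MAX_PATH, then a dummy
    WSAPROTOCOL_INFO body (372 zero bytes; contents are irrelevant here)."""
    head = path.encode("latin-1") + b"\x00" + residue
    if len(head) > MAX_PATH:
        raise ValueError("path too long for PackedCatalogItem header")
    return head.ljust(MAX_PATH, b"\x00") + b"\x00" * 372


# Constructed sample catalog: entry 2 is the real CommonName LSP; entry 3 is
# the look-alike whose displayed bytes read 'mswsock.dll.r\cnmib.dll'.
SAMPLE_CATALOG = {
    "000000000001": make_packed_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": make_packed_item(r"C:\Program Files\CommonName\Toolbar\cnmib.dll"),
    "000000000003": make_packed_item(r"%SystemRoot%\system32\mswsock.dll",
                                     residue=b"r\\cnmib.dll"),
    "000000000004": make_packed_item(r"%SystemRoot%\system32\rsvpsp.dll"),
}


def scan_live_catalog() -> Dict[str, bytes]:
    """Read the real catalog on Windows (returns {} elsewhere). Read-only."""
    try:
        import winreg
    except ImportError:
        return {}
    key = r"System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
    found: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            with winreg.OpenKey(root, name) as sub:
                found[name] = winreg.QueryValueEx(sub, "PackedCatalogItem")[0]
            i += 1
    return found


if __name__ == "__main__":
    catalog = scan_live_catalog() or SAMPLE_CATALOG
    for name, blob in sorted(catalog.items()):
        flag = "  <-- CommonName LSP" if is_commonname_lsp(packed_item_path(blob)) else ""
        print(f"{name}: {packed_item_path(blob)}{flag}")
    delete, renames, count = plan_catalog_cleanup(catalog)
    print("delete:", delete)
    print("rename:", renames)
    print("Num_Catalog_Entries ->", count)
```

On the constructed sample the plan deletes only 000000000002, renames 000000000003 and 000000000004 down by one, and sets Num_Catalog_Entries to 3; the look-alike entry is kept because its real path stops at mswsock.dll. On a Windows machine the script lists the live catalog and prints the same kind of plan without touching anything, which is a sensible sanity check before editing by hand or handing the job to LSPFix.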

Once the LSP is gone, continue with the instructions for Agent.

CommonName/Agent

Open the registry (Start->Run->regedit) and delete the following keys and values:

HKEY_LOCAL_MACHINE\Software\CommonName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add A Page Note
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark This Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email This Link
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search using CommonName
HKEY_CLASSES_ROOT\BabeIE.AgentIE
HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
HKEY_CLASSES_ROOT\BabeIE.Handler
HKEY_CLASSES_ROOT\BabeIE.Handler.1
HKEY_CLASSES_ROOT\BabeIE.Helper
HKEY_CLASSES_ROOT\BabeIE.Helper.1
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
HKEY_CLASSES_ROOT\Protocols\Handler\cn

Reboot and you should be able to delete the entire CommonName folder in Program Files. Finally, you can use Internet Options->Programs->Reset Web Settings to restore the normal search options.

Phew! You can stop now.

CommonName/Toolbar

First, deregister CNBabe. To do this, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"

(Change the filename above if your Program Files folder is somewhere other than ‘C:\Program Files’ - for example if you are using a different drive, or a non-English version of Windows.)

Reboot and you should be able to delete the CommonName folder in Program Files.

Links

Official CommonName site.

Vendor statement

CommonName provides a keyword navigation and powersearch search engine service. Further products, such as Login Manager and Form Filler are also provided with the Toolbar version of the software. We will leave it up to users to judge the usefulness of our product, but we want to emphasize that we do not collect personal user information nor track personal web usage. We have a strict privacy policy.

If you are unhappy after trying our service, remove it from your computer through Settings/Control Panel/Add Remove Programs. If you need help, feel free to contact us at support@commonname.com.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
