About CommonName
Also known as: CNBabeIE, BabeIE, BabeIE2.
An IE toolbar allowing you to enter keywords or a company
name to go to CommonName customers' web sites. Newer versions
have added search and Gator-like form-filling functions.
Originally a normal service, the software has become bundled
adware. CommonName includes a re-installer (winnet.exe) that
may defeat your removal efforts.
Variants:
- CommonName.Toolbar: installs an IE toolbar with a
keyword lookup box.
- CommonName.Agent: takes over searches entered into the
standard IE address bar (by means of an IE Browser Helper
Object), and pops up ads occasionally.
- CommonName.Mib: version 3.6.0.0 onwards also includes a
WinSock2 Layered Service Provider, CNMib.dll.
- CommonName.Zenet: version 3.6.2.0 onwards also has its
BHO re-register itself periodically, to make it hard to
remove manually.
- CommonName.Winnet: version 4.0.0.0 onwards also has a
separate updating process, which re-registers itself
constantly, to make it even harder to remove manually.
- CommonName.Comwiz: later 4.x versions use two restarting
processes instead of one. If one process is killed the
other one starts it back up again. However the LSP seems
no longer to be in use.
- CommonName.Cnbabe
- CommonName.Winnet
Removal Instructions
Automatic Removal:
CommonName can be detected and removed Automatically
by Spyware Doctor, also SpyEraser.
Manual Removal:
Caution: imperfect removal can result
in loss of Internet connection for variants using cnmib.dll.
Each successive variant of CommonName gets harder to remove
manually. Do not try to uninstall CommonName/Mib, CommonName/Zenet,
or CommonName/Winnet by just deleting the files. They include
a Winsock2 layered service provider module (LSP); if you
manage to delete this you will lose network connectivity.
Removal with Unins.exe Version 4.2.0.0 (right click
on winnet.exe to see what version you have) comes with
CommonName\Toolbar\unins.exe Running it will take you to a web
page where, after completing a form, you may retrieve an
uninstaller named uninstbb.exe. You will then have
35 or more files and registry entries that must be removed by
some other means.
CommonName/Winnet
Do not try to uninstall by just
deleting the files. It includes a Winsock2 Layered Service
Provider module (LSP). If you delete this, you will lose
network connectivity.
You must first kill the 'winnet.exe' process (otherwise, it
will keep setting itself up to run automatically). Press
Ctrl-Alt-Delete and open the Task Manager. If you are using
Windows NT/2000/XP, choose the 'Processes' tab to list all
programs. Choose 'winnet.exe' and end the process.
CommonName/Zenet
Do not try to uninstall by just
deleting the files. It includes a Winsock2 Layered Service
Provider module (LSP). If you delete this, you will lose
network connectivity.
Open the registry (Start->Run->regedit). Open the key
'HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}',
right click the 'InProcServer32' subkey and choose 'Delete'.
(This neuters the CommonName BHO but doesn't completely remove
it, so it won't notice the change and re-register itself.)
Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
There will be a value here titled 'Zenet' (or 'Winnet', for
that variant). Delete it and reboot the machine immediately.
CommonName/Mib
Do not try to uninstall by just
deleting the files. It includes a Winsock2 Layered Service
Provider module (LSP). If you delete this, you will lose
network connectivity.
The CNMib.dll module must now be removed from the Winsock2
LSP chain. CounterExploitation's tool LSPFix can do this for
you. Download it, run it and tell it to 'Remove' CNMib.dll,
and 'Keep' everything else.
You can also do it by hand if you are brave. Open the
registry (Start->Run->regedit) and open the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries. There will be a
list of numeric subkeys; open each one and double-click its 'PackedCatalogItem'
value. You should be able to see a filename at the top of the
right-hand column in the 'Edit Binary Value' window. If it is
'C:\Program Files\CommonName\Toolbar\cnmib.dll' or similar,
delete the entire '00000somenumber' key. The path must point
exactly at the cnmib.dll file! Do not delete the key just
because you see a cnmib hanging on the end - for example '%SystemRoot%\system32\mswsock.dll.r\cnmib.dll'
actually points to mswsock, not cnmib.
Then rename the numeric subkeys so that they count up each
number from 000000000001, filling in any gaps you left by
deleting old ones. Finally, go back up to 'Protocol_Catalog9'
and change the 'Num_Catalog_Entries' value to reflect the new
number of subkeys you have. Set the base to decimal in the
'Edit DWORD value' window and enter the highest number subkey
that is left after renaming.
If your manual removal went wrong in any way you will have
lost your networking ability. Sorry! LSPFix may still be able
to rescue you in this situation, but otherwise you are looking
at a reinstall of Windows or at least its networking
components.
CommonName/Agent
Open the registry (Start->Run->regedit) and delete
the following keys and values:
HKEY_LOCAL_MACHINE\Software\CommonName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add
A Page Note
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark
This Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email
This Link
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search
using CommonName
HKEY_CLASSES_ROOT\BabeIE.AgentIE
HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
HKEY_CLASSES_ROOT\BabeIE.Handler
HKEY_CLASSES_ROOT\BabeIE.Handler.1
HKEY_CLASSES_ROOT\BabeIE.Helper
HKEY_CLASSES_ROOT\BabeIE.Helper.1
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
HKEY_CLASSES_ROOT\Protocols\Handler\cn
Reboot and you should be able to delete the entire CommonName
folder in Program Files. Finally, you can use Internet
Options->Programs->Reset Web Settings to restore the
normal search options.
If you are removing CommonName/Winnet, CommonName/Zenet,
CommonName/Mib, or CommonName/Agent, proceed to Cleaning
Up.
CommonName/Toolbar
First, deregister CNBabe. To do this, open a DOS command
prompt window (from Start->Programs->Accessories) and
enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"
(Change the filename above if your Program Files folder is
somewhere other than 'C:\Program Files' - for example if you
are using a different drive, or a non-English version of
Windows.)
Reboot and you should be able to delete the CommonName
folder in Program Files.
Cleaning Up. Finally you can clean up by deleting
the following registry keys if found:
HKEY_CLASSES_ROOT\appid\cnform.exe
HKEY_CLASSES_ROOT\appid\winnet.exe
HKEY_CLASSES_ROOT\appid\{118a2bfa-5ac7-4d29-beb9-d68f4d2cccab}
HKEY_CLASSES_ROOT\appid\{ae6ddeb6-5683-4f5d-ad53-0f93b02a3f93}
HKEY_CLASSES_ROOT\babeie.agentie
HKEY_CLASSES_ROOT\cnbar.explorerbar
HKEY_CLASSES_ROOT\cnbar.explorerbar.1
HKEY_CLASSES_ROOT\cnform.cnbarhelper
HKEY_CLASSES_ROOT\cnform.cnbarhelper.1
HKEY_CLASSES_ROOT\cnform.history
HKEY_CLASSES_ROOT\cnform.history.1
HKEY_CLASSES_ROOT\protocols\handler\cn
HKEY_CLASSES_ROOT\software\microsoft\internet
explorer\toolbar{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser
helper objects\{1e1b2879-88ff-11d2-8d96-d7acac95951f}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser
helper objects\{6656b666-992f-4d74-8588-8cac9e79d90c}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser
helper objects\{a6475e6b-3c2e-4b1f-82fd-8f1c0b1d8ad0}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\uninstall
\commonname
toolbar 3.50_is1
HKEY_CLASSES_ROOT\winnet.update
HKEY_CLASSES_ROOT\winnet.update.1
HKEY_CURRENT_USER\software\
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextadd
a page note
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextbookmark
this page
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextemail
this link
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuextsearch
using commonname
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\add
a page note
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\bookmark
this page
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\email
this link
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\search
using
HKEY_LOCAL_MACHINE\babeie.helper
HKEY_LOCAL_MACHINE\babeie.helper.1
HKEY_LOCAL_MACHINE\software\classes\babeie.handler.1
HKEY_LOCAL_MACHINE\software\
HKEY_LOCAL_MACHINE\software\microsoft\code store
database\distribution
units\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\advancedoptions\
HKEY_LOCAL_MACHINE\software\microsoft\internet
explorer\toolbar{a3e3f04c-f98c-4295-95ef-41c57425b077}
HKEY_LOCAL_MACHINE\winnet.update
......
- Kill these running processes with Task Manager:
c:\progra~1\common~2\addres~1\winnet.exe
programfilesdir+\commonname\addressbar\comwiz.exe
programfilesdir+\commonname\addressbar\unins.exe
programfilesdir+\commonname\addressbar\winnet.exe
programfilesdir+\commonname\desktop\cndesk.exe
programfilesdir+\commonname\desktop\unins000.exe
programfilesdir+\commonname\toolbar\cnform.exe
programfilesdir+\commonname\toolbar\comwiz.exe
programfilesdir+\commonname\toolbar\unins.exe
programfilesdir+\commonname\toolbar\winnet.exe
programfilesdir+\common~2\toolbar\cnform.exe4172cnbabeie.exe
cnbabe4.exe
cnbabeie4.exe
cnbar.exe
cnoutlook.exe
- Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value winnet, delete it and reboot
the machine immediately. If you find the value zenet,
delete it and reboot the machine immediately.
- Unregister these DLLs with Regsvr32, then reboot:
programfilesdir+\commonname\addressbar\cnbabe.dll
programfilesdir+\commonname\desktop\babe.dll
programfilesdir+\commonname\desktop\resdll.dll
programfilesdir+\commonname\toolbar\babeie.dll
programfilesdir+\commonname\toolbar\cnbabe.dll
programfilesdir+\commonname\toolbar\cnbarie.dll
programfilesdir+\commonname\toolbar\cnmib.dll
systemroot+\system32\babeie.dll
systemroot+\system32\cnbabe.dll
systemroot+\system32\cnbarie.dll
systemroot+\system32\htmledit.dll
systemroot+\system\babeie.dll
systemroot+\system\cnbabe.dll
systemroot+\system\cnbarie.dll
systemroot+\system\htmledit.dllcnoutlook.dll
- Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\appid\cnform.exe
HKEY_CLASSES_ROOT\appid\winnet.exe
HKEY_CLASSES_ROOT\appid\{118a2bfa-5ac7-4d29-beb9-d68f4d2cccab}
HKEY_CLASSES_ROOT\appid\{ae6ddeb6-5683-4f5d-ad53-0f93b02a3f93}
HKEY_CLASSES_ROOT\babeie.agentie
HKEY_CLASSES_ROOT\babeie.agentie.1
HKEY_CLASSES_ROOT\babeie.handler
HKEY_CLASSES_ROOT\cnbar.bandsink
HKEY_CLASSES_ROOT\cnbar.bandsink.1
HKEY_CLASSES_ROOT\cnbar.cnbarband
HKEY_CLASSES_ROOT\cnbar.cnbarband.1
HKEY_CLASSES_ROOT\cnbar.explorerbar
HKEY_CLASSES_ROOT\cnbar.explorerbar.1
HKEY_CLASSES_ROOT\cnform.cnbarhelper
HKEY_CLASSES_ROOT\cnform.cnbarhelper.1
HKEY_CLASSES_ROOT\cnform.history
HKEY_CLASSES_ROOT\cnform.history.1
HKEY_CLASSES_ROOT\dnserr.dnserrobj
HKEY_CLASSES_ROOT\dnserr.dnserrobj.1
HKEY_CLASSES_ROOT\protocols\handler\cn
HKEY_CLASSES_ROOT\software\microsoft\internet explorer\toolbar\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser helper objects\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser helper objects\{1e1b2879-88ff-11d2-8d96-d7acac95951f}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser helper objects\{6656b666-992f-4d74-8588-8cac9e79d90c}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer
\browser helper objects\{a6475e6b-3c2e-4b1f-82fd-8f1c0b1d8ad0}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\uninstall
\commonname toolbar 3.50_is1
HKEY_CLASSES_ROOT\winnet.update
HKEY_CLASSES_ROOT\winnet.update.1
HKEY_CURRENT_USER\software\commonname
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\add a page note
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\bookmark this page
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\email this link
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\search using commonname
HKEY_LOCAL_MACHINE\software\classes\typelib\{d879d743-e2cc-4161-8034-2234203681c9}
HKEY_LOCAL_MACHINE\software\classes\winnet.update
HKEY_LOCAL_MACHINE\software\classes\winnet.update.1
HKEY_LOCAL_MACHINE\software\classes\winnet.update\clsid
HKEY_LOCAL_MACHINE\software\classes\winnet.update\curver
HKEY_LOCAL_MACHINE\software\commonname
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\advancedoptions
\commonname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
\cndesk
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
\winnet
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
\zenet
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall
\commonname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall
\commonname desktop 3.0_is1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall
\commonname toolbar 3.30_is1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall
\commonname toolbar 3.50_is1
HKEY_LOCAL_MACHINE\winnet.update
HKEY_USERS\s-1-5-21-1960408961-1993962763-1343024091-1003\software
\microsoft\internet explorer\menuext\add a page note
HKEY_USERS\s-1-5-21-1960408961-1993962763-1343024091-1003\software
\microsoft\internet explorer\menuext\bookmark this page
HKEY_USERS\s-1-5-21-1960408961-1993962763-1343024091-1003\software
\microsoft\internet explorer\menuext\email this link
HKEY_USERS\s-1-5-21-1960408961-1993962763-1343024091-1003\software
\microsoft\internet explorer\menuext\search using commonname
......
- Remove these files (if present) with Windows Explorer:
c:\documents and settings\all users.windows\start menu\programs\commonname\commonname desktop 3.0.lnk
c:\documents and settings\all users.windows\start menu\programs\commonname\commonname toolbar 3.30.lnk
c:\documents and settings\all users.windows\start
menu\programs\commonname
\uninstall commonname toolbar 3.30.lnk
c:\progra~1\common~2\addres~1\winnet.exe
profilepath+\desktop\commonname desktop 3.0.lnk
programfilesdir+\common~2\toolbar\cnform.exe
systemroot+\system32\babeie.dll
systemroot+\system\cnbabe.dll
systemroot+\system\cnbarie.dll
systemroot+\system\htmledit.dll4172cnbabeie.exe
babe.dat
cnbabe4.exe
cnbabeie.rtf
cnbabeie4.exe
cnbar.exe
cnbarie.dll.txt
cnbarieasm.txt
cnoutlook.dll
cnoutlook.exe
cnoutlook.mdb
commonname privacy policy.txt
commonname toolbar user guide - overview.txt
commonname toolbar user guide.txt
commonname user guide email agent.txt
commonname website terms and conditions.txt
commonname.mdb
commonname.txt
commonname.wif
dfs.dat
exit.dat
mib.dat
newsbar.htm
system.dat
unins000.dat
uninstall commonname desktop 3.0.lnk
url2.dat
winnet.to_be_deleted
......
- Remove these directories (if present) with Windows
Explorer:
c:\documents and settings\all users.windows\start menu\programs\commonname
profilepath+\application data\commonname
programfilesdir+\commonname
- After
following the instructions above, you will still need to
restore your original settings and prevent this from happening
again. Here's how.
Sponsored Links:
Removal Instructions for Other Adwares &
Spywares
| 
