CommonName Spyware Profile

Title: CommonName

Also Known as: CommonName/Agent, CommonName/Toolbar, BabeIE

Severity scale: 78 / 100

CommonName is a spyware program with two main components: a browser hijacker and a toolbar. It was first discovered in 2003 and was created by CommonName Ltd.
The browser hijacker and the toolbar work together. When you enter a search term in the toolbar or in a normal search, it redirects your browser to one of its affiliate sites. The toolbar also generates pop-ups based on keywords on the pages you're viewing.
CommonName is a very difficult program to get rid of. Its files are hidden, so it should not be removed manually. Use SpyZooka for a guaranteed successful removal.

Also Known As:
CommonName/Agent, CommonName/Toolbar, BabeIE, BabeIE2, CNMib

Associated Files:

Winnet.exe
Comwiz.exe
Cnbabe.dll
Winik.sys

Associated Registry Keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{046D6EA4-15E3-4b27-8010-45BD78A9219E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A5F9339-F6A5-4464-95E3-A00BCA6206E3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{746CEE9E-7A1D-417f-9A35-804A0217268B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C7624D1-C414-4D1B-8FE9-52FA0558FB62}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C8FFABC6-B706-4278-9399-169DF9FBF37E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{127ACE33-7EA8-45F0-8B55-EFE8B8068BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Browser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Browser.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Handler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Handler.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Helper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Helper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{046D6EA4-15E3-4b27-8010-45BD78A9219E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inetmgr
HKEY_LOCAL_MACHINE\SOFTWARE\Internet Keyword
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]\User
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]\App
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[NAME SERVICE IS REGISTERED AS]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[NAME SERVICE IS REGISTERED AS]
HKEY_USERS\S-1-5-21-1960408961-507921405-725345543-500\Software\Internet Keyword
HKEY_USERS\S-1-5-21-1960408961-507921405-725345543-500\Software\[RANDOM NAME]\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Note: The [RANDOM NAME] placeholder in this and subsequent entries stands for a different random name each time it appears, not the same randomly chosen name throughout.

Adds the values:

"DisplayName" = "Internet Keyword"
"UninstallString" = "C:\Program Files\Internet Keyword\unins.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Keyword

Creates some of the following files and folders:

C:\Program Files\CommonName
C:\Program Files\Internet Keyword
C:\Program Files\[RANDOM NAME]\babe.dat
C:\Program Files\[RANDOM NAME]\cnml.exe
C:\Program Files\[RANDOM NAME]\dfs.dat
C:\Program Files\[RANDOM NAME]\exit.dat
C:\Program Files\[RANDOM NAME]\[RANDOM NAME].dll
C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
C:\Program Files\[RANDOM NAME]\obj.dat
C:\Program Files\[RANDOM NAME]\profile.dat
C:\Program Files\[RANDOM NAME]\url1.dat
C:\Program Files\[RANDOM NAME]\url2.dat
C:\Program Files\[RANDOM NAME]\url8.dat
C:\Program Files\[RANDOM NAME]\url9.dat
C:\Program Files\[RANDOM NAME]\urlx.dat
C:\Program Files\[RANDOM NAME]\WINIK.SYS
C:\Program Files\[RANDOM NAME]\[RANDOM NAME].dll
C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
C:\WINDOWS\system32\[RANDOM NAME].ini
C:\WINDOWS\system32\[RANDOM NAME].ini
C:\WINDOWS\system32\[RANDOM NAME].ini

May drop the following file, which is a rootkit component that hides processes, registry subkeys, and files associated with this risk:

%System%\drivers\winik.sys

One Response to “CommonName Spyware Profile”

  1. John Flores says:

    “CommonName” came out of nowhere… I tried to remove it with Spybot – Search & Destroy, Twister Anti-TrojanVirus, avast! Antivirus, Spyware Nuker XT but nothing worked. Finally I tried Spyzooka and it removed it forever. I appreciate your help.

