Posted

Hi, I just can't get rid of this CommonName spam Trojan.

''Each successive variant of CommonName gets harder to remove by hand. Do not try to uninstall the later variants (Mib, Zenet, Winnet) by just deleting the files. They include a Winsock2 layered service provider module (LSP); if you manage to delete this you will lose network connectivity.''

Somehow my Ad-aware is corrupted and it doesn't remove/find CommonName, Gain or Gator. I've reinstalled Ad-aware a few times but it doesn't work.

In my task bar it shows Winnet, which is one of them, and Zenet.

When I close them down they just show up again at a different location.

I can't delete them. Does anyone know how to remove them manually?

Posted

It seems kind of overkill maybe, but when you can't quarantine a virus successfully the only real option left is a complete reformat of the drive and reinstallation of all software on it.

[ same as with a hacked / compromised system ]

Have you got a virus scanner installed and if so does it detect it?

Posted

I manually removed CommonName:

You must first kill the 'winnet.exe' process (otherwise, it will keep setting itself up to run automatically). Press Ctrl-Alt-Delete and open the Task Manager. If you are using Windows NT/2000/XP, choose the 'Processes' tab to list all programs. Choose 'winnet.exe' and end the process.

Continue with the instructions for Zenet.

CommonName/Zenet

Open the registry (Start->Run->regedit). Open the key 'HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}', right click the 'InProcServer32' subkey and choose 'Delete'. (This neuters the CommonName BHO but doesn't completely remove it, so it won't notice the change and re-register itself.)

Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled 'Zenet' (or 'Winnet', for that variant). Delete it and reboot the machine immediately.

Continue with the instructions for Mib.

CommonName/Mib

The CNMib.dll module must now be removed from the Winsock2 LSP chain. CounterExploitation's tool LSPFix can do this for you. Download it, run it and tell it to 'Remove' CNMib.dll, and 'Keep' everything else.

You can also do it by hand if you are brave. Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. There will be a list of numeric subkeys; open each one and double-click its 'PackedCatalogItem' value. You should be able to see a filename at the top of the right-hand column in the 'Edit Binary Value' window. If it is 'C:\Program Files\CommonName\Toolbar\cnmib.dll' or similar, delete the entire '00000somenumber' key. The path must point exactly at the cnmib.dll file! Do not delete the key just because you see a cnmib hanging on the end - for example '%SystemRoot%\system32\mswsock.dll.rcnmib.dll' actually points to mswsock, not cnmib.

Then rename the numeric subkeys so that they count up each number from 000000000001, filling in any gaps you left by deleting old ones. Finally, go back up to 'Protocol_Catalog9' and change the 'Num_Catalog_Entries' value to reflect the new number of subkeys you have. Set the base to decimal in the 'Edit DWORD value' window and enter the highest number subkey that is left after renaming.

If your manual removal went wrong in any way you will have lost your networking ability. Sorry! LSPFix may still be able to rescue you in this situation, but otherwise you are looking at a reinstall of Windows or at least its networking components.

Once the LSP is gone, continue with the instructions for Agent.

CommonName/Agent

Open the registry (Start->Run->regedit) and delete the following keys and values:

HKEY_LOCAL_MACHINE\Software\CommonName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add A Page Note
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark This Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email This Link
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search using CommonName
HKEY_CLASSES_ROOT\BabeIE.AgentIE
HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
HKEY_CLASSES_ROOT\BabeIE.Handler
HKEY_CLASSES_ROOT\BabeIE.Handler.1
HKEY_CLASSES_ROOT\BabeIE.Helper
HKEY_CLASSES_ROOT\BabeIE.Helper.1
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
HKEY_CLASSES_ROOT\Protocols\Handler\cn

Reboot and you should be able to delete the entire CommonName folder in Program Files. Finally, you can use Internet Options->Programs->Reset Web Settings to restore the normal search options.

Phew! You can stop now.

CommonName/Toolbar

First, deregister CNBabe. To do this, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"

regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"

(Change the filename above if your Program Files folder is somewhere other than 'C:\Program Files' - for example if you are using a different drive, or a non-English version of Windows.)

Reboot and you should be able to delete the CommonName folder in Program Files.
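Before deleting any Catalog_Entries subkey by hand, it helps to see the decoded path of every LSP entry and check that Num_Catalog_Entries matches the subkey count. This is an added, read-only PowerShell example written for this thread, not code from the poster or from LSPFix; it assumes an elevated Windows PowerShell prompt and changes nothing.

```powershell
# Added example: list the Winsock2 LSP chain the way the post inspects it by hand.
# Read-only; assumes Windows PowerShell running elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
$declared = (Get-ItemProperty -Path $base -Name 'Num_Catalog_Entries').Num_Catalog_Entries
$entries  = @(Get-ChildItem -Path "$base\Catalog_Entries" | Sort-Object PSChildName)

foreach ($e in $entries) {
    $blob = (Get-ItemProperty -Path $e.PSPath -Name 'PackedCatalogItem').PackedCatalogItem

    # The packed item begins with the provider path as a NUL-terminated ANSI string in a
    # fixed MAX_PATH (260-byte) field. Bytes after the NUL are stale padding left over from
    # earlier, longer entries, which is why 'mswsock.dll' can look like it ends in 'cnmib.dll'.
    [byte[]]$field = $blob[0..259]
    $nul = [Array]::IndexOf($field, [byte]0)
    if ($nul -lt 0) { $nul = $field.Length }
    $path = [System.Text.Encoding]::Default.GetString($field, 0, $nul)
    $tail = ''
    if ($nul -lt $field.Length - 1) {
        $tail = [System.Text.Encoding]::Default.GetString($field, $nul + 1, $field.Length - $nul - 1)
        $tail = $tail -replace '[^\x20-\x7e]', ''   # keep only printable leftovers for display
    }

    [PSCustomObject]@{
        Entry    = $e.PSChildName
        Path     = $path                                   # the part Winsock actually loads
        Resolves = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($path))
        Padding  = $tail                                   # ignore this when deciding what to delete
    }
}

# After any manual edit the DWORD must equal the number of (contiguously renumbered) subkeys,
# otherwise the chain fails to load and networking breaks, as the post warns.
if ($declared -ne $entries.Count) {
    Write-Warning "Num_Catalog_Entries is $declared but Catalog_Entries has $($entries.Count) subkeys."
}
```

Run it before and after the cleanup: every row should resolve to an existing DLL, and the warning should not appear.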

Posted

I have Norton AntiVirus 2003, completely updated, but it doesn't detect anything.

Just shows what kind of crap program it is :)

Seriously, well done on getting it removed. I do not know how you got the virus, but you might want to trace your steps back as to where you got it from.

Posted

Thanks :)

Norton is indeed a crap program.

I found out where I got it from.

The good (bad) old Kazaa (classic, not Lite) is responsible for this.

You can also get it from iMesh or Morpheus.

I deleted all these peer-to-peer file sharing programs and I'll never use them again.

Good day,

av
