
Removed Spysheriff, now error message 'ibm0001.exe not found'

 

143 comments. Current rating: 5 stars (32 votes).

Question:

Your article on Spysheriff is very helpful; however, when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear whether this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file, or delete it with a tool that removes it right at boot time, you will still have a reference to this file in the registry.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Change this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you only glance at the entry in the list, you will not see the argument. Make sure to open the value for editing.
Alternatively, you can search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe is started with ibm00001.exe as a parameter passed through system.ini. (This may depend on the Windows version.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:
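
The checks described above (a Shell value that is not exactly 'explorer.exe', an argument hidden behind padding spaces, and the shell= line in system.ini) can be scripted. This PowerShell script is an added example, not part of the original article; the function name Test-ShellValue and the sample values are constructed for illustration, and it assumes a Windows machine with PowerShell available.

```powershell
# Added example (not from the original article). Flags any Shell value that is
# not exactly 'explorer.exe', including arguments hidden behind padding spaces.
function Test-ShellValue {
    param([string]$Value, [string]$Source)
    $trimmed = $Value.Trim()
    # First token is the shell itself; everything after it is an extra argument.
    $parts = $trimmed -split '\s+', 2
    $extra = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    # Longest whitespace run: a large number means the argument was pushed
    # out of view in regedit's list pane.
    $runs = [regex]::Matches($Value, '\s+') | ForEach-Object { $_.Length }
    $pad  = ($runs | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Source     = $Source
        Clean      = ($trimmed -ieq 'explorer.exe')
        ExtraArgs  = $extra
        MaxPadding = [int]$pad
        Length     = $Value.Length
    }
}

# Constructed samples modelled on the values quoted in the article.
$samples = @(
    'explorer.exe',
    'explorer.exe "c:\ibm00001.exe"',
    ('explorer.exe' + (' ' * 300) + '"c:\ibm00001.exe"')
)
$results = @(foreach ($s in $samples) { Test-ShellValue $s 'sample' })

# Live check 1: the Winlogon key named in the article.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $live) { $results += Test-ShellValue $live 'Winlogon\Shell' }

# Live check 2: any shell= line in system.ini.
$ini = Join-Path $env:windir 'system.ini'
if (Test-Path $ini) {
    foreach ($m in Select-String -Path $ini -Pattern '^\s*shell\s*=(.*)$') {
        $results += Test-ShellValue $m.Matches[0].Groups[1].Value 'system.ini'
    }
}

$results | Format-Table Source, Clean, MaxPadding, Length, ExtraArgs -AutoSize
```

Any row with Clean = False needs a closer look; a large MaxPadding or Length on the Winlogon row is the padded-argument case reported in the comments.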



Comments:

2005-11-21, 05:50:43
tina from Malaysia  
Thanks for this, but I didn't have explorer.exe 'c:\ibm00001.exe'.
I only had explorer.exe,
and the PC is still having that red with white X saying your computer is infected. Please help.
2005-11-21, 08:24:47
hollabr@saic.com from United States  
Spysheriff completely redoes registry settings, in terms of desktop settings, themes, etc. It took me about an hour of having to restore the default registry settings to have my sister's system back to normal.
2005-11-23, 00:50:29
anonymous from Romania  
In some cases, the registry key will contain a lot of blank spaces after explorer.exe. I have seen this on my computer; the Shell entry went something like
'explorer.exe [...lots of blank spaces...] 'C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe''
Obviously, this was done to fool people looking through the registry inattentively - double-clicking the value in the registry editor reveals the 'hidden' argument to explorer.exe.

Anyway, thanks for this, it reminded me to search through the bloody Registry (I'd forgotten to do that).
2005-11-23, 12:36:29
Oskar from Slovenia  
Yep, Mr. Anonymous here was right, in my case there was a whole bunch of spaces as well... Try editing the value and you'll see.

good luck ;)
2005-11-23, 14:04:24
anonymous from Germany  
It could be there in the registry; open the key and look,
because it uses a lot of spaces so you don't see it in the window itself.
2005-11-24, 18:35:25
anonymous from United States  
If you want to get rid of them 3 files ibm00001.dll
ibm00001.exe
ibm00002.dll you have to go to regedit, go to find and type them in
then delete the
2005-11-24, 18:37:16
anonymous from United States  
If you want to get rid of them 3 files ibm00001.dll
ibm00001.exe
ibm00002.dll
you have to go to regedit, go to find and type them in,
then delete them. Sorry about the spelling, damn keyboard keys getting stuck.
2005-11-24, 18:50:17
anonymous from United States  
Yeah, Spysheriff messed my computer all up. Watch what files you download
off the net. Just for the hell of it I d/l all kinds of stuff on my older computer just to see where these damn viruses come from.
Here is a short list, then you can figure what to stay off or go on:
stay away from sex sites, BearShare, LimeWire etc. etc., cracks for software.
I worked on this stuff for 6 months just to see where all this junk comes from.
The crack sites have a lot of viruses. The only thing I can figure out why is the government is involved with this stuff. A lot of people tell me at times
they got a virus and I ask them what sites did you visit; 9 out of 10 times
it was either the sex sites or the illegal cracks and things. If you don't believe me then go and mess around with these, and good luck redoing your computer and loading Windows back up. That's the only thing you can really do when you get this junk; sometimes it takes reloading 2 times to take all the junk off. So like I said, watch where you go and do. I have been into computers since 1979, ran a BBS, so I know what I'm talking about, seen it and been there. There are things I know that will blow your mind about computers. I'll give you one big hint: it's a tracking device. So big brother, I hope I spoiled it for you.
2005-11-27, 02:46:41
partyland ;) from Latvia  
How to get that file? Each time when I turn on the PC, that stupid window says your PC can't find ibm0001.exe :( What must I do?
2005-11-28, 11:25:59
kiki from United States  
I have a new problem... after dealing with Spysheriff and following the instructions on getting rid of it.... I got my desktop back to normal, however I am being bombed with pop-ups as if I was trying to send an email from Outlook and Norton would be checking it for virus... Over and over..... the pop-ups emulate the Symantec real deal and will read scanning message one of eleven. It will keep on doing it until it fills the entire desktop. Has any of you had this before? I thought I got rid of Spysheriff and now this..... Dang it!
2005-11-29, 11:40:57
rzwierz from Poland  
Thanks a lot. You saved me a lot of work by telling about the spaces that will be put between explorer.exe and the path to ibm00.....

You're great.
2005-11-29, 17:12:01
trinitron79@yahoo.com from United States  
I'm getting the same thing as kiki. Not sure what else to check. I did notice that I had little boxes in the MSCONFIG for programs to run when the computer starts. Any ideas?
2005-11-30, 20:01:16
keith737@ntlworld.com from United Kingdom  
I got these infections and the little red circle and the X.
WinPatrol informed me immediately.
A very good little program.
2005-12-01, 17:42:27
Danny_skunk@yahoo.com from United States  
I deleted Spysheriff, and stopped all files I knew of that were not of my system. After working a while, I got the desktop back to normal. My only problem is that Svchost.exe is working 100% of the computer. I am able to end this supposedly important file through the Task Manager, and get my computer back to normal, but I don't want to have the risk.
2005-12-02, 12:10:06
anonymous from United Kingdom  
The box is removed and so is Spysheriff, but I still can't change my background.