This site is temporarily down. Please come back. Content-type: text/html; charset=utf-8 Removed Spysheriff, now error message 'ibm0001.exe not found'
DelphiFAQ Home Search:

Removed Spysheriff, now error message 'ibm0001.exe not found'

 

comments143 comments. Current rating: 5 stars (32 votes). Leave comments and/ or rate it.

Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear if this ibm0001.exe is really related with Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file or if you delete it using a tool which will delete it right at boot time, then you still will have a reference in the registry to this file.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only. and delete the file kernels64.exe which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you just briefly view the entry, then you will not see the argument. Make sure to edit the value.
Alternatively you can also search the registry for occurences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check in your file 'system.ini' as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a paramater passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:


Content-type: text/html

Comments:

You are on page 2 of 10, other pages: 1 [2] 3 4 5 6 7 8 9 10
2005-12-05, 05:09:38
anonymous from United States  
thanks for the registry key
2005-12-05, 13:55:16
anonymous from United States  
rating
Some sites have also included another nasty little payload with this one... Look for paytime.exe folders/app/reg values.
2005-12-06, 04:00:46
anonymous from Sweden  

-------------- ive got IBM0001 writen all over my registery :( its alota those and some are still there when i delite and come back
2005-12-06, 19:03:11
anonymous from United States  
if i find any spysherriff punks, i'll KILL EM
2005-12-07, 21:57:57
110baby@txcyber.com from United States  
rating
tina, had the same problem. i ran Norton 2006 fixed problem but got the X on start up saying couldn't find ....ibm00001.exe. i went to regedit located spaces and text after the explore.exe. modified it back to explore.exe and no more X. thanks for all the help
2005-12-08, 20:56:46
anonymous from Malaysia  
mine running on win 98 os, where can i find those regedit or wtever it call thing...this ibm00001 really suxx..anyone out there help me!!
2005-12-12, 14:41:13
anonymous from India  
rating
Please let us know the files that comes with spysheriff Pls..................... and my OS is win 2000
2005-12-13, 16:02:03
Meltdown from New Zealand  
I've removed the spyware fine but now I get the same problem, my pc is infected with popups. Damn bastards
2005-12-14, 13:43:48
anonymous from United Kingdom  
hi thanks for the advice....ive removed all the .exe's but when i logg on get the annoying windows can find ibm0001.dll ect ive followed your instruction but in regedit when i go all the way down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
i only see these folders
credentials
GPExtensions
notify
special accounts

i dont see the branch called shell

im also getting loads of pop ups please please help
2005-12-15, 09:46:09
jussnb from United States  
'I got my desktop back to normal, however I am being bombed with pop ups as if I was trying to send an email from outlook and norton would be checking it for virus... Over and over.....the popups emulate the symantec real deal and will read scanning message one of eleven. It will keep on doing it until it fills the entire desktop. Has any of you had this before?'

I'm having the same problem, although I'm pretty sure it isn't just 'emulating' the Symantec e-mail scan...the virus/worm is actually using our computers to send e-mails.

Can anyone help us out with this? Every time my computer connects to the Internet, it automatically starts sending out tons of e-mails.
2005-12-16, 22:23:34
anonymous from United States  
same problem here, as most of the above. only got this problem AFTER loading new version of NORTON WORKS which really sucks - maybe norton is in the deal with spysheriff.
2005-12-17, 15:37:42
anonymous from United States  
Explorer.exe is starting with ibm00001.exe as a paramater passed through the system.ini. The f3 find for the text should be able to find it. Open it with notepad and find

shell=explorer.exe ibm00001.exe

delete 'ibm00001.exe'
reboot and should be good

Picture of it here
http://www.myfilest..apcopy.gif
2005-12-17, 18:18:19
volfan67@excite.com from United States  
Hey, contracted the spysheriff crap, Got some useful advise but still can not change my background on my desktop. Could someone please help?
2005-12-18, 05:49:52
herman from Netherlands  
hello you must look in regedit for desktop.html remove it en you can change your background afgter you have don that you can change you background to normaal
2005-12-19, 02:23:59
connie from Malaysia  
Thanks!!!! The ways provided really save my computer.
You are on page 2 of 10, other pages: 1 [2] 3 4 5 6 7 8 9 10

 

 

NEW: Optional: Register   Login
Email address (not necessary):

Rate as
Hide my email when showing my comment.
Please notify me once a day about new comments on this topic.
Please provide a valid email address if you select this option, or post under a registered account.
 

Show city and country
Show country only
Hide my location
You can mark text as 'quoted' by putting [quote] .. [/quote] around it.
Please type in the code:

Please do not post inappropriate pictures. Inappropriate pictures include pictures of minors and nudity.
The owner of this web site reserves the right to delete such material.

photo Add a picture: