
Removed Spysheriff, now error message 'ibm0001.exe not found'

 

143 comments. Current rating: 5 stars (32 votes).

Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear if this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file, or delete it with a tool that removes it right at boot time, the registry will still contain a reference to the file. That leftover reference is what produces the 'not found' message at boot.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you only glance at the entry, the argument is pushed out of view and you will not see it. Make sure to open the value for editing and check all the way to its end.
Alternatively, you can search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a parameter passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:


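A check for the two places described above (the Winlogon 'Shell' value and the shell= line in system.ini), as an added example that is not part of the original article. The function names and the sample values are constructed for illustration, and the `[boot]` section header in the sample is an assumption.

```python
import sys

EXPECTED = "explorer.exe"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values (not taken from a real machine).
PADDED_SHELL = "explorer.exe" + " " * 200 + '"c:\\ibm00001.exe"'
SAMPLE_INI = "[boot]\n; constructed sample\nshell=explorer.exe ibm00001.exe\n"


def audit_shell_value(value):
    """Check one Shell value; anything after explorer.exe is suspicious."""
    text = value.strip()
    parts = text.split(None, 1)          # program name, then everything else
    head = parts[0] if parts else ""
    extra = parts[1] if len(parts) > 1 else ""
    # Whitespace run between the two parts: the padding that hides the
    # argument when the value is only glanced at in REGEDIT.
    padding = len(text) - len(head) - len(extra)
    ok = head.lower() == EXPECTED and not extra
    return {"ok": ok, "extra": extra, "padding": padding}


def audit_system_ini(text):
    """Audit every shell= line of a system.ini file's contents."""
    findings = []
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "shell":
            findings.append(audit_shell_value(val))
    return findings


def read_winlogon_shell():
    """Read the live Shell value (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    value = read_winlogon_shell() if sys.platform == "win32" else PADDED_SHELL
    result = audit_shell_value(value)
    print("Shell value:", repr(value))   # repr() makes the padding visible
    print("OK" if result["ok"] else
          f"SUSPICIOUS: {result['padding']} spaces, then {result['extra']}")
    for finding in audit_system_ini(SAMPLE_INI):
        print("system.ini:", finding)
```

Printing the value with `repr()` shows the full string, including a long run of spaces that would push the argument out of view.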

Comments:

2005-12-19, 19:18:57
anonymous from United States  
got rid of the spysheriff messages and the desktop, but still bombarded with the popups like mentioned above. cannot locate any of the files mentioned to cure the popups - i hope the spysheriff group contract aids -
2005-12-19, 21:56:15
elfy from United Kingdom  
thanks for the help, it helped a treat! thought i was going to have to format, again! if i have any more problems with it i will let you know, thanks again!
2005-12-21, 04:45:09
RabidMonkey from United States  
jussnb: I'm not entirely sure on whether it hijacks Symantec's applications or just emulates it, as you said, but in either case you can avoid the spamming via the email proxy by examining the processes list and simply killing the symantec ones when they spawn. They did appear as genuine symantec processes to me, too. In either case, if you kill the email proxy processes the messages will go away until you reboot, and by that time you should be able to clean out the infection, or at least the elements which are causing the major problems.
2005-12-21, 05:07:56
bhupen.jesalpura@gmail.com from India  
Thanks a lot. Because of 'ibm00001.exe' an unwanted page was opened.
2005-12-22, 18:58:51
anonymous from United States  
thanks a lot,

for those who can't get this fixed, i hope i can explain it a tiny bit better.
i thought when u open shell up ur supposed to change the ibm00001.exe in 'c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe' but they fooled me. just click on the command as if u were gonna type something, but instead press the left arrow key, then it will reveal that big space they were talking about. so just highlight everything EXCEPT explorer.exe and delete it
2005-12-23, 00:05:01
anonymous from United States  
Thanks so much every thing worked super fantastic.
you are a computer genius.......thanks.
how do you remove the spysheriff background
any suggestions?
2005-12-23, 00:46:37
anonymous from United States  
I GOT IT ! I GOT IT!!!!!!!!!!
to remove the annoying blue background do this..........
press run and type regedit........
go here.....
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
click the 'system' folder........
after you click it, on the left panel, you should get the one on the top that says 'default'.......
on the bottom delete the one that says 'wallpaper'
reboot your computer
tadah ! the blue spysheriff background does not load anymore !
2005-12-23, 02:42:48
Me from Canada  
Hey, I'm not sure what to do with the registry or whatever, but this is how I got rid of Spysheriff. I downloaded Ad-aware, Microsoft Antispyware, Spybot, clean up, and a few more (go to web page for directions). I updated the programs, removed my 'restore' which prevents the virus from hiding or something (I have the directions if needed), started back in safe mode and ran the programs. I didn't do anything else and things are pretty much back to normal.

http://search.netsc..23028.html
2005-12-23, 02:47:10
me from Canada  
Oh Yeah, better use a firewall like the free one from Zone Alarm as it will let you know when your computer is trying to access the internet and you can decide what to allow. Windows firewall won't give you that kind of control.
2005-12-24, 19:11:46
mytos_kunn@hotmail.com from Chile  
hi, need help. i don't have in regedit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
after policies i only have an explorer folder, that's all, and in the shell folder i only have explorer.exe, nothing about white space or 'ibm00001.exe', so i can't think of something to fix my desktop to normal. plz if anyone has another idea it would be very nice. need to end this spysheriff pain
2005-12-25, 14:19:38
Chaoticimpulse from United States  
To fix your desktop (get rid of the active desktop) go to control panel and go to 'display'. (This is the same as right-clicking on the desktop, but since it's actually a webpage, it brings up web-related menus and not the normal menu.) Go to the Desktop tab and then at the bottom, 'Customize desktop...' Another window with a 'Web' tab at the top should pop up; go to the 'Web' tab and uncheck the 'Warning' homepage box. Hit OK until you're all out of the boxes and it should be back to normal... For Win XP only, sorry :< -- Hope this helps
2005-12-26, 12:40:52
b_o_w_k_s@hotmail.com from United Kingdom  
Firstly, thank you to everyone who has contributed here; it took a long time but I have nearly erased all sign of spysheriff. All that remains is a yellow triangle in the taskbar, enclosing a black exclamation mark.
Clicking on the triangle opens this warning message:
'Warning your computer is at risk
Spyware detected on your PC
Windows did not find any spyware protection on this computer
Click to choose recommended spyware protection software'

Perhaps this warning doesn't really matter but it worries me, and after fixing so many problems on my computer I cannot let this thing win. Please help
2005-12-26, 13:16:05
b_o_w_k_s@hotmail.com from United Kingdom  
My computer also randomly loads adverts and webpages.
Please help
2005-12-26, 17:13:31
Chris from Venezuela  
I do all the steps and still i can put my wallpaper (i don't have anymore 'system infection or System Stopped) but i can change it... and the unwanted webpages keep popping up...
I deleted all the ibm000files.. all the winstall, all the spysheriff files...
and others (from different sources)... i fix the register... what else can i do?

It's much better now but the virus it's alive!!!! what can i do?
2005-12-26, 17:15:24
Chris from Venezuela  
wait... i do something from a guy upstairs and now i can change the background, thanks man... i use the way of the Regedit.exe, now is one problem less... Only the popups left... c'mon people we can!!!