DelphiFAQ Home Search:

Removed Spysheriff, now error message 'ibm0001.exe not found'

 

comments148 comments. Current rating: 5 stars (33 votes). Leave comments and/ or rate it.

Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear if this ibm0001.exe is really related with Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file or if you delete it using a tool which will delete it right at boot time, then you still will have a reference in the registry to this file.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only. and delete the file kernels64.exe which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you just briefly view the entry, then you will not see the argument. Make sure to edit the value.
Alternatively you can also search the registry for occurences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check in your file 'system.ini' as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a paramater passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:


Content-type: text/html

Comments:

You are on page 5 of 10, other pages: 1 2 3 4 [5] 6 7 8 9 10
2005-12-28, 06:15:01
-DaNtsu- from Finland  
HEEELP!!! spysheriff changed my wallpaper to VIRUS INFECTION- your system is infected with blaa blaa blaa, how can i get rid of it looks so ugly with red txt on blk
2005-12-28, 06:23:44
DaNtsu from Finland  
wAAARning!!! found new involved file!! C:\windows\kl.exe is involved to the Win32.32.Anserin.R worm
2005-12-28, 09:42:44
Danie from Ecuador  
I fond this file !!!!

ibm00001.exe-31e6a1bc.pf in windows/prefetch

Any hint what is it????
2005-12-28, 14:32:07
SweetErica1974@yahoo.com from United States  
rating
I seem to have picked up SpySheriff along with paytime.exe packaged with either Kazaa or Limewire yesterday. The red circle with the white X seems to be related to a process called 'tool2.exe' in the windows folder. Try deleting that-- mine went away after that. Make sure you end the process in task manager first! I also deleted 'tool1, tool3, and tool4, as well as paytime.exe. Downloaded Spybot form majorgeeks.com, updated it, along with my ad-aware. deleted winstall.exe, and ran those. Spybot found quite alot. I've NEVER messed with RegEdit before...but found I can search it from ya'll. Deleted all those ibm0000*. I suggest also searching for paytime, KL, and 180up in the RegEdit. I hadn't heard that one mentioned yet. I use AOL dial-up, and I kept getting a message that 180up.biz was wanting internet acess, and it kept trying to start my AOL. Thanks for all the help!
2005-12-28, 14:44:47
SweetErica1974@yahoo.com from United States  
rating
Forgot to mention: At the top of the page, it is mentioned that there may be different versions of SpySheriff or degrees of installation. There MUST be, as I never had a problem with my desktop-- it remained normal, I just had the irritating bubble popping up over the red circle/ white X telling me that windows had detected spyware and to click to downlaod the latest spyware protection. I actually clicked on it at one point, I think. But I never had the ugly black and red screen screaming that I had a problem. My CPU usage was nearly constantly at 100% tho. This seems to be resolved so far, after doing the things I mentioned earlier. Thanks again!
2005-12-28, 16:30:21
anonymous from United States  
Whew! Got rid of the nasty ibm0001.exe, but where do I find the other two in the regedit area? Getting rid of this one worked like a charm, but I really want to get these other culprits as well. Suggestions? Search doesn't bring them up.

ibm00001.dll
ibm00002.dll
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe

Thanks...this site ROCKS!
2005-12-28, 18:05:53
anonymous from Germany  
as sniper mentioned> deleted everything but still have 10 iexplorers running (170 meg!) & tons of pop-ups.

anybody any idea how to get rid of it?
thx in advance
2005-12-28, 18:54:40
[hidden] from United States  
well, I just installed and did a full systmem scan with Norton 2006 and it got rid of all traces of this damn spysharrif and everything, my computer is running smooth again :)
2005-12-28, 19:29:47
anonymous from United States  
Just thought I would let you know after spending 2 days trying to find all of the ibm000 junk, I downloaded the REGSEEKER that was posted above, IT WORKED and very simple too! you just type in the name of the file you are looking for and it brings them all up, then you simply delete them, except for the one that comes up under shell-explorer ibm00001.exe that one you have to modify back to just shell explorer. I no longer have the error message on startup that sayC: \programfiles\commonfiles\microsoftshared\webfolders\ibm00000001.exe not found. Also there is noway I would have found them all, they were all over the place. what a crock of junk spysheriff is!! GoodLuck! RegSeeker is a nifty little free program I'm keeping!
2005-12-28, 19:35:06
[hidden] from United States  
rating
HELP!!! I THINK I DID EVERYTHING I was supposed to do, but when i open my internet explorer i get a message saying on the web page basically saying that an outside computer has gained access to my computer and that they know that i am using mozilla and stuff like that how do i get the internet explorer page corrected???
2005-12-28, 22:33:58
KanMan from United States  
rating
thanks man like most of you im done with this ghay spy sheriff but now im left with these annoying pop ups. I use firefox 1.5 and every 10 seconds or so i get a pop up which opens in a new tab and ocaisonally a pop up animation on the screen. anyone with a solution to the pop ups?
2005-12-29, 00:25:31
elmoztreat from United States  
rating
Thanks all for your efforts in finding a painful but helpful solution to this pesky culprit.
2005-12-29, 15:05:34
anonymous from United States  
Chaoticimpulse, thank you so much!! with your advice, i was able to get my desktop back ground again! and thanks to everyone who has contributed to this website.. you guys are awesome!
2005-12-29, 17:11:35
cybertwat from United Kingdom  
anyone know what file 'ekzzv.dll' is? it seems to be playing havoc with AVG, saying that virus Startpage.21.B1 is in the file - AVG keeps deleting it but it keeps reappearing, normally when I first open up IE. Managed to get rid of the Spysheriff desktop, but desktop now is slightly pixellated, and occasionally I'll have a scrolling message going across the top of the screen, warning me that spyware is present????

being a bit of a dumbf*ck as far as computers and registries go, etc., I'm struggling to understand a lot of what is being suggested here - is it easier to just reformat tha hard drive???

Oh yeah, and my home page keeps defaulting to about:blank, no matter how many times I try to change it.
2005-12-30, 06:07:24
anonymous from United States  
rating
How to delete Spy Sheriff after 24 hours later, I Fixed it. Solution was all the above plus Regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
This branch has an entry named 'Shell' which should simply say 'explorer.exe'.
In case of an infestation, it will have the ibm0001.exe as an argument after explorer.exe, e.g. like this:

Shell: explorer.exe 'c:\WINDOWS/system32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only. and delete 'c:\WINDOWS/system32\kernels64.exe' In addition delete file Kernels64.exe in C:
You are on page 5 of 10, other pages: 1 2 3 4 [5] 6 7 8 9 10

 

 

NEW: Optional: Register   Login
Email address (not necessary):

Rate as
Hide my email when showing my comment.
Please notify me once a day about new comments on this topic.
Please provide a valid email address if you select this option, or post under a registered account.
 

Show city and country
Show country only
Hide my location
You can mark text as 'quoted' by putting [quote] .. [/quote] around it.
Please type in the code:

Please do not post inappropriate pictures. Inappropriate pictures include pictures of minors and nudity.
The owner of this web site reserves the right to delete such material.

photo Add a picture: