
Removed Spysheriff, now error message 'ibm0001.exe not found'

 


Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear whether this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file, or delete it with a tool that removes it right at boot time, a reference to the file will still remain in the registry.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

On an infected machine, the entry will have ibm0001.exe (or ..) as an argument after explorer.exe, for example:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Change this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you only glance at the entry, you will not see the argument. Make sure to open the value for editing.
Alternatively, you can search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe was started with ibm00001.exe as a parameter passed through system.ini. (This may depend on the Windows version.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
[Screenshot, thanks to the anonymous poster]
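
The two checks described above (the Winlogon 'Shell' value and the 'shell=' line in SYSTEM.INI) can be expressed as one small audit routine. This is an added example, not code from the original article: the function names `audit_shell` and `audit_system_ini` are hypothetical, the sample values are constructed from the ones quoted above, and the baseline is the article's strict one (anything other than a bare 'explorer.exe' is reported).

```python
import re

EXPECTED = "explorer.exe"  # what the article says 'Shell' should contain

# First token (quoted or bare), the whitespace run after it, then the rest.
_SHELL_RE = re.compile(r'^\s*("[^"]*"|\S+)(\s*)(.*?)\s*$', re.S)

def audit_shell(value):
    """Inspect one Shell value and report anything that follows the program."""
    m = _SHELL_RE.match(value)
    if m is None:  # empty or whitespace-only value
        return {"program": "", "extra": "", "padding": 0, "clean": False}
    program, padding, extra = m.group(1).strip('"'), m.group(2), m.group(3)
    return {
        "program": program,
        "extra": extra,           # what gets launched alongside the shell
        "padding": len(padding),  # whitespace pushing 'extra' out of view
        "clean": program.lower() == EXPECTED and extra == "",
    }

def audit_system_ini(text):
    """Audit every 'shell=' line found in the text of a SYSTEM.INI file."""
    results = []
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "shell":
            results.append(audit_shell(val))
    return results

# Constructed samples modelled on the values quoted in the article.
SAMPLE_SHELLS = [
    "explorer.exe",
    'explorer.exe "c:\\ibm00001.exe"',
    "explorer.exe" + " " * 200 + "'c:\\Windows\\System32\\kernels64.exe'",
]
SAMPLE_INI = "[boot]\nshell=explorer.exe ibm00001.exe\n"

if __name__ == "__main__":
    for r in [audit_shell(v) for v in SAMPLE_SHELLS] + audit_system_ini(SAMPLE_INI):
        status = "OK" if r["clean"] else "SUSPICIOUS"
        print(f"{status:10} program={r['program']!r} extra={r['extra']!r} "
              f"padding={r['padding']}")
```

The `padding` field makes the case from the update visible: a value that looks like plain 'explorer.exe' in a narrow registry view still reports its trailing argument and how many spaces were used to hide it.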



Comments:

You are on page 6 of 11, other pages: 1 2 3 4 5 [6] 7 8 9 10 11
2005-12-30, 12:19:08
anonymous from United Kingdom  
I had this Trojan.Anserin on my pc today and have spent all day trying to get rid of it.

Almost had it 2 hours ago but for some reason each time I log on to the internet all the normal pages I frequent are not in the cookie folder anymore and I have to re-enter user/passwords again.

Out of desperation I tried to delete the two files that were either a) infected (as indicated by the Norton Anti Virus search) or b) created at the same time as the infected file.

The two files I deleted from the C drive were (and the recycle bin)

ibm0001.dll (blue square symbol)
ibm0002.dll (coloured cog symbol)

Then I re-booted and have lost my desktop shortcuts and the Start key all together. All I have is my screen with the wallpaper on it and to access any other programs I have to go via the Task Manager. Outlook express and Internet explorer are still useable but I'm really worried what I've done to the PC with this.

Anyone got any ideas/tips please??

HELP!!!
2005-12-30, 20:59:41
anonymous from Colombia  
Thanks very much for all the tips, I finally found the solutions.
Pablo
2005-12-31, 18:58:01
anonymouse from Argentina  
my pc isn't normal yet... although i can access all the settings that spy sheriff blocked, it's still not working the same as before spy sheriff attacked this pc...
2006-01-01, 02:12:03
dychang@rochester.rr.com from United States  
And now what!
My Background system does not work anymore.
There is no color for wallpaper right now..
What should I do?
Whenever I try to set up the background, the background is locked and I am unable to click!! It's almost gone, something.. I don't know _-_;;;
How can I get My Background to work!! Spy Sheriff killed my Background system..
2006-01-01, 02:15:10
Same Here. from United States  
I fixed it.. finally.

After I rebooted my computer, it was fixed!!!

Thanks guys for help!!!!!!!!!!!!!!! (Reboot!! Don't forget it!!!!!!!!!!!)
2006-01-01, 05:26:46
anonymous from United States  
i got rid of some stuff. i couldn't find a lot of the stuff that was mentioned like the timer and the shell. i got rid of the background at least. well for the most part anyway. i need help with that :P my problem is i have a scrolling warning at the top of my screen that says press here for help. is this part of the program too? i refuse to click on it (i'm computer dumb) please help me ><><><
2006-01-01, 16:57:07
anonymous from United States  
If anyone still having problems hasn't read the page here about SpySheriff, please do so! The scrolling warning is mentioned there. I never had that problem, or the change to my desktop, but many there have, and if you read everything, the solutions are likely there. Just go to the top of this page and in the search box type in Spy Sheriff.
2006-01-02, 04:01:33
com_on_back@yahoo.co.in from India  
I'm using WINDOWS XP for this but i didn't have explorer.exe 'c:\ibm00001.exe'
i only had explorer.exe
and pc is still having that red with white X saying ur computer is infected. plz helppppp
2006-01-02, 12:08:38
anonymous from Germany  
@ ke*g**.us these nice files came on my pc (just 1 link clicked and it was done) :
$_2341233.TMP <<< check this one - here are all my stored passwords in :|
$_2341234.TMP
base.avd
base001.avd
base002.avd
country.exe
desktop.html
found.wav
heur000.dll
heur001.dll
heur002.dll
heur003.dll
HOSTS
ibm00001.dll
ibm00001.exe
ibm00002.dll
IESecurity.dll
Install.dat
kl.exe
notfound.wav
paytime.exe
ProcMon.dll
removed.wav
secure32.html
SpySheriff.dvm
SpySheriff.exe
tool2.exe
Uninstall.exe
uniq
winstall.exe

i think it was a .wmf exploit over javascript
i've restored nearly all except the wallpapers - i still can't change it in the dialog anymore (greyed out)
what i did to remove it:
killed all tasks and deleted the files which were created at the same time when they came
all was deletable except the ibm00002.dll - booted winpe therefore and deleted this also

now i'm running the IE as low-privileged user and hope it prevents this shit
2006-01-02, 12:10:33
anonymous from Germany  
anyone knows how often the content of $_2341233.TMP will be sent to their f*cking webserver?
2006-01-02, 13:24:19
anonymous from United States  
I don't care if the asshole who started this crap is 13... I want their ass in jail or Juvi!!!! If their site accepts payment.. it's traceable. Who do I contact to press charges and begin a class action suit?
2006-01-02, 14:19:56
anonymous from United States  
Will someone who paid these idiots check with their CC company to get a physical address of who owns, operates or created Spysheriff? Please post any and all contact info. Any Information will be helpful. I intend to prosecute... someone pissed on the wrong tree!!!
2006-01-02, 19:32:31
[hidden] from United States  
My problem is that it has taken over my Internet Start/Home page. Makes it secure32.html. Can't change it to anything else. Even removed that from Windows but no result. Not very good on this any way. Help..... thanks to all

Edit:
FOUND ANSWER ABOVE AT:
http://www.delphifa..1005.shtml

THANKS FOR THE POST
2006-01-03, 15:33:36
Daniel from Ecuador  
Question, please Help!

I have the file TOOL5 in c://WINDOWS

Should I delete this one too???

Thanks!!!!
2006-01-04, 14:11:57
Menash from Israel  
Please help me!
I've done everything and got rid of spy sheriff.
only problem left is that i can't put nothing on my desktop and it shows me that there is nothing on it, i can change my background, but can't do nothing on desktop its empty its like my desktop is locked or something.
HELP!