
Removed Spysheriff, now error message 'ibm0001.exe not found'

 


Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear if this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
  • ibm00001.dll
  • ibm00001.exe
  • ibm00002.dll
  • kernels64.exe
  • C:\WINDOWS\system32\paytime.exe
  • C:\WINDOWS\tool2.exe
  • C:\winstall.exe


If you boot in safe mode and delete this file, or delete it with a tool that removes it right at boot time, the registry will still contain a reference to the file.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you just briefly view the entry, then you will not see the argument. Make sure to edit the value.
Alternatively, you can also search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a parameter passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:
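
The two checks described above, as an added read-only PowerShell example (not part of the original article): it reports anything that follows explorer.exe in the Winlogon Shell value and in a system.ini shell= line, however many spaces hide it. The function name Test-ShellValue and the padded sample string are constructed for illustration.

```powershell
# Added example: read-only audit of the two "shell" settings named in the article.
function Test-ShellValue {
    param([string]$Value, [string]$Source)
    $trimmed = $Value.Trim()
    # Strip a leading explorer.exe (quoted or not); whatever is left is an
    # extra argument, no matter how many spaces pushed it out of view.
    $extra = ($trimmed -replace '^"?explorer\.exe"?', '').Trim()
    [pscustomobject]@{
        Source    = $Source
        Clean     = ($trimmed -ieq 'explorer.exe')  # the article's expected value
        RawLength = $Value.Length                   # 'explorer.exe' alone is 12 characters
        Extra     = $extra
    }
}

$results = @()

# Constructed sample: the space-padded form described in the Update section.
$padded = 'explorer.exe' + (' ' * 300) + '"c:\ibm00001.exe"'
$results += Test-ShellValue -Value $padded -Source 'constructed sample'

# 1. Winlogon Shell value in the registry.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$reg = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
if ($reg) {
    $results += Test-ShellValue -Value $reg.Shell -Source "$key\Shell"
}

# 2. shell= line in system.ini (only relevant on some Windows versions).
$ini = Join-Path $env:windir 'system.ini'
if (Test-Path $ini) {
    $results += @(Select-String -Path $ini -Pattern '^\s*shell\s*=(.*)$' |
        ForEach-Object {
            Test-ShellValue -Value $_.Matches[0].Groups[1].Value `
                            -Source "$ini line $($_.LineNumber)"
        })
}

$results | Format-List
```

A row with Clean set to False and a non-empty Extra shows the argument to remove; a RawLength far above 12 is the padding the Update warns about.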



Comments:

You are on page 7 of 11, other pages: 1 2 3 4 5 6 [7] 8 9 10 11
2006-01-05, 09:31:10
ReNe from Slovenia  
I removed all files of Spysheriff and everything is fine, but I have one problem... when I start Windows it opens a popup which says: can't find the path or try changing the name, something like that :S, of ibm0001. How can I remove this? Please help me.
2006-01-05, 15:32:01
anonymous from United States  
Friends, Spy bot search destroy ver1.4 gets rid of this pathetic 'VIRUS' of a program. The irony that an anti-spyware software can hijack your system then extort you to buy their crummy excuse for a program - Spybot is legit, free, and most importantly the real thing - spybot.com

-a user.
2006-01-05, 15:52:38
[hidden] from United States  
If you have problems with the red circles in the tray bar, look at this document:

http://www.delphifa..1014.shtml
2006-01-06, 09:21:01
[hidden] from Germany  
Hi. Had the same problem. Removed some trojans, had the ibm0001.exe not found error msg when booting up. This post helped me fix the problem. The registry key for shell was explorer.exe [lots of blanks] C:\blahblah...\ibm0001.exe. Searching the registry for ibm0001.exe didn't return any results for some reason. But thanks to your help I fixed it. Thank you!
2006-01-06, 17:29:28
from Canada  
same as above. Thanks.
2006-01-09, 06:53:27
dennis26miles@msn.com from United States  
I have something new with our friendly Spysheriff. It has made a large sale sheet my homepage. I got rid of everything so that it is gone from my regedit and add/remove -- but it has:

1. A balloon in my lower left hand corner says: 'Intrusion etc. blah, blah and click' -- of course a click infects

2. In the ctrl-alt-del there is a process labeled atlyd32.exe -- when I end it, it ends, and guess what -- it recreates itself and goes back in the processes automatically

3. When I find atlyd32 in the registry I cannot delete it as it is running -- and I cannot stop it from running.

How do we get rid of atlyd32?

Better, can we send the address of Spysheriff to the patriot's act committee to be put permanently in Gitmo

Help!!!!!!!!
2006-01-13, 20:33:37
[hidden] from Hong Kong  
thanks a lot, it really works
2006-01-14, 09:46:44
dennis26miles@msn.com from United States  
I found a new and better way to get rid of Spysheriff and all its morphs -- open up in safe mode and go to an earlier reset point -- it worked and I am healed
2006-01-17, 11:53:06
Malcolm from United Kingdom  
Thank you very much for this advice, it works!
2006-01-19, 15:05:28
anonymous from United States  
I need coordinates where that stupid Spysheriff is located...I want to shell them hard.
2006-01-24, 20:24:20
anonymous from United States  
Thank you very much for the tips and advice on how to get rid of SpySheriff. It worked.
2006-01-25, 12:23:07
herman from Netherlands  
Spysheriff is gone, but now I'm left with these annoying pop-ups. I use IE explorer and every 10 seconds or so I get a pop-up which opens in a new tab and occasionally a pop-up animation on the screen. Anyone with a solution to the pop-ups?
Help me, thank you
2006-01-29, 14:50:42
anonymous from Germany  
As mentioned near the start of this page, there may be a WHOLE LOT of spaces between Shell 'explorer.exe' and the remaining argument in the registry pane. Scroll horizontally to the very end of the pane and you will probably find an entry that contains 'ibm000...'. Delete it - problem solved!
2006-01-30, 12:02:41
anonymous from Lithuania  
Vot....
2006-02-02, 02:36:40
[hidden] from Greece  
I have the same problem on Windows XP Pro! Please advise! Thanks

C.