
Removed Spysheriff, now error message 'ibm0001.exe not found'


Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear whether this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file, or delete it with a tool that removes it right at boot time, the registry will still contain a reference to the file, and Windows will report it as not found when booting.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, the entry will have ibm0001.exe (or another file such as kernels64.exe) as an argument after explorer.exe, for example:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you only glance at the entry, you will not see the argument. Make sure to open the value for editing.
Alternatively, you can search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe was started with ibm00001.exe as a parameter passed through system.ini. (This may depend on the Windows version.)

  1. Open the file SYSTEM.INI with NOTEPAD and press F3 to find this line:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
[Screenshot, thanks to the anonymous poster]
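
The Shell check described above, including the padded-with-spaces case from the update and the SYSTEM.INI variant, as a read-only PowerShell audit. This is an added example, not part of the original article; the function name Test-ShellValue and the sample strings are constructed for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the two shell launch points in the article.
# Test-ShellValue and the sample strings are constructed for illustration.
function Test-ShellValue {
    param([string]$Source, [string]$Value)
    # Replace every run of 2+ whitespace characters with a visible marker so
    # an argument pushed out of view by padding cannot be overlooked.
    $visible = [regex]::Replace($Value, '\s{2,}', { param($m) "<$($m.Length) whitespace chars>" })
    [pscustomobject]@{
        Source  = $Source
        # Clean only if the value is the bare word explorer.exe, nothing after it.
        Clean   = ($Value.Trim() -eq 'explorer.exe')
        Length  = $Value.Length
        Visible = $visible
    }
}

$results = @()

# 1. Live registry value: HKLM ...\Winlogon, entry 'Shell'.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
$results += Test-ShellValue -Source 'Winlogon\Shell' -Value $shell

# 2. Any shell= line in SYSTEM.INI (only present on some Windows versions).
$ini = Join-Path $env:windir 'system.ini'
if (Test-Path $ini) {
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\s*shell\s*=(.*)$') {
            $results += Test-ShellValue -Source 'system.ini' -Value $Matches[1]
        }
    }
}

# 3. Constructed samples modelled on the entries quoted in the article.
$padded = 'explorer.exe' + (' ' * 200) + '"c:\ibm00001.exe"'
$results += Test-ShellValue -Source 'sample: clean'  -Value 'explorer.exe'
$results += Test-ShellValue -Source 'sample: padded' -Value $padded

$results | Format-List Source, Clean, Length, Visible
```

A Clean value of False on either live source means the entry should be opened and edited back to 'explorer.exe' as described above; the Length column exposes padding even when the visible text looks normal.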



Comments:

You are on page 8 of 11, other pages: 1 2 3 5 6 7 [8] 9 10 11
2006-02-04, 07:53:17
herman from Netherlands  
To remove Spysheriff, look here:

http://securityresp..eriff.html
2006-02-04, 12:57:28
herman from Netherlands  
Hello, when you want to remove the popups of Spysheriff, install Spy Doctor, then run it, and afterwards go to safe mode and run it again in safe mode, and restart again, and you won't have any more popups and spyware.
I hope for you that it will also work for your Windows and computer. I don't have any more spyware on my computer.
Greetings, Herman from Holland
2006-02-13, 12:59:47
anonymous from Ecuador  
Thanks... I had the message "ibm0001 could not be found"... and I cleared it with regedit =)
2006-02-13, 16:22:51
anonymous from United States  
For anyone who deleted this file and still gets this message, I have two freeware files for you to download. I found that Microsoft Antispy is better than Ad-Aware. Also, AVG Free is better than anything I have seen. These two in conjunction took my computer from being a hunk of parts to something that I could actually use. Any questions, email me: lion_heart_04@hotmail.com
2006-02-14, 21:49:02
anonymous from United States  
You guys are f-ing awesome. I wish I were as good as you so I could help out. Thank you, thank you, thank you.
2006-02-16, 18:59:59
anonymous from United States  
I will personally beat the shit out of whoever created this program if I can ever get any information on them. Please post anything you can get and I will post pictures of their broken nose.
2006-03-06, 14:51:01
anonymous from United States  
I don't have the kernels64.exe file, but I do have the kernels32.dll. Is it safe?
2006-03-12, 16:13:48
anonymous  
Thanks very much for your help!!!!
2006-03-16, 15:54:19
anonymous from United States  
Thanks for the help, you saved my computer. It was the spaces, so I did not see it.

After I edited it, it worked fine.

Thanks again =)
2006-03-18, 12:06:12
anonymous from India  
Hey, thanks a lot for the help. You helped me remove that startup X...
Cheers!!....:-)
2006-04-03, 18:49:16
anonymous from United States  
Thanks, I too was hit with the crap, lol. It also added several other things: tetrez3.exe, winstall.exe and tools*.exe, but most of it didn't get done; I rebooted whilst the installer was still going on. I still had to dig out 10 or 15 reg settings. Those damn spaces threw me off too; that's where this thread came in to help. And I have seen lots in the registry about Spysheriff protecting desktop settings and home page stuff. So you with the desktop color problem, I'd look into that. And it changed my hosts file also.

Thanks again
2006-04-11, 16:10:37
damn from Mexico  
Hey, I've read this forum like 100 times and I don't know why I still can't modify the explorer.exe. Regedit sends this message: 'Cannot edit Shell: Error writing the new value'. Any ideas, guys??
2006-04-15, 08:51:24
mlegal from Brazil  
Thanks to all the people who contributed to the solution of this problem.
2006-04-27, 07:58:01
anonymous from Trinidad and Tobago  
Hey, thanks for all that info, but I'm searching in the system.ini and I can't find shell=explorer.exe ibm00001.exe! But Spysheriff is still there!! Can anyone help me?
2006-04-30, 17:49:48
al-da-pal from United States  
Great help. I right-clicked the Shell entry and then just modified it down to explorer.exe. Much thanks.