
Removed Spysheriff, now error message 'ibm0001.exe not found'

 


Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear if this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file, or if you delete it using a tool which deletes it right at boot time, you will still have a reference to this file in the registry.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you just briefly view the entry, then you will not see the argument. Make sure to edit the value.
Alternatively you can also search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a parameter passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:
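
The two checks described above (the Winlogon 'Shell' value and the shell= line in system.ini), as a read-only PowerShell check. This is an added example, not part of the original article; the function name Test-ShellValue and the sample strings are constructed for illustration, and the 300-space padding is an arbitrary figure.

```powershell
# Added example (not from the original page). Test-ShellValue is a
# name made up here; it only reads settings and changes nothing.
function Test-ShellValue {
    param([string]$Source, [string]$Value)
    $trimmed = $Value.Trim()
    # Program name first, then anything that follows the first whitespace run.
    $parts = $trimmed -split '\s+', 2
    $extra = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    [pscustomobject]@{
        Source  = $Source
        Length  = $Value.Length   # a long value betrays space padding
        # Collapse runs of spaces into a visible marker so the tail cannot hide.
        Visible = [regex]::Replace($Value, ' {2,}', { param($m) "<$($m.Length) spaces>" })
        Extra   = $extra
        Clean   = ($trimmed -eq 'explorer.exe')
    }
}

# Constructed samples: a clean value, a padded one, and a system.ini style one.
$samples = @(
    'explorer.exe',
    ('explorer.exe' + (' ' * 300) + '"c:\ibm00001.exe"'),
    'explorer.exe ibm00001.exe'
)
$samples | ForEach-Object { Test-ShellValue -Source 'sample' -Value $_ }

# Live check 1: the Winlogon 'Shell' value named in the article.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $key) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell) { Test-ShellValue -Source 'Winlogon\Shell' -Value $shell }
}

# Live check 2: any shell= line in system.ini.
if ($env:windir) {
    $ini = Join-Path $env:windir 'system.ini'
    if (Test-Path $ini) {
        Select-String -Path $ini -Pattern '^\s*shell\s*=\s*(.*)$' | ForEach-Object {
            Test-ShellValue -Source 'system.ini' -Value $_.Matches[0].Groups[1].Value
        }
    }
}
```

Any row with Clean = False shows the hidden argument in the Extra column, however many spaces precede it.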



Comments:

2006-05-06, 12:44:25
anonymous from United States  
Found mine at the end of a lot of spaces....

2006-05-21, 11:05:24
Geo from Greece  
hi i need help here? PLZ! I have this kernels32.dll i think it is a virus. Also i Use ctrl+alt+delete and i can`t use it to close or open some programs cause a message at my screen pop-ups and telling me that it is disabled (ctrl+alt+delete). I use windowsXP . I found Kernels32.dll and Kernels8 at C:\WINDOWS\system32 . I also tried to delete these 2 files but no use cause it telling me that they are already on use. Then i hit ctrl+alt+delete and nothing.. same message again .
2006-05-28, 11:31:58
anonymous from United States  
Thanks so much!!!
2006-06-03, 05:29:41
Enforcer from Lithuania  
I've read that some of you have problem with outgoing spam mail. It might be that Spysheriff also makes your computer a spam-zombie, so this is what I did: Loaded BartPE, it's CD bootable Windows and deleted Outlook from Program Files, because other way it just won't let me.

P.S. I wouldn't advise to delete kernel32.dll because it may be core file.
2006-06-07, 03:06:08
anonymous from India  
hi, i had the ibm0001.exe prob at the startup. i then downloaded regseeker with the help of which i cud find the ibm000 file on the registry, but instead of removing spaces, i deleted it. n now the problem has gone worse, the popup hasn't gone, but even my wallpaper has vanished.
guys can u tell a solution to my prob?
2006-06-07, 07:20:02
Paul from United Kingdom  
I have the ibm00001.exe message when starting up my pc, I have panda AV installed and I am not a pc genius, most of what you are all saying is like another language to me, could someone please explain in simple terms how to get rid of this message or whatever it is my pc has got.
thankyou very much :)

update :- ok I have found the 'shell' thing in the registry so do I just delete this down until it says explorer.exe and then reboot? is that all I have to do to be safe again?

what are the chances of all my info being stolen, I have had this on my pc for a good few weeks, I have noticed that nothing has gone missing (cash etc.) as of yet !!

BTW - do I have to do all this in safe mode ?

thanking you very much again !
2006-06-08, 07:43:57
Paul from United Kingdom  
BTW - My Panda AV got rid of a virus called Trj/Torpig.BU - what is this ? and it wont let me alter the shell thing back to explorer.exe - it keeps blocking the action !!!.

SOMEONE PLEASE ANSWER THESE MESSAGES, IM DESPERATE !!!!!!!!!!!
2006-06-09, 12:12:54
Paul from United Kingdom  
THANKS for all the replies - NOT ! anyways Panda AV says there are no viruses etc. and I have deleted the shell thing, all thats left is explorer.exe

so does this mean im in the clear now ? is there anything else to do ?
2006-06-13, 14:32:41
[hidden] from Canada  
I did everything in the regedit ...i found explorer.exe but nothing next to it ...how do I get to the ibm00001.exe...i still have the dialog box...but i don't think i have anything..I remember that Norton got it ..I put it in the quarantine and after I delete it from Norton...but I still have the box when I open my computer..
2006-07-01, 18:33:32
anonymous from Portugal  
Hey people...I just fixed this 'problem'....you have to open regedit and make a search...just type ibm0000
Next, delete all the entries related...mine were like ibm0001 and one or two more....after this, search again...you will see that it highlights an entry named 'Shell'. you have to click on it and press 'modify'. Where it says below 'value data' you just have to edit what it has there. Since I didn't know if this entry was important or not I left it only with 'explorer.exe' at the value data.
Close Regedit and restart your computer and it'll be gone! :) GO PORTUGAL!!world soccer champion 2006 xD i hope :)
2006-07-13, 13:41:02
anonymous from United States  
see - Shell: explorer.exe 'c:\ibm00001.exe' - above

I had this line but so much white space was added all I saw was 'Shell: explorer.exe'.

Only after hitting EDIT did it show up. Took me 2 days. Now I get a clean boot.
2006-08-04, 08:31:55
[hidden] from Canada  
Ok. A quick question for someone who knows what they're talking about. I first tried the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon solution, (after having deleted that damn ibm00001.exe file months ago), but there was no value set at all - just 'default' in the name column, and 'value not set' in the data column. No problem. Tried looking in my system.ini file, and lo and behold, there it was. Deleted the value and rebooted, and the little message at startup is now gone, which was my objective. But out of curiosity, having seen this mentioned here, I searched the registry from regedit for 'ibm0001' (and 'ibm000,' but came up with the same results), and found several entries. I've included a pic showing both the search screen and the results. Maybe excessive, and useless to anyone reading this, but I really have no idea. Here's my question: I don't know much about computers, and this is pretty much totally unknown territory for me, obviously. The problem is gone, but with mention of all that crap still in my registry, is this causing any issues, however tiny, that I could just eliminate by deleting these other entries? Even if it's simply slowing my computer down a tiny bit on startup, I want that gone, but I don't want to do anything that could cause any more problems, either. Could someone please tell me whether or not to delete any and/or all of those entries, and if so, which ones?

**Shit. I am a moron. I was about to try to type all this in in text, since I realize the pic I uploaded isn't legible, when I realized what all these entries were, and confirmed it with Google. For those of you who know what this means, here's a chuckle for ya. The registry key I found all these entries in was HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Explorer\er\Doc Find Spec MRU. Please excuse me; I'm going to retire to the corner with my dunce cap now.


2006-10-04, 21:44:24
j.oddy@aapt.net.au from Australia  
I had the Spysheriff problem. The solution i used was:

1: Downloading RegSeeker ( http://www.hoverdes..Seeker.zip )
Run that, then click find in registry, type in 'ibm0000' (minus the quotations)
It will run and find around 5 entries.

* ibm00001.exe
* ibm00001.dll
* ibm00002.dll

And two ibm0000 files related to the computer startup

2: Download smitFraudfix ( http://siri.urz.fre..audFix.zip )

Restart your computer in safe mode, then run smitFraudfix, and follow the prompts.
Clean the registry when prompted.
WAIT FOR THE COMPUTER TO RESTART!!! I cannot stress this enough. Wait for the computer to do its thing. it is part of the cleaning process.

3: Go to the start menu, click run. Type regedit.
Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
2006-10-04, 21:45:26
anonymous from Australia  
then edit 'explorer.exe c:\.........ibm.exe' down to explorer.exe.


PROBLEM FIXED !
2006-10-15, 22:55:10
anonymous from India  
Thanks! I found reference to IBM00001.exe in the system.ini file. Now the problems gone. Keep up the good work.