DelphiFAQ Home Search:

Removed Spysheriff, now error message 'ibm0001.exe not found'

 

comments151 comments. Current rating: 5 stars (33 votes). Leave comments and/ or rate it.

Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear if this ibm0001.exe is really related with Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file or if you delete it using a tool which will delete it right at boot time, then you still will have a reference in the registry to this file.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only. and delete the file kernels64.exe which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you just briefly view the entry, then you will not see the argument. Make sure to edit the value.
Alternatively you can also search the registry for occurences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check in your file 'system.ini' as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a paramater passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
Here's a screenshot, thanks to the anonymous poster:


Content-type: text/html

Comments:

You are on page 10 of 11, other pages: 1 2 3 7 8 9 [10] 11
2007-01-30, 15:21:16
anonymous from United States  
I had spysheriff awhile back and I uninstalled it but I still can't alter my desktop background, occasionally when the computer is shutting off the image I had there pops up just before windows begins to shut off. How can I alter my background image again?
2007-02-01, 10:28:57
anonymous from United States  
thankssssssss
2007-02-06, 23:01:59
anonymous  
rating
i have been facing problems with The IBM0001.dll/exe files...a message saying ibm0001.exe not found 'did pop up once....Does this problem has to do anything with my Internet Dial-up settings....everytime I try to connect to my ISP....
it gives an error saying
'Invalid Username and Password'.....

I tried deleting all connections and created a new connection , however the problem still persists....
Please tell me what is causing this problem and how to get rid of it?
Regards..
2007-02-11, 18:29:12
anonymous from Switzerland  
I've got in c:\WINDOWS only a system.ini file that contains very few text. Seems quite strange as i know that system.ini should actually manage the boot-process. This is what it contains:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON

No 'shell=explorer.exe' or something... i tried to F3-search this string, but no success. On the other hand, there is a log-file (named setupapi.log) which prooves that following happened:

#-199 Executing 'C:\WINDOWS\explorer.exe' with command line: explorer.exe (lots of spaces...) 'C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe'
2007-03-13, 13:49:07
anonymous from United States  
Yahoo antispy now will fix the frozen background image problem caused by spy sherriff. Best of all you don't have to edit your registry manualy. This program is free with yahoo tool bar and can be deleted after the problem is fixed if you don't want it. http://toolbar.yahoo.com/
2007-04-29, 19:36:49
[hidden] from United States  
I hate spysheriff and i think it is dumb and will call it'the dumbix of the world' and spysheriff is invalid in the world and the people who made it are evil.


Keywords:
2008-10-29, 23:12:56
anonymous from United States  
rating
i deleted the program with no interference
2009-02-13, 07:32:10
niklabh@yahoo.com from India  
rating
yaar kamaal ho gaya apka faq padhkar maine 2 year purana error message
'windows cannot find 'regsvr.exe' please cheack the name and try again' hata diya
2012-12-19, 00:03:20
anonymous from China  
<a href=' http://www.wonderfu..>ibeats earphones</a> is characterized by its solid housing,sllyjfdibeats balanced sound quality and purest sound producing. Monster Ibeats have Solid metal housing resists vibrations for purest sound without sonic side effects ControlTalk on-cable mic for convenient hands-free calling with iPhones and smartphones ControlTalk track seeking capabilities without touching your iPod or music phone. This <a href=' http://www.wonderfu..>ibeats earphones</a> unlike ordinary in-ear headphones,ibeats earphones are constructed from solid metal housing.With the <a href=' http://www.hotmusic..'>beats by dre mixr</a>, you can freely enjoy the beautiful music without being disturbed by the outside noise.We supply all kinds of beautiful Monster <a href=' http://www.wonderfu..'>Beats by dre</a>, such as ibeats earphones,<a href=' http://www.wonderfu..l'>solo hd bluetooth</a>,<a href=' http://www.hotmusic..'>beats studio headphones</a> and <a href=' http://www.hotmusic..>purple beats by dre</a>
2013-12-04, 16:35:48
ryanrogues2003 from United States  
rating
to tina,
go to this forum and read the answer: http://www.delphifa..1014.shtml
2013-12-05, 07:44:14
anonymous  
https://www.youtube.com/watch?v=QLmHspEL8ms
2013-12-05, 07:44:16
anonymous  
https://www.youtube.com/watch?v=QLmHspEL8ms
2015-02-01, 00:16:12
anonymous from Branson, United States  
It's posts like this that make surfing so much plaseure
2015-02-01, 05:21:31
anonymous from San Antonio, United States  
Stellar work there evyoerne. I'll keep on reading.
2015-02-21, 00:49:30
anonymous from Indonesia  
Saya haturkan banyak terima kasih, karnah aki COKENG membantu memberikan solusi,,,kini saya udah lepas dari kendala yg saya alami kemaren, dan angka yg aki berikan sangat tepat, hanya sekali ini saya main togel...Buat kamu yg pengen menang togel....bisa hub: Ki Cokeng di: +6285394330318. terima kasih.
You are on page 10 of 11, other pages: 1 2 3 7 8 9 [10] 11

 

 

NEW: Optional: Register   Login
Email address (not necessary):

Rate as
Hide my email when showing my comment.
Please notify me once a day about new comments on this topic.
Please provide a valid email address if you select this option, or post under a registered account.
 

Show city and country
Show country only
Hide my location
You can mark text as 'quoted' by putting [quote] .. [/quote] around it.
Please type in the code:

Please do not post inappropriate pictures. Inappropriate pictures include pictures of minors and nudity.
The owner of this web site reserves the right to delete such material.

photo Add a picture: