
Removed Spysheriff, now error message 'ibm0001.exe not found'

 


Question:

Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?

Answer:

It is unclear whether this ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research it has been found that they appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:
ibm00001.dll
ibm00001.exe
ibm00002.dll
kernels64.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe


If you boot in safe mode and delete this file, or if you delete it using a tool which deletes it right at boot time, you will still have a reference to this file in the registry.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

Update:
As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you only briefly view the entry, you will not see the argument. Make sure to edit the value.
Alternatively, you can search the registry for occurrences of the term 'ibm000'.

Note:

If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe is starting with ibm00001.exe as a parameter passed through the system.ini. (This may depend on the various Windows versions.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
(Screenshot, thanks to the anonymous poster.)
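The check described above for both the Winlogon 'Shell' entry and the SYSTEM.INI shell= line can be scripted so that an argument hidden behind a long run of spaces is not missed. This is an added example, not part of the original article; the function names are made up for illustration and the sample values are constructed from the entries shown above.

```python
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def check_shell_value(value):
    """Return (is_clean, extra, padding) for a Shell value.

    is_clean: the value is exactly 'explorer.exe' (case-insensitive)
    extra:    whatever follows explorer.exe, or the whole value if the
              shell was replaced outright
    padding:  number of whitespace characters hiding the extra argument
    """
    stripped = value.strip()
    m = re.fullmatch(r"(explorer\.exe)(\s*)(.*)", stripped, re.I | re.S)
    if m is None:
        return (False, stripped, 0)
    extra = m.group(3)
    return (extra == "", extra, len(m.group(2)))

def find_system_ini_shell(text):
    """Return the value of every shell= line found in SYSTEM.INI content."""
    pattern = r"^[ \t]*shell[ \t]*=[ \t]*(.*?)[ \t\r]*$"
    return re.findall(pattern, text, re.I | re.M)

def read_winlogon_shell():
    """Read the live Shell value from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]

if __name__ == "__main__":
    # Constructed samples modelled on the entries shown in the article.
    values = ["explorer.exe",
              "explorer.exe" + " " * 200 + '"c:\\ibm00001.exe"']
    values += find_system_ini_shell("shell=explorer.exe ibm00001.exe\n")
    if sys.platform == "win32":
        values.append(read_winlogon_shell())
    for v in values:
        clean, extra, padding = check_shell_value(v)
        print("OK " if clean else "BAD", repr(extra), "padding:", padding)
```

Any value reported as BAD should be edited back to 'explorer.exe' by hand as described above; the script only reads and never modifies the registry or SYSTEM.INI.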

