
Removed Spysheriff, now error message 'ibm0001.exe not found'


143 comments. Current rating: 5 stars (32 votes).


Your article on Spysheriff is very helpful, however when booting I still get the message ibm00001.exe not found. Any suggestions?


It is unclear whether ibm0001.exe is really related to Spysheriff. When my machine was infected with Spysheriff, I did not have this file on my hard disk.
However, after some research, the two appear to be related. Maybe there are different versions of Spysheriff or different degrees of infestation.

This file is either in the root folder (c:\) or for example here:

c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Other files involved are:

If you boot in safe mode and delete this file, or delete it with a tool that removes it right at boot time, you will still have a reference to the file in the registry.

(Look at the registry by starting REGEDIT.EXE from the Run box.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This branch has an entry named 'Shell' which should simply say 'explorer.exe'.

In case of an infestation, it will have the ibm0001.exe (or ..) as an argument after explorer.exe, e.g. like this:
  • Shell: explorer.exe "c:\ibm00001.exe"
  • Shell: explorer.exe 'c:\Windows\System32\kernels64.exe'

Modify this registry entry back to 'explorer.exe' only, and delete the file kernels64.exe, which may be located either in c:\ or in c:\Windows\System32\

As described in the comments section, there may be a LOT of spaces between the word 'explorer.exe' and the argument. If you just briefly view the entry, then you will not see the argument. Make sure to edit the value.
Alternatively, you can search the registry for occurrences of the term 'ibm000'.


If you cannot find the reference in the registry, do not forget to check your 'system.ini' file, as reported by an anonymous user in the comment section. In his case, Explorer.exe is started with ibm00001.exe as a parameter passed through system.ini. (This may depend on the Windows version.)

  1. Open file SYSTEM.INI with NOTEPAD and press F3 to find it:
    shell=explorer.exe ibm00001.exe
  2. Delete the 'ibm00001.exe' here.
  3. Then reboot and it should be good.
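
The Shell check described above, covering both the Winlogon registry value and the system.ini line, as an added PowerShell example that is not part of the original article. The function name `Test-ShellValue` and the location of system.ini under %SystemRoot% are assumptions of this example; the sample values are constructed from the cases in the text.

```powershell
# Added example (not from the original article). Flags a "Shell" value that
# carries anything besides explorer.exe, even when the extra argument is
# pushed out of view by a long run of spaces.

function Test-ShellValue {          # hypothetical helper name
    param([string]$Source, [string]$Value)

    $trimmed = $Value.Trim()
    # First token is the shell program; whatever follows the first run of
    # whitespace is an argument, however many spaces sit in between.
    $program, $extra = $trimmed -split '\s+', 2
    $extra = if ($extra) { $extra -replace '^["'']+|["'']+$', '' } else { '' }

    [pscustomobject]@{
        Source     = $Source
        RawLength  = $Value.Length      # a clean value is 12 characters long
        Program    = $program
        ExtraArg   = $extra
        Suspicious = ($program -ne 'explorer.exe') -or ($extra -ne '')
    }
}

$results = @()

# Constructed samples mirroring the cases described in the article.
$results += Test-ShellValue 'sample: clean'  'explorer.exe'
$results += Test-ShellValue 'sample: padded' ('explorer.exe' + (' ' * 200) + '"c:\ibm00001.exe"')
$results += Test-ShellValue 'sample: ini'    'explorer.exe ibm00001.exe'

# Live checks (read-only). Skipped when not running on Windows.
if ($env:SystemRoot) {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $reg = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
    if ($reg) { $results += Test-ShellValue 'registry: Winlogon\Shell' $reg.Shell }

    # Assumption: system.ini lives in the Windows directory.
    $ini = Join-Path $env:SystemRoot 'system.ini'
    if (Test-Path $ini) {
        Select-String -Path $ini -Pattern '^\s*shell\s*=(.*)$' | ForEach-Object {
            $results += Test-ShellValue "system.ini line $($_.LineNumber)" $_.Matches[0].Groups[1].Value
        }
    }
}

$results | Format-Table Source, RawLength, Program, ExtraArg, Suspicious -AutoSize
```

The script only reads. A RawLength well above 12 on a value that looks like plain explorer.exe in REGEDIT is the padding case described above.
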
Here's a screenshot, thanks to the anonymous poster:



You are on page 4 of 10, other pages: 1 2 3 [4] 5 6 7 8 9 10
2005-12-27, 07:14:08
anonymous from Bulgaria  
Sometimes the 'explorer.exe ibm0001.exe' confuses you. You may not see it in the screen area; move right to see it.
2005-12-27, 07:46:44
Chris from Venezuela  
I've already fixed that but the background is still the same... but now it's all cool...

Let me tell you what happened... Yesterday, after I fixed all the problems, I ran the Norton LiveUpdate... it said that it needed to restart the PC, and later the PC said that an error occurred in 'Nmain.dll' (I think)... and the PC shut down... well OK, I thought it was part of the restart of the PC needed for Norton... BUT Windows doesn't work anymore!!!!... I started the PC but Windows doesn't work... well, I almost cried because my bro's university thesis was only on the PC... and my bro came and installed Windows XP again and it repaired it...

I still don't know what caused the collapse in Windows...
The 4 actions I did before that happened were:
1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
click the 'system' folder

2. Erased the file C:\NTDETECT.COM (I think it's here where I screwed it up). I found it suspicious and that's why I erased it... LOL

3. Erased the file in C:\document and settings\user account\application data\intall.dat (other source)

4. Ran the live update... and the error Nmain.dll happened.

That's all, people... someone tell me when I messed up...

In the other Windows accounts (my brother's, my mom's) there are still the popups... in my account they don't happen anymore. I copied the addresses of the popups and in Internet Explorer went to TOOLS, then Internet options or settings, I don't know what the hell it says (my PC is in Spanish), Privacy and then Sites... I added the sites of the popups and pressed BLOCK... I don't have them anymore... =) But when I scroll down in my Internet Explorer it moves slowly, like 'lag'. What can I do to fix this?...

And what program do you recommend to block the popups, and other things?????

Thanks a lot... Sorry for my bad English, I do my best... I speak Spanish...
2005-12-27, 08:52:32
anonymous from United States  
An excellent program to use is RegSeeker; I think it's freeware. Anyway, you just type in ibm000 and it will find all the related entries in the registry, then you just need to delete them!
2005-12-27, 09:19:20 from United Kingdom  
Sorry to take up more time but I am worried that I may actually have spyware on my computer, in addition to the false warnings put out by spysheriff. I have a yellow triangle containing an exclamation mark in my taskbar. If anyone has had the same thing and got rid of it, please tell me.

My other problem is that the 'Warning' wallpaper keeps reappearing. I delete it every time from the control panel.
2005-12-27, 10:25:20
anonymous from United States  
My webpage defaults to secure.32 - even if I reset it in internet options... Help
2005-12-27, 11:18:06
anonymous from United States  
agree with Anonymous above: this happened immediately after downloading 2006 Norton Anti Virus! Being a newbie...I am so stumped: What and where is regedit??
2005-12-27, 12:57:18
anonymous from United States  
I'm using WINDOWS XP SP2. I fixed all of my spysherrif woes by using the latest versions of Microsoft Antispyware, Ad Aware and Norton. To get rid of the annoying screen I used the tip by anonymous above dated 12/2HKEY_CURRENT_USER\ software\microsoft\windows\currentversion\pn\policies\system and deleted the 'wallpaper' file in the right panel.

Those of you who have endless email problems or pop-ups might have gotten more than just spysherrif. I had the endless email and I had to reload the operating system to get rid of it. DON'T save anything on CDs before you reload the op system. Just bite the bullet.
My other worm was named W32.spybot.worm by Symantec. They have pages on the stuff and how to get rid of it via the registry keys. None worked for me. Apparently there are lots of variations of the W32. It gets instructions by going to an internet site. Besides the email, it's also a keylogger so change your passwords after you're in the clear.
2005-12-27, 14:09:31
SNIPER from United States  
Well, I got rid of most of it. I went in the registry and deleted all the ibm and all the paytime.exe I could find, but I couldn't find my system.ini so I don't know if that ibm line is in there or not :\
2005-12-27, 14:45:57
kelsie from United States  
'My webpage defaults to secure.32 - even if I reset it in internet options... Help'

So does mine. I've done everything it says to do here, and everything else is fine, except this. Any ideas?
2005-12-27, 15:45:23
Peter (Admin) from United States  
To Kelsie:

Here is some information how to get rid of this secure32.html:
2005-12-27, 16:59:07
Chris... from Venezuela  
Hi... help please... my PC now turns off for no reason... please check this... tell me what to do...

Logfile of HijackThis v1.99.1
Scan saved at 06:54:38 p.m., on 27/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\mobile PhoneTools\WatchDog.exe
C:\Archivos de programa\Sync Manager\agent\syncagent.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\PCSuite\DataLayer\DataLayer.exe
C:\Archivos de programa\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Archivos de programa\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Archivos de programa\NavExcel Search Toolbar\NavExcelBar.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P23 'EPSON Stylus C63 Series' /O5 'LPT1:' /M 'Stylus C63'
O4 - HKLM\..\Run: [ccApp] 'C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe'
O4 - HKLM\..\Run: [WinampAgent] 'C:\Archivos de programa\Winamp3\winampa.exe'
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Sys Tray] C:\WINDOWS\system32\Sys Tray.exe
O4 - HKLM\..\Run: [ntvdscm] C:\WINDOWS\system32\ntvdscm.exe
O4 - HKLM\..\Run: [WatchDog] C:\Archivos de programa\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Synchronization Agent] C:\Archivos de programa\Sync Manager\agent\syncagent.exe
O4 - HKLM\..\Run: [TkBellExe] 'C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe' -osboot
O4 - HKLM\..\Run: [QuickTime Task] 'C:\Archivos de programa\QuickTime\qttask.exe' -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Archivos de programa\Archivos comunes\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Archivos de programa\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe 'C:\Archivos de programa\Acceleration Software\Anti-Virus\sstsmon.dll',VerifyStatus
O4 - HKLM\..\Run: [webscan] 'C:\Archivos de programa\Acceleration Software\Anti-Virus\stopsignav.exe' -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Shell] 'C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00001.exe'
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [WhenUSave] 'C:\Archivos de programa\Save\Save.exe'
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .mp3: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) -
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalc../
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemeta..ntrol.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - 'C:\ARCHIV~1\MSNMES~1\msgrapp.dll' (file missing)
O20 - Winlogon Notify: ntvdscm - ntvdscm.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\en66l1js1.dll
O20 - Winlogon Notify: Sys Tray - Sys Tray.dll (file missing)
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe

2005-12-27, 18:32:21 from Canada  
Thanks for the help, I was continually getting a message stating that it could not find the IBM0001.exe file.
Your suggestion to check the registry was bang on.
I had checked the registry first, but found nothing. On your suggestion, I checked the Shell: explorer.exe in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon again but the screen showed nothing.

The culprit was there, just shifted way off the screen with leading blanks (sneaky little devil).
Just thought I'd say thanks and give you the heads up on the leading blanks.

Merry Christmas & Happy New Year from the Great White North (Ottawa, Canada)
2005-12-27, 19:33:17
SNIPER from United States  
Hmm, I don't know what the hell I'm doing wrong. I followed all the steps, although I couldn't find the system.ini and I don't think I had this Shell: explorer.exe 'c:\ibm00001.exe' since the one I found only had explorer

and now when I hit ctrl alt delete I see about 10 iexplore running, and once every few hours my virus scanner will come up saying I have a virus and I'll always delete it.

And also once every while I'll get a porn popup. What the hell did I do wrong?

Someone please explain, this is really messing up my system :\
2005-12-27, 19:41:25
SNIPER from United States  
Here is what I'm getting on my virus scanner



Any help would be greatly appreciated
2005-12-27, 23:39:32
Mitch from United States  
I too had a run in with spy sherrif just tonight.
I work in tech support for a major pharma company, and most of what we do is cookie cutter support...
In this instance, however, I got permission to cut loose a little bit and was still unable to resolve the issue...
Here's as short a summary as I can give:
1. Our field laptops that we support connect to an intranet using a VPN software
2. That software works fairly well but is tied into Internet Explorer
3. For us to connect remotely, they have to be in the VPN
4. If Internet Explorer has 'work offline' checked, the VPN software won't connect. You can ping internet sites, but can't access them. You can't open IE (even using admin privileges) because it tries to route to c:\secure32.html, gives a message saying the file doesn't exist, and then closes out. And yes, the default homepage was, in fact, changed to secure32.html

So, now we're in a pickle. While I can go regdiving if I can connect, I can't walk the user through it - they don't have access to admin stuff. I can't get them connected so I can do it because they can't connect...
Does anyone know another way to 'turn off' the work offline switch in IE without having to open IE OR do anything that a normal power user in XP can't do? (reg privilege is gone, as is the ability to install any 3rd party software or run executables)

As you can see, the 'lockdown' of our system puts me in quite a jam. We wound up having to replace a couple of users' laptops because of it. Anyone have any thoughts? Also, has anyone found out anything about where this spysherrif COMES from?

Thanks, in advance! Please e-mail responses to, as I don't generally monitor this board.
Thanks again!