Solved

netbt issue after virus removal

Posted on 2011-09-26
Last Modified: 2012-05-12
I found a PC on our network with a virus (Windows XP).  After removing said virus and seeing the damage I noticed it could no longer connect to the network (stuck at limited to no connection).  Checking the event log I found DHCP could not start due to a nonexistent dependency (netbt).  After looking around I found a Microsoft article saying to fix it you can remove the netbt dependency from the regedit by editing the dhcp registry.

After removing the dependency I booted up to find internet, exchange server and so on working correctly; however, network drives were unable to connect.  Looking at the event log I found the following:

Error: 7003
The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Anyone have any suggestions on how I can restore network operations to reach the proper drives?  I assume netbt was deleted or hidden due to the virus but not sure.
Question by:Overtonp
13 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601600
Reset the TCP/IP stack and see if that helps.

http://support.microsoft.com/kb/317518
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36601601
Hello, what virus(es) did you find and clean?
0
 
LVL 30

Accepted Solution

by:
flubbster earned 250 total points
ID: 36601696
Copy netbt.sys from a working PC and copy it to c:\windows\system32\drivers

It should not be located anywhere else. There is a known virus that places a copy of netbt.sys in the c:\windows\system32 folder.

So, make sure that there is a good copy in the drivers folder. Once you do this, you can actually put the dependency back on the DHCP reg entry.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 250 total points
ID: 36601753
If this key doesn't exist on the machine, export it from a known good working one, and reboot.... If it restores your problems, add it back to the DHCP dependency (along with AFD)......

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000

If the Installed NICs are different you might need to update these subkeys under here for the interfaces....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
0
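A read-only check covering the two answers above (driver file location and the NetBT registry keys), as an added example that is not part of the original thread. It assumes PowerShell is installed on the machine (it is not present on Windows XP by default); the function name `Test-NetBTHealth` is hypothetical, and `LmHosts` is assumed to be the service key name of "TCP/IP NetBIOS Helper".

```powershell
# Added example: reports what is missing or out of place; it changes nothing.
# Paths and key names come from the posts above, except LmHosts (assumed to be
# the key name of the "TCP/IP NetBIOS Helper" service).
function Test-NetBTHealth {
    $findings = @()
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # The driver belongs in system32\drivers and nowhere else.
    $good  = Join-Path $env:SystemRoot 'system32\drivers\netbt.sys'
    $stray = Join-Path $env:SystemRoot 'system32\netbt.sys'
    if (-not (Test-Path $good)) { $findings += "MISSING driver: $good" }
    if (Test-Path $stray)       { $findings += "UNEXPECTED copy, review it: $stray" }

    # Keys that should be exported from a known good machine if absent.
    $keys = @(
        "$svc\NetBT",
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000',
        "$svc\NetBT\Parameters\Interfaces"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { $findings += "MISSING key: $k" }
    }

    # DependOnService is a REG_MULTI_SZ. Flag any dependency that has no
    # service key (the condition behind event 7003), and note when the
    # NetBT dependency has been removed from Dhcp as a workaround.
    foreach ($name in 'Dhcp', 'LmHosts') {
        $props = Get-ItemProperty "$svc\$name" -ErrorAction SilentlyContinue
        $deps  = @()
        if ($props -and $props.DependOnService) { $deps = @($props.DependOnService) }
        foreach ($d in $deps) {
            if ($d -and -not (Test-Path "$svc\$d")) {
                $findings += "$name depends on nonexistent service: $d"
            }
        }
        if ($name -eq 'Dhcp' -and $deps -notcontains 'NetBT') {
            $findings += 'Dhcp does not list NetBT in DependOnService'
        }
    }
    return $findings
}

# An empty result means every check passed.
Test-NetBTHealth
```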
 

Author Comment

by:Overtonp
ID: 36602061
I re-added netbt to the dependency list and copied a working netbt driver to the registry and system folder.

It restored email, internet and so on; however, network drives are still unavailable.

Here's an application log.

Userenv
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36602238
Do you have a Gb NIC? In that case, you may have to disable media sensing as described here.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36602543
What's the error if you map manually?

I would run MalwareBytes and TDSSKiller as a followup, to make sure you are verified clean.....
0
 

Author Comment

by:Overtonp
ID: 36708909
Here's the actual error.
1058
Userenv

NT AUTHORITY\SYSTEM

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=samcotech,DC=com. The file must be present at the location <\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.

I'll run another virus check to make sure everything is gone.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 36709141
Take a look at this when you can. Look at the last post. It seems virtually identical to what you are seeing. Same error code also.

From that post, it may be a corrupted policy that needs to be removed.

http://www.petri.co.il/forums/showthread.php?t=24870
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714392
{6AC1786C-016F-11D2-945F-00C04fB984F9}

Does this Policy exist in GPMC still?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714399
"Here's the actual error."

That should not be an error from mapping a drive....

\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini

You cannot browse to this location in Explorer?
0
 

Author Comment

by:Overtonp
ID: 36948574
Fixed after using a winsock repair program after re-adding the netbt driver.  Thanks
0
 

Author Closing Comment

by:Overtonp
ID: 36948587
Only part of the issue fix explained.
0

Question has a verified solution.
