Solved

netbt issue after virus removal

Posted on 2011-09-26
Last Modified: 2012-05-12
I found a PC on our network with a virus (Windows XP).  After removing said virus and seeing the damage I noticed it could no longer connect to the network (stuck at limited to no connection).  Checking the event log I found DHCP could not start due to a nonexistent dependency (netbt).  After looking around I found a Microsoft article saying to fix it you can remove the netbt dependency from the regedit by editing the dhcp registry.

After removing the dependency I booted up to find internet, Exchange server and so on working correctly; however, network drives were unable to connect.  Looking at the event log I found the following:

Error: 7003
The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Anyone have any suggestions on how I can restore network operations to reach the proper drives?  I assume netbt was deleted or hidden due to the virus but not sure.
0
Question by:Overtonp
13 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601600
Reset the TCP/IP stack and see if that helps.

http://support.microsoft.com/kb/317518
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 36601601
Hello, what virus(es) did you find and clean?
0
 
LVL 30

Accepted Solution

by:
flubbster earned 250 total points
ID: 36601696
Copy netbt.sys from a working PC and copy it to c:\windows\system32\drivers

It should not be located anywhere else. There is a known virus that places a copy of netbt.sys in the c:\windows\system32 folder.

So, make sure that there is a good copy in the drivers folder. Once you do this, you can actually put the dependency back on the DHCP reg entry.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 250 total points
ID: 36601753
If this key doesn't exist on the machine, export it from a known good working one, and reboot.... If it restores your problems, add it back to the DHCP dependency (along with AFD)......

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000

If the Installed NICs are different you might need to update these subkeys under here for the interfaces....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
0
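The checks from the two answers above (driver location, the NetBT registry keys, the service dependencies) collected into one read-only PowerShell script. This is an added example, not code posted by anyone in the thread; the `Dhcp` and `LmHosts` service key names, the `ImagePath` and `DependOnService` values, and the default `%SystemRoot%\system32` layout are assumptions about a stock Windows XP install.

```powershell
# Added example: read-only checks, nothing is modified.
# Assumption: default Windows XP layout under %SystemRoot%\system32.
$svc     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000'
$driver  = Join-Path $env:SystemRoot 'system32\drivers\netbt.sys'
$stray   = Join-Path $env:SystemRoot 'system32\netbt.sys'
$results = @()

function Add-Check($name, $ok, $detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $name; OK = [bool]$ok; Detail = $detail }
}

# Driver file: must be in drivers\, and no copy may sit one level up.
Add-Check 'netbt.sys in drivers folder' (Test-Path $driver) $driver
Add-Check 'no netbt.sys in system32'    (-not (Test-Path $stray)) $stray

# Service and legacy device keys named in the thread.
Add-Check 'Services\NetBT key exists' (Test-Path "$svc\NetBT") "$svc\NetBT"
Add-Check 'LEGACY_NETBT\0000 exists'  (Test-Path $enum) $enum

# ImagePath should point at the copy in the drivers folder.
$img = (Get-ItemProperty "$svc\NetBT" -ErrorAction SilentlyContinue).ImagePath
Add-Check 'NetBT ImagePath -> drivers' ($img -like '*system32\drivers\netbt.sys') $img

# Dhcp = DHCP Client, LmHosts = TCP/IP NetBIOS Helper (the event 7003 service).
foreach ($name in 'Dhcp', 'LmHosts') {
    $deps = (Get-ItemProperty "$svc\$name" -ErrorAction SilentlyContinue).DependOnService
    Add-Check "$name depends on NetBT" ($deps -contains 'NetBT') ($deps -join ', ')
}

$results | Select-Object Check, OK, Detail | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK })
if ($failed.Count) { Write-Warning "$($failed.Count) check(s) failed" }
```

Running it before and after the repair shows which of the pieces (file, service key, legacy device key, dependencies) is still missing.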
 

Author Comment

by:Overtonp
ID: 36602061
I re-added netbt to the dependency list and copied a working netbt driver to registry and system folder.

It restored email, internet and so on; however, network drives are still unavailable.

Here's an application log.

Userenv
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 36602238
Do you have a Gb NIC? In that case, you may have to disable media sensing as described here.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36602543
What's the error if you map manually?

I would run MalwareBytes and TDSSKiller as a followup, to make sure you are verified clean.....
0
 

Author Comment

by:Overtonp
ID: 36708909
Here's the actual error.
1058
Userenv

NT AUTHORITY\SYSTEM

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=samcotech,DC=com. The file must be present at the location <\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.

I'll run another virus check to make sure everything is gone.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 36709141
Take a look at this when you can. Look at the last post. It seems virtually identical to what you are seeing. Same error code also.

From that post, it may be a corrupted policy that needs to be removed.

http://www.petri.co.il/forums/showthread.php?t=24870
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714392
{6AC1786C-016F-11D2-945F-00C04fB984F9}

Does this Policy exist in GPMC still?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714399
"Here's the actual error."

That should not be an error from mapping a drive....

\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini

You cannot browse to this location in Explorer?
0
 

Author Comment

by:Overtonp
ID: 36948574
Fixed after using a winsock repair program after re-adding the netbt driver.  Thanks
0
 

Author Closing Comment

by:Overtonp
ID: 36948587
only part of the issue fix explained.
0
