Solved

netbt issue after virus removal

Posted on 2011-09-26
Last Modified: 2012-05-12
I found a PC on our network with a virus (Windows XP). After removing said virus and seeing the damage, I noticed it could no longer connect to the network (stuck at limited to no connection). Checking the event log, I found DHCP could not start due to a nonexistent dependency (netbt). After looking around, I found a Microsoft article saying that to fix it you can remove the netbt dependency from the regedit by editing the dhcp registry.

After removing the dependency I booted up to find internet, exchange server and so on working correctly; however, network drives were unable to connect. Looking at the event log I found the following:

Error: 7003
The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Anyone have any suggestions on how I can restore network operations to reach the proper drives?  I assume netbt was deleted or hidden due to the virus but not sure.
0
Comment
Question by:Overtonp
13 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601600
Reset the TCP/IP stack and see if that helps.

http://support.microsoft.com/kb/317518
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36601601
Hello, what virus(es) did you find and clean?
0
 
LVL 30

Accepted Solution

by:
flubbster earned 750 total points
ID: 36601696
Copy netbt.sys from a working PC and copy it to c:\windows\system32\drivers

It should not be located anywhere else. There is a known virus that places a copy of netbt.sys in the c:\windows\system32 folder.

So, make sure that there is a good copy in the drivers folder. Once you do this, you can actually put the dependency back on the DHCP reg entry.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 750 total points
ID: 36601753
If this key doesn't exist on the machine, export it from a known good working one, and reboot.... If it restores your problems, add it back to the DHCP dependency (along with AFD)......

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000

If the Installed NICs are different you might need to update these subkeys under here for the interfaces....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
0
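The checks from the two answers above (driver file location, the NetBT registry keys, and the DHCP dependency list), gathered into one read-only script. This is an added example, not part of the original thread; it assumes Windows PowerShell is installed on the machine and is run as an administrator, and the function name `Test-NetBtState` is made up for illustration.

```powershell
# Added example: read-only check of the NetBT pieces discussed in this thread.
# Assumption: Windows PowerShell is installed; run from an administrator session.

function Test-NetBtState {
    $sys32   = Join-Path $env:SystemRoot 'system32'
    $drivers = Join-Path $sys32 'drivers'
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Dependency list of the DHCP service (REG_MULTI_SZ comes back as a string array).
    $dhcp = Get-ItemProperty -Path "$svcRoot\Dhcp" -Name DependOnService -ErrorAction SilentlyContinue
    $deps = @()
    if ($dhcp) { $deps = @($dhcp.DependOnService) }

    New-Object PSObject -Property @{
        # The driver belongs here and nowhere else.
        DriverInDriversFolder = Test-Path (Join-Path $drivers 'netbt.sys')
        # A copy directly in system32 is the stray file the accepted answer describes.
        StrayCopyInSystem32   = Test-Path (Join-Path $sys32 'netbt.sys')
        # Registry keys named in the assisted solution.
        NetBtServiceKey       = Test-Path "$svcRoot\NetBT"
        LegacyEnumKey         = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000'
        InterfacesKey         = Test-Path "$svcRoot\NetBT\Parameters\Interfaces"
        # -contains is case-insensitive, so 'NetBT' and 'netbt' both match.
        DhcpDependsOnNetBt    = ($deps -contains 'NetBT')
        DhcpDependsOnAfd      = ($deps -contains 'Afd')
        DhcpDependencies      = ($deps -join ', ')
    }
}

$state = Test-NetBtState
$state | Format-List

if ($state.StrayCopyInSystem32) {
    Write-Warning 'netbt.sys found directly in system32; it should exist only in system32\drivers.'
}
if (-not $state.DriverInDriversFolder) {
    Write-Warning 'netbt.sys is missing from system32\drivers.'
}
if (-not $state.NetBtServiceKey) {
    Write-Warning 'Services\NetBT key is missing; export it from a known good machine.'
}
if ($state.NetBtServiceKey -and -not $state.DhcpDependsOnNetBt) {
    Write-Warning 'NetBT is present but not listed in the DHCP DependOnService value.'
}
```

The script changes nothing on the machine; it only reports which of the pieces still need to be restored.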
 

Author Comment

by:Overtonp
ID: 36602061
I re-added netbt to the dependency list and copied a working netbt driver to registry and system folder.

It restored email, internet and so on; however, network drives are still unavailable.

Here's an application log.

Userenv
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36602238
Do you have a Gb NIC? In that case, you may have to disable media sensing as described here.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36602543
What's the error if you map manually?

I would run MalwareBytes and TDSSKiller as a followup, to make sure you are verified clean.....
0
 

Author Comment

by:Overtonp
ID: 36708909
Here's the actual error.
1058
Userenv

NT AUTHORITY\SYSTEM

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=samcotech,DC=com. The file must be present at the location <\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.

I'll run another virus check to make sure everything is gone.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 36709141
Take a look at this when you can. Look at the last post. It seems virtually identical to what you are seeing. Same error code also.

From that post, it may be a corrupted policy that needs to be removed.

http://www.petri.co.il/forums/showthread.php?t=24870
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714392
{6AC1786C-016F-11D2-945F-00C04fB984F9}

Does this Policy exist in GPMC still?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714399
"Here's the actual error."

That should not be an error from mapping a drive....

\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini

You cannot browse to this location in Explorer?
0
 

Author Comment

by:Overtonp
ID: 36948574
Fixed after using a winsock repair program after re-adding the netbt driver. Thanks
0
 

Author Closing Comment

by:Overtonp
ID: 36948587
only part of the issue fix explained.
0

Question has a verified solution.