Solved

netbt issue after virus removal

Posted on 2011-09-26
13
1,447 Views
Last Modified: 2012-05-12
I found a pc on our network with a virus (windows xp).  After removing said virus and seeing the damage I noticed it could no longer connect to the network (stuck at limited to no connection).  Checking event log I found DHCP could not start due to a nonexistant dependancy (netbt).  After looking around I found a microsoft article saying to fix it you can remove the netbt dependancy from the regedit by editing the dhcp registry.

After removing the dependacy I booted up to find internet,  exchange server and so on working correctly however network drives were unable to connect.  Looking at the event log I found the following

Error: 7003
The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Anyone have any suggestions on how I can restore network operations to reach the proper drives?  I assume netbt was deleted or hidden due to the virus but not sure.
0
Comment
Question by:Overtonp
  • 4
  • 4
  • 2
  • +2
13 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 36601600
Reset the TCP\IP stack see if that helps

http://support.microsoft.com/kb/317518
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 36601601
Hello, what virus(es) did you find and clean?
0
 
LVL 30

Accepted Solution

by:
flubbster earned 250 total points
ID: 36601696
Copy netbt.sys from a working PC and copy it to c:\windows\system32\drivers

It should not be located anywhere else. There is a known virus that places a copy of netbt.sys in the c:\windows\system32 folder.

So, make sure that there is a good copy in the drivers folder. Once you do this, you can actually put the dependancy back on the DHCP reg entry.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 250 total points
ID: 36601753
If this key doesn't exist on the machine, export it from a known good working one, and reboot.... If it restores your problems, add it back to the DHCP dependency (along with AFD)......

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000

If the Installed NICs are different you might need to update these subkeys under here for the interfaces....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
0
 

Author Comment

by:Overtonp
ID: 36602061
I readded netbt to dependency list and copied a working netbt driver to registry and system folder.

It restored email, internet and so on however network drives are still unavailble.

Heres an application log.

Userenv
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 36602238
Do you have a Gb NIC, in that case, you may have to disable media sensing as described here.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 66

Expert Comment

by:johnb6767
ID: 36602543
What's the error if you map manually?

I would run MalwareBytes and TDSSKiller as a followup, to make sure you are verified clean.....
0
 

Author Comment

by:Overtonp
ID: 36708909
Here's the actual error.
1058
Userenv

NT AUTHORITY\SYSTEM

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=samcotech,DC=com. The file must be present at the location <\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.

I'll run another virus check to make sure everything is gone.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 36709141
Take a look at this when you can. Look at the last post. It seems virtually identical to what you are seeing. Same error code also.

From that post, it may be a corrupted policy that needs to be removed.

http://www.petri.co.il/forums/showthread.php?t=24870
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714392
{6AC1786C-016F-11D2-945F-00C04fB984F9}

Does this Policy exist in GPMC still?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36714399
"Here's the actual error."

That should not be an error from mapping a drive....

\\samcotech.com\sysvol\samcotech.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini

You cannot brose to this location in Explorer?
0
 

Author Comment

by:Overtonp
ID: 36948574
Fixed after using a winsock repair program after readding the netbt driver.  Thanks
0
 

Author Closing Comment

by:Overtonp
ID: 36948587
only part of the issue fix explained.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now