I mounted the hard drive on a computer with Microsoft Forefront and started a full scan, which found many viruses. I checked "remove" on all of them and rebooted into safe mode to run Malwarebytes, only to find the machine couldn't connect to the network.
The "DHCP" service wouldn't start because of a missing dependency.
While not sure which virus caused it, I started looking at the DHCP dependencies: Tcpip, Afd, NetBT.
I wish I could say that was when I noticed the NetBT service was missing entirely from the machine, but I can't; instead I started digging into the AFD service. After no luck messing with AFD, I noticed that NetBT didn't even exist any more. It was gone.
"C:\Windows\system32\drivers\netbt.sys" was missing as well.
Searching Google for how to reinstall NetBT was unhelpful at best. I found many posts talking about settings and file restores, but none on how to completely restore the service if it was gone.
So here's how I did it.
- Obtain a copy of netbt.sys and place it at "C:\Windows\system32\drivers\netbt.sys". If it's missing and no local backup exists, you can download the service pack the machine is running, extract it, and take the file from the i386 folder. It will be named netbt.sy_, so copy it and then rename it to netbt.sys.
- I exported the registry key for the NetBT service from another machine running Windows XP Service Pack 3 and imported it into the machine to replace the missing NetBT service.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
- In case you don't have a machine handy to export the registry keys for the NetBT service from, here's a link to what I created.
- Download Link: NetBT Service.reg
- Reboot the machine.
- Open Start, Run, then cmd to launch a command window and enter each of the following as a single command line.
- Reset WinSock entries to Defaults: netsh winsock reset catalog
- Reset TCP/IP Stack entries to Defaults: netsh int ip reset c:\reset.log
After the first reboot following the import of the NetBT service registry keys, the DHCP service will most likely work, but you're not done yet, as no interfaces are associated with NetBT. So you'll be able to connect to websites but not access network shares, along with other odd behavior. Be sure to run the netsh commands. You can test whether they're working with the following.
- Running "nbtstat -R" returned:
- NetBT is not bound to any devices
Also be sure to give the c:\reset.log a look and then delete it.
Here is the start of the contents of mine.
reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\TcpAllowedPorts
old REG_MULTI_SZ =
0
.......................................................
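Before importing a registry export that came from another machine or a download, as in the NetBT step above, it helps to check what the file will change. The following is an added example, not the author's code: it parses a .reg export and reports keys outside the NetBT service, key deletions, and an ImagePath that does not point at the stock driver. The function names, the accepted ImagePath values and the sample data are assumptions of this example.

```python
import re

# Assumptions of this example: the one subtree the import may touch, and the
# driver paths treated as normal for the NetBT service's ImagePath value.
ALLOWED_ROOT = r"hkey_local_machine\system\currentcontrolset\services\netbt"
EXPECTED_IMAGES = {r"system32\drivers\netbt.sys",
                   r"\systemroot\system32\drivers\netbt.sys"}

def decode_reg(raw: bytes) -> str:
    """'Version 5.00' exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")

def expand_sz(value: str) -> str:
    """Decode a hex(2): value (REG_EXPAND_SZ as UTF-16LE bytes, 5.00 layout)."""
    data = bytes(int(b, 16) for b in value.split(":", 1)[1].split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")

def audit_reg(raw: bytes) -> list:
    """Return findings for a .reg file; an empty list means nothing unexpected."""
    # Long hex values wrap with a trailing backslash, so join those lines first.
    text = re.sub(r"\\\r?\n", "", decode_reg(raw))
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(-?)(.+)\]", line)
        if section:
            key = section.group(2).lower()
            if section.group(1):  # "[-KEY]" removes the key on import
                findings.append("deletes key: " + section.group(2))
            if key != ALLOWED_ROOT and not key.startswith(ALLOWED_ROOT + "\\"):
                findings.append("key outside NetBT service: " + section.group(2))
            continue
        entry = re.fullmatch(r'"([^"]*)"=(.*)', line)
        if not entry or key != ALLOWED_ROOT or entry.group(1).lower() != "imagepath":
            continue
        value = entry.group(2)
        if value.startswith("hex(2):"):
            path = expand_sz(value)
        else:  # plain REG_SZ form, with backslashes doubled
            path = value.strip('"').replace("\\\\", "\\")
        if path.lower() not in EXPECTED_IMAGES:
            findings.append("unexpected ImagePath: " + path)
    return findings

def make_sample(image_path: str, extra: str = "") -> bytes:
    """Build a constructed sample export (not the file linked from the post)."""
    hex2 = ",".join(f"{b:02x}" for b in (image_path + "\x00").encode("utf-16-le"))
    body = ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT]\r\n"
            '"Start"=dword:00000001\r\n'
            f'"ImagePath"=hex(2):{hex2}\r\n' + extra)
    return b"\xff\xfe" + body.encode("utf-16-le")

if __name__ == "__main__":
    print(audit_reg(make_sample(r"system32\DRIVERS\netbt.sys")))  # clean sample
```

To audit a real file, pass its bytes: `audit_reg(open(path, "rb").read())`. A clean result only covers what this check looks at; the netbt.sys binary itself still needs to come from a trusted source.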
Thank you so much!!! After hours of trying to solve my issue, your step by step saved me!
Worked for me after removing zero access rootkit, and running combofix, this got me back on the net, thanks
WOW, good job! Worked perfect for me!
Man I can not tell you how thankful I am for this. (spec the dL for the netbt reg file) Took me forever to figure out what was wrong and even longer to find this site. THANKS!
thanks a lot man! u saved me a lot of time! thanks from Berlin!
Thank you so much. I've been working on trying to fix my internet woes for four and a half hours. I finally found this and was able to fix it in no time. Thanks again!
Great write up thanks -- haven't done it yet but will Tomorrow -- I'd come to the same conclusion and was looking for confirmation it should work.
One thing --This machine is running XP SP 2 will the SP3 file work?
If not any thoughts on where to get one?
I'll be calling around tomorrow to see if anyone I know is running XP SP2 --wish me luck..
Bob
just wanted to say thanks... had the same problem and needed the registry key to force the netbt loading
THX !!
Wonderful :-)
I assume as it's a problem we're all having within a couple of weeks, I assume it's one of the current round of nasties is replacing the original file. V glad to have the fix, thanks.
Hey Chris,
Great post! Can you do a similar post for a Windows 7 machine having the same problem?
Dude,
You are the bomb. Thanks.
TCB
Thanks a million for the work you did. Great job with the walk through!!!
Michael
Another satisfied user in the UK East Midlands - thanks, Tony
Thank you for this information. Saved me a lot of digging. Customer is back online!
YOU ARE A LEGEND!
I have searched for hours on Google and Microsoft and everything else and tried a hundred things.
Then I found this - did what you said - and I'm back up online!
I'm very grateful. If you're ever in Perth, WA I will repay you (with food)! :-)
THANKS for the great advice and for taking the time to post! I spent hours working this problem ... I had already found and replaced an infected netBT.sys, but needed your "extra steps" to make it all work. MANY THANKS!!! -QCR
CHRIS – MY HERO!! Your skills and your time put into this resolution, on top of the FACT you put it out here in a worry free lay out (that reg file was above and beyond) – Well let's just say I can not express enough how much I appreciate it..
I'll join the chorus - incredibly useful post, I'm only upset it took me 3 hours to find it. Thanks a million.
You are a life saver! Thanks for sharing the info. -- nram
Thumbs up dude, this helped me after MSSE deleted a trojan and took out NetBT with it.
Microsoft - killing their own OS now...great...just great.
Yet another aussie thanks you from the bottom of his heart. After 5 hours of searching, I found your blog, and was back on the net in 5 minutes! Why you aren't in the top 10 searches of 2011 I'll never know! Thanks again.
It's all been said before but props. Back to google to +1 this.
Hi Chris,
Thank you SO much for this article. I have seen this infection so much lately and with the netbt service being disabled, this came in a very timely manner. It just took many of us this long to find it! Thanks again!
Great help.
Had this problem occur after Malware Bytes seemingly deleted the NETBT service.
Great walkthrough!!!!!
Great article!! I had been working for 2 days on this. Still having a problem with local network name resolution on that machine, though. Thanks for all your hard work!
Hey, I was having the exact same problem. However, it was AVG that whacked out my registry. I found the registry entry in my virus vault and did a restore. Fixed the problem. Would not have gone there without clues from here. THANKS MILLIONS!,
Ken S.
Thank you for the fantastic article! This did the trick and allowed me to reconnect to my Windows Home Server printers and shared folders!
Hi! I have the exact same problem, except I am not sure what to do exactly. I'm not very tech-savvy. I tried to download that NetBT Service.reg file but it turns out to be in mp3 format, opened using Windows Media Player, and didn't work. Can you give me step by step instructions on what exactly to do? Thank you so much! Really hope you can help!
THANKS!
I am a Mac user, just helping a non-computer-savvy friend overcome a virus infestation. I am a Windows novice. So once I figured out where and what the $!%& the registry is, your fix worked like a charm. Many thanks!
-Alan
THANK you VERY VERY much. this is again very helpful.
I got this NETBT problem after some virus infections and installing another virus scanner with a firewall which didn't work properly.
Again thanks
Regards,
Henk
I have had several computers that had this problem after removing Win32/sirefef infection. Before I always just told customer that windows needed reinstalled...
But you ROCK
you are a hero and should be a legend!
THANK YOU
Thanks a million. Removed the zeroaccess rootkit and you guessed it..... up and running fine now.
Merci (THANKS) from France!!
network problem (don't share access) after deleting netbt.sys by KAV resolve with this howto
Thanks for the netbt.sys tip. The recovery procedure worked perfect!
Glad I found this page. Had an old XP box that picked up an icky infection and the NetBT reg entry ended up getting deleted (by malware or by the programs used to remove it). Your reg entry dl (and the netsh commands) really helped.
And, in case anyone else runs into similar problems...
I had a bit of trouble with the netsh commands at first ("The procedure entry point MigrateWinsockConfiguration could not be located in dynamic link library MSWSOCK.dll"). Turns out there was a rootkit still hiding on the machine. TDSSKiller cleared it up (I think :insert spooky music here:) and seems to have restored the correct dll. The commands worked fine and I believe the system is finally back in order.
Anyway, thanks for taking the time to share your knowledge - people like you make the Net a better place!
Thank You - true expert how to. A note to follow up: After performing the netsh business, restart, then delete the nic device and rescan for hardware changes, then re-install sp3.
I also wanted to express my thanks to you for writing this because it got me 2/3 of the way home. After I installed the reg key and executed the netsh commands, I had to reinstall the NIC driver. Great work on this!!!!
WOW! Thank you so much! I've been working on this silly machine for 2 days now and after using 5 different tools to clean the zeroaccess rootkit infection, I thought I was in the clear...until I tried to access my network drives. Then came across your step-by-step here and voila! I'm working again! You sir are a true master and are so thoughtful to share your experience to prevent the headaches of others! Thank you, thank you, THANK YOU!
- Beth ;)
Thanks, you saved my life.
http://www.indaloweb.es
Sensational!! As a few of the posters have had, i was infected with the rootkit zero access. Finally got rid of it but it had stuffed up my network.
I got the internet back but it took this excellent blog to get back my home network. Cheers.
BTW my machine is running Windows 7, so it works for that too. Not just XP. Thanks again
Thank you for this recovery procedure. I have today the same trouble with not working DHCP after removing the Trojan horse TR/Rootkit.Gen [TR/Sirefef.BP.1] with an Avira Recovery CD. After using your steps now work fine. Thanks again!
Sir:
Thank you very much for posting this article. I had spent many, many hours wrestling with the consequences of that nasty R/Sirefef.BP.1 and your terrific article proved to be the fix I needed. Thank you so much. I searched your site but saw no vehicle for donations so I have taken the liberty of utilizing the donation at the wine section of Trader Joe's.
Cheers! *clink*
(If you do setup a donation vehicle please let me know)
Thank you for the fix. You really started my day off in the right direction!!!
My idol:
Thanks to you I have got glory, so that, I don't know what can I say:
THANKS A LOT FROM SPAIN.
After hours of failed attempts, I knew I needed to reinstall netbios but couldn't figure out how.
You saved me from a complete XP reinstall.
I think I owe you a beer.
Thanks so much
Tom
I don't get how everyone has resolved their issue, when the file he has to download is a sound file!??! am i missing something? I've been working on my friends computer for a month now and need to get this finished asap! i have the problem listed here as well as IPSec reg key missing/doesn't exist,local host is blocked and it seems my firewall is partly open as the log states it checks out ok,but shared access service is not running. tcpip is ok just not running. I believe this happened due to microsofts system itself, after all the research i have put into rebuilding my friends machine, I have come to find out microsoft made their own software/hardware set up to have the certificates expire and things go haywire causing the system to go rogue! which is why we are all getting viruses and trojans, etc.. only thing is i have like 4 other systems of my own to work on regarding this! Any tips on how to get this done for good would be great as it has only seemed to be one thing after another..sigh. thanks in advance!
The file you download ("NetBT Service.reg") is really just a text file of registry entries and should not be opened by an audio player. If you run the command “regedit” manually you can go to file import and select the "NetBT Service.reg" file.
You all probably want to fix the file associations on that machine as well, most likely others may be incorrect as well.
FYI, the file you are providing is named and downloads as "NetBT.reg.mp3". Although registry editor can import the file if one selects "all files", it would be easier if the file itself did not have the .mp3 extension.
cool thanks
Just fixed my friend's computer with this. Very straightforward and easy. Thanks a bunch.
Works!!!!!
HI Chris,
Let me echo the thanks from others on this thread. After many hours working on my daughter's computer you have returned my sanity. I now know how to screw up someone else's life if the sh!@ my off. Thanks
This one could run & run! I was groping towards the solution (I'd already extracted netbt.sys and I was pondering the registry) but thanks a ton for sharing your neat pulling-together of the strands.
One thing: I found your solution (via Google!) using the affected machine after manually entering the TCP/IP info [into the connection's properties]. Of course, as that cannot help anyone until they can read this, it could be a gotcha!
Thanks again!
Thanks, After hours of trying things I found your info and it worked just fine. Thank You Kindly!
Thank you very much!!!! I had been at it for hours and couldn't find the answer.
Thank you for posting this. One more thing.. I could not see other PCs and their shares by name. In the TCP/IP properties (of my network adapter) on Advanced.. dialog and the WINS tab I enabled NetBIOS over TCP/IP. After this I could see shares on other PCs.
Super Thanks!!! Really helpful procedure!!!
Thank YOU!!!!!!
My issue as well. Thank You!
Thank you for your posting - helped me resolve my issues after removing a few trojans...
Many thanks Chris - I successfully resolved a laptop network issue following the removal of Trojan virus/NetBT.sys infected. Thumb up !
Hey, thank you very much. This is one fix that works, and is explained clearly and in enough detail to make implementation successful! Thanks especially for the .REG file!
Thanks a lot, including the registry patch file was genius
ooohay! Just wanted to count me on the statistics! It worked for me too! Thank you very much! :)
PS: For those who went all through it and it didn't work, don't forget to reboot your system after running both codes on cmd!
As the others said, thank you so much!!!!.
Many many many Thanks!!!!! I finally found you! You are my hero!
I spent hours yesterday getting rid of a virus off the PC so I was a bit upset this morning when I had this error. I came across your site while hunting around so with nothing to lose I gave it a go, and it worked beautifully. You are a treasure. Sincere thanks to you.
Chris, Thanks for the work you have done. I followed your instructions, but when I tried "nbtstat -n" the response was "Fail to access NetBt driver -- NetBT may not be loaded". This is really beating me up. Can you help? The background is, I am trying to gain access to the internet via Firefox. My internet connection is not working. The device manager states all adapter are working fine. All of this started because of malware and spyware on my computer. Please help, James.
You Da king!!!! Thank you soooo much!! :D
Chris, after trying many, many, other fixes, this did the trick! Great work - clear, concise, (though a little scary). Thanks for your help! And thanks to all those who help others by posting their work on the web. Much appreciated. Don
Holy cow, man, I can't describe how thankful I'm for this article.... after almost 2 days finally success. I owe you few cold beers, bro. Thanks!!!
I have got no words, man... Thank you very much from Spain!!!
Thanks for this very helpful post! I can't tell you how many hours I spent trying to fix this issue before I found your article..
You certainly saved me from certain death (or at least a serious headache). Thanks a lot!
Useful guide