Wednesday, November 2, 2011

How to reinstall NetBT Service on Windows XP

Recently a past boss asked me to look at a laptop running Windows XP Service Pack 3 that was having issues with viruses and malware. The user is an older gentleman and really didn't want Windows 7 or his machine rebuilt. While I'm not normally a desktop tech any more, I was happy to help. Figuring it'd only take an hour, I doomed myself to a complicated problem without an easy fix.

I mounted the hard drive to a computer with Microsoft Forefront and started a full scan, which found many viruses. I just auto-checked remove on all of them and rebooted into safe mode. I had booted into safe mode to run Malwarebytes, only to find the machine couldn't connect to the network.

"DHCP" Service wouldn't start because of missing dependency.

While not sure what virus caused it, I started looking at the DHCP dependencies: Tcpip, Afd, NetBT.

I wish I could say it was then that I noticed the NetBT service was missing entirely from the machine, but I cannot, as I instead started digging into the AFD service. After no luck even remotely messing with AFD, I noticed that NetBT didn't even exist any more. It was gone.

"C:\Windows\system32\drivers\netbt.sys" was missing as well.

Searching Google for how to re-install NetBT was at best unhelpful. I found many posts talking about settings and file restores, but no posts on how to completely restore the service if it was gone.

As such, here's how I did it.
  • Obtain a copy of netbt.sys and place it at "C:\Windows\system32\drivers\netbt.sys". If it's missing and no local backup exists, you can download the service pack the machine is running, extract it, and take the file from the i386 folder. It will be named netbt.sy_, so copy it and then rename it to netbt.sys.
  • I exported the registry key for the NetBT service from another machine running Windows XP Service Pack 3 and imported it into the machine to replace the missing NetBT service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
    • In case you don't easily have a machine around to create the registry keys for the NetBT service, here's a link to what I created.
    • Download Link: NetBT Service.reg
  • Reboot the machine.
  • Open Start, Run, then cmd to launch a command window and enter each of the following as a single command line.
    • Reset WinSock entries to defaults: netsh winsock reset catalog
    • Reset TCP/IP stack entries to defaults: netsh int ip reset c:\reset.log
After the first reboot following the import of the NetBT service registry keys, the DHCP service will most likely work, but you're not done yet, as no interfaces are associated with NetBT. You'll be able to connect to websites but not access network shares, along with other odd behavior. Be sure to run the netsh commands. You can test whether they're working with the following.
  • Running "nbtstat -R" returned:
    • NetBT is not bound to any devices
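Two checks are worth running before the first two steps: that the netbt.sys being placed is an actual driver image (files with a trailing underscore in a service pack's i386 folder are normally stored compressed), and that a .reg file obtained from someone else touches only the NetBT service key. The Python below is an added example, not part of the original post; the accepted ImagePath values and the sample .reg text are assumptions constructed for illustration.

```python
import re

NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"
# Assumption: accepted ImagePath spellings for the driver path the post names.
OK_IMAGE = {r"system32\drivers\netbt.sys", r"\systemroot\system32\drivers\netbt.sys"}

def classify_driver(data):
    """Tell a real driver image from a still-compressed service pack file."""
    if data[:4] in (b"SZDD", b"KWAJ", b"MSCF"):
        return "compressed"          # still compressed: needs expand.exe
    if data[:2] == b"MZ" and len(data) >= 0x40:
        off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
        if data[off:off + 4] == b"PE\0\0":
            return "pe"
    return "unknown"

def decode_value(raw):
    """Decode quoted strings and hex(2)/hex(7) UTF-16LE data from a .reg file."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\([27]\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\0")
    return raw

def audit_reg(text):
    """Return findings; an empty list means the file only restores NetBT."""
    findings, key, image = [], None, None
    text = re.sub(r"\\\r?\n\s*", "", text)        # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]")
            if key.startswith("-"):
                findings.append("deletes key: " + key[1:])
            elif not (key.upper() + "\\").startswith(NETBT_KEY.upper() + "\\"):
                findings.append("key outside NetBT: " + key)
        elif "=" in line and key and key.upper() == NETBT_KEY.upper():
            name, raw = line.split("=", 1)
            if name.strip('"').lower() == "imagepath":
                image = decode_value(raw)
    if image is None:
        findings.append("no ImagePath under the NetBT key")
    elif image.lower() not in OK_IMAGE:
        findings.append("unexpected ImagePath: " + image)
    return findings

# Constructed sample input (not the file linked from the post).
HEX_PATH = ",".join("%02x" % b for b in "system32\\DRIVERS\\netbt.sys\0".encode("utf-16-le"))
GOOD_REG = ("Windows Registry Editor Version 5.00\r\n\r\n[" + NETBT_KEY + "]\r\n"
            '"Start"=dword:00000001\r\n"ImagePath"=hex(2):' + HEX_PATH[:75]
            + "\\\r\n  " + HEX_PATH[75:] + "\r\n\r\n[" + NETBT_KEY + "\\Parameters]\r\n")
BAD_REG = GOOD_REG + ("[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                      "\\ExampleOther]\r\n\"Start\"=dword:00000002\r\n")

if __name__ == "__main__":
    print(audit_reg(GOOD_REG), audit_reg(BAD_REG))
    print(classify_driver(b"MSCF" + b"\0" * 60))
```

On a real machine, read the candidate driver with `open(path, "rb").read()` and the export with `open(path, encoding="utf-16").read()`, since Registry Editor 5.00 exports are UTF-16.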
Also be sure to give the c:\reset.log a look and then delete it.

Here is the start of the contents of my reset.log:

reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0
.......................................................
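To make the review of c:\reset.log easier before deleting it, the following added example (not part of the original post) parses the log into one record per change and keeps the previous values the log records. The line format is inferred from the excerpt above, which also supplies the sample input.

```python
import re
from collections import Counter

# Line shapes inferred from the excerpt (assumption: the rest of the log matches).
ENTRY = re.compile(r"^(reset|deleted|added)\s+"
                   r"(SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\.+)$")
OLD = re.compile(r"^\s+old (REG_\w+) =\s*(.*)$")

def parse_reset_log(text):
    """Return one dict per logged change, with the previous value if recorded."""
    entries, cur = [], None
    for line in text.splitlines():
        m, o = ENTRY.match(line), OLD.match(line)
        if m:
            cur = {"action": m.group(1), "service": m.group(3).lower(),
                   "path": m.group(2).rstrip(), "old_type": None, "old": []}
            entries.append(cur)
        elif o and cur:
            cur["old_type"] = o.group(1)
            if o.group(2):
                cur["old"].append(o.group(2))
        elif cur and cur["old_type"] and line[:1].isspace() and line.strip():
            cur["old"].append(line.strip())   # further strings of the old value
    return entries

def summarize(entries):
    """Count changes per (service, action) for a quick overview."""
    return Counter((e["service"], e["action"]) for e in entries)

def previous_values(entries):
    """Map each path to the value it held before the reset, where logged."""
    return {e["path"]: e["old"] for e in entries if e["old"]}

# Lines copied from the excerpt above.
SAMPLE = r"""reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\DisableDynamicUpdate
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20DB6511-09CD-4E79-AC81-B5A083ECA316}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0
"""

if __name__ == "__main__":
    log = parse_reset_log(SAMPLE)
    for (svc, action), n in sorted(summarize(log).items()):
        print(svc, action, n)
    for path, old in previous_values(log).items():
        print(path, "was", old)
```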

78 comments:

  1. Thank you so much!!! After hours of trying to solve my issue, your step by step saved me!

  2. Worked for me after removing zero access rootkit, and running combofix, this got me back on the net, thanks

  3. WOW, good job! Worked perfect for me!

  4. Man i can not tell you how thankful I am for this. (spec the dL for the netbt reg file) Took me forever to figure out what was wrong and even longer to find this site. THANKS!

  5. thanks a lot man! u saved me a lot of time! thanks from berlin!

  6. Thank you so much. I've been working on trying to fix my internet woes for four and a half hours. I finally found this and was able to fix it in no time. Thanks again!

  7. Great write up thanks -- haven't done it yet but will tomorrow -- I'd come to the same conclusion and was looking for confirmation it should work.

    One thing --This machine is running XP SP 2 will the SP3 file work?
    If not any thoughts on where to get one?
    I'll be calling around tomorrow to see if anyone I know is running XP SP2 --wish me luck..
    Bob

  8. just wanted to say thanks... had the same problem and needed the registry key to force the netbt loading
    THX !!

  9. Wonderful :-)

    As it's a problem we're all having within a couple of weeks, I assume one of the current round of nasties is replacing the original file. V glad to have the fix, thanks.

  10. Hey Chris,

    Great post! Can you do a similar post for a Windows 7 machine having the same problem?

  11. Dude,

    You are the bomb. Thanks.

    TCB

  12. Thanks a million for the work you did. Great job with the walk through!!!

    Michael

  13. Another satisfied user in the UK East Midlands - thanks, Tony

  14. It worked!!! Thank you for your help

  15. Thank you for this information. Saved me a lot of digging. Customer is back online!

  16. YOU ARE A LEGEND!

    I have searched for hours on Google and Microsoft and everything else and tried a hundred things.
    Then I found this - did what you said - and I'm back up online!
    I'm very grateful. If you're ever in Perth, WA I will repay you (with food)! :-)

  17. THANKS for the great advice and for taking the time to post! I spent hours working this problem ... I had already found and replaced an infected netBT.sys, but needed your "extra steps" to make it all work. MANY THANKS!!! -QCR

  18. CHRIS – MY HERO!! Your skills and your time put into this resolution, on top of the FACT you put it out here in a worry free layout (that reg file was above and beyond) – Well let's just say I cannot express enough how much I appreciate it..

  19. I'll join the chorus - incredibly useful post, I'm only upset it took me 3 hours to find it. Thanks a million.

  20. You are a life saver! Thanks for sharing the info. -- nram

  21. Thumbs up dude, this helped me after MSSE deleted a trojan and took out NetBT with it.

    Microsoft - killing their own OS now...great...just great.

  22. Yet another Aussie thanks you from the bottom of his heart. After 5 hours of searching, I found your blog, and was back on the net in 5 minutes! Why you aren't in the top 10 searches of 2011 I'll never know! Thanks again.

  23. It's all been said before but props. Back to google to +1 this.

  24. Hi Chris,

    Thank you SO much for this article. I have seen this infection so much lately and with the netbt service being disabled, this came in a very timely manner. It just took many of us this long to find it! Thanks again!

  25. Great help.

    Had this problem occur after Malware Bytes seemingly deleted the NETBT service.

    Great walkthrough!!!!!

  26. Great article!! I had been working for 2 days on this. Still having a problem with local network name resolution on that machine, though. Thanks for all your hard work!

  27. Hey, I was having the exact same problem. However, it was AVG that whacked out my registry. I found the registry entry in my virus vault and did a restore. Fixed the problem. Would not have gone there without clues from here. THANKS MILLIONS!,
    Ken S.

  28. Thank you for the fantastic article! This did the trick and allowed me to reconnect to my Windows Home Server printers and shared folders!

  29. Hi! I have the exact same problem, except I am not sure what to do exactly. I'm not very tech-savvy. I tried to download that NetBT Service.reg file but it turns out to be in mp3 format, opened using Windows Media Player, and didn't work. Can you give me step by step instructions on what exactly to do? Thank you so much! Really hope you can help!

  30. THANKS!
    I am a Mac user, just helping a non-computer-savvy friend overcome a virus infestation. I am a Windows novice. So once I figured out where and what the $!%& the registry is, your fix worked like a charm. Many thanks!
    -Alan

  31. THANK you VERY VERY much. This is again very helpful.
    I got this NETBT problem after some virus infections and installing another virus scanner with a firewall which didn't work properly.
    Again thanks
    Regards,
    Henk

  32. I have had several computers that had this problem after removing Win32/sirefef infection. Before I always just told customer that windows needed reinstalled...
    But you ROCK
    you are a hero and should be a legend!
    THANK YOU

  33. Thanks a million. Removed the zeroaccess rootkit and you guessed it..... up and running fine now.

  34. Merci (THANKS) from France!!
    Network problem (no share access) after netbt.sys was deleted by KAV, resolved with this how-to.

  35. Thanks for the netbt.sys tip. The recovery procedure worked perfect!

  36. Glad I found this page. Had an old XP box that picked up an icky infection and the NetBT reg entry ended up getting deleted (by malware or by the programs used to remove it). Your reg entry dl (and the netsh commands) really helped.

    And, in case anyone else runs into similar problems...

    I had a bit of trouble with the netsh commands at first ("The procedure entry point MigrateWinsockConfiguration could not be located in dynamic link library MSWSOCK.dll"). Turns out there was a rootkit still hiding on the machine. TDSSKiller cleared it up (I think :insert spooky music here:) and seems to have restored the correct dll. The commands worked fine and I believe the system is finally back in order.

    Anyway, thanks for taking the time to share your knowledge - people like you make the Net a better place!

  37. Thank You - true expert how to. A note to follow up: After performing the netsh business, restart, then delete the nic device and rescan for hardware changes, then re-install sp3.

  38. I also wanted to express my thanks to you for writing this because it got me 2/3 of the way home. After I installed the reg key and executed the netsh commands, I had to reinstall the NIC driver. Great work on this!!!!

  39. WOW! Thank you so much! I've been working on this silly machine for 2 days now and after using 5 different tools to clean the zeroaccess rootkit infection, I thought I was in the clear...until I tried to access my network drives. Then came across your step-by-step here and voila! I'm working again! You sir are a true master and are so thoughtful to share your experience to prevent the headaches of others! Thank you, thank you, THANK YOU!
    - Beth ;)

  40. Thanks, you saved my life.
    http://www.indaloweb.es

  41. Sensational!! As a few of the posters have had, i was infected with the rootkit zero access. Finally got rid of it but it had stuffed up my network.
    I got the internet back but it took this excellent blog to get back my home network. Cheers.

    Replies
    1. BTW my machine is running Windows 7, so it works for that too. Not just XP. Thanks again

  42. Thank you for this recovery procedure. Today I had the same trouble with DHCP not working after removing the Trojan horse TR/Rootkit.Gen [TR/Sirefef.BP.1] with an Avira Recovery CD. After using your steps it now works fine. Thanks again!

  43. Sir:
    Thank you very much for posting this article. I had spent many, many hours wrestling with the consequences of that nasty R/Sirefef.BP.1 and your terrific article proved to be the fix I needed. Thank you so much. I searched your site but saw no vehicle for donations so I have taken the liberty of utilizing the donation at the wine section of Trader Joe's.
    Cheers! *clink*

    (If you do setup a donation vehicle please let me know)

  44. Thank you for the fix. You really started my day off in the right direction!!!

  45. My idol:

    Thanks to you I have got glory, so I don't know what I can say:

    THANKS A LOT FROM SPAIN.

  46. After hours of failed attempts, I knew I needed to reinstall netbios but couldn't figure out how.
    You saved me from a complete XP reinstall.

    I think I owe you a beer.

    Thanks so much
    Tom

  47. I don't get how everyone has resolved their issue, when the file he has to download is a sound file!??! Am I missing something? I've been working on my friend's computer for a month now and need to get this finished ASAP! I have the problem listed here as well as IPSec reg key missing/doesn't exist, local host is blocked and it seems my firewall is partly open as the log states it checks out OK, but shared access service is not running. Tcpip is OK, just not running. I believe this happened due to Microsoft's system itself; after all the research I have put into rebuilding my friend's machine, I have come to find out Microsoft made their own software/hardware set up to have the certificates expire and things go haywire causing the system to go rogue! Which is why we are all getting viruses and trojans, etc. Only thing is I have like 4 other systems of my own to work on regarding this! Any tips on how to get this done for good would be great as it has only seemed to be one thing after another.. sigh. Thanks in advance!

    Replies
    1. The file you download ("NetBT Service.reg") is really just a text file of registry entries and should not be opened by an audio player. If you run the command "regedit" manually you can go to File, Import and select the "NetBT Service.reg" file.

      You all probably want to fix the file associations on that machine as well, most likely others may be incorrect as well.

    2. FYI, the file you are providing is named and downloads as "NetBT.reg.mp3". Although registry editor can import the file if one selects "all files", it would be easier if the file itself did not have the .mp3 extension.

  48. Just fixed my friend's computer with this. Very straightforward and easy. Thanks a bunch.

  49. HI Chris,
    Let me echo the thanks from others on this thread. After many hours working on my daughter's computer you have returned my sanity. I now know how to screw up someone else's life if the sh!@ my off. Thanks

  50. This one could run & run! I was groping towards the solution (I'd already extracted netbt.sys and I was pondering the registry) but thanks a ton for sharing your neat pulling-together of the strands.
    One thing: I found your solution (via Google!) using the affected machine after manually entering the TCP/IP info [into the connection's properties]. Of course, as that cannot help anyone until they can read this, it could be a gotcha!

    Thanks again!

  51. Thanks, after hours of trying things I found your info and it worked just fine. Thank you kindly!

  52. Thank you very much!!!! I'd already been at it for a few hours and couldn't figure it out.

  53. Thank you for posting this. One more thing.. I could not see other PCs and their shares by name. In the TCP/IP properties (of my network adapter) on Advanced.. dialog and the WINS tab I enabled NetBIOS over TCP/IP. After this I could see shares on other PCs.

  54. Super Thanks!!! Really helpful procedure!!!

  55. Thank YOU!!!!!!

  56. My issue as well. Thank You!

  57. Thank you for your posting - helped me resolve my issues after removing a few trojans...

  58. Many thanks Chris - I successfully resolved a laptop network issue following the removal of Trojan virus/NetBT.sys infected. Thumb up !

  59. Hey, thank you very much. This is one fix that works, and is explained clearly and in enough detail to make implementation successful! Thanks especially for the .REG file!

  60. Thanks a lot, including the registry patch file was genius

  61. ooohay! Just wanted to count me in the statistics! It worked for me too! Thank you very much! :)

    PS: For those who went all through it and it didn't work, don't forget to reboot your system after running both codes on cmd!

  62. As the others said, thank you so much!!!!.

  63. Many many many Thanks!!!!! I finally found you! You are my hero!

  64. I spent hours yesterday getting rid of a virus off the PC so I was a bit upset this morning when I had this error. I came across your site while hunting around so with nothing to lose I gave it a go, and it worked beautifully. You are a treasure. Sincere thanks to you.

  65. Chris, Thanks for the work you have done. I followed your instructions, but when I tried "nbtstat -n" the response was "Fail to access NetBt driver -- NetBT may not be loaded". This is really beating me up. Can you help? The background is, I am trying to gain access to the internet via Firefox. My internet connection is not working. The device manager states all adapter are working fine. All of this started because of malware and spyware on my computer. Please help, James.

  66. You Da king!!!! Thank you soooo much!! :D

  67. Chris, after trying many, many, other fixes, this did the trick! Great work - clear, concise, (though a little scary). Thanks for your help! And thanks to all those who help others by posting their work on the web. Much appreciated. Don

  68. Holy cow, man, I can't describe how thankful I'm for this article.... after almost 2 days finally success. I owe you few cold beers, bro. Thanks!!!

  69. I have got no words, man... Thank you very much from Spain!!!

  70. Thanks for this very helpful post! I can't tell you how many hours I spent trying to fix this issue before I found your article..

  71. You certainly saved me from certain death (or at least a serious headache). Thanks a lot!


Please leave a comment; someone, anyone!