#1
It started when I realized I was infected with Malware/Spyware. The machine has since been cleaned & all traces of the infection have been removed.

Now I’m not able to view this PC on my network. I have 3 machines on the network that used to talk to each other, the infected one will not see the other 2 anymore... it knows they’re there but can’t connect. I’m having a DNS/NIC card/netbt issue or a combination of several things. I tried the registerdns but it doesn’t work, spits this error msg out (#4).

FLYERS16 (Vista Ult.) is the machine with the problem. 16FLYERS (XP) is machine #2... and machine #3 (XP) is off now. Network card is an Intel PRO/1000 PL. I’ve bounced between assigning an IP & obtaining one automatically... no change.

Here are the errors I receive that I’m certain are the problem, any chance anyone can make heads or tails of these? Any advice or help would be greatly appreciated. thanks...

1.)

    Log Name: System
    Source: BROWSER
    Date: 4/20/2008 5:41:51 PM
    Event ID: 8032
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: FLYERS16
    Description:
    The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}. The backup browser is stopping.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="BROWSER" /> <EventID Qualifiers="49152">8032</EventID> <Level>2</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2008-04-20T21:41:51.000Z" /> <EventRecordID>59345</EventRecordID> <Channel>System</Channel> <Computer>FLYERS16</Computer> <Security /> </System> <EventData> <Data>\Device\NetBT_Tcpip_{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}</Data> <Binary>35000000</Binary> </EventData> </Event>

2.)

    Log Name: System
    Source: BROWSER
    Date: 4/20/2008 5:40:09 PM
    Event ID: 8021
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: FLYERS16
    Description:
    The browser service was unable to retrieve a list of servers from the browser master \\16FLYERS on the network \Device\NetBT_Tcpip_{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}.
    Browser master: \\16FLYERS
    Network: \Device\NetBT_Tcpip_{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}
    This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="BROWSER" /> <EventID Qualifiers="32768">8021</EventID> <Level>3</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2008-04-20T21:40:09.000Z" /> <EventRecordID>59341</EventRecordID> <Channel>System</Channel> <Computer>FLYERS16</Computer> <Security /> </System> <EventData> <Data>\\16FLYERS</Data> <Data>\Device\NetBT_Tcpip_{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}</Data> <Binary>35000000</Binary> </EventData> </Event>

3.)

    Log Name: System
    Source: netbt
    Date: 4/19/2008 8:40:42 AM
    Event ID: 4311
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: FLYERS16
    Description:
    Initialization failed because the driver device could not be created. Use the string "101111111111" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="netbt" /> <EventID Qualifiers="49152">4311</EventID> <Level>2</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2008-04-19T12:40:42.656Z" /> <EventRecordID>49748</EventRecordID> <Channel>System</Channel> <Computer>FLYERS16</Computer> <Security /> </System> <EventData> <Data> </Data> <Data>101111111111</Data> <Binary>000000000200320000000000D71000C0130100003B 0000C000000000000000000000000000000000</Binary> </EventData> </Event>

4.)

    Log Name: System
    Source: DnsApi
    Date: 4/26/2008 8:11:44 AM
    Event ID: 11150
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: FLYERS16
    Description:
    The system failed to register network adapter with settings:
    Adapter Name : {2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}
    Host Name : FLYERS16
    Adapter-specific Domain Suffix : hsda.pa.comcast.net
    DNS Server list : 192.168.1.1
    Sent update to server : <?>
    IP Address(es) : 192.168.1.103
    The cause of this DNS registration failure was because the DNS update request timed out after being sent to the specified DNS Server. This is probably because the authoritative DNS server for the name being updated is not running. You can manually retry registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your network systems administrator to verify network conditions.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="DnsApi" /> <EventID Qualifiers="32768">11150</EventID> <Level>3</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2008-04-26T12:11:44.000Z" /> <EventRecordID>59977</EventRecordID> <Channel>System</Channel> <Computer>FLYERS16</Computer> <Security /> </System> <EventData> <Data>{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}</Data> <Data>FLYERS16</Data> <Data>hsda.pa.comcast.net</Data> <Data> 192.168.1.1</Data> <Data><?></Data> <Data>192.168.1.103</Data> <Data> </Data> <Binary>B4050000</Binary> </EventData> </Event>
#2
Hi flyers16 and welcome to CTH.

Interesting one you have here. Can you run ipconfig /all on the problem machine and post all the output back here? It will provide some insight to the basic setup you have. Also, somewhat out of curiosity, can you ping 16flyers from flyers16?

Thanks
z1p
#3
Hi Zip.....many thanks for the reply, yes....this one is tricky.

The problem machine can indeed ping both boxes, using the ip address & network name, this tells me DNS is working.....and not only can I see the problem machine from the other 2 working boxes, I can pass files back & forth. I'm trying to figure out where the mac address is coming from referenced in the error log, can't seem to match that address anywhere on the problem machine, and the only mac address I can't seem to account for is the one for my bluetooth, don't know yet how to find the address for it. I have yet to bounce the Intel nic card drivers.....mac address didn't match it & I didn't want to make things worse....but maybe the driver is corrupted ...obviously not sure, makes no sense it can't see the network now.

Below is my ipconfig /all output...........thanks again.

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : FLYERS16
       Primary Dns Suffix . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : hsda.pa.comcast.net

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix . : hsda.pa.comcast.net
       Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
       Physical Address. . . . . . . . . : 00-16-76-DB-BC-E6
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::8965:153a:ae04:a80e%7(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, April 28, 2008 12:56:22 PM
       Lease Expires . . . . . . . . . . : Thursday, May 01, 2008 12:18:23 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 10:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:3034:21ac:3f57:fe98(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3034:21ac:3f57:fe98%9(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 11:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . : hsda.pa.comcast.net
       Description . . . . . . . . . . . : isatap.hsda.pa.comcast.net
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
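
Added example, not part of any post in this thread: the cross-check described in post #3, done in Python by pulling interface identifiers out of the Event XML from post #1 and comparing MAC-shaped strings against the physical addresses in the ipconfig /all output. The function and variable names are assumptions made for this illustration; the event data is trimmed from events 1 and 3 as posted.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")

# Events 1 and 3 from post #1, trimmed to the elements this script reads.
EVENTS = [
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    r'<System><Provider Name="BROWSER" /><EventID Qualifiers="49152">8032</EventID></System>'
    r'<EventData><Data>\Device\NetBT_Tcpip_{2BE3D013-4252-4CB3-A3A7-CCCA0A521E07}</Data>'
    r'</EventData></Event>',
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    r'<System><Provider Name="netbt" /><EventID Qualifiers="49152">4311</EventID></System>'
    r'<EventData><Data> </Data><Data>101111111111</Data></EventData></Event>',
]

# Physical addresses from the ipconfig /all output in post #3.
ADAPTERS = {
    "Intel(R) PRO/1000 PL Network Connection": "00-16-76-DB-BC-E6",
    "Teredo Tunneling Pseudo-Interface": "02-00-54-55-4E-01",
    "isatap.hsda.pa.comcast.net": "00-00-00-00-00-00-00-E0",
}

def normalize_mac(text):
    """Strip separators so 00-16-76-DB-BC-E6 and 001676DBBCE6 compare equal."""
    return re.sub(r"[-:.]", "", text).upper()

def interface_refs(event_xml, adapters):
    """Return (provider, event_id, refs); each ref is (kind, value, adapter or None)."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.find("e:System/e:EventID", NS).text)
    by_mac = {normalize_mac(mac): name for name, mac in adapters.items()}
    refs = []
    for data in root.findall("e:EventData/e:Data", NS):
        value = (data.text or "").strip()
        guid = GUID_RE.search(value)
        if guid:
            # Transport names embed the adapter GUID; the ipconfig output
            # in post #3 does not show it, so it is reported unmatched.
            refs.append(("guid", guid.group(0).upper(), None))
        elif MAC_RE.fullmatch(value):
            refs.append(("mac", value.upper(), by_mac.get(value.upper())))
    return provider, event_id, refs

if __name__ == "__main__":
    for xml_text in EVENTS:
        print(interface_refs(xml_text, ADAPTERS))
```

For these two events it reports the adapter GUID for event 8032 and a MAC-shaped string for event 4311 that matches none of the listed physical addresses.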
#5
Really thought this was going to fix it......guess it's because I know nothing about Winsock & my IPStack, but after reading that it could be corrupted by spyware, I was hoping this would do the trick.

The commands ("netsh winsock reset catalog", "netsh int ip reset ipreset.log" & "netsh interface ip delete arpcache") ran just the way they were supposed to.....even received the message saying I need to reboot to complete the refresh (except for the ARP cmd).......but no change after both reboots, still can't see the network. If I can locate my exact nic card driver I'll probably go ahead & uninstall/reinstall it....not sure what else to check......and I sure don't feel like reinstalling the O/S......