Author Topic: What does "Error 42125" mean?  (Read 26099 times)

TB303

  • Guest
What does "Error 42125" mean?
« on: June 27, 2005, 08:59:22 AM »
Hi people,

I'm using Avast home 4.1 - to try and clean my worm infected computer.
It keeps cleaning the worm and then it comes back...

I'm doing an offline (pre-boot) scan, and it just listed a bunch of files (appears to be my HP printer driver related) as "Error 42125".

What does it mean and should I be concerned about it?

thanks.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: What does "Error 42125" mean?
« Reply #1 on: June 27, 2005, 09:41:09 AM »
Hi TB303,

You can find the answer to your question regarding Error 42125 in this thread:

http://forum.avast.com/index.php?topic=13762.0

You will need to ensure that you have a firewall and that your operating system is up to date or the worm will keep coming back.

What is your operating system, and what is the version?

Are you protected by a firewall?

You could do a HijackThis scan and post the log file: this will give us the information we need and we can also check that your system is clean.

Instructions here:

http://www.bleepingcomputer.com/forums/tutorial42.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #2 on: June 27, 2005, 09:54:49 AM »
Thanks very much mate.

I have an XP Sp1 system, with NO firewall.
I used to have Norton 2005 - and I thought it was updated (it was, maybe a week ago).

I never really had a virus for over two years, then one day my wife sits down and says that my user is trying to send 300 mail messages (the virus) - Luckily, I didn't have Outlook configured so it couldn't send it...

Anyway, the Norton said it's a Rootkit virus/worm and he couldn't fix it.
So I tried NOD32, and Avast - which so far seems the most competent.

but it still comes back.

I will do the Hijack this log and post it back here.

thanks for the quick reply!

Offline FreewheelinFrank

Re: What does "Error 42125" mean?
« Reply #3 on: June 27, 2005, 10:43:13 AM »
Hi again TB303,

Having more than one anti-virus on your computer at the same time can cause conflicts and errors.

If you decide to stick with avast!, you will need to thoroughly remove the other two. Norton can be tricky to remove completely, but there are removal tools available from Symantec. A quick search of the forum should bring up more information and links.

Rootkits can be tricky.

The new Microsoft Malicious Software Removal Tool will remove some rootkits and many worms. Download it here:

http://www.microsoft.com/security/malwareremove/default.mspx

I would also like you to download the F-Secure rootkit detection tool, run a scan and report what it says:

http://www.f-secure.com/blacklight/

Please turn on the XP firewall straight away:

http://www.geocities.com/dontsurfinthenude/firetut.htm

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #4 on: June 27, 2005, 11:09:41 AM »
Hi People,

Thanks for the suggestions!

I've booted again and Avast is running so I hope the virus is gone.
Just one troubling thing: I can't update my windows - whenever I point the Explorer to windowsupdate - and it just won't load the page.

If I try to surf elsewhere it works... Sadly it won't let me update windows through the Firefox... ;-))

Here is my HiJack this log file:

(Tried to post it, but it's too long, hope it is attached)

See if that means anything to you.

PS
Thanks for all the help so far!!

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #5 on: June 27, 2005, 11:18:18 AM »
Quick update:

I ran both MSantispyware tool and F-Secure Rootkit, and none of them found anything suspicious.

1. I ran them in normal user mode, should I have done it in "Safe mode"?
2. The Internet Explorer still can't connect to Windows update, a suspicious sign?

Thanks for all the help!!

Offline FreewheelinFrank

Re: What does "Error 42125" mean?
« Reply #6 on: June 27, 2005, 11:38:11 AM »
Hi TB303,

The HijackThis! log shows a worm infection.

It seems to be an old worm (2002) so avast! should detect it.

Can you please make sure that you have updated avast!'s virus definitions and do a boot time scan?

Right click the avast! globe and select Start avast! Antivirus.

avast! will do a memory scan: if it finds a virus or worm in memory, it will prompt you to do a boot time scan: accept this and reboot.

If avast! doesn't find anything in memory, schedule a boot time scan. (Click the button at the top left of the avast! silver console and select Schedule boot time scan from the drop-down menu.)

If avast! detects a file called ntkrnl.exe, please delete it.

Full HijackThis! log file analysis will follow later today.

Please do not try to update until we have cleaned your computer: installing SP2 on top of malware can cause instability.

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #7 on: June 27, 2005, 01:09:13 PM »
Frank,

I've done several boot-time runs in Avast and it doesn't discover anything anymore.
I also made sure it is updated.

An old worm seems weird as this computer was kept in top notch condition, I made sure the windows and NAV are updated...


PS
I by now managed to uninstall NAV and Avast works fine now.

So what should I do now?

thanks!

Offline FreewheelinFrank

Re: What does "Error 42125" mean?
« Reply #8 on: June 27, 2005, 01:39:35 PM »
TB303,

According to HijackThis! you have a running process called ntkrnl.exe which is part of the worm CERVIVEC.A.

http://securityresponse.symantec.com/avcenter/venc/data/w32.cervivec.a@mm.html

It's curious that such an old worm would not be detected.

These are the removal instructions from Symantec.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

Kernel Loader         %Windows%\System32\ntkrnl.exe -LOADDRIVER=TRUE

5. Click Registry, and click Exit.
6. Shut down the computer, wait thirty seconds and then restart the computer.  (Do not skip this step).

Please follow this advice and report what you find.
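As an added illustration (not part of the original thread or of Symantec's instructions), the Run-key check from the steps above can be run over the text output of `reg query` for that key. The sample output is constructed and the function names are hypothetical; only the value name "Kernel Loader" and the file name ntkrnl.exe come from the post.

```python
import re

# Indicators taken from the removal instructions quoted in the post above.
IOC_VALUE_NAME = "kernel loader"
IOC_IMAGE_NAME = "ntkrnl.exe"

# One indented line per value: name, registry type, data.
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# First path component ending in .exe, with or without surrounding quotes.
IMAGE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

def parse_run_key(text):
    """Return (name, type, data) tuples from `reg query`-style output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"].strip(), m["type"], m["data"].strip()))
    return entries

def image_name(command):
    """Lower-cased executable file name of a Run command line, or None."""
    m = IMAGE_RE.search(command)
    return m.group(1).lower() if m else None

def find_suspect_entries(text):
    """Flag values matching the post's value name or image name."""
    hits = []
    for name, _type, data in parse_run_key(text):
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if image_name(data) == IOC_IMAGE_NAME:
            reasons.append("image name")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample output, not taken from the poster's machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    PrinterTray    REG_SZ    "C:\Program Files\Printer\tray.exe" /min
    Kernel Loader    REG_SZ    C:\WINDOWS\System32\ntkrnl.exe -LOADDRIVER=TRUE
    Updater    REG_SZ    "C:\WINDOWS\system32\NTKRNL.EXE"
"""

if __name__ == "__main__":
    for name, data, reasons in find_suspect_entries(SAMPLE):
        print(f"{name!r}: {data} (matched on {', '.join(reasons)})")
```

An empty result only covers the key that was exported.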

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #9 on: June 27, 2005, 02:45:04 PM »
Thanks for your suggestions,
I've followed them and couldn't find the value you've mentioned. In fact I've searched for: "ntkrnl.exe" and didn't find it in the whole registry...

Weird, no?

I'll restart and try again, but I doubt it will show up.

I still can't access the windows update website, but other than that the computer looks and works normally (Avast running all the time not detecting anything)

PS
ULTRA-MEGA thanks for all the help!!

Offline FreewheelinFrank

Re: What does "Error 42125" mean?
« Reply #10 on: June 27, 2005, 02:53:41 PM »
TB303,

Please can you go to Jotti's virus scanner and submit the file:

c:\WINDOWS\system32\ntkrnl.exe

for analysis.

http://virusscan.jotti.org/

If you can find and upload the file, please copy and paste the results here.

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #11 on: June 27, 2005, 04:03:33 PM »
Mate,
I searched for the file: ntkrnl.exe - and I can't find it.

Please find the attached Hijackthis updated log - it does not include ntkrnl.exe in it.

Also I've updated Avast again and ran a pre-boot scan - it found nothing except for a few files that generated: "Error 0XC0000022" - ?

Also, I still can't access windowsupdate.microsoft.com - what can it possibly be?

thanks for all the help mate!

TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #12 on: June 27, 2005, 04:04:03 PM »
This time actually attached...

Offline FreewheelinFrank

Re: What does "Error 42125" mean?
« Reply #13 on: June 27, 2005, 04:27:22 PM »
Hi TB303,

No probs mate!

Quote
the error 0xC0000022 means the computer account's password is invalid

http://support.microsoft.com/default.aspx?scid=kb;EN-US;150518

Can you try going to:

Tools>Internet Options>Security>Internet 

in IE.

Make sure the security level is set to medium.

Can you update now? Are there any error messages?


TB303

  • Guest
Re: What does "Error 42125" mean?
« Reply #14 on: June 27, 2005, 04:36:11 PM »
Mate,

I tried changing the security settings, it says custom settings, but I've reset them to Medium and then even Low - it still won't update. Every other site works well...

Actually except the online virus scanners I tried - maybe it's related?

Doesn't give any error message (not even 404) - just remains blank.

Any ideas?