What does "Error 42125" mean?

Hi people,

I’m using Avast home 4.1 - to try and clean my worm infected computer.
It keeps cleaning the worm and then it comes back…

I’m doing an offline (pre-boot) scan, and it just listed a bunch of files (appears to be my HP printer driver related) as “Error 42125”.

What does it mean and should I be concerned about it?

thanks.

Hi TB303,

You can find the answer to your question regarding Error 42125 in this thread:

http://forum.avast.com/index.php?topic=13762.0

You will need to ensure that you have a firewall and that your operating system is up to date or the worm will keep coming back.

What is your operating system, and what is the version?

Are you protected by a firewall?

You could do a HijackThis scan and post the log file: this will give us the information we need and we can also check that your system is clean.

Instructions here:

http://www.bleepingcomputer.com/forums/tutorial42.html

Thanks very much mate.

I have an XP Sp1 system, with NO firewall.
I used to have Norton 2005 - and I thought it was updated (it was, maybe a week ago).

I never really had a virus for over two years, then one day my wife sits down and says that my user is trying to send 300 mail messages (the virus) - Luckily, I didn’t have outlook configured so it couldn’t send it…

Anyway, the Norton said it’s a Rootkit virus/worm and he couldn’t fix it.
So I tried NOD32, and Avast - which so far seems the most competent.

but it still comes back.

I will do the Hijack this log and post it back here.

thanks for the quick reply!

Hi again TB303,

Having more than one anti-virus on your computer at the same time can cause conflicts and errors.

If you decide to stick with avast!, you will need to thoroughly remove the other two. Norton can be tricky to remove completely, but there are removal tools available from Symantec. A quick search of the forum should bring up more information and links.

Rootkits can be tricky.

The new Microsoft Malicious Software Removal Tool will remove some rootkits and many worms. Download it here:

http://www.microsoft.com/security/malwareremove/default.mspx

I would also like you to download the F-Secure rootkit detection tool, run a scan and report what it says:

http://www.f-secure.com/blacklight/

Please turn on the XP firewall straight away:

http://www.geocities.com/dontsurfinthenude/firetut.htm

Hi People,

Thanks for the suggestions!

I’ve booted again and Avast is running so I hope the virus is gone.
Just one troubling thing: I can’t update my windows - whenever I point the Explorer to windowsupdate - and it just won’t load the page.

If I try to surf elsewhere it works… Sadly it won’t let me update windows through the Firefox… ;-))

Here is my HiJack this log file:

(Tried to post it, but it’s too long, hope it is attached)

See if that means anything to you.

PS
Thanks for all the help so far!!

Quick update:

I ran both MSantispyware tool and F-Secure Rootkit, and none of them found anything suspicious.

  1. I ran them in normal user mode, should I have done it in “Safe mode”?
  2. The Internet Explorer still can’t connect to Windows update, a suspicious sign?

Thanks for all the help!!

Hi TB303,

The HijackThis! log shows a worm infection.

It seems to be an old worm (2002) so avast! should detect it.

Can you please make sure that you have updated avast!'s virus definitions and do a boot time scan?

Right click the avast! globe and select Start avast! Antivirus.

avast! will do a memory scan: if it finds a virus or worm in memory, it will prompt you to do a boot time scan: accept this and reboot.

If avast! doesn’t find anything in memory, schedule a boot time scan. (Click the button at the top left of the avast! silver console and select Schedule boot time scan from the drop-down menu.)

If avast! detects a file called ntkrnl.exe, please delete it.

Full HijackThis! log file analysis will follow later today.

Please do not try to update until we have cleaned your computer: installing SP2 on top of malware can cause instability.

Frank,

I’ve done several boot-time runs in Avast and it doesn’t discover anything anymore.
I also made sure it is updated.

An old worm seems weird as this computer was kept in top notch condition, I made sure the windows and NAV are updated…

PS
I by now managed to uninstall NAV and Avast works fine now.

So what should I do now?

thanks!

TB303,

According to HijackThis! you have a running process called ntkrnl.exe which is part of the worm CERVIVEC.A.

http://securityresponse.symantec.com/avcenter/venc/data/w32.cervivec.a@mm.html

It’s curious that such an old worm would not be detected.

These are the removal instructions from Symantec.

  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the following value:

Kernel Loader %Windows%\System32\ntkrnl.exe -LOADDRIVER=TRUE

  5. Click Registry, and click Exit.
  6. Shut down the computer, wait thirty seconds and then restart the computer. (Do not skip this step).

Please follow this advice and report what you find.

Thanks for your suggestions,
I’ve followed them and couldn’t find the value you’ve mentioned. In fact I’ve searched for: “ntkrnl.exe” and didn’t find it in the whole registry…

Weird, no?

I’ll restart and try again, but I doubt it will show up.

I still can’t access the windows update website, but other than that the computer looks and works normally (Avast running all the time not detecting anything)

PS
ULTRA-MEGA thanks for all the help!!

TB303,

Please can you go to Jotti’s virus scanner and submit the file:

c:\WINDOWS\system32\ntkrnl.exe

for analysis.

http://virusscan.jotti.org/

If you can find and upload the file, please copy and paste the results here.

Mate,
I searched for the file: ntkrnl.exe - and I can’t find it.

Please find the attached Hijackthis updated log - it does not include ntkrnl.exe in it.

Also I’ve updated Avast again and ran a pre-boot scan - it found nothing except for a few files that generated: “Error 0XC0000022” - ?

Also, I still can’t access windowsupdate.microsoft.com - what can it possibly be?

thanks for all the help mate!

This time actually attached…

Hi TB303,

No probs mate!

The error 0xC0000022 means the computer account's password is invalid.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;150518

Can you try going to:

Tools>Internet Options>Security>Internet

in IE.

Make sure the security level is set to medium.

Can you update now? Are there any error messages?

Mate,

I tried changing the security settings, it says custom settings, but I’ve reset them to Medium and then even Low - it still won’t update. Every other site works well…

Actually except the online virus scanners I tried - maybe it’s related?

Doesn’t give any error message (not even 404) - just remains blank.

Any ideas?

Just to ensure that Norton has completely gone could you run SymNRT.exe available here:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

I think I have found the real problem now.

Can you please run HijackThis! again and check the tick box for this entry:

O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe

Then click the fix it button.

You should be asked to reboot.

Upon rebooting, go to Start>Run and enter cmd

At the command prompt enter:

sc delete netbios helper service

This service is an adserver redirector and must be removed:

http://castlecops.com/o23list-201.html
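Added example, not part of the original thread and not code from HijackThis or avast!: a small triage script for the two kinds of log entry the helpers looked at here, the `Run` autostart value (O4) and the service entry (O23). The O23 layout follows the line quoted above; the O4 layout and the sample log are assumptions constructed for illustration, and the file-name list contains only names mentioned in this thread.

```python
import re

# File names the helpers in this thread tied to the infection (taken from the thread).
THREAD_NAMES = {"ntkrnl.exe", "altsvc.exe", "msdirectx.sys"}

# Assumed HijackThis layouts: O4 = autostart value, O23 = service entry.
O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>[A-Za-z]:\\.+)$")
BINARY = re.compile(r'([^\\/:*?"<>|]+\.(?:exe|sys|dll|scr|com))', re.I)

def triage(log_text):
    """Return (line_no, entry_name, binary, reasons) for entries worth a manual look."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = O4.match(line.strip()) or O23.match(line.strip())
        if not m:
            continue
        hit = BINARY.search(m.group("cmd"))
        binary = hit.group(1).lower() if hit else ""
        reasons = []
        if binary in THREAD_NAMES:
            reasons.append("file name reported in this thread")
        # "Unknown owner" only means the file carries no vendor information;
        # combined with a system32 path it is a prompt to verify, not a verdict.
        owner = m.groupdict().get("owner", "")
        if owner.lower() == "unknown owner" and "\\system32\\" in m.group("cmd").lower():
            reasons.append("service without owner information running from system32")
        if reasons:
            findings.append((no, m.group("name"), binary, reasons))
    return findings

# Constructed sample log (not the poster's attachment).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Example Tray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [Kernel Loader] C:\WINDOWS\System32\ntkrnl.exe -LOADDRIVER=TRUE
O23 - Service: Example Update Service - Example Corp - C:\Program Files\Example\upd.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
"""

if __name__ == "__main__":
    for no, name, binary, reasons in triage(SAMPLE_LOG):
        print(f"line {no}: {name} ({binary}): {'; '.join(reasons)}")
```

Anything the script lists still needs the manual checks described in the thread (file scan, vendor lookup) before it is removed.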

Frank,
Thanks for the ideas…

In the mean time, I thought the computer was working properly, so I tried to turn off the ADSL’s connection firewall, thinking that might be blocking Windows update…

A second afterwards Avast started warning against “Msdirectx.sys” worm, after telling it to delete it it popped up again a second later. I disconnected, re-instated the firewall, and started doing a pre-boot scan…

So I will try all those ideas the moment it finishes (so far it found one file and deleted it).

Many thanks for your help mate.

Do you work at Avast?

Thanks,
Me.

Good luck!

No, I don’t work for avast!

I just keep an eye on the forum and try to help anybody with a problem when I have some free time.

Damn,
Avast just finished doing the pre-boot scan - found one file, deleted it.
I booted again normally and there it was again!!!

This is driving me nuts.

I’ve booted into safe mode…