Everything posted by cluberti

  1. Service pack 3 was released in April of 2008. The Conficker worm patch was MS08-067, from October 2008.
  2. Considering your symptoms are classic Conficker worm symptoms, I'd say it would be best to do these (at least 4, possibly 6) things:
       1. Remove the computer from any network connections - it's an active aggressor in trying to infect other machines, removable media, etc. Pull the network plug!
       2. From another non-infected PC, download Microsoft's latest Malicious Software Removal Tool release
       3. Optional - from another non-infected PC, download the latest version of Microsoft Security Essentials and the latest definition files
       4. Again, from another non-infected PC, copy the MSRT (and MSE, if you downloaded it from the link above) to a USB key or burn to a CD (if you copy these files to a USB key, mark it read-only before you plug it into the affected PC or the USB key will become infected as well)
       5. Install and run the MSRT on the infected machine (still unplugged from any network connections) to clean the infection of the Conficker worm
       6. Optional - if you downloaded MSE and the latest definitions, install both MSE and the latest definitions to scan the machine for the existence of any other malware or virus activity - clean anything found. If anything is found, scan again (and again, and again) until the machine is listed as "clean".
     Once the machine is clean, enable the Windows firewall or any installed 3rd party firewall software (if it isn't enabled) and visit the Windows Update site to make sure you have all the latest service packs and patches for your OS (considering this was first patched back in October 2008, and you're infected, it sounds like you may have fallen behind).
  3. Not entirely true - but probably not online, though, no. You would have to edit the registry with a bootable disc and set the service(s) to a start value of 4. A good way to kill it though is to uninstall it - that almost always works.
  4. Well, then I have no idea. I've never had that happen to me before, but I'm not running diskpart on W2K3 anymore so it's possible you've found a bug. What's not likely is that if you found one they'd fix it unless you could repro it against 2008 or 2008 R2.
  5. Exactly my point - this is not one of those hotfixes you want to install unless you absolutely are having the issue the fix is meant to address.
  6. You haven't run a select command on a volume - so it's hiding ALL fixed volumes. It's doing what you told it to do.
  7. No, but the error message is "ERROR_UNEXP_NET_ERR", so getting a network trace of the failure would be a good start.
  8. I'm assuming you're running these manually - after you SEL VOL 2, run LIST PART to see what partitions it thinks are on volume 2. I'm guessing it'll be all of them.
  9. We're in the middle of a bit of database and site migration and maintenance, so things might be a little iffy for a bit. Hopefully when it's all done you'll find it was worth it.
  10. APIs come from .dlls on the system - you'd probably have to port the entire Windows Help subsystem to WinPE to get the Desktop Helper APIs, as they're a part of Windows Help. I think you might be better off looking at something a bit more portable, unless you want to see this through via trial and error.
  11. Running cmd files during setup requires careful planning, as the whole system isn't fully installed yet at places where you can accomplish this. It would be better to use $OEM$ folders and cmdlines or svcpack (again, as per the unattended guide) if you're worried about disc removal.
  12. Yes, as will Windows 2000 in general, so there will be no more fixes for W2K, period.
  13. The point was the fix was for specific hardware (mostly older Thinkpads), so unless you needed this one, it didn't make sense to actually install it. It gives you nothing.
  14. Here's a question though - if you make a test image following the same steps as before, but use sysprep -mini -reseal -pnp to force a pnp reseal and reboot into mini setup and then reboot back into windows (don't capture it, just see what happens after sysprep), does it work? If so, the problem happens after you seal it (with ZEN) and I've heard of issues like this before with ZEN imaging, for what it's worth.
  15. If the process has locked itself onto the system using a driver (like spysweeper does), the only way you could reliably kill it would be using the debugger. If they've disabled debugger attach from the system, the only way to do it would be to use a kernel debugger from another machine. One thing you can do, however, is to use device manager to set the spysweeper driver to a start value of "disabled" (or 4, in the registry) and see if that does it on the next boot. If I remember correctly, spysweeper was almost virus-like in keeping itself running, for which I dumped it years ago (not to mention it's a horrible performance hog on slower machines).
  16. Hard to say what is happening from that mish mash of data without being able to interrogate memory, but I would say it's likely a driver issue or a bug that's been fixed since RTM. I would agree with MagicAndre, you should install SP2 and update your drivers for starters. If the issues continue, configure the system for a complete dump (with the requisite paging file size configured on the Windows volume) to get some real data about the issues.
  17. First, welcome to the forums. Second, you say it reproduces with or without using sysprep, which would indicate the problem might be the imaging itself - how are these computers being imaged?
  18. Just a wild guess, but what is the status of portfast on these switch ports? I've seen Cisco switches fail with similar errors before when portfast was disabled, but honestly if the driver is there and PXE works, it sounds like it could very well be a network config issue.
  19. You don't really need it, although it is nice when it works. It takes three steps to accomplish this manually (using a Vista or Win7 host makes this a bit easier later on):
       1. Clean, partition, format, and mark active the primary partition on the USB key (this should be obvious) via diskpart - FAT32 or NTFS, your choice
       2. Create an /nt60 bootsector on the key via bootsect.exe
       3. Copy the contents of the ISO to the USB key
     That's it. Bootable USB install key.
  20. As always, please ATTACH (not paste) your lastsession.ini file.
  21. You were banned for warez, please don't come back. Banned users who try to return are banned again immediately, no questions asked, no exceptions.
  22. Correct - it would be far better to whitelist applications than to try and lock things down as they pop up.
  23. No worries, but that's not quite what this is for. You might want to post a new topic in the Windows XP section for an XP profile issue.
  24. Yeah, because notepad gives you access to explorer, the system32 directory contains the script host (amongst other things). I'd say, bad security already.
  25. If you're using an account that exists on the remote W2K server, and you're sure it's good, you might want to get a network trace of the whole auth scheme - I'm guessing the W2K box is either using an auth scheme that's disabled by default on Win7, or you need to use .\<user> and <password> to print. If you save out a network trace somewhere we can look, perhaps we can help further. Otherwise, try connecting with .\<user> rather than machine\user or any other combo and see if it works.