slipstreaming xp sp3 in to wim image for cc4

[alextreadwell]

I have just moved jobs to a new school and they have bought cc4 and had RM install it on the servers for them but we have been installing the work stations. This week we have had a problem with a virus infecting the computers before they have a chance to install the antivirus package and get windows updates we are cleaning every computer and server disconnected from the net work and we think we have got rid of the virus but I want to slipstream sp3 in to the wim file on the server as it should help remove the vulnerability of the PC while installing has any one done this. I can find loads of info on making ISO with slipstreamed sp3 but nothing on wim files sorry for the lack of specific info as this has to be a quick post as I have more machines to scan and rebuild!!!

[computer_expert]

what i'd do is get a 'reference' PC to install XP/win updates/SP3/antivirus/firewall/other programs on, sysprep the machine, then capture the machine's image to the server and deploy that out to other stations.

as far as i know, its only vista (& higher OS) images that can have updates applied directly to the WIM image.

also, if you can, contact one of the mods to get the post moved to here (where you may get better answers) : http://www.edugeek.net/forums/o-s-deployment/

hope this helps

[PiqueABoo]

Will SP3 be enough e.g. stopping Conficker needs a post-SP3 KB.

There's no quick/easy answer to this... RM really need to sort out a fresher CC4 XP WIM image.

EDIT: Conficker turned out to be a bad example because the XP image in CC4 SR1 was created towards the end of Nov 2008 and *does* have KB959644 installed.

[Edu-IT]

How did they manage to get the virus if it's a new install?

Am I right in thinking that SP3 doesn't contain anything new, other than all the Windows updates which have been delivered since SP2?

[PiqueABoo]

How did they manage to get the virus if it's a new install?

Good question. I've updated my above response re. SR1 XPs so that's one obvious scenario out of the way.

[DMcCoy]

How did they manage to get the virus if it's a new install?

Am I right in thinking that SP3 doesn't contain anything new, other than all the Windows updates which have been delivered since SP2?

It has a lot of changes, including completely different Wireless and Wired authentication services along with a NAP client.

[Michael]

This week we have had a problem with a virus infecting the computers before they have a chance to install the antivirus package and get windows updates

Are you sure the virus isn't on the image itself? Microsoft released their patch towards the end of October 2008. There are also variants of the virus as described here. There's a patch available for XP SP2 and XP SP3.

As a precautionary measure I would disconnect the internet at router level so your machines can be imaged and patched safely. If you still have problems then there could well be a problem with your image.

[PiqueABoo]

The OP didn't say which virus it was (I mentioned Conficker as an example only).

CC4: The XP image is a standard one created/shipped with the system by RM or updated via SRs, not created locally. We'd have certainly heard some noise by now if any of them contained a known virus.

[Michael]

Thanks for clarifying this. It would be interesting to see what virus(es) are infecting the machines. I still think there's a possibility the image could contain the virus.

[alextreadwell]

yes it is conficker we are have disconnected internet unpluged all work stations patched and scanned servers and work stations disconnected form network. I'm going to reconnect every thing on tuesday is there any thing I have might need to do in addition to this I have tried a few machines and they have stayed virus free over night so its looking good as for how the virus got there I have no idea as it arrived before I did thanks for the info

[kmount]

It depends which few you've attached to the network, if the infection is only in a certain area which is still isolated you won't know until you reconnect them.

My personal advice would be to just flatten the lot of them with a reinstall after you're absolutely certain the servers are patched up and clean.

I can dig you out a script you can run if you reconnect everything and the infection continues; it will check an ip range and report back any potentially infected machines.

[PiqueABoo]

Umm.. for this IIRC you should make sure:

0) Scanners e.g. McAfees say all machines active on the network are clear.

1) None of your admin passwords are in the Conficker list.

2) Machines you are about to connect to the network have:
a) KB958644 installed
b) Working up-to-date AV

3) Don't log on to an infected machine as Admin when it's connected to the network. (Points 1 & 2 should stop any other machine being "got" but it's prudent).

Also obtain and get CC4 SR1 installed so you have an XM WIM build image with KB958644 integrated into it.