msupdatemon.exe causing connectivity problem

I have just formatted my computer and installed sp2 plus all critical
updates. Also I have installed the newest drivers for my hardware.

However exactly after I install service pack 2, the MS Update Monitor
(msupdatemon.exe), which runs at startup, tries to establish connection to
various servers. However these connections do not succeed so they stay as
SYN_SENT connections (through netstat). After a while the system reaches the
security limit for such connections (Event 4226 through event viewer) and my
browsing capabilities are gone.

I tried uninstalling sp2, and reinstaling it, didn't work... Reformatted and
did everything again, didn't work? In fact I checked with my friends computer
(who has xp, with sp2 installed, he doesn't even have a msupdatemon.exe file
in the computer. I have norton antivirus and did scans of my harddrive, no
viruses... even when I google msupdatemon.exe nothing comes up. So I'm really
bummed cause Microsoft has *no* documentation of this program and it's
causing my internet. (I manually have to end the process each time it's run
to continue browsing)

-Cinar

Hey Cinar,

Is "msupdatemon.exe" present when you first install the OS?

What servers is it trying to connect to?

Have you installed any 3rd party applications before installing SP2?


************************************************** *************************
**
Craig
Microsoft Setup Team

Search our Knowledge Base at http://support.microsoft.com/default.aspx

Travel to the Windows 2003 Homepage @
http://www.microsoft.com/windowsserver2003/default.mspx

Visit the Windows 2000 Homepage @
http://www.microsoft.com/windows2000/default.asp

See the Windows NT Homepage @
http://www.microsoft.com/ntserver/

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose.

The views and opinions expressed in this newsgroup posting are mine and do
not necessarily express or reflect the views and / or opinions of
Microsoft.
************************************************** *************************
***

Hi Craig,

msupdatemon isn't present when i just install windows xp. However it gets
installed right after I update to sp2. I don't install anything before I
update to sp2. What I basically did was exactly, format my drive, install
windows xp, when windows first runs internet is working, so I went to the
windows update site and installed all critical updates. And when I install
sp2 then the msupdatemon problem starts.

I'm a student in a university, so I am connected to the internet through the
campus network. The servers it's trying to connect to are on-campus IPs,
however they're not pingable (which makes sense since msupdatemon gets
SYN_SENT connections). I don't recognize the IPs otherwise. Our campus
network doesn't use proxies, so I have no proxies setup in my connections.

-Cinar

""Craig"" wrote:

> Hey Cinar,
>
> Is "msupdatemon.exe" present when you first install the OS?
>
> What servers is it trying to connect to?
>
> Have you installed any 3rd party applications before installing SP2?
>
>
> ************************************************** *************************
> **
> Craig
> Microsoft Setup Team
>
> Search our Knowledge Base at http://support.microsoft.com/default.aspx
>
> Travel to the Windows 2003 Homepage @
> http://www.microsoft.com/windowsserver2003/default.mspx
>
> Visit the Windows 2000 Homepage @
> http://www.microsoft.com/windows2000/default.asp
>
> See the Windows NT Homepage @
> http://www.microsoft.com/ntserver/
>
> NOTE: Please reply to the newsgroup and not directly to me. This allows
> others to add to and benefit from these threads and also helps to ensure a
> more timely response. Thank you!
>
> This posting is provided "AS IS" without warranty either expressed or
> implied, including, but not limited to, the implied warranties of
> merchantability or fitness for a particular purpose.
>
> The views and opinions expressed in this newsgroup posting are mine and do
> not necessarily express or reflect the views and / or opinions of
> Microsoft.
> ************************************************** *************************
> ***

Can you try this as a test:

1. Create 2 partitions on your local drive.
- one for the OS and the other for storage space.
- Install Windows XP without the network connection, remove the cable from
the machine

2. Download SP2 from:

http://www.microsoft.com/downloads/d...9DBE-3B8E-4F30
-8245-9E368D3CDB5A&displaylang=en
- save that on to the 2nd partition

3. Install SP2 (don't plug in the network cable)

Did that file come back?

I want to exclude the possibility that this file is being picked up from
the network.

It's highly suspicous that this .EXE is trying to contact your local
servers rather than going out to the internet.

Have you contacted your local technical support about this?

Can they assist with reading the packets being sent from your machine?

This file is not a Microsoft file.


************************************************** *************************
**
Craig
Microsoft Setup Team

Search our Knowledge Base at http://support.microsoft.com/default.aspx

Travel to the Windows 2003 Homepage @
http://www.microsoft.com/windowsserver2003/default.mspx

Visit the Windows 2000 Homepage @
http://www.microsoft.com/windows2000/default.asp

See the Windows NT Homepage @
http://www.microsoft.com/ntserver/

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose.

The views and opinions expressed in this newsgroup posting are mine and do
not necessarily express or reflect the views and / or opinions of
Microsoft.
************************************************** *************************
***

I finally figured it out.

I was thinking that msupdatemon was a temporary SP2 file that should've been
removed after the install was complete, that's why I never suspected a worm.
However after some thought, I deleted the file and all registry entries
associated with it, rebooted and everything seemed to work. I did full system
scan, and it didn't find anything.

Then this morning when the scheduled scan was going on, apparently it found
two temporary windows update files infected with w32.spybot.worm and deleted
them. Now I think my system is clean and safe.

The problem was that the worm would get in my computer between the time
frame (which is about 10minutes) installing XP and SP2. So the only way to
avoid being infected after a format - reinstall would be to disconnect the
computer from the internet and intall sp2 from a CD,

Thanks alot for you help,
-Cinar

""Craig"" wrote:

> Can you try this as a test:
>
> 1. Create 2 partitions on your local drive.
> - one for the OS and the other for storage space.
> - Install Windows XP without the network connection, remove the cable from
> the machine
>
> 2. Download SP2 from:
>
> http://www.microsoft.com/downloads/d...9DBE-3B8E-4F30
> -8245-9E368D3CDB5A&displaylang=en
> - save that on to the 2nd partition
>
> 3. Install SP2 (don't plug in the network cable)
>
> Did that file come back?
>
> I want to exclude the possibility that this file is being picked up from
> the network.
>
> It's highly suspicous that this .EXE is trying to contact your local
> servers rather than going out to the internet.
>
> Have you contacted your local technical support about this?
>
> Can they assist with reading the packets being sent from your machine?
>
> This file is not a Microsoft file.
>
>
> ************************************************** *************************
> **
> Craig
> Microsoft Setup Team
>
> Search our Knowledge Base at http://support.microsoft.com/default.aspx
>
> Travel to the Windows 2003 Homepage @
> http://www.microsoft.com/windowsserver2003/default.mspx
>
> Visit the Windows 2000 Homepage @
> http://www.microsoft.com/windows2000/default.asp
>
> See the Windows NT Homepage @
> http://www.microsoft.com/ntserver/
>
> NOTE: Please reply to the newsgroup and not directly to me. This allows
> others to add to and benefit from these threads and also helps to ensure a
> more timely response. Thank you!
>
> This posting is provided "AS IS" without warranty either expressed or
> implied, including, but not limited to, the implied warranties of
> merchantability or fitness for a particular purpose.
>
> The views and opinions expressed in this newsgroup posting are mine and do
> not necessarily express or reflect the views and / or opinions of
> Microsoft.
> ************************************************** *************************
> ***