Full Version: RPC attack
Mynck
I just got an RPC attack. How do I know? First of all, the System process was taking up tons of CPU power. I terminated all of the svchost.exe processes, and then an alert popped up. One that said that Windows needed to shut down. One that gave me a 60-second countdown and specified something about the RPC system as the reason for the shutdown.

If Windows really needed to shut down, there wouldn't have been a 60-second timer. It would've just shut down. I tried to get shutdown.exe running with the abort option, but it was lagging and I didn't manage to type it in time.

Right now I'm trying to do a spyware scan... enable the Windows firewall and such.
I have a question, though. Does anyone know anything about the folder, "C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e"?
The name seems really suspicious to me, but the contents seem to be legit enough.

I should probably get SP2 installed, huh?
anthonytc22
QUOTE(Mynck @ Apr 5 2006, 08:25 AM)
I just got an RPC attack. How do I know? First of all, the System process was taking up tons of CPU power. I terminated all of the svchost.exe processes, and then an alert popped up. One that said that Windows needed to shut down. One that gave me a 60-second countdown and specified something about the RPC system as the reason for the shutdown.

If Windows really needed to shut down, there wouldn't have been a 60-second timer. It would've just shut down. I tried to get shutdown.exe running with the abort option, but it was lagging and I didn't manage to type it in time.
*



You have to be careful with ending all of the svchost.exe threads. I have tried ending all of them before, and there is one of them that is system critical. I got the same exact "Windows will shutdown in 60 seconds" timer before when I tried ending all of them.

This has nothing to do with spyware, though. HOWEVER, your system being really slow is probably a good sign that something's gone wrong. I would recommend scanning with several different spyware scanners. Some excellent ones are Ad-aware, Spybot Search and Destroy, Webroot Spy Sweeper, and Microsoft AntiSpyware, to name a few.

QUOTE(Mynck @ Apr 5 2006, 08:25 AM)
I should probably get SP2 installed, huh?
*



My suggestion would be to install ALL the patches windowsupdate.com has to offer, SP2 included and everything else.
QUOTE(Mynck @ Apr 5 2006, 08:25 AM)
Right now I'm trying to do a spyware scan... enable the Windows firewall and such.
*


I would also not rely on Windows' internal firewall as it has been shown to be swiss cheese in terms of security. I would highly recommend a free alternative: Zone Alarm.

I have found it is quite a good setup, and it is quite sensitive to any suspicious incoming or exiting traffic.

QUOTE(Mynck @ Apr 5 2006, 08:25 AM)
Right now I'm trying to do a spyware scan... enable the Windows firewall and such.
I have a question, though. Does anyone know anything about the folder, "C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e"?
The name seems really suspicious to me, but the contents seem to be legit enough.
*


hmm, I have a similar file on my computer: "C:\WINDOWS\SoftwareDistribution\Download\a79bcfc22f1d4c15ae4840c3d535bd203a0a7506"

Opening it in Wordpad gives a text document starting with:

"LICENSE TERMS FOR MICROSOFT SOFTWARE
MICROSOFT WINDOWS MALICIOUS SOFTWARE REMOVAL TOOL

THESE LICENSE TERMS ARE AN AGREEMENT BETWEEN MICROSOFT CORPORATION (OR, IF APPLICABLE BASED....."

Seems like this folder is definitely Microsoft-made, and not from spyware (although the naming of the file is a bit weird).

Just my two cents. :)
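On the SoftwareDistribution\Download folder question above, an added example that is not from any poster in this thread: instead of judging the contents by opening a file in Wordpad, check the Authenticode signature of each file in the folder. It assumes PowerShell 3.0 or later (not present on a stock Windows XP install); the extension list and the subject-name match are assumptions of this example.

```powershell
# Added example, not from the thread. Default path is the folder Mynck quoted.
param(
    [string]$Folder = 'C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e'
)

# Assumption: extensions treated as "code" that should carry a signature.
$codeExtensions = '.exe', '.dll', '.sys', '.msi', '.msp', '.msu', '.cab'

$report = Get-ChildItem -LiteralPath $Folder -Recurse -File | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isCode = $codeExtensions -contains $_.Extension.ToLowerInvariant()

    # Status 'Valid' means the file hash matches and the chain ends in a trusted root.
    # The subject match is a heuristic (assumption), not a pinned certificate.
    $verdict = if ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*') {
        'Microsoft-signed'
    } elseif (-not $isCode) {
        'data file, unsigned is normal'
    } else {
        'REVIEW'
    }

    [pscustomobject]@{
        File    = $_.FullName
        Status  = $sig.Status
        Verdict = $verdict
    }
}

# Full listing, then a count of executable content that is unsigned,
# tampered with (HashMismatch) or signed by someone other than Microsoft.
$report | Sort-Object Verdict, File | Format-Table -AutoSize
$review = @($report | Where-Object { $_.Verdict -eq 'REVIEW' })
"{0} file(s) need a closer look" -f $review.Count
```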
Mynck
QUOTE(anthonytc22 @ Apr 5 2006, 07:34 AM)
You have to be careful with ending all of the svchost.exe threads.  I have tried ending all of them before, and there is one of them that is system critical. I got the same exact "Windows will shutdown in 60 seconds" timer before when I tried ending all of them.

I know that the svchost.exe processes are important system processes, but I've managed to end all of them before with no adverse effects. I'm pretty sure I did anyways. Well, in any case, I did it again, this time with shutdown.exe ready. I got rid of the process, canceled the shutdown, and stuff kept working. The GUI blinked for a second, and the networking manager died (heh), but otherwise everything worked.


QUOTE
I would also not rely on Windows' internal firewall as it has been shown to be swiss cheese in terms of security.

After doing everything I've described, enabling the firewall and doing the spyware scan (which found nothing), everything was back to normal. The System process went back to taking almost no CPU resources.


QUOTE
"LICENSE TERMS FOR MICROSOFT SOFTWARE
MICROSOFT WINDOWS MALICIOUS SOFTWARE REMOVAL TOOL

THESE LICENSE TERMS ARE AN AGREEMENT BETWEEN MICROSOFT CORPORATION (OR, IF APPLICABLE BASED....."

Seems like this folder is definitely Microsoft-made, and not from spyware (although the naming of the file is a bit weird).
*


Good to know.


-----Edit-----

That shutdown message came from the remote shutdown tool. I'm pretty sure that its usage is a good indicator of someone maliciously messing with your computer.
http://support.microsoft.com/default.aspx?...;317371&sd=tech
Spaceman3750
The sixty seconds to shutdown sounds like a strain of Blaster or MyDoom to me (can't remember which one).
Mynck
There must be a lot of malware that uses the remote shutdown tool. It's so easy. All you have to do is run shutdown.exe from a command line. That's it.
Spaceman3750
www.pchelpforum.com, for all of your computer help needs :).

</ plug>
lappy512
If you terminate services.exe, the shutdown prompt also appears.