Jump to content

chameleon svchost.exe - why is this needed

gkdunlap
 Share

Recommended Posts

gkdunlap

gkdunlap

Posted
Posted

I have a svchost that runs high on CPU on a Win 7 - 64bit.  I read this article about searching for svchost.exe from the start . When I do the search find one under system32 and one under "C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon" .  What is this for?  I can't rename it. No virus tools pick it up.  Looks suspicious. 

Link to post
Share on other sites
exile360

exile360

Posted
Posted

Greetings and welcome :)

You can rename it as long as you have administrative privileges although it is not recommended. As for why it's there and why it's needed, that's because many forms of malware these days will block or allow processes based on their names, and svchost.exe (an essential system process) is one of those names which is frequently allowed to run. This enables Malwarebytes Chameleon to be used to bypass such infections in order to get itself, and thus Malwarebytes Anti-Malware, running in order to remove the infection(s) from the system.

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

The objective of malware is to run its payload on one's infected computer as long as possible.

 

To effect this, malware will perform various "self preservation" techniques.  One is to set a local policy to disable the Task Manager so one can not "kill" a malicious process.  Another is to have a laundry list of anti malware program and/or utility names and while the malicious software is running, it will block the execution of these software programs and/or utilities.

 

To thwart this kind of activity, one can rename an anti malware program and/or utility to a common name that the malware wants to run such as "IEXPLORE.EXE" which is the executable for Internet Explorer.  Others may also block the execution of any EXE files.  Then one can rename an anti malware program and/or utility to have a .COM executable extension.  For example many will have in their list "Process Explorer" by Sysinternals (a division of Microsoft).  One can copy the file utility from "procexp.exe" to something inane such as "dave.com" and then execute "dave.com".

 

Malwarebytes has created a set of alternative names to help thwart this kind of malicious software self preservation activity and it is called "Chameleon".

Link to post
Share on other sites
  • Staff
shadowwar

shadowwar

Posted
  • Staff
Posted

One Thing to add. This svchost does not run in memory. Only time it runs is when u execute chameleon. This is not your problem with memory usage as it doesnt normally run.

 

The microsoft Svchost.exe in sysdir is just the parent process. U need to figure out what is running underneath it that is causing the memory issue. U can use process explorer to help figure this out. Or visit our computer help subforum.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.