chameleon svchost.exe - why is this needed
I have a svchost that runs high on CPU on a Win 7 - 64bit. I read this article about searching for svchost.exe from the start. When I do the search I find one under system32 and one under "C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon". What is this for? I can't rename it. No virus tools pick it up. Looks suspicious.
Posted 22 July 2013 - 03:16 PM
You can rename it as long as you have administrative privileges although it is not recommended. As for why it's there and why it's needed, that's because many forms of malware these days will block or allow processes based on their names, and svchost.exe (an essential system process) is one of those names which is frequently allowed to run. This enables Malwarebytes Chameleon to be used to bypass such infections in order to get itself, and thus Malwarebytes Anti-Malware, running in order to remove the infection(s) from the system.
Posted 22 July 2013 - 03:56 PM
The objective of malware is to run its payload on one's infected computer as long as possible.
To effect this, malware will perform various "self preservation" techniques. One is to set a local policy to disable the Task Manager so one can not "kill" a malicious process. Another is to have a laundry list of anti malware program and/or utility names and while the malicious software is running, it will block the execution of these software programs and/or utilities.
To thwart this kind of activity, one can rename an anti malware program and/or utility to a common name that the malware wants to run such as "IEXPLORE.EXE" which is the executable for Internet Explorer. Others may also block the execution of any EXE files. Then one can rename an anti malware program and/or utility to have a .COM executable extension. For example many will have in their list "Process Explorer" by Sysinternals (a division of Microsoft). One can copy the file utility from "procexp.exe" to something inane such as "dave.com" and then execute "dave.com".
Malwarebytes has created a set of alternative names to help thwart this kind of malicious software self preservation activity and it is called "Chameleon".
Posted 22 July 2013 - 05:05 PM
One thing to add. This svchost does not run in memory. Only time it runs is when u execute Chameleon. This is not your problem with memory usage as it doesn't normally run.
The Microsoft svchost.exe in sysdir is just the parent process. U need to figure out what is running underneath it that is causing the memory issue. U can use Process Explorer to help figure this out. Or visit our computer help subforum.
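As an added example (not part of the original thread), this PowerShell sketch lists every running svchost.exe with its CPU time, image path, signature status and the services it hosts, which is the same mapping Process Explorer shows. It assumes an elevated 64-bit PowerShell 2.0 or later prompt; the column names are chosen here for illustration.

```powershell
# Added example: map each svchost.exe instance to its hosted services.
# Uses Get-WmiObject so it also works on PowerShell 2.0 (Windows 7 default).
# Run elevated, otherwise ExecutablePath is empty for system processes.

# Locations where the Microsoft svchost.exe normally lives on 64-bit Windows.
$expected = @(
    (Join-Path $env:windir 'System32\svchost.exe'),
    (Join-Path $env:windir 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process hosting them.
$servicesByPid = @{}
Get-WmiObject Win32_Service -Filter "State='Running'" | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $_.Name
}

Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" |
    Select-Object ProcessId,
        @{ Name = 'CpuSeconds'; Expression = {
            # Kernel and user times are reported in 100-nanosecond units.
            [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1) } },
        @{ Name = 'Location'; Expression = {
            if (-not $_.ExecutablePath) { 'unknown (run elevated)' }
            elseif ($expected -contains $_.ExecutablePath) { 'system directory' }
            else { 'other directory' } } },
        @{ Name = 'Signature'; Expression = {
            if ($_.ExecutablePath) {
                (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
            } } },
        @{ Name = 'Services'; Expression = {
            $servicesByPid[[int]$_.ProcessId] -join ', ' } },
        ExecutablePath |
    Sort-Object CpuSeconds -Descending |
    Format-Table -AutoSize -Wrap
```

The row with the highest CpuSeconds names the services to investigate. A Location of "other directory" is a prompt to check the path and signer rather than a verdict, since the Chameleon copy discussed above would show that way while it runs.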