Shell&ServicesEngine 3.0.3 Malware

0

1

For a while now, I have had this weird malware program on my computer which keeps reinstalling itself every once in a while. It shows up in the installed programs list as Shell&ServicesEngine 3.0.3. It causes various problems on my computer such as hiding the buttons bar on StackExchange sites, blocking some applications from accessing the Internet and it also sometimes closes my Google Chrome. The latter might be an attempt to steal my passwords, since it's required to close the browser before reading the passwords file. Due to Google's weak security, it's possible to retrieve the passwords programmatically on the same machine.

It can be uninstalled manually but surprise, it doesn't stay that way and keeps coming back. I already installed AVAST!, Avira and ran MalwareBytes but they didn't succeed in removing or detecting the malware. On the Internet I also didn't find anything useful regarding this junk application. What should I try to get rid of it? Just the weird problems and this weird application visible under Control Panel\Programs\Programs and Features are a clear indication that something isn't right.

I think I figured out the location of the application:
C:\Windows\Shell&ServicesEngine_09122015182218

Also, its task name is NetworkAnalyserService. It also ran another process called Netman. After terminating both, the issues it causes are temporarily gone (the buttons bar, for example, loads again).

BullyWiiPlaza

Posted 2015-12-09T17:35:01.447

Reputation: 498

Your Chrome password link is 2 years old and the problem was remedied – schroeder – 2015-12-09T17:49:32.270

2

Unfortunately, we aren't tech support or a virus removal forum. I'm not sure who to direct you to. – schroeder – 2015-12-09T17:50:33.060

Are you sure that there is malware? This could all be explained by a faulty network driver. – schroeder – 2015-12-09T17:53:09.727

@schroeder: It comes with an uninstaller but, oddly enough, when I do uninstall it, it comes back later and only causes problems. This behavior is very virus-like. Serious programs shouldn't resist being uninstalled. The Chrome issue still exists: external applications can view the passwords in Chrome. Check out ChromePass to see what I mean. – BullyWiiPlaza – 2015-12-09T17:56:57.567

The problem described in the link is no longer relevant, I did not say that there were no issues. Regardless, this is not the right forum for this question. – schroeder – 2015-12-09T18:04:53.180

1

Possible duplicate of How do I deal with a compromised server?

– None – 2015-12-10T07:17:05.517

Answers

0

I finally managed to get rid of this malware by using RegScanner and deleting ALL registry keys containing the string Shell&ServicesEngine, as well as uninstalling the program and deleting the Windows Service entries for it. Finally, I rebooted the machine.

BullyWiiPlaza

Posted 2015-12-09T17:35:01.447

Reputation: 498

0

Yesterday I encountered the same problem, and I got it fixed like this:

[Don't run the default uninstall option provided in the Shell&ServicesEngine_* package, it won't work]

Open a command prompt with admin rights and run the following commands one by one. (Not sure if the service names will be the same for you, but I'm sure they will follow the Shell&ServicesEngine* pattern. You can confirm the service names in "Services": hit Win+R and execute the services.msc command.)

sc stop "Shell&ServicesEngine14012016000932"
sc delete "Shell&ServicesEngine14012016000932"
sc stop "Shell&ServicesEngine14012016000932_updater_service"
sc delete "Shell&ServicesEngine14012016000932_updater_service"

Then delete the Shell&ServicesEngine_* folder under C:\Windows\.

Shell&ServicesEngine 3.0.3 will still be listed in the installed programs list, because the registry entries are still there.

Use RegScanner to find and delete entries with the string Shell&ServicesEngine (don't do this step without first deleting the Shell&ServicesEngine_* folder under C:\Windows\).

Do an sfc /SCANNOW on an admin-level command prompt after doing all the above (it will take a few minutes to finish), and restart Windows.

I hope this helped.

light93

Posted 2015-12-09T17:35:01.447

Reputation: 101
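The answer above does the service, folder and registry cleanup by hand with sc.exe and RegScanner. The following PowerShell script is an added example (not code from the thread or from any of its posters) that first inventories every service, C:\Windows subfolder and Programs-and-Features uninstall entry whose name contains a given string, showing the binary path each service points at, and only deletes them when run again with -Remove. The default pattern 'Shell&ServicesEngine' is taken from the thread; the registry roots and the two-phase inventory/remove design are assumptions of this example, not something the answer prescribes.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Phase 1 (default): list what matches. Phase 2 (-Remove): delete the listed items.
param(
    [string]$Pattern = 'Shell&ServicesEngine',   # name fragment from the thread; assumption for other cases
    [switch]$Remove
)

# 1. Services: Win32_Service exposes PathName, so you can see which binary each one loads.
$services = Get-CimInstance Win32_Service | Where-Object { $_.Name -like "*$Pattern*" }
'--- Services ---'
foreach ($svc in $services) {
    '{0,-50} {1,-8} {2,-10} {3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.PathName
}

# 2. Service registry keys (catches entries whose binary is already gone but still register at boot).
$svcKeys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -like "*$Pattern*" }
'--- Service registry keys ---'
$svcKeys | ForEach-Object { $_.PSPath }

# 3. Uninstall entries: this is what "Programs and Features" reads (32- and 64-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$entries = foreach ($root in $uninstallRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue | Where-Object {
        $_.PSChildName -like "*$Pattern*" -or
        (Get-ItemProperty $_.PSPath).DisplayName -like "*$Pattern*"
    }
}
'--- Uninstall entries ---'
foreach ($e in $entries) {
    $p = Get-ItemProperty $e.PSPath
    '{0}  DisplayName={1}  UninstallString={2}' -f $e.PSPath, $p.DisplayName, $p.UninstallString
}

# 4. Folders under C:\Windows, as named in the thread.
$folders = Get-ChildItem 'C:\Windows' -Directory -Filter "$Pattern*" -ErrorAction SilentlyContinue
'--- Folders ---'
$folders | ForEach-Object { $_.FullName }

if (-not $Remove) {
    'Inventory only. Review the items above, then re-run with -Remove to delete them.'
    return
}

# Removal: stop and unregister services first so nothing re-creates the other artefacts.
foreach ($svc in $services) {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    & sc.exe delete $svc.Name          # Remove-Service only exists in PowerShell 6+
}
foreach ($k in $svcKeys) { Remove-Item $k.PSPath -Recurse -Force -ErrorAction SilentlyContinue }
foreach ($e in $entries) { Remove-Item $e.PSPath -Recurse -Force -ErrorAction SilentlyContinue }
foreach ($f in $folders) { Remove-Item $f.FullName -Recurse -Force -ErrorAction SilentlyContinue }
'Done. Reboot and re-run without -Remove to confirm nothing matches any more.'
```

Save it as, for example, Find-NamedService.ps1 and run `.\Find-NamedService.ps1` first, then `.\Find-NamedService.ps1 -Remove`. Listing the service binary paths before deleting anything matters here: in the thread the visible service was only part of the picture, and the path column is what points you at any second component (such as the updater service or a binary in another folder) that would otherwise put everything back after a reboot.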

-1

Following the steps in BullyWiiPlaza's (great!) answer, I also had to do this:

  • Delete the WinServicejp.exe file and its whole directory C:\Windows\SysWOW64\updtSer (which also contains the WinServicejp.exe.config file)

Long story:

As it turned out, I got infected from software called JpgToPdf. I realized that from examining the process Shell&ServicesEngine (and the others mentioned in the OP). But killing these processes, deleting the executables and clearing the registry did not help. After a restart, Shell&ServicesEngine 3.0.3 was back.

Then, using TCPView, I noticed some packets being sent from WinServejp.exe. In the same directory there was a WinServejp.exe.config file in which I found a URL to www.hahomedia.com/soft/txt/jpgtopdf.txt - this text file gave itself away with the strings 'Shell&ServicesEngine' and 'JpgToPdfSetup' together.

So I decided it was safe to declare WinServicejp.exe malware (undetected by Kaspersky, ESET and some anti-malware tools, and non-existent in Internet searches so far) and deleted it. I have not encountered any problems or suspicious behaviour on my Windows machine since then.

Trasnemi

Posted 2015-12-09T17:35:01.447

Reputation: 1
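The answer above found the persistence component by watching outbound connections in TCPView and then reading the .config file next to the binary. The PowerShell below is an added example (not code from the thread or its posters) that does the same triage from the command line: it maps every non-loopback TCP connection to its owning process, shows the process image path and whether that image carries a valid Authenticode signature, and extracts any URLs from an <image>.config file sitting beside it. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; everything else is built-in.

```powershell
# Added example, not from the thread. Run elevated so Path is populated for all processes.
# Maps TCP connections to processes and surfaces the two clues used in the answer above:
# the owning binary's location/signature and any URL in a sibling <exe>.config file.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') } |
    ForEach-Object {
        # OwningProcess is UInt32; Get-Process Id is Int32, so cast before the hashtable lookup.
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }   # null for protected/system processes

        # Read the sibling .config (as in the answer) and pull out anything that looks like a URL.
        $config = if ($path -and (Test-Path -LiteralPath "$path.config")) {
            Get-Content -LiteralPath "$path.config" -Raw
        } else { '' }
        $urls = [regex]::Matches($config, 'https?://[^\s"''<>]+') | ForEach-Object { $_.Value }

        [pscustomobject]@{
            PID        = $_.OwningProcess
            Process    = if ($p) { $p.ProcessName } else { '?' }
            Remote     = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Image      = $path
            SignedOK   = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid' } else { $null }
            ConfigUrls = ($urls -join ' ')
        }
    } |
    Sort-Object SignedOK, Process |
    Format-Table -AutoSize -Wrap
```

Unsigned images under SysWOW64 or the Windows folder that hold an outbound connection, especially ones with a URL in their .config, are the rows to look at first; a legitimate Windows service binary is normally signed by Microsoft and has no reason to carry a download URL in an application config file.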

I also found another approach that worked which was running SpyHunter and letting it remove everything it found. It's not a free application though but it worked for removing Shell&ServicesEngine permanently – BullyWiiPlaza – 2016-01-06T15:33:44.147