psnsong.exe won't go

Discussion in 'Windows 7 Software' started by julio99, Feb 17, 2012.

  1. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    psnsong.exe is starting up with my machine on every startup and I can't even find it to get rid of it. It would appear that it's related to Windows Live Messenger as some sort of plug-in for Media Player 12 to show what I'm playing on WMP 12. I don't have windows live messenger and I went to WMP12 and looked at plug-ins/background and it's nowhere to be found. I disabled it in Proccess Explorer and deleted it in Proccess Explorer and killed it as a startup entry and it still comes back at startup. What am I to do. The path for this is:C:\Users\Randyboy99\AppData\Local\Temp\System. Funny thing is ther is "empty folder" when you go to said path.
     
  2. patcooke

    patcooke Microsoft MVP
    Staff Member Premium Supporter Microsoft MVP

    Joined:
    May 16, 2010
    Messages:
    5,455
    Likes Received:
    268
    Get a free copy of autoruns from here:

    Autoruns for Windows

    Gives a comprehensive control of startups. You can either check/uncheck an item to enable/disable it or delete it completely from startup.
     
  3. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    Of course I tried this. I've tried so many things I'm still trying to get caught up typing. It keeps coming back using autoruns. I even disabled the entries in the registry.
     
  4. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    You are probably going to have to go with Process Monitor and set it to watch the boot. Maybe it will show where the entries are being recreated.

    Where in the registry does Autoruns show the entries to be located? And you are running it as Admin?
     
  5. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    When I ran Autoruns I found it in the Registry and deleted it, but after the reboot it came back,, so I had a friend over and he said that I should get rid of al my old restore points before I deleted it again. i didn't see the point in that but I followed the instructions and ure enough it worked after I got rid of the restore points first and the redid the scan through the registry and deleted out of autoruns. Have you ever heard of deleting old restore points before getting rid of Malware entries. By the way, malware was found in an MBAM scan and quarantined but somehow it seemed to get loose or it had found itself off into another entry before I finally killed it.
     
    #5 julio99, Feb 17, 2012
    Last edited: Feb 17, 2012
  6. Tefinho

    Tefinho New Member

    Joined:
    Feb 20, 2012
    Messages:
    2
    Likes Received:
    0
    Today I've discovered that I've got this nasty psnsong.exe (and it's partner file sqmapi.exe).
    How I discovered ? I tried to reply an email and my brazilian ABNT2 keyboard wasn't working.
    Thinked about a keylogger and the psnsong.exe and sqmapi.exe showed on the running process.
    Tried without success to exclude on registry. Killing them don't work as it started again.
    Find the location of psnsong.exe on the registry using regedit.
    Here's the guide to get rid of this malware:
    0. Deinstall Angry Birds Rio (more on this on the end of text...)
    1. Restart Windows in Security Mode
    2. Open Regedit (or Autoruns) and exclude the psnsong.exe entry on the Run (it's easier to use the autoruns)
    3. Open a CMD window
    4. Go to the malware folder (the folder and files are hidden)
    cd \Users\your_username\AppData\Local\Temp\System
    dir (nothing appears)
    dir /ah (there are)
    attrib -R -A -S -H -I *.*
    dir (voilá!)
    del *.*
    cd ..
    attrib -R -A -S -H -I System
    del System

    Then, just for precaution, I've recreated that System folder and copied a normal executable file (notepad.exe) as psnsong.exe and sqmapi.exe
    My idea is if there was an appointment to restart/recreate those malware it would fail as would already be the files there.

    The source of this malware was Angry Birds Rio downloaded using torrent.
    Learned (again) this lesson... piracy is one of the highest malware sources.

    Don't forget to deinstall the malware source first!
     
  7. smcbride

    smcbride New Member

    Joined:
    Apr 19, 2012
    Messages:
    2
    Likes Received:
    0
    Yeah I've had this trojan for a while along with sqmapi.exe and lssas.exe. I tried removing it from the start up menu by going to system config but it kept coming back and as some of you said you can't just kill it cause it will just start up again :/. I finally got rid of it though (no help from webroot -.-). All you need to do is rename the folder ...\AppData\Local\Temp\System to something like \AppData\Local\Temp\System1 so that it won't be able to boot. After that stop psnsong.exe, sqmapi.exe, lssas.exe (If you don't have the last two or last one just stop psnsong.exe). Then delete the folder and it will finally let you. Just clear your recycle bin and remove it from the start up program and you should be fine. Hope it helped ^.^
     
    #7 smcbride, Apr 19, 2012
    Last edited: Apr 19, 2012
  8. AmaMizu6

    AmaMizu6 New Member

    Joined:
    May 30, 2012
    Messages:
    2
    Likes Received:
    0
    I had this same problem...

    1. Open up Task Manager.. (ctrl+alt+del)
    2. Find the name... psnsong.exe or sqmapi.exe
    3. Left click and scroll down to properties
    4. Go to security
    5. Under this tab there should be a box labeled "Group or user names:" You can select SYSTEM first (Because you'll do the others right after)
    6. Underneath that box, there should be another one called permissions for ...such and such... there should also be a button that says "Edit". Click that button and choose DENY for all six boxes.
    7. Press apply, and then do the same thing for the other names underneath "Groups or user names:"

    This got ride of the [sqmapi.exe] psnsong.exe because I had the box continuously pop up, and then it disappeared off the screen.

    Good Luck :)
     

Share This Page

Loading...