psnsong.exe won't go

julio99

Senior Member
#1
psnsong.exe is starting up with my machine on every startup and I can't even find it to get rid of it. It would appear that it's related to Windows Live Messenger as some sort of plug-in for Media Player 12 to show what I'm playing on WMP 12. I don't have windows live messenger and I went to WMP12 and looked at plug-ins/background and it's nowhere to be found. I disabled it in Proccess Explorer and deleted it in Proccess Explorer and killed it as a startup entry and it still comes back at startup. What am I to do. The path for this is:C:\Users\Randyboy99\AppData\Local\Temp\System. Funny thing is ther is "empty folder" when you go to said path.
 


patcooke

Microsoft MVP
Staff member
Premium Supporter
Microsoft MVP
#2
Get a free copy of autoruns from here:

Autoruns for Windows

Gives a comprehensive control of startups. You can either check/uncheck an item to enable/disable it or delete it completely from startup.
 


julio99

Senior Member
#3
Get a free copy of autoruns from here:

Autoruns for Windows

Gives a comprehensive control of startups. You can either check/uncheck an item to enable/disable it or delete it completely from startup.
Of course I tried this. I've tried so many things I'm still trying to get caught up typing. It keeps coming back using autoruns. I even disabled the entries in the registry.
 


Saltgrass

Excellent Member
Microsoft Community Contributor
#4
You are probably going to have to go with Process Monitor and set it to watch the boot. Maybe it will show where the entries are being recreated.

Where in the registry does Autoruns show the entries to be located? And you are running it as Admin?
 


julio99

Senior Member
#5
When I ran Autoruns I found it in the Registry and deleted it, but after the reboot it came back,, so I had a friend over and he said that I should get rid of al my old restore points before I deleted it again. i didn't see the point in that but I followed the instructions and ure enough it worked after I got rid of the restore points first and the redid the scan through the registry and deleted out of autoruns. Have you ever heard of deleting old restore points before getting rid of Malware entries. By the way, malware was found in an MBAM scan and quarantined but somehow it seemed to get loose or it had found itself off into another entry before I finally killed it.
 


Last edited:
#6
Today I've discovered that I've got this nasty psnsong.exe (and it's partner file sqmapi.exe).
How I discovered ? I tried to reply an email and my brazilian ABNT2 keyboard wasn't working.
Thinked about a keylogger and the psnsong.exe and sqmapi.exe showed on the running process.
Tried without success to exclude on registry. Killing them don't work as it started again.
Find the location of psnsong.exe on the registry using regedit.
Here's the guide to get rid of this malware:
0. Deinstall Angry Birds Rio (more on this on the end of text...)
1. Restart Windows in Security Mode
2. Open Regedit (or Autoruns) and exclude the psnsong.exe entry on the Run (it's easier to use the autoruns)
3. Open a CMD window
4. Go to the malware folder (the folder and files are hidden)
cd \Users\your_username\AppData\Local\Temp\System
dir (nothing appears)
dir /ah (there are)
attrib -R -A -S -H -I *.*
dir (voilá!)
del *.*
cd ..
attrib -R -A -S -H -I System
del System

Then, just for precaution, I've recreated that System folder and copied a normal executable file (notepad.exe) as psnsong.exe and sqmapi.exe
My idea is if there was an appointment to restart/recreate those malware it would fail as would already be the files there.

The source of this malware was Angry Birds Rio downloaded using torrent.
Learned (again) this lesson... piracy is one of the highest malware sources.

Don't forget to deinstall the malware source first!
 


#7
Yeah I've had this trojan for a while along with sqmapi.exe and lssas.exe. I tried removing it from the start up menu by going to system config but it kept coming back and as some of you said you can't just kill it cause it will just start up again :/. I finally got rid of it though (no help from webroot -.-). All you need to do is rename the folder ...\AppData\Local\Temp\System to something like \AppData\Local\Temp\System1 so that it won't be able to boot. After that stop psnsong.exe, sqmapi.exe, lssas.exe (If you don't have the last two or last one just stop psnsong.exe). Then delete the folder and it will finally let you. Just clear your recycle bin and remove it from the start up program and you should be fine. Hope it helped ^.^
 


Last edited:
#8
I had this same problem...

1. Open up Task Manager.. (ctrl+alt+del)
2. Find the name... psnsong.exe or sqmapi.exe
3. Left click and scroll down to properties
4. Go to security
5. Under this tab there should be a box labeled "Group or user names:" You can select SYSTEM first (Because you'll do the others right after)
6. Underneath that box, there should be another one called permissions for ...such and such... there should also be a button that says "Edit". Click that button and choose DENY for all six boxes.
7. Press apply, and then do the same thing for the other names underneath "Groups or user names:"

This got ride of the [sqmapi.exe] psnsong.exe because I had the box continuously pop up, and then it disappeared off the screen.

Good Luck :)
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.