psnsong.exe has to be a nasty

Discussion in 'malware problems & news' started by julio99, Feb 17, 2012.

Thread Status:
Not open for further replies.
  1. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    psnsong.exe is starting up with my machine on every startup and I can't even find it to get rid of it. It would appear that it's related to Windows Live Messenger as some sort of plug-in for Media Player 12 to show what I'm playing on WMP 12. I don't have Windows Live Messenger and I went to WMP12 and looked at plug-ins/background and it's nowhere to be found. I disabled it in Process Explorer and deleted it in Process Explorer and killed it as a startup entry and it still comes back at startup. What am I to do? The path for this is: C:\Users\Randyboy99\AppData\Local\Temp\System. Funny thing is there is "empty folder" when you go to said path.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, can upload to https://www.virustotal.com & see what they say. Do NOT post the FULL results, as it's not allowed, just if it's detected or not. Please save the www link you get after it's finished scanning, & PM it to me.

    Then try to locate & delete it in Safe Mode & or try a System Restore.
     
  3. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    The only place it's located is in the Task Manager. When I clicked properties it takes me to the path where the exe is supposed to be but it's empty. Can I add it to Virustotal from the TM? If so tell me how please.
     
  4. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    julio99, have you tried the suggestion given to you here: psnsong.exe won't go to disable/delete psnsong.exe?
     
  6. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    Yes I posted there.
     
  7. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
  8. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    I'm going to install this as Tipo told if this is going to get along with ESET Nod 32 AV5. What do you think?
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Unfortunately no you can't.

    Have you tried to locate it in Safe Mode? Do a Windows search for psnsong.exe. If you can, then right click on it, cut & paste it to your desktop, then ...

    Sure, install it & if you've located it as above, or some other way, follow the instructions to upload it. ESET shouldn't blink, if it does just allow it.
     
  10. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    When I ran Autoruns I found it in the registry and deleted it, but after the reboot it came back, so I had a friend over and he said that I should get rid of all my old restore points before I deleted it again. I didn't see the point in that but I followed the instructions and sure enough it worked after I got rid of the restore points first and then redid the scan through the registry and deleted it out of Autoruns. Have you ever heard of deleting old restore points before getting rid of malware entries? By the way, malware was found in an MBAM scan and quarantined but somehow it seemed to get loose or it had found itself off into another entry before I finally killed it.
    This is finally how I got rid of this stupid thing. Machine seems to finally be clean again.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Glad you got it sorted :thumb: Did you upload it to Virustotal ? If so ?

    Yes, but normally you would go back to a time before the incident & restore, then delete ALL the SR points & set a new one.

    Pity MBAM "appeared" not to deal with it ! VT should have identified it though, if not or you didn't upload it, we might not know what you had.

    It might not have been a nasty :D

    psnsong.exe - http://systemexplorer.net/filereviews.php?fid=6203031
     
  12. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    No problem at all. This is just a utility from the VirusTotal website.
     
  13. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    I went and searched it down first thing. I knew it was a WMP12 plug-in. First thing the post in Google told me was to go to WMP12 and options/Background and delete the plug-in if it's there. The post said it had something to do with iTunes and that is what first caught my attention, because I don't have iTunes installed. Irregardless, at the time I was unaware that I could upload a running process to VirusTotal, but it's installed now, so if more trouble arrives I'll be ready. Yes, I was surprised that MBAM was unable to deal with it. That is a good security application. It is gone now even though I'm not exactly sure how that was accomplished. Have you ever heard of an AV like MBAM by the name of "Emsisoft"? I run it off of a flash drive and it seems to catch a lot of stuff that ESET misses. I have a feeling most of them are FPs, but you should try it sometime and let me know what you think. I was advised of it on PC World.
    Another thing about "psnsong.exe": it has Windows Live Messenger attached to it too, which red-flagged me because the only Windows Live app I have is the mail. All other Microsoft Security Essentials and Windows Live apps are gone off of my machine.
     
    Last edited: Feb 19, 2012
  14. Tefinho

    Tefinho Registered Member

    Joined:
    Feb 20, 2012
    Posts:
    1
    Location:
    Brazil
    Today I've discovered that I've got this nasty psnsong.exe (and its partner file sqmapi.exe).
    How did I discover it? I tried to reply to an email and my Brazilian ABNT2 keyboard wasn't working.
    I thought about a keylogger, and psnsong.exe and sqmapi.exe showed up in the running processes.
    Tried without success to exclude them in the registry. Killing them didn't work as they started again.
    Found the location of psnsong.exe in the registry using regedit.
    Here's the guide to get rid of this malware:
    0. Deinstall Angry Birds Rio (more on this on the end of text...)
    1. Restart Windows in Security Mode
    2. Open Regedit (or Autoruns) and exclude the psnsong.exe entry on the Run (it's easier to use the autoruns)
    3. Open a CMD window
    4. Go to the malware folder (the folder and files are hidden)
    cd \Users\your_username\AppData\Local\Temp\System
    dir (nothing appears)
    dir /ah (there are)
    attrib -R -A -S -H -I *.*
    dir (voilà!)
    del *.*
    cd ..
    attrib -R -A -S -H -I System
    rd System

    Then, just as a precaution, I've recreated that System folder and copied a normal executable file (notepad.exe) as psnsong.exe and sqmapi.exe.
    My idea is that if there was an appointment to restart/recreate that malware, it would fail as the files would already be there.

    The source of this malware was Angry Birds Rio downloaded using torrent.
    Learned (again) this lesson... piracy is one of the highest malware sources.

    Don't forget to deinstall the malware source first!
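
An added example, not part of any post in this thread: a PowerShell audit of the two things the posts above deal with by hand, the Run-key entry that keeps coming back and the hidden files under `AppData\Local\Temp\System`. The function names `Get-CommandTarget` and `Get-RunEntryReport` are hypothetical helpers, and the list of registry keys covers only the standard Run/RunOnce locations.

```powershell
# Added example: audit Run/RunOnce entries and show hidden files in Temp\System.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandTarget([string]$Command) {
    # Pull the executable path out of a Run value: a quoted path, or text up to ".exe".
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $target = Get-CommandTarget ([string]$item.GetValue($name))
            # -Force is required: Hidden+System files are invisible to a plain lookup.
            $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Target     = $target
                InTemp     = $target -match '\\(Temp|Tmp)\\'
                Exists     = [bool]$file
                Attributes = if ($file) { $file.Attributes } else { $null }
                SHA256     = if ($file -and -not $file.PSIsContainer) {
                    (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                } else { $null }
            }
        }
    }
}

# Autostart entries that launch from a Temp folder or point at a missing file.
Get-RunEntryReport | Where-Object { $_.InTemp -or -not $_.Exists } | Format-List

# Contents of the folder named in the thread, including Hidden/System items.
$suspectDir = Join-Path $env:LOCALAPPDATA 'Temp\System'
if (Test-Path -LiteralPath $suspectDir) {
    Get-ChildItem -LiteralPath $suspectDir -Force |
        Select-Object Name, Length, Attributes, LastWriteTime
}
```

The SHA256 column can be searched on VirusTotal to see whether the file is already known there, and a folder that looks empty in Explorer but lists files here carries the Hidden and System attributes.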
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    ^Next time, play your cracked games in a sandbox :) jk. I've also noticed even the legitimate Angry Birds Rio game would like to access physical memory. Now, a cracked one would definitely be a nasty. But it is fun to watch it in a sandbox, with Classical HIPS and under Shadow Defender. Then watch the bundled malware do its stuff, debugging, modifying other processes, code injections, hiding its files, etc., while you enjoy playing the game. And with a reboot, it's gone.
     
    Last edited: Feb 20, 2012