I am having issues with my computer. I'll give as many details as possible:
I was looking into my computer running slowly recently. I had experienced many blue screen crashes, lagging, my antivirus having a lot of errors, etc. I did some poking around online and remembered that I had this issue several years ago that required a clean re-install of Windows 7. I did some looking around on my computer after Windows Explorer crashed and my desktop background disappeared, replaced with a 7601 error telling me my Windows isn't genuine. I found out several things rather quickly:
- My Windows Media Player has a link/dropdown menu inside it that says 'Bing' with an obviously fake Windows symbol.
- Looking at the System Information reveals that the Product ID is incorrect and doesn't match what is on my tower (I bought the computer legally years ago). Changing it to the correct Product ID doesn't work; it changes back.
- There are two items in Task Manager that don't have information, cannot open folder location, and are, after researching, supposed to be important files run by the computer, but they are run by the user on the computer. These are Winlogon.exe and csrss.exe.
- csrss.exe and csrss.exe.mui files seem to be multiplying since the last time I looked for them manually (2 days ago). There is one copy in the system32 folder, which I am told is legitimate, and there are a few backups, but there are multiple others in the winsxs folder, SysWOW64 locations, etc., which I have been told do not belong there and to consider them trojans.
- All of the files related to the virus have the same 'created' date, 7/13/2009, which makes no sense as I ran the reinstall in 2014, and all other files reflect this.
- SAM has the wrong ID numbers attached to it, and they don't match anything I've looked up online.
- The corrupted/virus-related files are deep in the system, connected to very important files necessary to run the computer.
I have done hours of research on this issue and thought I finally found help here: https://malwaretips.com/blogs/remove-csrss-exe/
However, I have gotten down to the 4th step, and ran into some issues. First, the only things coming up on any malware scans have been tracking cookies. Secondly, at the 4th step, I downloaded the program, but it wouldn't let me install the program without restarting before the setup could happen. That seemed strange to me so I deleted the file downloaded and asked the website for help, but they have not gotten back to me.
Today I woke up and when I got on and checked the Task Manager, there was a new process running called conhost.exe. I learned from this site that it is a mining program that uses the CPU of a computer (a problem I have also been having).
I just ran all the malware programs I have in safe mode, and they all came up clear. I ran Malwarebytes, HitmanPRO, Rkill, AVG. 'No Threats'
I am at the end of my rope. I have a lot I want to back up: Word docs, photos, art, etc., but I am worried that something from the last time I re-installed reinfected my computer and I can't afford to lose everything. I would prefer to fix this without having to reinstall. But if I did have to, how can I back up my stuff if something in them is what is causing my computer to get reinfected?
Any help would be very appreciated! Thanks!
I will provide pictures to show what issues I am having.
Attached images:
- its the csrss.jpg
- this is taskmgr.jpg
- directory services SAM 16962 incorrect.jpg
- WMP looks like a virus.jpg
Edited by hamluis, 29 November 2017 - 05:56 PM.
Moved from Win 7 to Am I Infected - Hamluis.