Virustotal: c:\windows\system32\userinit.exe
Unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\axhyrhmw
REG: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\axhyrhmw
HKU\S-1-5-21-1450707365-3114357019-3030383042-1000\...\Run: [Windscribe] => C:\Program Files\Windscribe\Windscribe.exe [10601064 2017-05-09] (Windscribe Limited)
C:\Program Files\Windscribe
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
unlock: c:\program files\microsoft\desktoplayer.exe
c:\program files\microsoft\desktoplayer.exe
mkdir c:\program files\microsoft\desktoplayer.exe
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [23040 2016-04-21] (The OpenVPN Project)
R3 tapwindscribe0901; C:\Windows\System32\DRIVERS\tapwindscribe0901.sys [41976 2017-04-21] (The OpenVPN Project)
U3 axhyrhmw; C:\Windows\system32\Drivers\axhyrhmw.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
MSCONFIG\Services: doyyloadrwyownloadpr => 2
Task: {A8041C4C-67DD-4348-9665-E1543B0AC3E4} - System32\Tasks\{FEC9547F-F20B-4A03-B4C2-D86D6BB9C500} => C:\Windows\system32\pcalua.exe -a "C:\Users\lenovo\Downloads\Tally ERP 9 Release 5.3.1 with Crack-easy to Activate-2016\setup.exe" -d "C:\Users\lenovo\Downloads\Tally ERP 9 Release 5.3.1 with Crack-easy to Activate-2016"
C:\Users\lenovo\Downloads\Tally ERP 9 Release 5.3.1 with Crack-easy to Activate-2016
Task: {83DC7922-CE46-4FAE-9A55-A34520C0A075} - System32\Tasks\Driver Booster SkipUAC (lenovo) => C:\Program Files\IObit\Driver Booster\5.0.3\DriverBooster.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1450707365-3114357019-3030383042-1000Core.job => C:\Users\lenovo\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1450707365-3114357019-3030383042-1000UA.job => C:\Users\lenovo\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1450707365-3114357019-3030383042-1000Core.job => C:\Users\lenovo\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1450707365-3114357019-3030383042-1000UA.job => C:\Users\lenovo\AppData\Local\Facebook\Update\FacebookUpdate.exe
Hosts:
EmptyTemp:
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"