Is that a typo or does it really say thomas]appdata?
If it's real then that's probably why you are getting two logons. Probably a typo from when we made the folder.
We made a folder with the name ct.exe and it's possible that zemana is triggering on the folder. If it's a folder then leave it.
Can you just delete 1 & 2?
4 & 5 are our old friends and FRST says they have undone our good work.
"Dataup" => service was unlocked. <===== ATTENTION"drmkpro64" => service was unlocked. <===== ATTENTION
"windowsmanagementservice" => service was unlocked. <===== ATTENTION
So may come back with a reboot unless you go back in to regedit and take ownership again. I think there is something running that we can't see. Let's see if GMER will run:
Disconnect from the Internet and close all running programs.Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")Allow the driver to load if asked.You may be prompted to scan immediately if it detects rootkit activity.If you are prompted to scan your system click "No", save the log and post back the results.If not prompted, click the "Rootkit/Malware" tab.On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.Select all drives that are connected to your system to be scanned.Click the Scan button to begin. (Please be patient as it can take some time to complete)When the scan is finished, click Save to save the scan results to your Desktop.Save the file as Results.log and copy/paste the contents in your next reply.Exit the program and re-enable all active protection when done.
It might also help if you have a USB drive with FRST on it and can run it at the next boot per the instruction I gave you.