wscript.exe infected shortcut virus

[zrex030]

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LauncherM1400 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\StatusAutoRunM1400 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\QuickScanner deleted successfully.
C:\Program Files (x86)\Defender Pro Quick Scanner\quickscan.exe moved successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Prevedi sa Di recnikom\ deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Translate with Di dictionary\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Prevedi sa Di recnikom\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Translate with Di dictionary\ not found.
C:\ProgramData\DP45977C.lfl moved successfully.
========== FILES ==========
C:\Program Files (x86)\Defender Pro Quick Scanner folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Dragan
->Temp folder emptied: 5323716 bytes
->Temporary Internet Files folder emptied: 4944845 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 21349860 bytes
->Google Chrome cache emptied: 396238817 bytes
->Flash cache emptied: 726 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 441982 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 408,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 02252014_222312

Files\Folders moved on Reboot...
File move failed. C:\Users\Dragan\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Users\Dragan\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\Low\SkypeClickToCall\Logs\AutoUpdateSvc.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[zrex030]

and it happen'd again,after otl reboot,my system couldnt start normally and I needed to reboot  again,and it again started startup repair,witch was unsucssesfull so I needed to skip it next time.I want full explenation what are you fixing because im starting to think we are not making any progress,instead like going downwards...

[essexboy]

Nothing was removed that should affect your startup in any way....


A proxy was reset and an attempt made to remove the fake AV windows defender pro and that was it

What error do you get when you try to restart ?

[zrex030]

windows couldnt start correctly , three types of save mod,try repairs(or smt) and start windows normally,I tried repairs,done nothing,after another reboot started normally

[essexboy]

OK lets use another programme

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from. 
  
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
  

[zrex030]

Here are log files

[essexboy]

I have a feeling it is Iobit trying to replace the data that we are trying to remove

Download the attached fixlist.txt to the same location as FRST
Run FRST and press FIX
On completion reboot and let me know what problems you are experiencing

[zrex030]

should i uninstall iObit first?

[essexboy]

No lets see if my surmise was correct

[zrex030]

fixlog

[essexboy]

What problems are you experiencing now as that seemed to take

[zrex030]

blank blue screen in skype window,and some other time when i booted pc again saied that windows couldnt startup and that it needs repair but I skip'd it beacause it doesnt repairs anything(expirience from past attempts) ,but this last startup error did not occur after FRST64 fix reboot,it happend later

[essexboy]

As a trial temporarily uninstall Iobit and then try a few reboots

[zrex030]

all of its products?

[essexboy]

Yes please, save any licence files first though