Safyway.blogspot Remover (VirusRemoval.vbs, sujin.com.np)

Safyway.blogspot is a trojan which try to connect to the Internet as soon as it runs in your system. His goal is to invite you to visiting its owner web site, safyway.blogspot.com.
This virus deactivate the task manager and the Windows registry tools.

The virus stores two files in all your USB device:

• autorun.inf
• VirusRemoval.vbs

Each time you try to open our explore your USB device, the file autorun.inf launch the application VirusRemoval.vbs which in his turn parameter your system so that it is launched to each starting of Windows.

The virus puts too two files in your system directory:

• <System>\VirusRemoval.vbs
• <System>\wscript.exe

The virus replaces explorer.exe in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
VirusRemoval.vbs

The right value is :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe

Replace also that of UseInit in the same key:
Userinit
VirusRemoval.vbs

The right value is:
C:\WINDOWS\system32\userinit.exe,

The virus change too Internet Explorer's parameter:
Software\Microsoft\Internet Explorer\Main

Replace the value of the start page with " http://www.safyway.blogspot.com/"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page
http://www.safyway.blogspot.com/
This value will be replaced by the patch in google.net-studio.org but you can always replace it in Internet explore's option.

The virus replace too the value of
Window Title
to sujin.com.np

This virus runs automatically each time you open or explore a partition, it is preferable to download the patch and unpack it on the desktop, reboot your machine in Safe Mode and run the patch, always in safe mode.
Insert all your USB keys when you launch the patch so that they are disinfected.

Instruction on how to restart your computer in safe mode.