This will take a lil bit long to read, so once again I would like to say thanks to you who want to read this all patiently, and I hope you'll give me the best advice to solve these problems.
Ok, lemme tell my problemsets :
1 - my computer's antivirus was outdated. really, I just have a dial-up connection and won't stand for updating virus database. so, I give up on any removal with antivirus. I need help from you all if you can give me advice to manually remove the problems I'll mention.
2 - FYI, I've got this all detected manually. because those files were too weird to be in my computer, especially the system32 folder. Uh, with my limited knowledge of computer safety and security systems T^T....
3 - after I ran hijackthis, I found malicious programs related to (from googling and the log file) : W32/Azero.a!****** (random numbers, based on the new variants, I think), TSPY_ONLINE.FOK (from trend-micro definition), and Banwarum.
4 - [EDIT] ok, banwarum was deleted. hope it won't come back again. (fiuh....)
5 - w32/Azero.a added maxtrox.txt (I detected it from my local antivirus), desktop.sysm (I detected it from registry, default startup value. strange enough to be there), and CommandPrompt.sysm, Applications Data folder (This folder seemed to appear with name "Application Data", and the real Application Data was disguised as "Network Settings" folder. I've checked it with command prompt, and yeah it appeared with "Application(no 's'
Because I didn't know which was the main file of the virus, so i couldn't delete it, and they were always regenerated when my comp restarted. (oh yeah, all worms always do that, right?)
Oh, I also checked for the strings found in the programs created by this worm. I found a path referring to..... system.vbp? can someone tell me what that thingie stands for?
6 - TSPY_ONLINE.FOK was.... a trojan-but-spyware-alike. I saw in several spyware blogs that it came from.... china? I mean, its origin was from china. I detected this when inspecting system32, and found several .dll files with similar size and strange names, and when I was about to delete them, they were locked up. I found they were locked (used, I mean) by explorer.exe, and when I unlocked them, they'd lock up again. woah, they weren't even able to be deleted by hijackthis. they'd always regenerate and I couldn't find the parent file. stuck with this. I've googled and found nothing for the manual removal. T^T
It is also said that this trojan will d/l other chinese trojans when using iexplore.... and I'm currently using firefox. will that have an effect when browsing with firefox?
svchost.exe(s) on my comp always try to access hundreds of unwanted ports (considered as trojan-downloading ports) when it gets connected to internet. then so does the winlogon.exe. they'll open hundreds of connections at the same time to different ports, closed, connected, listening, and closed again in a loop. while my comp isn't connected, svchosts still try to connect there, unlimited tries.
even with manual or applications, values on BHO, shellexecutehooks, and another CLSIDs will be regenerated after they're all deleted. even the file can't be deleted, because its parent is locked by explorer. woah, i'm stuck here.
7 - winlogon.exe will try the same thing, until it'll get message "winlogon.exe - application error" couldn't write in blalala whatsoever and need to close. WTH?! i just ignore that message. of course my comp will restart if it's closed, right? once i click ok to terminate the program, all programs run below winlogon.exe will be closed too, and automatically restarts the comp.
*well of course, winlogon.exe is vital, since it's the one that runs all the vital runtime processes.....*
why do I ignore that msg? because, in this current situation, booting is a difficult try. when I normally boot the comp, it'll always restart before it enters the welcome screen. when I try to reboot it, it won't boot (blank screen allllll the way). How do I enter it? choosing last known good configuration, and hoping I can pass the boot process successfully. it depends on luck, FYI. I have to try several times until I succeed. I couldn't help but ignore the winlogon error message, because if it restarts it'll be hard to log in again. poor winlogon...
If it doesn't succeed, the last way I have is restoring the last backup of registry files by booting my miniPE windowsXP first (uh, emergency Windows XP live CD T^T), and the result? I can safely boot my comp, but the values including virus values are back too. uhuhuh....
and if i shutdown it, it'll go the same way back just like when the registry isn't backed up yet. luck chances to enter the welcome screen and safely boot is so small, you know....
8 - The last way on my mind : renaming msvbvm60.dll. yeah, the most effective way to make all VB-programmed programs stop working. maybe Azero stops, but after I delete it they'll regenerate again. and that chinese trojan? huh, they still suck as well = =;;
T^T Hufff. *typing this makes me tired enough*
These problems bother me a lot. It's soooo complicated to be solved.
the main point is I NEED HELP. uh, i'm begging your help to recover 'em with manual way. because using any programs won't be effective for my comp. trust me.
but if you know a better recovery program, let me know it, ok?
the last, i apologize for my super bad, crappy english. i type this without even realizing and correcting once again, because i feel i have stomachache now.
CMIIW for the information above. really, I need help. comment here, or send me a note, or if you become sympathetic w/ me you can email me at lein_wizard@yahoo.com or add me at your YM.
Azero is a low-risk, while that chinese trojan is classified as a medium-risk malware. even so they can be harmful someday. honestly, this is my first time failing at removing worms manually. because I have experience removing worms myself without antiviruses, except for disinfecting files
and because of that, I really really NEED your help, you kind people. especially for the advanced one.....
--lein.
Devious Comments
otherwise, the quickest way, although the saddest one...
copy your important data to a CD-R, then reset your computer, problem solved hahaha >w<
--
I'd like to fly freely in the sky,
but I can't...
cause my wings were torn and broken...
Try writing down everything hijackthis decrees, then use Ubuntu 8.04 and delete all the files it decreed.
--
Sthrattoff in Motion...
the truth is, we're the guys who clean viruses + reinstall the RO computers. nyehehehe.
ah. so if I use another OS, it can be removed.....? I'll try it. I happen to have ubuntu. hehe.
--
Current status : ALIVE!
I don't have ANY international antivirus at all. (because it was just fixed by the computer guy)
--
Current status : ALIVE!
as for backing up data, I've already backed up to the other HDD (there are 2 HDDs, the OS is on HDD 0, my data is on HDD 1). well, the problem is..... the OS and the other data are partitioned but on the same HDD. after all, reinstalling the OS has to be a clean install....
what a hassle again T^T
--
Current status : ALIVE!
a layperson like me wouldn't have a clueee
*feeling stupid*
use deepfreeze? *just guessing wildly*
--
visit my other gallery [link]