W32.Rontokbro.U@mm


chrisling
06-05-2006, 05:15 AM
Recently I faced a worm infection problem on a customer's computer. Actually this is not the first case I have seen, since this worm was discovered a few months ago.
The name I listed is based on Symantec Corporation's definition. Please have a look at this worm's explanation and how it works.

W32.Rontokbro.U@mm (http://securityresponse.symantec.com/avcenter/venc/data/w32.rontokbro.u@mm.html)

It works like this: it is able to close or minimize any antivirus-related software. It can also close any Windows dialogue boxes that are either active or inactive. And one more important thing: in the software list, it has HijackThis! That means we cannot use HijackThis, since it has the ability to shut it off. We can neither go to Registry Tools, because it has altered the setting since your computer was infected with this worm.

I have tried using the local network to scan for the worm from another computer with an antivirus program. It succeeded on two out of ten computers.

Every expert, I need help here... :(

Budfred
06-05-2006, 08:03 AM
You can rename HijackThis and use it that way... For example Malware.exe...

For the Registry issues, you can either download a different Registry tool or use whatever special program has been developed to fight this one... I know of at least one tool that would probably take it out pretty quickly...

chrisling
06-05-2006, 08:44 PM
Wow, why did I never think to rename the HijackThis program? But it is still working after I rename it, isn't it? I found that I can use Bart's PE with the Kaspersky AV plug-in. It works and takes it out easily. Thank you Budfred for giving me the idea of renaming HijackThis. I shall post the log file of the infected computer next time so that I can know which option I should check. Thanks, and sorry for my behaviour before... :(

mjc
06-05-2006, 09:00 PM
You can even rename it to a different extension, as long as that extension is executable... .com is one such extension.

chrisling
06-24-2006, 12:30 AM
Now I'm servicing a computer with this worm infection, and I have now realized that I really cannot open HijackThis!! Even if I rename it or change its extension. It will be restarted if I open any program that is on the list (shown in Symantec's virus solution above).
What else can I do now?

Budfred
06-24-2006, 01:57 AM
Since you know what it is, is there some reason that you can't run Symantec's fix??

Have you tried HJT in Safe Mode and renamed??

What other tools have you tried??

chrisling
06-24-2006, 02:42 AM
Symantec's tools are only for their own product. The computer cannot have its AV reinstalled because of the worm infection. I can neither uninstall nor install a new AV on it, due to the worm's ability to restart the machine. Currently it is using Norton AV 2004 with an expired subscription from Symantec.
I have tried running HijackThis in Normal Mode and Safe Mode; neither of them works. It's the same if I change its name and extension.
Is there any other 'manual' way to delete it? Or is reformatting the only choice?

Budfred
06-24-2006, 07:33 AM
The Symantec site tells you pretty specifically what is affected and what the Registry changes are so you can go through and manually delete the infection...

chrisling
06-24-2006, 10:23 PM
If I could enter Registry Tools it would be much easier, for sure. This worm series has the ability to block anyone from going into Registry Tools, Folder Options, Task Manager and your system folder. It's pretty strong and can be described as an unremovable worm despite reformatting (from other technicians in this area) :p . So I wonder whether the experts here can solve it or not. I have pretty high expectations of you all since I know this forum, especially Budfred and mjc. :)

PrntRhd
06-24-2006, 10:35 PM
http://www.sarc.com//avcenter/venc/data/w32.rontokbro.u@mm.html

Symantec says the removal is easy?

Symantec also has issued a Tool to open Regedit in case the worm blocks it:
http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html

chrisling
06-24-2006, 10:54 PM
Yes, it's easy if you have a Symantec AV product on your OS. They do everything their own way regarding their product, which means it will be harder for us to remove those viruses if we don't use Symantec products.
Now the problem is:
It is able to close or minimize any antivirus-related software. It can also close any Windows dialogue boxes that are either active or inactive.
This is why it has gone so far...

PrntRhd
06-24-2006, 11:01 PM
From the removal instructions:
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
Also with any worm, you want to have the PC removed from the Internet or LAN.

chrisling
06-25-2006, 12:02 AM
It's the same in Safe Mode...
I used to run it from another PC over the LAN. I can delete everything except the infected files in system32. If I go into Safe Mode, I can't use the LAN...

PrntRhd
06-25-2006, 12:02 AM
You mention not being able to install a proper AV; have you tried using the ClamWin or Stinger tools to stop the worm enough to gain control?
You copy the files onto a clean PC and write-protect them. Run in SAFE mode.
Stinger (http://vil.nai.com/vil/stinger/)

Noted from the writeup at Sophos: it modifies your HOSTS file to prevent you from being able to get help from AV vendors.

Trend Micro has a tool to remove this one:
http://uk.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=2&VName=WORM_RONTKBR.GEN
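
A small offline check for the two lockout techniques described in this thread (the policy values that block Registry Tools, Task Manager and Folder Options, and HOSTS entries that sinkhole AV vendor sites), plus the exefile open-command check that Symantec's reset tool addresses. This is an added example in Python, not code from the thread or from any vendor tool; the vendor name fragments and all sample data are constructed assumptions, and the policy paths are read from a dict so the logic runs anywhere (on a live machine you would fill that dict from a reg export).

```python
import ipaddress

# Name fragments used to spot AV-vendor hosts (an assumption; the Sophos writeup only says the HOSTS file is changed).
AV_VENDOR_FRAGMENTS = ("symantec", "sophos", "trendmicro", "mcafee", "kaspersky")

# Real Windows policy values that lock users out of the tools named in the thread.
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
LOCKOUT_VALUES = {
    POLICIES + r"\System\DisableRegistryTools": 1,   # blocks regedit
    POLICIES + r"\System\DisableTaskMgr": 1,         # blocks Task Manager
    POLICIES + r"\Explorer\NoFolderOptions": 1,      # hides Folder Options
}

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map an AV vendor name to a sinkhole address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an "ip hostname..." line
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            if sinkholed and any(f in name.lower() for f in AV_VENDOR_FRAGMENTS):
                hits.append((fields[0], name))
    return hits

def active_lockouts(policy_values):
    """policy_values: {value_path: data}, e.g. parsed from a reg export of HKCU."""
    return sorted(p for p, bad in LOCKOUT_VALUES.items() if policy_values.get(p) == bad)

def exefile_hijacked(open_command):
    """True unless the exefile open command is the stock launcher that runs the .exe itself."""
    return open_command.strip() != '"%1" %*'

# Constructed sample input (not captured from an infected machine).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.0.1    www.symantec.com securityresponse.symantec.com  # redirected
0.0.0.0      update.sophos.com
192.168.1.5  fileserver.local
"""
SAMPLE_POLICIES = {POLICIES + r"\System\DisableRegistryTools": 1,
                   POLICIES + r"\Explorer\NoFolderOptions": 1}
```

Any hit from these three checks is a reason to clean from read-only media (Bart's PE, a CD) rather than from inside the running system, as the thread already suggests.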

mjc
06-25-2006, 12:21 AM
PortableClamWin can be run from a USB drive OR burned to a CD...no way to change that once it's burned.

Stinger should be able to be run from a CD too...

That Symantec reset tool can be run from the CD.

chrisling
06-25-2006, 12:28 AM
WOW!! It's cool! I'll give it a try. Thanks PrntRhd. :)

PrntRhd
06-25-2006, 12:55 AM
Just repeating a key item:
Also with any worm, you want to have the PC removed from the Internet or LAN
Worms are simply computer code, and can be killed if you take the proper approach and use the correct tools.
If you do not take the proper approach worms can hide and re-infect. You will also have to scan ALL the PCs on your LAN, remove any worm remnants one by one, get protection on them and finally return them to the LAN.

Budfred
06-25-2006, 01:58 AM
There are also other Registry editors that might work:

Registrar Lite:
http://www.resplendence.com/reglite

and others...

chrisling
06-26-2006, 01:16 AM
I just found this solution out from Trend Micro. Have a LOOK (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBRONTOK%2EAC&VSect=Sn) everybody :)
With Process Explorer, we'll get rid of it more easily. Even other viruses or spyware can be stopped. Am I right?