Rising Kaka Security Forum, Technical Exchange area, Anti-virus / Anti-rogue-software board

Experts, please help: how do I remove the trojan Trojan.DL.Agent.dlo!

I was recently infected with the trojan Trojan.DL.Agent.dlo; the symptoms are as follows:
1. An abnormal file D:\WINNT\system32\DLMon.dll was found. Rising 17.57.12 reported that it had been cleaned successfully, but the file is still there and cannot be removed manually;
2. In Safe Mode DLMon.dll cannot be found and no virus is detected; I have not tried under DOS;
3. The browser keeps popping up the page http://%1/ at intervals; right-clicking the page and choosing Properties shows the address res://D:\WINNT\System32\shdoclc.dll/navcancl.htm#http://%1/;
4. Two suspicious values were found in the registry:
PendingFileRenameOperations under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager, with the value \??\D:\WINNT\system32\DLMON.dll
The same name and value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager;
5. The log saved with autoruns is as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run           

+ Disc Detector    Disc Detector    Creative Technology Ltd.    d:\program files\creative\sharedll\ctnotify.exe

+ Gainward    EXPERTool : Display Control Panel    Gainward Co.    d:\winnt\tbpanel.exe

+ NvCplDaemon    NVIDIA Taskbar Utility Library    NVIDIA Corporation    d:\winnt\system32\nvqtwk.dll

+ nwiz            d:\winnt\system32\nwiz.exe

+ RavMon    RavMon Rising realtime monitor     Beijing Rising Technology Co., Ltd.    d:\program files\rising\rav\ravmon.exe

+ RavTimer    RavTimer    Beijing Rising Technology Co., Ltd.    d:\program files\rising\rav\ravtimer.exe

+ RfwMain    Rising Personal FireWall Main Program    Beijing Rising Technology Corporation Limited    d:\program files\rising\rfw\rfwmain.exe

D:\Documents and Settings\Administrator\「开始」菜单\程序\启动           

+ 腾讯QQ.lnk    QQ    TENCENT    d:\program files\tencent\qq\qq.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run           

+ helperdll            d:\winnt\system32\drivers\pupw.sys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad           

+ SysTrays            d:\winnt\system32\dlmain.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved           

+ RISING    Rising Shell Ext Module    Beijing Rising Technology Co., Ltd.    d:\winnt\system32\ravext.dll

+ Shell Extensions for RealOne Player    RealPlayer Shell Extensions    RealNetworks, Inc.    d:\program files\real\realone player\rpshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects           

+ AcroIEHlprObj Class    AcroIEHelper Module        d:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx

+ DownloadValue Class    DownloadStart Module        d:\winnt\system32\winhtp.dll

+ IeCatch2 Class    jccatch Module    Amaze Soft    d:\program files\flashget\jccatch.dll

+ ltmenu Class    menu Module    北京莲塘软件技术有限公司    c:\program files\ltucx\1002\c0.dll

+ QQBrowserHelperObject Class    QQIEHelper Module    深圳市腾讯计算机系统有限公司    d:\program files\tencent\qq\qqiehelper.dll

+ URLMonitor Class    HAP    Henbang    d:\winnt\system32\hap.dll

+ Wbho Class            File not found: D:\WINNT\system32\Usign.dll

+ {90AAA4FC-24DC-40DE-A9B5-D92B23C8F777}            File not found: D:\WINNT\System32\bbiaa.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar           

+ FlashGet Bar    FlashGet IE Bar    Amaze Soft    d:\program files\flashget\fgiebar.dll

HKLM\System\CurrentControlSet\Services           

+ Creative Service for CDROM Access    Creative Service for CDROM Access    Creative Technology Ltd    d:\winnt\system32\ctsvccda.exe

+ ll_reg            File not found: Task688.dll

+ Microsoft    NetWork  FireWall  Services            File not found: Net_Services.exe

+ Microsoft NetWork FireWall Services            File not found: NetServices.exe

+ NetMeeting Remote Desktop (RPC) Sharing            File not found: Task688.dll

+ NVSvc    NVIDIA Driver Helper Service, Version 27.50    NVIDIA Corporation    d:\winnt\system32\nvsvc32.exe

+ PPPoEService            d:\program files\cnc\cncbbn\app\pppoeservice.exe

+ RfwService    Rising Personal Firewall Service    Beijing Rising Technology Corporation Limited    d:\program files\rising\rfw\rfwsrv.exe

+ RsCCenter    CCenter    rising    d:\program files\rising\rav\ccenter.exe

+ RsRavMon    RavMon    Beijing Rising Technology Co., Ltd.    d:\program files\rising\rav\ravmond.exe

HKLM\System\CurrentControlSet\Services           

+ BaseTDI    basetdi    Rising    d:\winnt\system32\drivers\basetdi.sys

+ dmio    NT Disk Manager I/O Driver    VERITAS Software Corp.    d:\winnt\system32\drivers\dmio.sys

+ dmload    NT Disk Manager Startup Driver    VERITAS Software Corp.    d:\winnt\system32\drivers\dmload.sys

+ ExpScaner    ExpScan.sys        d:\program files\rising\rav\expscan.sys

+ FETNDIS    NDIS 5.0 miniport driver    D-Link                                  d:\winnt\system32\drivers\dlkfet5b.sys

+ HookCont    TDI HOOK Driver    Rising tech Co. ltd    d:\program files\rising\rav\hookcont.sys

+ HookReg            d:\program files\rising\rav\hookreg.sys

+ HookSys        瑞星    d:\program files\rising\rav\hooksys.sys

+ New0            d:\winnt\system32\new.sys

+ npkcrypt    nProtect KeyCrypt Driver    INCA Internet Co., Ltd.    d:\program files\tencent\qq\npkcrypt.sys

+ NTSTAP1    NTS TAP Kernel Driver for NT    Network TeleSystems, Inc.    d:\program files\cnc\cncbbn\app\ntstap1.sys

+ nv    NVIDIA Compatible Windows 2000 Miniport Driver, Version 27.50     NVIDIA Corporation    d:\winnt\system32\drivers\nv4_mini.sys

+ pfc    Padus(R) ASPI Shell    Padus, Inc.    d:\winnt\system32\drivers\pfc.sys

+ PfModNT    PCI/ISA Device Info. Service    Creative Technology Ltd.    d:\winnt\system32\pfmodnt.sys

+ Ptilink    Direct Parallel Link Driver    Parallel Technologies, Inc.    d:\winnt\system32\drivers\ptilink.sys

+ RsFwDrv    nt_fwdrv    Rising    d:\program files\rising\rfw\rsfwdrv.sys

+ sbpci    WDM Audio Miniport    Creative Technology Ltd.    d:\winnt\system32\drivers\sbpci.sys

+ TAPBIND    NTS TAPBIND Kernel Driver for NT    Network TeleSystems, Inc.    d:\program files\cnc\cncbbn\app\tapbind1.sys

+ viaagp    VIA NT AGP Filter    VIA Technologies, Inc.    d:\winnt\system32\drivers\viaagp1.sys

+ viaagp1    VIA NT AGP Filter    VIA Technologies, Inc.    d:\winnt\system32\drivers\viaagp1.sys

+ viafilter    VIA USB Filter Driver    VIA Technologies, Inc.    d:\winnt\system32\drivers\viausb.sys

+ viaide    VIA PCI IDE Bus Driver    VIA Technologies, Inc.    d:\winnt\system32\drivers\viaide.sys

+ VIAPFD    VIA PFD driver    VIA Technologies. Inc.    d:\winnt\system32\drivers\viapfd.sys

+ ZSMC301b    Video streaming and Capture Device Driver    VM    d:\winnt\system32\drivers\usbvm31b.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls           

+ KB5786852.LOG            File not found: KB5786852.LOG

Experts, please help me remove this virus. Many thanks!
(I seem to remember Rising once also flagged KB5786852.LOG as a virus and reported cleaning it successfully.)
I tried to upload the DLMON.dll file, but unfortunately it did not work.
Last edited 2005-12-10 21:00:57
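The PendingFileRenameOperations values in item 4 are worth decoding rather than only deleting. The value is a REG_MULTI_SZ holding source/destination pairs written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: an empty destination means the source is deleted during the next boot (which is how an antivirus product disposes of a DLL it cannot unload), and a destination prefixed with "!" means an existing file is replaced. Session Manager consumes the value while processing it, so seeing the same entry again after a reboot means something is re-creating it, and a "delete" entry for a file that is still present after the reboot is exactly the symptom described in item 1. The Python below is an added example written for this thread, not part of the original post and not Rising's code; it assumes the value quoted in the post is followed by an empty destination string (constructed sample), and the live reader uses the standard winreg module, so it only runs on Windows.

```python
# PendingFileRenameOperations decoder (added example, not the forum's or Rising's code).
NT_PREFIX = "\\??\\"  # the NT object-manager prefix MoveFileEx stores in front of each path


def _strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_renames(entries):
    """Decode the REG_MULTI_SZ strings of PendingFileRenameOperations.

    The strings come in (source, destination) pairs. An empty destination means
    the source is deleted at the next boot; a destination starting with '!' means
    an existing file at that path is replaced (MOVEFILE_REPLACE_EXISTING).
    Returns a list of (operation, source, destination) tuples.
    """
    entries = list(entries)
    if len(entries) % 2:
        # A trailing empty destination can be dropped by some readers; restore it.
        entries.append("")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        src, dst = _strip_nt_prefix(src), _strip_nt_prefix(dst)
        if dst == "":
            ops.append(("delete", src, None))
        else:
            ops.append(("replace" if replace else "rename", src, dst))
    return ops


def deletions_scheduled(entries):
    """Paths the boot-time processing would delete; compare against what is still on disk."""
    return [src for op, src, _ in decode_pending_renames(entries) if op == "delete"]


def read_pending_renames():
    """Read the live value from the registry (Windows only). Returns [] if it is absent."""
    import winreg  # standard library on Windows; imported here so the decoder runs anywhere
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)


# Constructed sample: the value quoted in the post, with the empty destination string
# that regedit shows only as a blank line (assumed, not visible in the post).
THREAD_VALUE = ["\\??\\D:\\WINNT\\system32\\DLMON.dll", ""]

if __name__ == "__main__":
    for op in decode_pending_renames(THREAD_VALUE):
        print(op)
```

Run on the sample value the decoder reports a single ("delete", "D:\WINNT\system32\DLMON.dll", None) operation; on a live machine, feed `read_pending_renames()` into `deletions_scheduled()` and check whether each listed path still exists after the next reboot.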

The HijackThis scan log is as follows:

HijackThis_zww汉化版扫描日志 V1.99.1
保存于      19:43:04, 日期 2005-12-9
操作系统:  Windows 2000 SP3 (WinNT 5.00.2195)
浏览器:    Internet Explorer v6.00 SP1 (6.00.2800.1106)

当前运行的进程:         
D:\WINNT\System32\smss.exe
D:\WINNT\system32\csrss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
d:\program files\rising\rfw\rfwsrv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\CTSvcCDA.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
d:\program files\rising\rfw\RfwMain.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
D:\PROGRA~1\RISING\RAV\RAVMON.EXE
D:\WINNT\TBPanel.exe
D:\Program Files\MSN Apps\Updater\01.03.0000.1005\zh-cn\msnappau.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Tencent\QQ\QQ.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Tencent\QQ\TIMPlatform.exe
D:\WINNT\System32\nvsvc32.exe
D:\PROGRA~1\CNC\CNCBBN\app\pppoeservice.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
D:\WINNT\system32\MSTask.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\MsPMSPSv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Tencent\TT\TTraveler.exe
D:\Program Files\HijackThis1991zww.exe

F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3D898C55-74CC-4B7C-B5F1-45913F368388} - D:\WINNT\system32\mewin.dll (file missing)
O2 - BHO: URLMonitor Class - {3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92} - D:\WINNT\system32\hap.dll
O2 - BHO: Wbho Class - {40E3A34A-3282-41F8-AD2C-051BAB96AD4A} - D:\WINNT\system32\Usign.dll (file missing)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: DownloadValue Class - {616D4040-5712-4F0F-BCF1-5C6420A99E14} - D:\WINNT\system32\winhtp.dll
O2 - BHO: ltmenu Class - {78C21EFD-53BA-406C-AF1A-33A38ABD3958} - C:\Program Files\LtUcx\1002\c0.dll
O2 - BHO: (no name) - {90AAA4FC-24DC-40DE-A9B5-D92B23C8F777} - D:\WINNT\System32\bbiaa.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O2 - BHO: URL Handler - {CAE05C12-C151-11D4-9B88-0000B4C2C1C0} - D:\WINNT\System32\regsvr32.exe
O3 - IE工具栏增项: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - IE工具栏增项: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - IE工具栏增项: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O3 - IE工具栏增项: BitCometBar - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - D:\Program Files\BitComet\BitCometBar\BitCometBar0.1.dll
O4 - 启动项HKLM\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - 启动项HKLM\\Run: [nwiz] nwiz.exe /install
O4 - 启动项HKLM\\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - 启动项HKLM\\Run: [RavTimer] D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [Gainward] D:\WINNT\TBPanel.exe /A
O4 - 启动项HKLM\\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.03.0000.1005\zh-cn\msnappau.exe"
O4 - 启动项HKLM\\Run: [RfwMain] "D:\Program Files\rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: 腾讯QQ.lnk = D:\Program Files\Tencent\QQ\QQ.exe
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O12 - IE插件,支持文件类型.spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (V2 Control) - http://www.bluesky.cn/download/v2_53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/212c0b4f4026fb816b05/netzip/RdxIE601_cn.cab
O16 - DPF: {6EC14D77-72E0-436D-8C04-3BEE5D75B2F1} - http://vchat.xaonline.com/roomui/videoocx.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {ABA7CC7F-019D-47DB-A0D2-B3C2B3AC1B44} (Fc2Boot Class) - http://h5.kele8.com/onet/ActiveX/fc2boot.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (Blueskyvoice Control) - http://www.bluesky.cn/download/blueskyvoice_26.cab
O16 - DPF: {C0C13879-6A17-429E-80F1-60B23FC1F720} (FcBoot Class) - http://211.93.80.143/game/system/activex/fcboot.cab
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.rising.com.cn/ravkill/rsonline.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Filter: text/html - {6D57D03F-C260-4197-A97F-22F1ADF25565} - D:\WINNT\System32\bbiaa.dll
O18 - Filter: text/plain - {6D57D03F-C260-4197-A97F-22F1ADF25565} - D:\WINNT\System32\bbiaa.dll
O20 - AppInit_DLLs: KB5786852.LOG
O21 - SSODL: SysTrays - {590498A3-4131-4D8F-BA4B-36791A9803B1} - D:\WINNT\system32\DLMain.dll
O23 - NT 服务: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINNT\System32\CTSvcCDA.exe
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - NT 服务: ll_reg - Unknown owner - Rundll32.exe (file missing)
O23 - NT 服务: Microsoft    NetWork  FireWall  Services - Unknown owner - Net_Services.exe (file missing)
O23 - NT 服务: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - NT 服务: NetMeeting Remote Desktop (RPC) Sharing - Unknown owner - Rundll32.exe (file missing)
O23 - NT 服务: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - NT 服务: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\CNC\CNCBBN\app\pppoeservice.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe

Can any expert help? Many thanks!
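The HijackThis log above has a fixed line grammar (section code, label, then fields separated by " - "), so the entries the later replies act on can be picked out mechanically: services and BHOs whose file is missing or whose target is a generic host such as Rundll32.exe or regsvr32.exe, the AppInit_DLLs entry with a .LOG extension, the text/html MIME filter, and the SSODL entry. The Python below is an added example written for this thread, not HijackThis's own code; its sample input is a handful of lines copied from the log in this post (a localized build, hence the "NT 服务" label), and the flagging heuristics are the editor's, not an official rule set.

```python
# HijackThis log triage (added example, not HijackThis's or the forum's code).
import re

# One log line: "<code> - <label>: <payload>", payload fields separated by " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<label>.*?): (?P<payload>.*)$")

# Generic hosts: a BHO or service image that is one of these says nothing about
# the real payload, which is whatever the host is told to load.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe", "svchost.exe"}
# A MIME filter on these types sees every page Internet Explorer renders.
HIJACKABLE_FILTERS = {"text/html", "text/plain"}

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=
O2 - BHO: Wbho Class - {40E3A34A-3282-41F8-AD2C-051BAB96AD4A} - D:\WINNT\system32\Usign.dll (file missing)
O2 - BHO: URL Handler - {CAE05C12-C151-11D4-9B88-0000B4C2C1C0} - D:\WINNT\System32\regsvr32.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
O18 - Filter: text/html - {6D57D03F-C260-4197-A97F-22F1ADF25565} - D:\WINNT\System32\bbiaa.dll
O20 - AppInit_DLLs: KB5786852.LOG
O21 - SSODL: SysTrays - {590498A3-4131-4D8F-BA4B-36791A9803B1} - D:\WINNT\system32\DLMain.dll
O23 - NT 服务: ll_reg - Unknown owner - Rundll32.exe (file missing)
O23 - NT 服务: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
"""


def parse_line(line):
    """Split one log line into section code, label, fields and the final target path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group("payload").split(" - ")]
    target = fields[-1]
    missing = target.endswith("(file missing)")
    if missing:
        target = target[: -len("(file missing)")].strip()
    return {"raw": line.strip(), "code": m.group("code"), "label": m.group("label"),
            "fields": fields, "target": target, "missing": missing}


def triage_entry(entry):
    """Return the reasons this entry deserves a closer look (empty list if none)."""
    code, target, fields = entry["code"], entry["target"], entry["fields"]
    basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if entry["missing"]:
        reasons.append("referenced file is missing: leftover of an uninstall, or a loader whose payload is gone")
    if code in ("O2", "O23") and basename in LOADER_HOSTS:
        reasons.append(f"target is the generic host {basename}; the real payload is whatever it is told to load")
    if code == "O23" and "Unknown owner" in fields:
        reasons.append("service has no recorded publisher")
    if code == "O20" and target:
        reasons.append("AppInit_DLLs is set: this module is loaded into every process that uses user32.dll")
        if not basename.endswith(".dll"):
            reasons.append(f"AppInit entry '{basename}' does not even carry a .dll extension")
    if code == "O18" and fields[0] in HIJACKABLE_FILTERS:
        reasons.append(f"MIME filter on {fields[0]} can rewrite every page the browser renders")
    if code == "O21":
        reasons.append("SSODL entry is loaded by Explorer at every logon; confirm the publisher")
    return reasons


def triage_log(text):
    """Parse a whole log and return [(raw_line, reasons)] for the entries worth reviewing."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            findings.append((entry["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   -", reason)
```

On the sample, six of the nine lines are flagged and the three ordinary entries (the empty system.ini Shell=, the FlashGet BHO and the NVIDIA service) pass through silently; the ll_reg service collects three reasons at once, which matches the four O23 entries the thread ends up repairing.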
Heh, how do you repair it, with Super Rabbit (兔子)?
Of the four items, the first is related to the sound card and the second to the graphics card; the third and fourth look odd to me as well.
I have deleted PendingFileRenameOperations under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
and PendingFileRenameOperations under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager before, but after a reboot they were back.
Thanks, baohe. After repairing the 4 O23 NT service entries as described in your reply, the DLMON.dll file disappeared on its own, and the 2 registry values also vanished without my having to delete them. I ran another full disk scan and found no virus. I will keep watching it for a while.
One more question: after repairing the 4 O23 NT service entries a backup folder appeared; can it be deleted? The scan log still has other items marked (file missing); should those be repaired too?
Many thanks, baohe!
to nanxin:
Download this tool: http://forum.ikaka.com/download.asp?id=6979243. After downloading it, open it and scan your system to see whether you have the same symptoms as I did. If so, fix them with the method above; if not, post your log and ask the experts to help!
You can read these instructions:
http://it.rising.com.cn/newSite/Channels/Safety/SafetyResourse/Safe_Foundation/200408/03-144516227.htm
http://it.rising.com.cn/newSite/Channels/Safety/SafetyResourse/Safe_Foundation/200408/03-160816228.htm
Thanks!