i found a new startup location may be you know it.
may be it is related to GDI+

i cad a trojan dopper its name was:~[numbers].exe in my user folder in documents and settings.
and it was in registery in two locations
local machine\*\*services\ie updater\[somthing like image path]
local machine\*\*services\internet explorer updater\[somthing like image path]=executeable.exe.

there was a buffer overflow as i understand.
it crushed and downloaded a trojan.
and tried to execute it but my antivirus denied it.

Hello,

ieupdater (Microsoft IE Updater) (http://www.castlecops.com/o23list-2340.html)

Added by an unidentified TROJAN! of the Sdbot family. Note: This worm\trojan is located in C:\Documents and Settings\user name\Local Settings\Temp

Glad your Anti Virus Program caught it. :) If you have files to submit, send them zipped to:
detections(AT)spybot.info (Replace AT with @)

Regards.