AxFreePorn Disconnects me

After a couple hours I get disconnected by AxFreePorn and it shows up on my network conncections and dials it. I have located most of it is contained in windows/temp folder but it seems to keep coming back. Ive tried Avast and adaware scans in the folder and nothing came up with them in. After I delete them its better for a while but it keeps coming back. What can I do to completely get rid of it?

Hi Matty - Welcome to the forum.

There’s little information about AxFreePorn. It appears to have rootkit ability making it hard to remove.

Open an explorer window and click Tools>Folder Options>View. Under Hidden Files and Folders make sure Show Hidden Files and Folders is checked. Also make sure Hide Extensions For Known File Types and Hide Protected Operating System Files are not checked.

Now scan with the free version of A-Squared, putting in quarantine anything found

http://www.emsisoft.com/en/software/download/

If that does not locate the problem scan with F-Secure Blacklight too

http://www.f-secure.com/blacklight/

When you post the results of those scans please also let us know what operating system and what firewall you have. More detail about the symptoms would also be helpful. How do you know its AxFreePorn?

Hi Matty,

Her is the specific Spy Axe removal instructions: http://www.spywareremove.com/removeSpy_Axe.html

polonus

I have Windows Xp home and AxFreePorn picture comes up on my desktop, AxFreePorn written as one of my dialup connections and has a number to call, and has pictures come up in Windows/Temp that have a different name like abc123 and this is a file that runs it I think abc123.pid, and I have the protect my internet connection firewall checked. I have internet options under tools but not folder options.

Is that the Windows Firewall? If so please install Comodo or Zone Alarm (both are free)

http://www.personalfirewall.comodo.com/

http://www.zonealarm.com/store/content/company/products/znalm/freeDownload.jsp

After installing carefully review anything wanting an internet connection.

Also, clean your temp files with CleanUp

http://www.stevengould.org/software/cleanup/

Sorry - I should have explained better.

Click Start>My Computer. Use the Tool button at the top of that window.

I downloaded Comodo and it seems to stop it from loading and disconnecting me. Ive noticed this Perflib_Perfdata_67c dat file keeps making new ones with a different number after a while in the windows/temp folder. I can delete all of them except for 1 every time because it says its being used by another program. The date on that one is the day Im on the computer. I downloaded a couple different clean up programs but it gives me a error about the size is different when I try to open it. I scanned with A-Squared and the scan found these

C:\WINDOWS\system32\rlls.dll detected: Trace.File.RelevantKnowledge
C:\WINDOWS\system32\rlvknlg.exe detected: Trace.File.RevelantKnowledge
KEY_LOCAL_MACHINE\SOFTWARE\Policies → {645FF040-5081-101B-9F08-00AA002F954E} detected: Trace.Registry.Command Service
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies → {6BF52A52-394A-11D3-B153-00C04F79FAA6} detected: Trace.Registry.Command Service
C:\Documents and Settings\Matt\Cookies\matt@2o7[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Matt\Cookies\matt@advertising[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Matt\Cookies\matt@mediaplex[1].txt detected: Trace.TrackingCookie
C:\Program Files\America Online 7.0\WanMPSvc.exe detected: Heuristic.Dialer

Relavant Knowledge and Command Service both seem like adware, so possibly not the source of your problem.

And C:\Program Files\America Online 7.0\WanMPSvc.exe is a valid part of AOL, so if you use this service you may need to restore this.

Have you scanned with BlackLight yet? Please do so and post the results.

EDIT:

Upload Perflib_Perfdata_67c (or any variations you find in the same directory) to Virus Total and Jotti for analysis and post the results

http://www.virustotal.com/en/indexf.html

http://virusscan.jotti.org/

EDIT #2
I’m finding nothing definitive on Perflib_Perfdata_xxx other than the fact that it is very common. In fact, one of two computers I just checked has a version of this. Various explanations include orphaned temp files from improper shut downs and files left from Performance Monitor or ATI Video Controllers.

Go ahead and scan the file at the links I posted above, but don’t be surprised if nothing is found.

Then for sure run the BlackLight scan.

Hi Matty,

Because of RelevantKnowledge and other tracking cookies stealth methods, tracking cookies, even when installed without malicious reasons, may put your personal and financial information at risk. It is always a good idea to remove RelevantKnowledge and other tracking cookies.
Remove the following processes: relevantknowledge.exe & rk.exe
The removal instructions for command service can be found here:
http://www.spywareremove.com/removeCommand_Service.html

polonus

del it in safe mode ?

Polonus and I think differently about this. I favor automatic removal methods, when they work, because I see less chance to cause additional problems. Have you tried A-Squared or AVG Antispyware?

I don’t know the details of your situation but in Matty’s case I think there is a downloader we have yet to identify causing this adware to appear on his computer. I’m trying to focus on confirming the presence or absence of a downloader with a view toward its ultimate removal. The junk resulting from the downloader can be dealt with along the way with a general cleanup at the end of the process (unless something terribly malicious shows up).

Actually I am not differing in opinion with Mauserme, no way. The information above givenin this thread is only additional information to check after the automatic removal routines have been performed, so purely for verificational purposes. Automatic removal through an adequate scanner or a specific removal tool for a specific type of malware is almost always to be preferred over manual cleansing practices. But how often the victims of malware ask: “are we secure now, has the malware really been removed?” . For that reason I give the manual cleansing routine also whenever I can find this. Sometimes these manual cleaning routines ask for additional force like killbox, special settings like safe mode, etc. For these reasons and others I share Mauserme’s opinion.

polonus

Gosh, is that snearing Grumpy meant for me? :o

Well, yes, it does make sense to verify. :slight_smile:

I scanned with blacklight and found nothing. At Virusscan.jotti and virus total they found no virus but when I used the recent created Perflib_Perfdata_640 it went to a screen that said: The file you uploaded is 0 bytes, and at the jotti one it also said It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

What is the status of the popups and the file named abc123.pid? Still a problem or gone now?

Is your internet connection still unstable?

After I delete abc123.pid and go on the computer again for a while it comes back. It doesn’t disconnect me anymore since I got the comodo firewall. My internet connection is slow at times and the fan kicks in and cpu is 100. Just looking at it now its jumping from in the 20s to 70’s cpu usage.

Can you post a hijackthis log. It can be downloaded here

http://www.bleepingcomputer.com/files/hijackthis.php

Extract the program to its own folder (eg C:\hijackthis) making sure you don’t run it from a temporary folder or from the desktop. After extracting it, rename hijackthis.exe to hijackthat.exe and run it. Click to scan a save a log, then post the contents of the log using more than one post if the log is very long. Don’t “fix” anything - just post the log.

Logfile of HijackThis v1.99.1
Scan saved at 9:55:33 AM, on 3/17/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = means.net
N2 - Netscape 6: user_pref(“browser.startup.homepage”, “www.yahoo.com/”); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\se66gzsi.slt\prefs.js)
N2 - Netscape 6: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\se66gzsi.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [MoneyAgent] “c:\Program Files\Microsoft Money\System\Money Express.exe”
O4 - HKCU..\Run: [Aaou] “C:\WINDOWS\System32\RACLE~1\regedit.exe” -vt yazb
O4 - HKCU..\Run: [Jthl] “C:\Program Files\Common Files??crosoft.NET\w?nlogon.exe” 99001122
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PamelaPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PAMELA~1\client.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak04.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip..{195AB0B4-F0E8-496E-8FDE-99F60E942800}: NameServer = 206.9.64.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\System32\rlls.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

One of the first things I would suggest is getting windows XP up to date, there are many vulnerabilities in the original XP, SP1, SP2 plus further security updates have patched those vulnerabilities, so many of the exploits won’t be able to enter your system.

This also means there will be no more security updates for XP, SP1 as SP2 is the minimum supported for future security updates. It also means IE6 is also out of date and vulnerable, I would suggest using either firefox or opera which are more secure than IE, especially one that is out of date.

You also have remnants of Norton Antivirus that you should remove these can impact on other security software. A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
You can also download SymNRT, a Norton uninstall tool that uninstalls all Norton 2004/2005/2006 products.
Also see, Manual uninstallation documents for Symantec Client Security products (including Corporate Editions) http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/a4d3327506ae7c5f88256b81007b7487?OpenDocument&src=bar_sch_nam

An on-line analysis of your log, http://hijackthis.de/logfiles/047baaa42da06934c5eb27de0341905d.html, check any unknown/nasty entries, google the file names, etc.

Nasty fix:
C:\windows\system32\rlvknlg.exe
See this for more information http://www.bleepingcomputer.com/startups/rlvknlg.exe-12985.html

Unknown - suspect
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU..\Run: [Aaou] “C:\WINDOWS\System32\RACLE~1\regedit.exe” -vt yazb
O4 - HKCU..\Run: [Jthl] “C:\Program Files\Common Files??crosoft.NET\w?nlogon.exe” 99001122
O20 - AppInit_DLLs:
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\System32\rlls.dll (see http://www.castlecops.com/lsp-175.html, malware related to rlvknlg.exe above)

This one is also bad:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

Looks like FunWebProducts.

Have you tried the usual anti-adware scanners?

AVG Anti-spyware:

http://www.ewido.net/en/product/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html