c:\windows\system32\elitefbh32.exe
c:\windows\svchost.exe

The first one was detected with Hijack This! but the silly thing hids itself from the operating system. Very clever, but a royal pain in the caboose. I was able to see a few of it's little buddy files, but not the main one. And of course, when I removed the startup shortcut, it mysteriously reappeared in a few seconds. After much anger, I booted into recovery console and discovered several screenfuls of it's buddy-files as well as the main monster elitefbh32.exe Delete worked just fine on the one file, but informed me that recovery console delete doesn't support wildcards (WTF?!). I went ahead and removed a few elite folders from the Windows directory and rebooted.

Now it was no problem to remove the 30-something elite*.exe files under Win/Sys32 as well as it's buddy folders under Windows itself. HiJack This had no problem removing the startup entry, and this time, it stayed gone.

The second creepy issue was resolved by using Process Kill to kill off the svchost process and then deleting the Svchost.exe file from the Windows directory. Be careful and be quick. After killing this process, the system will shut down in 59 seconds. I recommend either doing it from a CMD prompt (like I did) or using a batch file.

This one was hard to spot because it shows up exactly the same in Task Manager as the real version of Svchost. Did I mention SpyBot detected 384 items? It did!

good luck out there !