Did another spyware cleanup today. User reported that a spyware cleanup tool appeared immediately after running Windows Update. Guess: the update process changes some Internet Explorer settings back to defaults (known), and at that point, a third-party toolbar sitting in the “c:\winnt\downloaded program files” was able to run a delayed install.
Moral of the story: Empty the downloaded program files before running Windows Update. Easy method: use Drive Cleanup, from My Computer, Control Panel, right-click on the drive, choose Properties, Tools (tab), and Drive Cleanup. Or just navigate to the folder and wipe out the contents manually.