There is a new document available in the SANS Reading Room: A case study about a fictive company infected by a spybot. How it was detected and eradicated. Finallly, solutions are proposed by avoid the same problem in the future.
The document is available here.