I created a SpyEye VM infection for a presentation. (usexxxxxxxx.exe)
 
I lucked out and found that it is an example of "The Mis-leading 'Active' in PsActiveProcessHead and ActiveProcessLinks" (thank you MHL)
http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
 
This makes it a great example to use in my presentation!!  I've attached imageinfo, pslist, psscan, and psxview for anyone interested in seeing it.
 
(BTW, if you are going to the presentation, don't give it away until I give you a chance near the end. I'll let you explain it. (let someone else notice the 'wierd' stuff and wonder why)
 
I will make a package of this available if someone wants a copy. I can put it on my web site for download.
The package would consist of:
1. the incident response batch file output with win32dd imaging (I like win32dd, great for times, info and MD5)
2. 512MB memory image
3. E01 disk image of the 10GB disk
 
MHL, in this case is this a bug in SpyEye?  OR does it have anything to do with injecting into your parent? <g>
 
Have a good day all!
Mike
 
PS. Thanks Jamie for linking to MHL's explanation in the Command Reference