Process Monitor by the Sysinternals team looks like it would be pretty useful in investigating a compromise: what's running, what DLLs it's loaded, and so on. I've been a fan of the Sysinternals stuff, and it looks like they're keeping up the good work. I've used Portmon and Process Explorer before, with good results.