In many cases, the malicious process will be monitored by another one. If it is killed, it will reborn, sometimes, there is a good tangling and monitoring linkage between 2-3 processes to ensure its survival.
For the cleaning scheme, if you have got a sample on hand, you could simply send it to some online sandbox like anubis for analysis in the first round of analysis, identifying any signature has been released and understand what kinds of impact/changes/addition it made in registry/filesystem/process/network connection.
For critical system, it is good to always making a regshot (registry snapshot) for every new production deployment as we cannot guarantee server will be safe forever. When incidence strikes, comparison against the initial regshot for issue detection.
Valkyrie-X Security Research Group, Hong Kong