This is the primary reason Unix folks remove the computer, make an image for forensics, and then rebuild from a known good source. Windows folks have yet to figure this one out. I take the same philosophy towards malware that Unix admins do: nuke the box, because you can't trust it's clean once it's been compromised.
In one incident, a sports bar in Miami was targeted by attackers who used a custom-designed rootkit that installed itself in the machine's kernel, making detection particularly difficult. The rootkit had a simple, streamlined design and was found on a server that handled credit card transactions at the bar. It searched for credit card track data, gathered whatever it found and dumped the data to a hidden folder on the machine. The attacker behind the rootkit took the extra step of changing a character in the track data that DLP software looks for in order to identify credit card data as it leaves a network, making the exfiltration invisible to the security system.
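The DLP failure described above comes from matching on fixed format characters rather than on the card number itself. The following is an added illustration, not code from the original article or from any DLP product: a sentinel-based check beside a detector that ignores surrounding characters and validates digit runs with the Luhn check. The sample records are constructed; the PAN 4111111111111111 is the well-known Visa test number.

```python
import re

# Constructed Track 2 style record (ISO 7813 layout: ';' PAN '=' expiry ... '?').
NORMAL_TRACK2 = ";4111111111111111=25121010000000000000?"
# Constructed variant with one sentinel character altered, the kind of
# single-character change the incident above describes.
ALTERED_TRACK2 = ":4111111111111111=25121010000000000000?"

# Naive DLP signature: anchored on the Track 2 start sentinel and field separator.
TRACK2_SENTINEL_RE = re.compile(r";(\d{13,19})=(\d{4})")

# Robust candidate: any bounded run of 13 to 19 digits, regardless of what
# characters surround it. Lookarounds keep longer runs (e.g. discretionary
# data) from being split into a false match.
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def naive_dlp_detect(payload: str) -> bool:
    """Flags only records that still carry the expected sentinels."""
    return TRACK2_SENTINEL_RE.search(payload) is not None


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def robust_dlp_detect(payload: str) -> list[str]:
    """Return candidate PANs: bounded digit runs that pass Luhn.

    Separators such as spaces or dashes between digit groups are removed
    first, so formatting tricks around the number do not hide it.
    """
    normalized = re.sub(r"(?<=\d)[ -](?=\d)", "", payload)
    return [run for run in DIGIT_RUN_RE.findall(normalized) if luhn_valid(run)]


if __name__ == "__main__":
    for record in (NORMAL_TRACK2, ALTERED_TRACK2):
        print(record, naive_dlp_detect(record), robust_dlp_detect(record))
```

Luhn-based matching still produces false positives on other 13 to 19 digit identifiers, so in practice it is combined with issuer prefix ranges and context rather than used alone.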