NTOS.exe stealths itself, sysinternals AUTORUNS will show an entry in the "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" section where NTOS.exe is tagged on the end of the usual "C:\WINDOWS\system32\userinit.exe," but if you set autoruns to remove the entry it will immediately reappear. When you look at the location using windows explorer it will not show the file. Download Pocket Killbox HERE.
Run killbox and put in the path to the naughty file - usually "c:\windows\system32\ntos.exe" - then select the replace on reboot radio button and check the 'use dummy' box. now click the remove file button (red with white cross). After rebbot you will be able to remove the startup entry and both see and delete the dummy NTOS.exe in %systemroot%\System32\.
Which is nice.