To help clean off NTOS

NTOS.exe hides itself. Sysinternals Autoruns will show an entry in the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” section where NTOS.exe is tagged on the end of the usual “C:\WINDOWS\system32\userinit.exe,”, but if you set Autoruns to remove the entry it will immediately reappear. When you look at the location using Windows Explorer, it will not show the file.

Using killbox

Run killbox and put in the path to the naughty file – usually “c:\windows\system32\ntos.exe” – then select the replace on reboot radio button and check the ‘use dummy’ box. Now click the remove file button (red with white cross). After reboot you will be able to remove the startup entry and both see and delete the dummy NTOS.exe in %systemroot%\System32\.
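
To confirm the startup entry stays gone after the reboot, the Userinit value can be re-checked from PowerShell. This is an added example, not part of the original write-up; the function name Get-UserinitExtras and the sample string are made up for illustration, and it assumes a clean value lists only userinit.exe under %SystemRoot%\system32.

```powershell
# Added example: audit the Winlogon Userinit value for anything appended to it.
# Assumption: a clean value contains only %SystemRoot%\system32\userinit.exe.

function Get-UserinitExtras {
    param(
        # Raw Userinit string, a comma-separated list of programs
        [Parameter(Mandatory)][string]$Value,
        # The only entry treated as legitimate
        [string]$Expected = (Join-Path $env:SystemRoot 'system32\userinit.exe')
    )
    $Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |      # drop padding and quotes
        Where-Object { $_ -ne '' } |                  # the trailing comma leaves an empty item
        Where-Object {
            # Expand %SystemRoot%-style entries, then compare case-insensitively
            [Environment]::ExpandEnvironmentVariables($_) -ine $Expected
        }
}

# Constructed sample shaped like the infected value described above
$sample = 'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,'
Get-UserinitExtras -Value $sample -Expected 'C:\WINDOWS\system32\userinit.exe'

# Live check against the key named in this post
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $key -Name Userinit).Userinit

$extras = @(Get-UserinitExtras -Value $live)
if ($extras.Count -eq 0) {
    Write-Output 'Userinit is clean.'
} else {
    foreach ($entry in $extras) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        [pscustomobject]@{
            Entry         = $entry
            # A registered file that cannot be seen on disk fits the hiding
            # behaviour described above and is worth investigating.
            VisibleOnDisk = Test-Path -LiteralPath $path
        }
    }
}
```

Run it once right after the cleanup and again after another reboot; if an extra entry comes back, the removal did not take.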