NTOS virus cleaning
To help with cleaning off NTOS:
NTOS.exe hides itself. Sysinternals Autoruns (http://technet.microsoft.com/en-gb/sysinternals/bb963902) will show an entry in the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” section where NTOS.exe is tagged on the end of the usual “C:\WINDOWS\system32\userinit.exe,” but if you set Autoruns to remove the entry, it will immediately reappear. When you look at the location using Windows Explorer, it will not show the file.
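The Userinit check described above can also be scripted, shown here as an added example that is not part of the original post. It assumes the stock value is only userinit.exe under %SystemRoot%\system32; the function name Get-UserinitEntries is hypothetical.

```powershell
# Added example: audit the Winlogon Userinit value for extra entries.
# Assumption: the only legitimate entry is %SystemRoot%\system32\userinit.exe.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

function Get-UserinitEntries {
    param([string]$RawValue)
    # Userinit is a comma-separated list; the stock value ends with a
    # trailing comma, so empty items are dropped.
    $RawValue -split ',' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ -ne '' }
}

$raw = (Get-ItemProperty -Path $key -Name Userinit).Userinit
Write-Output "Userinit = $raw"

foreach ($entry in Get-UserinitEntries -RawValue $raw) {
    if ($entry -ieq $expected) {
        Write-Output "OK         $entry"
        continue
    }
    # Anything besides userinit.exe is launched at every logon.
    # An entry that is registered here but not visible on disk matches
    # the hidden-file behaviour described above.
    $visible = Test-Path -LiteralPath $entry -PathType Leaf
    Write-Output ("UNEXPECTED {0} (visible on disk: {1})" -f $entry, $visible)
}
```

Run it again after the cleanup and reboot: the only remaining line should be the OK entry for userinit.exe.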
Using killbox
Run Killbox and put in the path to the naughty file – usually “c:\windows\system32\ntos.exe” – then select the ‘replace on reboot’ radio button and check the ‘use dummy’ box. Now click the remove file button (red with white cross). After reboot you will be able to remove the startup entry and both see and delete the dummy NTOS.exe in %systemroot%\System32\.