As far as I know, this file deletion is typically
done using a windows feature.
One simply marks a file for deletion at reboot by either calling MoveFileEx, with MOVEFILE_DELAY_UNTIL_REBOOT as the third param.
This places keys in the registry which are processed the next time the machine boots.
See here for more info:
However, this still doesn't solve the problem of locating and identifying files in an already compromised system. Since, as you mention - some virii are able to hide themselves from both Directory listings and ProcessList listings.