As far as I know, this file deletion is
typically done using a windows feature.
One simply marks a file for deletion at reboot by either calling MoveFileEx, with MOVEFILE_DELAY_UNTIL_REBOOT as the third param.
This places keys in the registry which are processed the next time the machine boots.
See here for more info:
http://stackoverflow.com/questions/7777874/how-to-cancel-deferred-movefileex-operation[
^]
However, this still doesn't solve the problem of locating and identifying files in an already compromised system. Since, as you mention - some virii are able to hide themselves from both Directory listings and ProcessList listings.