Next: NMAP seems to have Up: Frequently Asked Questions Previous: Frequently Asked Questions Contents

I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan?

This question assumes you used a scan command along the lines of:
    nmap -sS -P0 -p 1-140 -O -D xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx -sV xxx.xx.xxx.xxx

Note: each xxx corresponds to an octet of an IP address. This instructs Nmap to run a Stealth scan (-sS) without pinging (-P0) on ports 1 to 140 (-p 1-140), to use OS detection (-O) and to use decoys (-D). The three comma-separated IPs are the decoy IPs to use. It also specifies version scanning (-sV), which attempts to determine precisely which program is running on each open port.

Now, here's the analysis of this command. A stealth scan (-sS) is picked up by most firewalls and IDS systems nowadays. It was originally designed to prevent the scan being logged by whatever server is running on the port the scanner connects to. In other words, if the scan makes a full connection to port 80 to test whether it's open, Apache (or whatever other web server they may be using) will log the connection in its logfiles.

The -sS scan option doesn't make a full TCP connect (which is what the -sT option does, and what Nmap falls back to when not running as root) but resets the connection before it can be fully established. As such, most servers will not log the connection, but an IDS or firewall will recognise this behaviour (when repeated across many ports) as typical of a port scan. This means the scan shows up in firewall or IDS logs and alerts. There are few ways around this, to be honest. Most firewall/IDS software nowadays is quite good at detecting these things, particularly if it's running on the same host as the victim (the system you are scanning).

Note also that decoys will not hide your IP entirely; the decoy addresses are simply logged alongside it. A particularly well designed IDS may even be able to figure out which address is the real source of the scan.

Where speed of scan isn't essential, the -P0 option is a good idea. Nmap gains timing information from pinging the host, and can often complete its scans faster with this information, but the ping packets will be sent to the victim from your IP, and any IDS worth its CPU cycles will pick up on the pattern of a few pings followed by connects to a variety of ports. -P0 also allows scanning of hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by in-kernel settings).

I mentioned timing in the above paragraph. You can use the -T timing option to slow the scan down. The slower a scan is, the less likely it is to be detected by an IDS. There are bound to be occasional random connects occurring: people type an IP in wrong, or try to connect and their computer crashes half way through the connect. These things happen, and unless an IDS is configured extremely strictly they generally aren't reported (at least, not in the main alert logs; they may be logged if logging of all traffic is enabled, but typically that kind of log is only checked if there's evidence of something going on). Setting the timing to -T 0 or -T 1 (Paranoid or Sneaky) should help avoid detection. As mentioned in my main tutorial, you can also set timing options for each aspect of a scan.

Timings for individual aspects of a scan can also be set using the --host_timeout, --max_rtt_timeout, --min_rtt_timeout, --initial_rtt_timeout, --max_parallelism, --min_parallelism and --scan_delay options. See the Nmap manual for details.
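As an added illustration (not code from this tutorial or from Nmap), here is a small Python port-scan detector of the kind an IDS or log monitor applies to firewall SYN logs. It shows why the decoy scan above is logged for every source address, and why a Paranoid-timed scan slips past a short correlation window but not a long one. The log format, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified iptables-style SYN log line: "<epoch> SRC=<ip> DPT=<port> SYN"
LINE = re.compile(r"^(\d+) SRC=(\S+) DPT=(\d+) SYN$")

def fast_scan(src, start, ports):
    """Probes all within one second, as a default-timing -sS scan appears in the log."""
    return [f"{start} SRC={src} DPT={p} SYN" for p in ports]

def slow_scan(src, start, ports, delay):
    """One probe every `delay` seconds, as a -T 0 (Paranoid) scan appears in the log."""
    return [f"{start + i * delay} SRC={src} DPT={p} SYN" for i, p in enumerate(ports)]

def detect_scanners(lines, window, min_ports):
    """Return the sources that hit at least `min_ports` distinct ports within
    any span of `window` seconds (a simple sliding-window port-scan rule)."""
    probes = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            probes[m[2]].append((int(m[1]), int(m[3])))
    flagged = set()
    for src, events in probes.items():
        events.sort()
        for t0, _ in events:
            ports = {p for t, p in events if t0 <= t <= t0 + window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged

PORTS = range(1, 141)  # the -p 1-140 range used in the question
T0 = 1152921600        # constructed start timestamp

# Decoy scan (-D): the real source and three decoys show exactly the same
# pattern, so all four are flagged; this log alone does not tell them apart.
REAL = "198.51.100.7"
DECOYS = ("203.0.113.10", "203.0.113.11", "203.0.113.12")
decoy_lines = [l for src in (REAL, *DECOYS) for l in fast_scan(src, T0, PORTS)]

# Paranoid timing (-T 0, roughly one probe per five minutes): invisible to a
# one-minute window, still caught when the detector correlates over an hour.
slow_lines = slow_scan(REAL, T0, PORTS, delay=300)

if __name__ == "__main__":
    print("decoy scan, 60 s window:", sorted(detect_scanners(decoy_lines, 60, 20)))
    print("slow scan, 60 s window:", sorted(detect_scanners(slow_lines, 60, 20)))
    print("slow scan, 3600 s window:", sorted(detect_scanners(slow_lines, 3600, 12)))
```

The defensive lesson is the one the text implies: a detector keyed only to bursts misses a slow scan, so the correlation window (and the port count kept per source) has to be sized for the timing an attacker can afford.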

The final note I will add to this answer is that use of the Idle scan method (-sI) means that not a single packet is sent to the victim from your IP (provided you also use the -P0 option to turn off pings). This is the ultimate in stealth as there is absolutely no way the victim can determine that your IP is responsible for the scan (short of obtaining log information from the host you used as part of your idle scan).

2006-07-15