echo: osdebate
to: Geo
from: Gregg N
date: 2006-01-04 00:05:08
subject: Re: Kodak EasyShare software

Geo wrote:
> "Gregg N"  wrote in message
> news:43baad3b$1{at}w3.nls.net...
>
>
>> I don't understand what you mean above by "restore the virus without it".
>> How does a reboot cause a program to run with administrative permission when
>> it did not have that permission the first time it ran?
>>
>
> It's a pretty standard technique, you replace some system file that user
> permissions gives you access to replace, then you reboot and that file runs
> as system now giving you system level access.
>
> http://www.windowsecurity.com/whitepapers/The_Complete_Windows_Trojans_Paper.html
>
> see section 6.6, it touches upon this technique there (I only googled for a
> minute or two to find this, there are probably more complete explanations
> available)
>
> System Restore is used by lots of trojans: you remove the stupid thing and
> System Restore brings it back. That's why you have to disable System Restore
> to manually remove so many trojans.
>
> Geo.
>
>
>

I looked at the link you provided and I didn't see anything there about a
file running with elevated privilege after a reboot. System Restore would
restore the file where it was before, running as it did before, not in a
new place with new privilege.

Gregg

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 106/2000 633/267
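
The technique Geo describes in the quoted text, replacing a file that ordinary user permissions let you write and waiting for a boot-time SYSTEM process to execute it, only works where such a file exists. The script below is an added example written for this page, not code from either poster or from the linked paper; it is the check a defender would run rather than the attack. It enumerates auto-start services and flags any whose executable, or the directory holding it, grants write-class rights to low-privilege principals. The list of "weak" principals, the rights mask, and the first-token parsing of unquoted service command lines are simplifying assumptions made here; Get-CimInstance requires PowerShell 3 or later.

```powershell
# Added example: find auto-start services whose binary (or its parent directory)
# can be modified by non-admin principals. Such a binary is what the "replace a
# file, reboot, run as SYSTEM" technique needs. Not from the original thread.

# Assumed set of low-privilege principals; extend for your environment.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal overwrite, replace or delete the target.
# DeleteSubdirectoriesAndFiles matters on the parent directory: it allows
# removing the exe even when the exe's own ACL is tight.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles'

function Get-ServiceExePath([string]$pathName) {
    # Service command lines are either "quoted path" args or unquoted path args.
    # For unquoted paths the first whitespace-delimited token is assumed to be
    # the executable (a simplification; unquoted paths with spaces are a
    # separate, well-known problem).
    if ($pathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($pathName -split '\s+')[0]
}

function Get-WeakWriteAce([string]$path) {
    # Returns the first Allow ACE granting a weak principal write-class rights
    # on $path, or $null if there is none (or the path does not exist).
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]$ace.FileSystemRights -band [int]$writeMask) { return $ace }
    }
    return $null
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        $exe = Get-ServiceExePath $svc.PathName
        $dir = Split-Path -Parent $exe
        foreach ($target in @($exe, $dir)) {
            $ace = Get-WeakWriteAce $target
            if ($ace) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName   # LocalSystem is the interesting case
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    } | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem and whose Target is writable by Users or Everyone is a privilege-escalation path of exactly the kind Geo is describing, and the fix is to tighten the ACL, not to rely on a reboot behaving differently. Note that on XP-era systems Windows File Protection silently restores modified protected OS files from its cache, so in practice the technique targets third-party service binaries and other startup entries rather than core system files; that is also why the check above looks at all auto-start services rather than only those under %SystemRoot%.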

SOURCE: echomail via fidonet.ozzmosis.com
