Csrss exe virus

T2forever

Distinguished
Apr 16, 2011
3
0
18,510
Hello, Anonymous,
I followed your advice wrt MSCONFIG and REGEDIT, and removed the CSRSS virus successfully. Two points. I needed to perform both actions BEFORE doing the reboot, else it came back again. Secondly, I have found a Windows directory called PREFETCH that seems to have been modified at the same time as the infection started, and all the .pf files in it have been modified. Should I delete these files?
 

T2forever


Thanks, but the whole prefetch contents seem to have been modified on the day the virus was downloaded. The files all seem to be valid System files for XP, and there are no executables in it, nor any unrecognisable names that might be associated with the CSRSS invasion. I suspect Prefetch is a way that Windows uses to speed up the boot process, so may well create the directory from scratch on occasions, remembering that there was a Microsoft patch / update at this time as well.
I do not appear to be showing any more after effects from the csrss event, but a virus scan did find another couple of trojans present which were quarantined and submitted to ESET for their edification. Think I am clear now, but worried in case prefetch contains something sinister. Will google it to try and find out what it does.


 


You are correct, somewhat.

Windows established prefetch to speed up program loading, not much for speeding up the boot process.
Delete everything in the prefetch folder and Windows will indeed rebuild it from programs you actually run.


 

T2forever

Thanks,
I have found a description for this directory on Wikipedia, and I am satisfied that what I saw was just a coincidence, and not due to virus. Thanks for your reassurance as well.
Think I am clear now.