05 May 2010

Yet another backdoor: lsasvc.exe and csrss.exe

Due to my stubbornness in ignoring antivirus for the sake of "performance", once again another backdoor, under the filenames lsasvc.exe (in C:\Windows\system32) and csrss.exe (in C:\Windows), infiltrated my aging XP. Not sure which browser let them break free :) but they always appeared together on every reboot (which is rare), and like most backdoors they break some winsock policies and eat my internet bandwidth for their own activities.

What can I do? Simple! Since they always use the same filename and path, I created a folder named "lsasvc.exe" under Windows\system32 and one named "csrss.exe" under the Windows directory. Done, it's just impossible to create that filename there anymore.

Of course it's not fully done, but I really don't care whether they're still hiding somewhere as long as they're never activated :)

Edit: of course I did that after killing the processes (which is very self-explanatory using plain Task Manager or Process Explorer), then deleted the virus and optionally ran "sc delete LSAService" and deleted csrss' registry Run entry.
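The cleanup steps described above, scripted as an added PowerShell example (not from the original post): it matches processes by full image path rather than by name, because the legitimate csrss.exe lives in system32 and must not be touched; only the two drop paths and the LSAService name come from the post, while the Run-key locations checked for the csrss.exe entry are an assumption. Run from an elevated prompt.

```powershell
# Added example, not the original post's code. Assumes the backdoor always uses
# exactly the two paths named in the post; Run-key locations are assumed.
$win = $env:SystemRoot                      # normally C:\Windows
$dropPaths = @(
    (Join-Path $win 'system32\lsasvc.exe'),
    (Join-Path $win 'csrss.exe')            # NOT the legitimate system32\csrss.exe
)

foreach ($p in $dropPaths) {
    # 1. Terminate only processes whose full image path matches; killing by
    #    name alone would also hit the real csrss.exe and crash the system.
    Get-WmiObject Win32_Process |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $p) } |
        ForEach-Object {
            Write-Host "Terminating PID $($_.ProcessId) ($p)"
            $null = $_.Terminate()
        }

    # 2. Remove the dropped binary if it is still on disk.
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        Remove-Item -LiteralPath $p -Force
    }

    # 3. Occupy the path with a directory so that filename cannot be recreated there.
    if (-not (Test-Path -LiteralPath $p)) {
        New-Item -ItemType Directory -Path $p | Out-Null
        Write-Host "Placeholder directory created: $p"
    }
}

# 4. Remove the service the post names (same effect as "sc delete LSAService").
if (Get-Service -Name 'LSAService' -ErrorAction SilentlyContinue) {
    & sc.exe delete LSAService
}

# 5. Remove Run-key values whose command line points at either drop path
#    (HKCU and HKLM Run keys are an assumption; the post does not say which).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $vals = Get-ItemProperty -Path $k
    $names = $vals.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($name in ($names | Select-Object -ExpandProperty Name)) {
        $data = [string]$vals.$name
        if ($dropPaths | Where-Object { $data -ilike "*$_*" }) {
            Write-Host "Removing Run entry '$name' from ${k}: $data"
            Remove-ItemProperty -Path $k -Name $name
        }
    }
}
```

Get-WmiObject is used instead of Get-CimInstance so the script also runs on the PowerShell 2.0 that XP-era machines have.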

