Important windows files are infected

[Twinbird24]

The following files are infected on a Windows XP system:

winlogon.exe (C:\WINDOWS\system32) AV says: Win32atched-RP [Trj]
explorer.exe (C:\WINDOWS) AV says: Win32atched-RP [Trj]
atapi.sys (C:\WINDOWS\system32\drivers) AV says: Win32:Alureon-FZ

The AV installed on the system is NOD32 4, which detects the infected files but cannot remove them (they are system files) and removing the files by hooking the HDD as a slave won't help because then the OS won't start up. I tried replacing the infected files with files from another computer also running XP, but when I try to start up the system with the infected files replaced with the new ones from another XP system, it just gets to the black screen which gives me options like Start Windows, Safe Mode, etc. if I click any of those options then the computer just restarts and shows me the black page with the options again. The computer starts up with the infected files, though.

How do I fix this problem? Thanks!

 

[Hsv_Man]

Place your windows xp cd into the cd drive load from cd and do a repair install of your windows installation hopefully this will remove and replace the infected/corrupted files.

 

[Twinbird24]

Thanks for the reply. I found a rootkit on the system, which I removed - its probably the reason why those 2 system files are infected. I will do the repair install.

 

[Twinbird24]

Could I use an XP Home disk to do the repair (the system is XP Pro)?

nvm i have the pro cd.

 

[johnb35]

Please download and run combofix first and post the log. I'm at work right now and can't post links so you will have to find the link from one of my other posts. Combofix should be able to replace a couple of those infected files and then we can do the balance manually.

 

[Twinbird24]

I already started the repair before your post. I'm at the part where it is asking me for the product key - the product key posted on the case is not valid (its an XP Home key, but the system is running XP Pro and I am using XP Pro CD to repair but I have no product key for XP pro). Should I just shut down the PC and boot up normally and run combo fix. Would shutting down the PC now cause any windows files to become corrupt? Or can I just shut down the PC and start it normally like before? Thanks.

 

[johnb35]

Sometimes doing the repair install will get you stuck in a loop, as you will only be able to get back into windows setup. You can try it and see if you can boot back into windows.

 

[Twinbird24]

I can't boot into Windows, it just brings me back to the install. What should I do? I have another XP CD but its for XP Home edition - the product key will work for it, but the system is running XP Pro. Thanks.

 

[johnb35]

Does this machine have a recovery partition or recovery cd's? If you don't have the correct version of windows that is installed then you will have to do a fresh install.

 

[Twinbird24]

There is no recovery partition or CD. Is fresh install the only option? Is there some way to get the product key off the HDD? I've tried using ProduKey.exe by NirSoft and KeyFinder.exe by Magical Jelly Bean but they could not find the product key on the slaved drive (they only found it for the machine running the programs.)

NVM, I have the original XP cd with the product key, I can continue repair install