Norton Antivirus deleted svchost.exe

  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 5th, 2008, 10:51 am

I downloaded Norton Antivirus Internet Security 2008 and ran a quick scan, which said I had a virus under the svchost.exe (not scvhost), and when I restarted after the file was deleted, Windows wouldn't function properly. The taskbar was Windows 98 style and most executable programs won't run. I was finally able to recover the deleted svchost.exe file from Norton quarantine, but my question is: do I have to now create a new registry string to bring it back, or what do I do from now? I'll post my hijack log later on today when I get home.
  • Don2007
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY

Post July 5th, 2008, 12:17 pm

I don't think you have to touch the registry. svchost should be running from the system32 folder only but that might be too complicated for Norton to understand.
How do you know when a politician is lying? His mouth is moving.
  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 5th, 2008, 4:34 pm

Yeah, it's like the svchost is just sitting there and the system isn't doing anything with the file. I even put the file in the startup folder and tried creating a registry key and both were unsuccessful. It just sounds like I'm missing something very small to get this program to execute on the startup processes and I really can't afford to re-install Windows XP.

Here's my hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 4:32:45 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\USER\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
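
Added example (not part of any post in this thread, and not HijackThis code): a small Python check over a HijackThis-style log that applies the points raised here, namely that svchost.exe should run only from system32, that look-alike names such as "scvhost" deserve attention, and that O23 entries marked "(file missing)" should be reviewed. The sample log is constructed, and the function names and the default install path are assumptions.

```python
import ntpath

# Constructed sample in the HijackThis v1.99.1 layout (not the poster's log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Temp\svchost.exe
C:\WINDOWS\system32\scvhost.exe

O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files\Example\svc.exe (file missing)
"""

EXPECTED_DIR = r"c:\windows\system32"  # assumption: default XP install path


def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    text = log_text.replace("\r\n", "\n")
    _, found, rest = text.partition("Running processes:\n")
    return rest.split("\n\n")[0].splitlines() if found else []


def is_lookalike(name):
    """Heuristic: same letters reordered, or one substituted character."""
    stem = ntpath.splitext(name.lower())[0]
    if stem == "svchost":
        return False
    one_sub = len(stem) == 7 and sum(a != b for a, b in zip(stem, "svchost")) == 1
    return sorted(stem) == sorted("svchost") or one_sub


def audit(log_text):
    """Return (finding, detail) tuples for svchost-related anomalies."""
    findings, genuine_seen = [], False
    for path in running_processes(log_text):
        folder, name = ntpath.split(path.lower())
        if name == "svchost.exe" and folder == EXPECTED_DIR:
            genuine_seen = True
        elif name == "svchost.exe":
            findings.append(("svchost-outside-system32", path))
        elif is_lookalike(name):
            findings.append(("lookalike-name", path))
    if not genuine_seen:
        findings.append(("svchost-not-running", ""))
    for line in log_text.splitlines():
        if line.startswith("O23 - Service:") and line.rstrip().endswith("(file missing)"):
            findings.append(("service-file-missing", line.split(" - ")[1]))
    return findings
```

A log in which no svchost.exe appears under system32 at all yields "svchost-not-running", the same absence the poster points out in the log above.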
  • Don2007
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY

Post July 5th, 2008, 5:51 pm

I don't see anything wrong there at all. I just wouldn't have any Symantec products on my computers but there are a few people who like them.
How do you know when a politician is lying? His mouth is moving.
  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 5th, 2008, 6:00 pm

So how do I get the svchost.exe to start loading its processes on the Windows startup and self-boot? Because if you see on the log it's not on there, and my other computer is basically dead right now.
  • Don2007
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY

Post July 5th, 2008, 7:07 pm

Is it in the system32 directory? Is Norton still blocking it? It's almost impossible to stop Norton from running even if you disable it in msconfig but try it.
How do you know when a politician is lying? His mouth is moving.
  • casablanca
  • Proficient
  • Joined: May 29, 2007
  • Posts: 481

Post July 5th, 2008, 10:28 pm

Jayvon2304 wrote:
Yeah, it's like the svchost is just sitting there and the system isn't doing anything with the file. I even put the file in the startup folder and tried creating a registry key and both were unsuccessful.

Don't put it in your startup folder. It should be in c:\windows\system32
No Strings Attached: A JavaScript graphics demo.
  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 6th, 2008, 8:23 am

casablanca wrote:
Don't put it in your startup folder. It should be in c:\windows\system32


I took it out of the startup folder and the svchost is just sitting in the system32 folder. I really don't know what Norton did to my system and why it deleted that file in the first place. I also was able to delete Norton Antivirus to see if it was blocking the program and it wasn't. I guess I will have to find the repair CDs for XP if no one has any solutions.
  • Don2007
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY

Post July 6th, 2008, 10:12 am

Are you sure Norton is totally gone? Did you download the uninstall tool?
How do you know when a politician is lying? His mouth is moving.
  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 6th, 2008, 10:20 am

Yeah, Norton is completely gone. I downloaded the removal tool and everything from their website and I also searched for every instance of it on the computer. I might have to just buy the re-install CD if worst comes to worst.
  • Don2007
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY

Post July 6th, 2008, 3:19 pm

What about a restore point instead?
How do you know when a politician is lying? His mouth is moving.
  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 6th, 2008, 6:51 pm

Don2007 wrote:
What about a restore point instead?


That was one of the very first things I tried and the system keeps telling me that "system restore can't protect your computer please restart your computer and try again later." Then I restart the computer and it still says the same thing, so no luck there either. I think that maybe when Norton deleted the svchost.exe it might have also erased a .dll file that was critical to it executing its process.
  • Don2007
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY

Post July 7th, 2008, 5:38 am

Just out of curiosity, what happens if you start svchost.exe from the command line?

Just type it like that or try to start another missing service with it.
svchost.exe -k rpcss
That's the most important.
How do you know when a politician is lying? His mouth is moving.
  • casablanca
  • Proficient
  • Joined: May 29, 2007
  • Posts: 481

Post July 7th, 2008, 7:04 am

Jayvon2304 wrote:
I really don't know what Norton did to my system and why it deleted that file in the first place.

Norton obviously knows not to delete standard Windows files, so maybe that svchost.exe was indeed a virus?
No Strings Attached: A JavaScript graphics demo.
  • Jayvon2304
  • Newbie
  • Joined: Jul 05, 2008
  • Posts: 9

Post July 7th, 2008, 8:14 am

casablanca wrote:
Norton obviously knows not to delete standard Windows files, so maybe that svchost.exe was indeed a virus?


I don't think so, because I scanned the file with three or four virus detectors thinking that maybe it was a virus but all came back negative. I also tried running svchost.exe from the command line but it won't let me do anything; it says that the "rpc service is missing". If it were a virus I don't think that it would completely cripple my system to the status that it currently is in. I'll try getting a new svchost.exe from another XP Pro computer and try that.