[mwmue]

I have a windows 7 laptop that won't shut down.  It gets to the shutdown screen and then hangs. It will shutdown properly from Safe Mode but won't after a clean boot. I did a sfc /verifyonly and it found nothing.  Malwarebytes and Kaspersky virus scanner have found nothing. I have made 2 attempts at a System Restore but when the system reboots I get a restore has failed message. Any other ideas would be appreciated.

[Advertisements]

Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.

 

Reboot.  (Even if you have to hold down the power button to shut it down)

 

 

1. Please download the Event Viewer Tool by Vino Rosso

http://images.malwar...om/vino/VEW.exe

and save it to your Desktop:

2. Right-click VEW.exe and Run AS Administrator

3. Under 'Select log to query', select:

 

* System

4. Under 'Select type to list', select:

* Error

* Warning

 

 

Then use the 'Number of events' as follows:

 

 

1. Click the radio button for 'Number of events'

Type 20 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

 

 

Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

 

 

 

 

Get Process Explorer

 

http://live.sysinter...com/procexp.exe

Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).  

 

View, Select Column, check Verified Signer, OK

Options, Verify Image Signatures

 

 

Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  

 

Wait a full minute then:

 

File, Save As, Save.  Open the file Procexp.txt on your desktop and copy and paste the text to a reply.

 

Run Process Explorer in Safe mode and create a log.  Reboot into a Clean boot and create another log.  Compare the two.  Do you see a process that is present in clean boot and not in Safe Mode?  Right click on it and Kill the process then see if it will reboot.

 

[RKinner]

Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.

 

Reboot.  (Even if you have to hold down the power button to shut it down)

 

 

1. Please download the Event Viewer Tool by Vino Rosso

http://images.malwar...om/vino/VEW.exe

and save it to your Desktop:

2. Right-click VEW.exe and Run AS Administrator

3. Under 'Select log to query', select:

 

* System

4. Under 'Select type to list', select:

* Error

* Warning

 

 

Then use the 'Number of events' as follows:

 

 

1. Click the radio button for 'Number of events'

Type 20 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

 

 

Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

 

 

 

 

Get Process Explorer

 

http://live.sysinter...com/procexp.exe

Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).  

 

View, Select Column, check Verified Signer, OK

Options, Verify Image Signatures

 

 

Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  

 

Wait a full minute then:

 

File, Save As, Save.  Open the file Procexp.txt on your desktop and copy and paste the text to a reply.

 

Run Process Explorer in Safe mode and create a log.  Reboot into a Clean boot and create another log.  Compare the two.  Do you see a process that is present in clean boot and not in Safe Mode?  Right click on it and Kill the process then see if it will reboot.

 

[mwmue]

I have created the 2 Event Viewer and first Process Explorer logs as requested. They are attached.

 

I will work on the Process Explorer comparison next. 

 

 

Attached Files

•  SystemLog1.txt   1.35KB   233 downloads
•  ApplicationLog1.txt   1.24KB   213 downloads
•  Procexp1.txt   6.25KB   216 downloads

[RKinner]

Log: 'System' Date/Time: 13/05/2016 11:37:03 PM

Type: Error Category: 0

Event: 7011 Source: Service Control Manager

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Winmgmt service.

 

 

This might be the culprit.  

 

 2) Open an elevated command prompt.  (Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, )

 

  3) Verify the WMI repository is not corrupt by running the following command:

      winmgmt  /verifyrepository

If the repository is not corrupted, a “WMI Repository is consistent” message will be returned. If you get something else, go to step 4.

4) Run the following commands:   

winmgmt  /salvagerepository

If the repository salvage fails to work, then run the following command to see if it resolves the issue: 

winmgmt  /resetrepository

After the last command, there should be a “WMI Repository has been reset” message returned.

[mwmue]

I got the "WMI Repository is Consistent" message.

[RKinner]

You might try right clicking on 

 

WmiPrvSE.exe

 

in Process Explorer and see if you can kill the process then shutdown just to make sure it's not causing the problem.

[mwmue]

Still won't shutdown.

[RKinner]

The only other error I see is from Kaspersky and winlogon

 

Log: 'Application' Date/Time: 13/05/2016 11:36:30 PM

Type: Warning Category: 0

Event: 1530 Source: Microsoft-Windows-User Profiles Service

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   2 user registry handles leaked from \Registry\User\S-1-5-21-2888657257-1247738880-630884131-1001:

Process 1980 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2888657257-1247738880-630884131-1001

Process 888 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2888657257-1247738880-630884131-1001

 

 

 

Does avp.exe run in safe mode and clean boot?

[mwmue]

I was thinking avp might be the problem.  It isn't in safe mode but is in the clean boot.  Tried to stop it in msconfig but it kept coming back on. Tried to kill it from Process Explorer and it wouldn't let me. Decided to uninstall it and the uninstall crashed. When I got the computer booted back up, the program still loaded but the uninstaller said wasn't there.  When I tried to stop the program, windows crashed. Started the computer back up. Decided to re-install the antivirus program hoping I could then try the uninstall again but the reinstall crashed too.

 

When I got the computer started again the antivirus program didn't load up. It is still listed as a program but the uninstaller will open up now.  Cancelled out of the uninstaller and decided to try a Shut Down. It actually worked.  The computer shut down just like it should.  

 

Not sure what to do next. Guess I really need to try the uninstaller again before loading a new antivirus program.  Will try it tomorrow.

 

Thanks for all the help. 

[RKinner]

Sometimes reinstalling a program will allow you to remove it but if you need help removing Kaspersky we can move this to the malware forum and use FRST to remove it.  

[mwmue]

I got the antivirus completely uninstalled and a new one installed. At this time computer boots and shuts down like it's supposed to. All is good. Thanks.