Windows won't Shutdown/Reboot. Num Lock stays on after Hard power-off.

Mugsy

After a virus attack, Windows will no longer Shutdown/Reboot.

Windows (64bit Win7 Home) goes through the normal Shutdown routine. It exits, Windows says it is "Shutting down", but then never does. Lights, Fans and Num Lock LED all stay on. The monitor goes off upon losing a signal. USB optical mouse light goes out. I must use the buttons on my PC to complete the process. And when I hard power off that way, the Num Lock light on my keyboard remains on.

The computer shuts down normally from both Safe Mode and Linux, so this is NOT a hardware or BIOS issue.

The virus played havoc with my Services, but I used the "Event Viewer" error logs to go through and correct everything causing an error (except two items that long predate the virus attack.) Numerous virus & malware scans all say my system is now clean (but the damage clearly remains.)

I've tried disabling all Startup items using MSConfig, but it made no difference. I've run the System File Checker, but it says everything is fine (except for my inability to Shutdown/Reboot.)

I can't do a "Repair" using the Windows DVD because it is a pre-SP1 OEM and says my install is "too new" to repair using it. My last backup is from early December, far older than I'd care to return to. Except for this aggravating shutdown issue, everything is performing properly.

Any help is appreciated. TIA
 
Pat Flynn

I normally wouldn't recommend this, but it would work in your situation: Upgrade to Windows 10.
The reason I suggest this is that there are better tools to perform repairs to damaged OS components since Windows 8/8.1. There's a command called 'DISM.exe' which can fix individual Windows components as long as you have either a Windows disc (or ISO), or an internet connection (it can do repairs via Windows Update).

If that's not an option for you, unfortunately all you can do at this point is to try and reinstall all of your hardware drivers for motherboard/chipset/CPU/GPU/Soundcard/etc. If that doesn't work, you'll need to reload your OS.
 

therealduckofdeath

It does indeed sound like you'll have to look at a super clean install. It sounds like the malware successfully replaced system files and from there you're really never 100% certain if it's gone after a clean-up.
You can try checking the Event Viewer for services or applications that are failing to close. It is a fairly cumbersome job, you'll maybe have to check everything that starts and see if any of that isn't closing. Check the last "non-responders" during the shut down process first and work your way back in time.

https://support.microsoft.com/en-us/help/302542/how-to-diagnose-system-problems-with-event-viewer-in-microsoft-windows

But as Pat Flynn suggested, it's probably a lot faster and safer for you to back up your documents and data and do a super clean install of a new Windows. I would also suggest Windows 10. Windows 7 is for obvious reasons struggling a bit more with contemporary malware than newer Windows editions.
 

Mugsy


Thanks for the reply.

As noted in my initial post, that's what I did to recover as much as I did.

SFC "claims" all my system files are authentic & not corrupted. Not sure if that means anything though.

"Upgrading" to the Windows 10 virus is not an option. :p

 

therealduckofdeath

Yeah, Windows won't find anything wrong with SFC, that check only works for missing or corrupted files. I think you'll have to look for something that's started but not stopping. Maybe not even indicating an error, as it sounds like your PC freezes at shut down.
One more thing you could try is to use the Windows Performance Monitor (perfmon) to see if you might find something acting up, like using excessive CPU time or bandwidth. No matter what, you're likely stuck with having to check hundreds of apps and services. If you want to go overkill and maybe increase the chance of finding the last thing that freezes, you can set up perfmon from a network connected PC and monitor it remotely. Maybe run a few starts and shut down attempts to get more data. Then you'll have to check the time stamps on the perfmon logs for oddities with what's starting or stopping in the Windows event logs. Perfmon can log all sorts of performance or bandwidth related data, so if you're hell bent on troubleshooting your way around a complete re-install, you have plenty of data types to try out there... :)

Perfmon info:
Windows Performance Monitor blog at TechNet

Windows Performance Monitor full guide

Perfmon looks the same on Win 7 as on previous or later editions, so the second link should be accurate.

Good luck, I guess!
 

Mugsy


Thanks for the reply.

This actually sounds promising. I have another PC (Win10) and tablet (also Win10) on the same network that I could use to monitor this Win7 PC, though I'm pretty sure my ability to see what it is/isn't doing ends the moment Windows exits. :??:

I've suspected that Windows is waiting for something to terminate, most likely unable to sever its Network connection, keeping the computer "awake". I'll read up on the PerfMon to see if I can trace the Shutdown process.

One detail that nags at me is the fact "Safe Mode with Networking" has no problem, which suggests something is loading (or being set) during a normal boot that is preventing the computer from Shutting down, that does not load when booting into Safe Mode. But I've used MsConfig to disable every startup app & service and yet the problem persists, so is there a way to detect EVERYTHING that loads on Startup including things MsConfig might miss?

TIA
 

therealduckofdeath

There are two logging methods you can try. Windows can create a boot log, showing "everything" it starts during boot. That option is in msconfig. There's also an option in gpedit (the group policy editor) called verbose status messages. This will show more detail in what Windows is doing during a boot or shut down.
 

Mugsy


Hmm, "gpedit.msc" seems to be missing from my computer. I should have that, shouldn't I? (64bit Win7 Home)

Could you check something for me? I ran the Event Viewer, checked the Windows Security logs, and I see a number of privileges being set at startup. Do any of these seem suspicious to you?

Event Viewer screenshot

I ask because one thing keeps nagging me: "Safe Mode" doesn't have a problem Shutting Down/Rebooting, suggesting something is being set/enabled during a normal startup that isn't being set/enabled starting in "Safe Mode". I've disabled every startup app using MsConfig and the problem didn't go away, and I've cleaned out every possible infection/malware, so it is more likely to be something being *set* than some errant software.

TIA
 
Do you have a spare HDD you could install and restore from your December backup? If you do that and the problem goes away, you could then reconnect your current drive as a secondary (not boot) drive and copy your data files, music, pictures, etc. over to the spare drive. Programs installed since your December backup would have to be re-installed.

Due to the extensive troubleshooting you have already done, going with the December backup may be easier/quicker.
 

therealduckofdeath

Windows does set a lot of core privileges at boot, just to make sure it's got control over the files it thinks it's supposed to own. I wouldn't worry too much about that. Well, if you've had a trojan or rootkit aboard, then those things set might or might not be correct, but... I don't know the details on what should and shouldn't be set at boot. :)
Oh, it's the Home Edition. Then you'll need to manually install it. There are a few guides on how to do that on the internetz, like this one:
https://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/

Going back to your original post. Have you tried getting hold of a newer Windows 7 Home installer? To try a file repair. Microsoft still has a download tool for Windows 7 (I thought they'd removed that as its support cycle is near its end by now):
https://www.microsoft.com/en-us/download/details.aspx?id=56485
 

Mugsy


Thanks for the reply.

This gives me an idea for a possible means of figuring out what happened.

I could restore the old working backup to another C: drive and compare the old setup to my current one looking for differences.

The only problem is, I don't have a clue what to look for. A number of new programs were installed and settings changed since then. I'd have to limit my comparison to things like "Services".

Any suggestion of other exclusively "Windows" settings I could compare that are not related to general software installations? Is there a way to compare the MBRs?

TIA
 
I think it would be incredibly difficult to try to compare 2 installations of Windows, looking for differences. My suggestion was meant to get you back up and running with a clean setup with the least amount of effort.

I make an image of my OS drive every couple of months using Acronis True Image. If I get a virus, I just put in a spare HDD, restore from the backup, and copy over my document files, Chrome bookmarks, etc. to the restored image drive and put the "infected" drive in my closet as a spare drive.

I have used Malwarebytes and Windows Defender to remove viruses, but they kept coming back, so going to my backup image solved the problem.
 

therealduckofdeath

Yeah, Windows is too complex for something like that. If you'd restore the same image twice to the same PC, you're not even guaranteed to get the same performance with all these dynamic performance and power optimisations it's constantly doing. Running a benchmark app multiple times, getting fluctuating results on a binary system should be a good indication on that. So, personally I wouldn't bother with that as that'll most likely just be a waste of time.

I personally still think your simplest option is a clean wipe and reinstall. If not just for the performance fix that is guaranteed, but for the fact that you'll never know if you've gotten rid of potential rootkits. A key logger or screen grabber takes nearly zero resources on a PC, but it'll steal all your log ins and personal data in a second. Since you know you've at least had a trojan on board and your PC is still acting up, that is the most sensible thing to do.

If you persist, I think the best option is to look for indicators with the tools I suggested. It's going to be hard, I have tried it a few times myself over the years, and don't expect to get any wiser from it. Some errors are just not easily tracked and found if they're in the core. At this point you're most likely just looking for subtle oddities, not big errors or failures. I understand a re-install feels daunting on a PC you've had running for years, I did just that about a month ago and I also kept dragging my feet not wanting to do it. But, it only takes a few hours and the reward is that you've got a clean and safe running PC after that.
 

Mugsy

Here is what I ended up doing:

I had an outdated backup of my C: drive that worked but was too old to go back to w/o losing a lot of changes/updates, so I got the idea of using the "Windows Migration Tool" to port my latest apps/settings to the old/working backup.

It seems to have worked. A bit of cleaning up is still required to remove a lot of duplicate files/data and update a few settings, but for the most part, the process was successful. My latest programs and settings ported over to the old backup, so I have the latest files/data plus I can Shutdown/Reboot once again.

The process: First, I ran some cleanup tools (like Revo uninstaller & IOBit's Advanced System Care) to delete as many junk files as possible. I also deleted everything in the Recycle Bin that was still on my C: drive. I then backed up my entire problematic C: drive. After that, I ran the Windows Migration Tool (built into Windows) to back up just my C: drive's apps & data. To get the backup as small as possible, I told the Tool to ignore anything huge that I could simply recover from my latest full backup of my C: drive (using "File Recovery Mode" of "EaseUS Todo Backup"). This not only makes the Migration Backup smaller (so I needed less room to store it), but when you try to restore it later, you MUST have at least that much free space on the destination ("C:") drive before it will allow you to continue (even if you are replacing many files.) Creating more free space than the size of your Migration backup can be difficult (my C: drive is a tiny 120GB SSD with most apps installed to my D: drive), so getting that migration backup as small as possible really helps.

I then restored my outdated working (December) Backup and ran the Migration Tool to move everything back (note, I should have uninstalled/deleted any old/unneeded files/apps and outdated desktop shortcuts first before the Migration because instead of replacing many files, the Tool simply made copies, so afterwards, I had to go through and search my entire C: drive (including hidden files) for anything with "(1)" in the filename to delete over 1,300 duplicates.)

I hate resolving problems like this w/o ever figuring out what the cause was (to avoid it happening again), but at least it seems I've found a way to keep the good and leave the bad behind. Thanks to all for the feedback.
 

Mugsy

Mystery solved. A follow-up for anyone in the future who encounters this problem:

I finally figured out the reason my computer would not Shutdown/Reboot. It was the "Intel" drivers.

The hardest mysteries to solve are the ones where two problems strike at once. And as far as I can decipher, in my attempt to remove a virus, I somehow ended up updating some drivers that did not need updating (by way of "Windows Update". Ugh!)

Windows Update once (long ago) repeatedly prompted me to update my "Intel" drivers. I did so once (years ago?) and experienced problems forcing me to Restore Windows from the last Restore Point (which wasn't an option this time.)

I figured out the issue by restoring my Backup of the problem C drive and (out of suspicion), I uninstalled the following drivers from the Device Manager (all recently updated by Windows Update), telling the DM to "Delete" the driver whenever possible:


Intel(R) 8 Series/C220 Chipset Family SATA AHCI Controller
Intel(R) 8 Series/C220 Series PCI Express Root Port #1 - 8C10
Intel(R) Z87 LPC Controller - 8C44
Intel(R) 8 Series/C220 Series PCI Express Root Port #5 - 8C18
Intel(R) 8 Series/C220 Series PCI Express Root Port #6 - 8C1A
Intel(R) Xeon(R) processor E3 - 1200 v3/4th Gen Core processor DRAM Controller - 0C00
Intel(R) Xeon(R) processor E3 - 1200 v3/4th Gen Core processor PCI Express x16 Controller - 0C01
Intel(R) 8 Series/C220 Series USB EHCI #1 - 8C26
Intel(R) 8 Series/C220 Series USB EHCI #2 - 8C2D


It prompted me to Reboot after removing them, which I did and voilà, the computer successfully rebooted... ONCE. :( After Windows restarted, it redownloaded all the bad drivers off WU and the problem returned.

The Intel Win7 drivers on WU are no good, and I've set WU to "Hide" that update so it doesn't prompt me again.

So it looks like the culprit was "Windows Update", not the virus (though I never would have updated anything if it were not for the attack.)

Since there's no getting rid of the bad drivers once they are installed, I restored my system from a backup made this morning. :)

Whew! I'm glad to have solved that mystery. Thx all.
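
A way to check for the situation described in the post above, as an added example that is not part of the original thread: it lists Windows Update installs whose title mentions a vendor, followed by the drivers from that vendor currently bound to devices, so a recent driver push can be lined up against the date a shutdown problem began. The `$Days` and `$Provider` defaults are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Compatible with PowerShell 2.0 (Windows 7).
# $Days and $Provider are illustrative defaults chosen for this example.
param(
    [int]$Days = 30,
    [string]$Provider = 'Intel'
)

$cutoffUtc  = (Get-Date).ToUniversalTime().AddDays(-$Days)
$pattern    = [regex]::Escape($Provider)
$resultText = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded';
                 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# 1. Local Windows Update history (Windows Update Agent COM API, read offline).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$installs = @()
if ($total -gt 0) {
    $installs = @($searcher.QueryHistory(0, $total) | Where-Object {
        $_.Operation -eq 1 -and        # 1 = installation, 2 = uninstallation
        $_.Date -ge $cutoffUtc -and    # history entry dates are in UTC
        $_.Title -match $pattern
    })
}

"Updates mentioning '$Provider' installed in the last $Days days:"
$installs | Sort-Object Date |
    Select-Object Date, Title,
        @{ n = 'Result'; e = { $resultText[[int]$_.ResultCode] } } |
    Format-Table -AutoSize -Wrap

# 2. Drivers from that provider currently bound to devices.
$drivers = Get-WmiObject Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -match $pattern } |
    Select-Object DeviceName, DriverVersion, InfName,
        @{ n = 'DriverDate'; e = {
            if ($_.DriverDate) {   # some devices report no driver date
                [Management.ManagementDateTimeConverter]::ToDateTime($_.DriverDate)
            }
        } }

"Installed drivers from provider matching '$Provider':"
$drivers | Sort-Object DriverDate -Descending | Format-Table -AutoSize -Wrap
```

Running the same script against a restored known-good backup and against the problem install gives two driver lists whose `DriverVersion` columns can be compared directly.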
 