(PeteCresswell) said:
Per (PeteCresswell):
One thing that jumped out at me: 4 separate instances of
something called "sf.bin".
Googling it leaves me with the impression that it's some sort of
discovery service that is used to find universal-plug-and-play
devices (whatever *they* are...) - but not much else.
Does it mention WHERE the sf.bin files are? The only sf.bin that I have
on my host is somewhere under Avast's installation folder and its
Version properties say it's their Emulation Engine. I believe it is
part of Avast's Behavior Shield for its "Monitor the system for
malware-like behavior" option. It monitors for changes in the system which
have a fingerprint typical of malware. sf.bin, their emulation engine,
is also used with their File Shield's "Code Emulation" option. The
emulator helps their unpacking engine so the scanner can detect
scrambled or obfuscated malicious executable files that wouldn't be
detected without code emulation.
So, if you have Avast installed, see if disabling Avast's Behavior
Shield (or just the "Monitor the system for malware-like behavior"
option) gets rid of the load time for Windows. If that doesn't work, go
in Avast's File Shield to disable the "Code Emulation" option under the
Sensitivity settings group. Lastly, you could uninstall Avast to see if
the boot time comes down. Code emulation will slow the opening of all
programs, including those in your startup list. Here is Avast's
description of their code emulation option in their help file:
Use code emulation - if this box is checked and avast! detects some
suspicious code in a file, it will attempt to run the code in a
virtual environment to determine how it behaves. If potential
malicious behavior is detected, it will be reported as a virus.
Running the code in this virtual environment means that if the code is
malicious it will not be able to cause damage to your computer.
So the suspicious file has its code emulated to interrogate what actions
it attempts. This is NOT the same as their [auto-]sandbox feature. It
means they look at what the executable does before allowing those
actions to get committed but blocking them and killing the process if
Avast thinks the executable is acting maliciously.
If you have multiple active security programs that overlap on their
functionality, like two concurrently active anti-virus programs, then
you better exclude each security program in the other security programs.
That is, if you have Avast active at the same time that MalwareBytes is
active (the payware version with its real-time monitor active) then go
into each one and add the other one to an exclusion list. You can have
multiple security products installed as long as they don't conflict with
each other, snag on each other, or just one is active and the others are
passive (you configure them to NOT load on startup and only use them
manually as a backup malware scanner).
Sometimes security software does scanning upon startup that incurs a
significant impact on the host. That's why I stopped using Microsoft
Security Essentials as it sometimes but not always slowed down starting
up and logging into Windows. If you have any startup programs that go
opening files (scanning, reading, opening) then your anti-virus program
is going to also be scanning all those file opens. If, for example,
NGEN, which is set up for Automatic startup (but unloads when it has
nothing to do), is recompiling files then those files are getting opened
and your anti-virus and other security software will be watching all
those file opens and writes.
If the sf.bin you are seeing during startup is not the one for Avast
then you'll need to tell us WHERE the sf.bin file(s) are on your host.
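
One way to answer the "where are the sf.bin files" question, as an added example that is not part of the original posts: a PowerShell script that finds every sf.bin on local fixed drives, prints its Version properties and Authenticode signer, and lists processes that have a module of that name loaded. It assumes an elevated prompt; security products commonly deny module enumeration of their own processes, so the second listing may be empty even when the file is in use.

```powershell
# Added example: locate sf.bin copies and identify which product they belong to.
$name = 'sf.bin'

# DriveType 3 = local fixed disks; skips network and removable drives.
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$files = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter $name -File -Recurse -Force `
        -ErrorAction SilentlyContinue
}

# Report the same fields the Properties > Details tab shows, plus the signer.
$files | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        Path        = $_.FullName
        Description = $_.VersionInfo.FileDescription
        Company     = $_.VersionInfo.CompanyName
        Version     = $_.VersionInfo.FileVersion
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
    }
} | Format-List

# Which running processes have a module with this name loaded, and from where?
Get-Process | ForEach-Object {
    $p = $_
    try {
        $p.Modules |
            Where-Object { $_.ModuleName -ieq $name } |
            ForEach-Object {
                [pscustomobject]@{
                    Process = $p.ProcessName
                    Id      = $p.Id
                    Module  = $_.FileName
                }
            }
    } catch {
        # Protected or already-exited processes refuse module enumeration; skip them.
    }
} | Format-Table -AutoSize
```

A copy whose path, company name or signer does not match an installed security product is the one to report back with its full path.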