False positive, or what is this SYS?

MYSTERY …

I turn on my computer and I get the red screen where Avast tells me that there is a suspicious file for the Eucharist.

The file 'C:\windows\system32\drivers\uphcleaner.sys'

??? or a similarly named file.

I have enabled viewing of hidden files, but that SYS file does NOT exist in that folder (I scanned online with VirusTotal).

Why? I clicked on IGNORE; what should I do, was that good, or should I have said DELETE?

Thanks.

Yes, in the last two restarts on my XP Pro system this has started to get pinged by the anti-rootkit scan 8 minutes after boot. But it is the uphcleanerhlp.sys file that is being pinged for me. So this appears to be something in a recent VPS update.

This is, I believe, part of the User Hive Profile Cleaner, which I installed to close any open user hives which would otherwise slow the XP closure. The strange thing is I can’t see anything in the anti-rootkit log on this suspect alert. See http://www.windowsitpro.com/article/registry2/what-s-user-profile-hive-cleanup-service-uphclean- for info on UHPclean.

Normally all you would be aware of is the uphclean.exe file in the task manager (as System user).

I have chosen to Ignore it (the recommended option in the alert), but don’t check the “Do not tell me about these files in the future” option (see image example; is that the same/similar as/to yours?), as I don’t know if there is a way of reversing that decision. So you wouldn’t know what is going on, e.g. if this is eventually corrected and reversed.

I got the same message as you, David. It’s logged in C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\arpot.log

Ahh, I was looking at the aswAR.log file.

Me too, I got the same as David. Can someone confirm if this is a false positive or not???

It’s been confirmed and reported as a false positive, Speedy. The Avast heuristics report some false positives from time to time.

I would say that if you are using XP (check) and if you installed UHPclean (?), then it loads a hidden driver/s to do its work. Then I would say it is an FP, as prior to yesterday this wasn’t pinged at all and I have had it on this system for over two years. So something in a recent VPS update.

What do I do? Today another alert in red!

http://i53.tinypic.com/2hnsy79.jpg

Help! For 2 days now, at startup AVAST keeps showing me the RED screen saying it has found 2 suspicious files, one always uphcleaner.sys, which however is NOT there! And the other one: yesterday it told me about a file of the Everest program, today instead it gave me a file mbmswissarmy.sys …
I always tell it IGNORE. But what is happening to Avast??? False positives?

I tried doing a scan with Malwarebytes Anti-Malware, but nothing, and also a scan with AVAST at PC startup, but it told me there is nothing infected!

And yet today this red screen again; what do I do?

http://i53.tinypic.com/2hnsy79.jpg

Do as is suggested: Ignore for the uhpcleanhlp.sys, as this is part of the Microsoft User Hive Profile cleaner (that you presumably installed?).

Did you install Everest HomePC?
See http://www.softpedia.com/get/System/System-Info/Everest-Home-Edition.shtml

Presumably this installs this kerneld.wnt hidden driver?
See http://www.geekstogo.com/forum/topic/227999-windows-bluescreen-when-starting-everest-ironically/page__view__findpost__p__1452455

OK, I set it to IGNORE, but at every restart of the PC this red alert comes on!!!
How do I delete this alert?

Yes, once a day, 8 minutes after boot. Is that such a hassle? For me it isn’t, until it is resolved, but that’s just me.

The problem is that deleting the alert won’t give you any information on a) when this is resolved, and b) it might not display information on a real alert.

It is possible to check the Advanced option and open it up and select ‘Do not tell me about these files in the future.’ I can’t suggest highly enough that you ‘do not’ do this.

The wording isn’t 100% clear if it only relates to the file/s in the alert (which should be correct) or all such alerts (which I doubt). Having made this decision I don’t know if it is possible to reverse it.

Now at the last reboot (just now) the suspect file C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

was NOT PRESENT in the red alert … but now this new suspect file:

ew_hwusbdev.sys

http://i51.tinypic.com/30djjfq.jpg

Avast is crazy in these 3 days???

Well, I got confirmation that they were working on a fix for the uhpcleanhlp.sys, but there were other files in other topics being picked up (I mentioned those too). So it looks like that is resolved; hopefully the others will follow.