Latest update flags uphcleanhlp.sys as suspect

The latest update flags uphcleanhlp.sys as suspect. Uphcleanhlp.sys is part of Microsoft’s User Profile Hive Cleanup Utility and is a legitimate application/Service.

Path: C:\Windows\System32\Drivers\uphcleanhlp.sys -kd5-

Same thing happened to me this morning. It’s a false positive. I’m glad Avast asked me what to do with it.

Report the FP here: http://www.avast.com/contact-form.php?loadStyles

I tried to but it won’t let me submit the false positive without selecting a file, and that file is not visible even with Show Hidden Files selected and Hide Protected OS Files unchecked. So, I’m submitting it here. -kd5-

You still can report this thread there. :wink:
Here’s the link: http://forum.avast.com/index.php?topic=78124.0

That’s weird. I can’t see it either. I’m sure I told Avast to Ignore it and send it to Avast for analysis, but the file appears to be gone.

I just selected Technical Issues and pasted a link to this thread. -kd5-

Good. :slight_smile:
Thanks for reporting,
asyn

This topic was also created within seconds of yours, same issue. I have responded in that.

http://forum.avast.com/index.php?topic=78125.0

However, the path is different as it relates to the anti-rootkit scan: \??\C:\Windows\System32\Drivers\uphcleanhlp.sys

Please upload this file:

C:\Windows\System32\Drivers\uphcleanhlp.sys

I delete this file, help me!

Also my understanding is that this is a Windows 2000 DDK driver that was/is found on computers running an AMD processor and Windows 2000.

Deletion isn't really a good first option (you have none left). 'First do no harm': don't delete, investigate.

Hopefully you have learnt a valuable lesson that hopefully shouldn’t be too hard to rectify.

You will have to download the UPHClean setup/installation/msi file again, then uninstall UPHClean and install it again, MS UPHClean download location.

Not correct, I don't have win2k, nor do I have an AMD processor. It is also for XP and isn't restricted to a CPU, see http://forum.avast.com/index.php?topic=78125.0.

No, it’s not.

That warning came up again this morning, after the morning update, so I'm assuming this FP has not been addressed yet. -kd5-

No file with this name exists. The error is from the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP\0000]
"Service"="uphcleanhlp"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="uphcleanhlp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP\0000\Control]
"ActiveService"="uphcleanhlp"

I have had the same error:
http://www.picfront.de/d/8cnR

It is hidden and even with show hidden files and folders you can’t find this file in the drivers folder.

The only service seen in services.msc for UPHClean is for UPHClean.exe (but that doesn't show drivers anyway) and I suspect that it may have a hand in the creation of the other hidden driver.

The arpot.log file isn’t reporting a registry entry, but a hidden file, which as you can see from the log extract below has a physical size.

14/05/2011 01:14:21 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 01:14:21 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
14/05/2011 12:36:05 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 12:36:05 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
15/05/2011 14:23:15 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
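As an added example (not part of the thread and not avast's own tooling): a small Python parser for arpot.log entries in the format quoted above. The sample log embedded in it is constructed from the three entries above; the field names it produces (service, file_size, ssdt_hooks, inline_hooks, hidden_service) are my own labels, not avast's. It pairs each "Suspic Driver" line with the bracketed detail line that follows it, then groups repeated hits by driver path so you can see at a glance whether the same driver keeps firing after every definitions update with the same file size and the same hooks.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample, modelled on the arpot.log extract quoted in the thread:
# one "Suspic Driver" line followed by one "[...]" detail line per detection.
SAMPLE_ARPOT_LOG = r"""
14/05/2011 01:14:21 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 01:14:21 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
14/05/2011 12:36:05 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 12:36:05 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
15/05/2011 14:23:15 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
"""

TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
DRIVER_RE = re.compile(TS + r" Suspic Driver: (.+)$")
DETAIL_RE = re.compile(TS + r" \[(.*)\]$")


def _parse_details(body: str) -> Dict:
    """Split 'Mods: 2; Service x; FileSize 8960; SSDT: ...; Inline: ...; Hidden service / x;'
    into named fields (field names are this example's own, not avast's)."""
    d = {"mods": 0, "service": None, "file_size": None,
         "ssdt_hooks": [], "inline_hooks": [], "hidden_service": None}
    for item in (s.strip() for s in body.split(";")):
        if not item:
            continue
        if item.startswith("Mods:"):
            d["mods"] = int(item.split(":", 1)[1])
        elif item.startswith("Service "):
            d["service"] = item.split(" ", 1)[1]
        elif item.startswith("FileSize "):
            d["file_size"] = int(item.split(" ", 1)[1])
        elif item.startswith("SSDT:"):
            d["ssdt_hooks"].append(item.split(":", 1)[1].strip())
        elif item.startswith("Inline:"):
            d["inline_hooks"].append(item.split(":", 1)[1].strip())
        elif item.startswith("Hidden service /"):
            d["hidden_service"] = item.split("/", 1)[1].strip()
    return d


def parse_arpot(text: str) -> List[Dict]:
    """Pair every 'Suspic Driver' line with the '[...]' detail line that follows it."""
    detections = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            pending = {"time": datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"),
                       "path": m.group(2)}
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            pending.update(_parse_details(m.group(2)))
            detections.append(pending)
            pending = None
    return detections


def mods_consistent(d: Dict) -> bool:
    """In the quoted log the 'Mods' count equals the number of SSDT plus inline entries."""
    return d["mods"] == len(d["ssdt_hooks"]) + len(d["inline_hooks"])


def summarize(detections: List[Dict]) -> Dict[str, Dict]:
    """One record per driver path: how often it fired, and whether size and hooks stayed the same."""
    out: Dict[str, Dict] = {}
    for d in detections:
        s = out.setdefault(d["path"], {
            "count": 0, "first": d["time"], "last": d["time"], "service": d["service"],
            "sizes": set(), "hooks": set(), "hidden": d["hidden_service"] is not None})
        s["count"] += 1
        s["first"] = min(s["first"], d["time"])
        s["last"] = max(s["last"], d["time"])
        s["sizes"].add(d["file_size"])
        s["hooks"].update(d["ssdt_hooks"] + d["inline_hooks"])
    return out


if __name__ == "__main__":
    for path, s in summarize(parse_arpot(SAMPLE_ARPOT_LOG)).items():
        print(path, s["count"], "hits", s["first"], "->", s["last"],
              "sizes", sorted(s["sizes"]), "hooks", sorted(s["hooks"]),
              "hidden service" if s["hidden"] else "")
```

summarize() is what you would run over a real arpot.log: a driver that re-fires with an unchanged file size and hook set after each definitions update looks like the same object being re-flagged, whereas a size that changes between scans is worth a closer look before you click anything. The file_size field is also the quickest way to confirm, as the post above does, that the alert refers to a real file on disk and not only to the registry entries.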

The default 1st Action option everywhere that I’ve looked in my free Avast antivirus software (the different Scan types and Shields) is Move to Chest. That seems best.

Then I notice that the default 2nd Action (when 1st Action fails) is to Delete the bad object. Isn’t that risky? Wouldn’t it be better to set the 2nd Action to Ask, so files can’t be lost via false positives?

Then the default 3rd Action is set for No Action. I’m thinking it might be OK to change this last one to Delete. (?)

The above makes no difference as this isn't a file system shield detection (so those actions don't apply), but the anti-rootkit scan, and it only has two options: Ignore and Delete.

The only mentions of rootkit I can find in the Help instructions makes no mention of user options, except that a rootkit scan during bootup can be turned on/off with the checkbox in Exceptions.

Is that the only available rootkit settings option in free Avast antivirus?

Is that the only time when a rootkit scan is done (when computer is rebooted)?

If the latter is true, this latest false positive (subject of this thread) could be avoided by temporarily disabling the boot-time rootkit scan - til this bug is fixed in a future avast update. Is my logic OK?

Thanks.

That is it on or off, no other user definable settings.

The Quick and Full system scans both do a rootkit scan, but of a lesser degree of sensitivity.

Why disable the scan? You would then lose that protection against a legit alert. It is no real hassle to just click OK to the default action (Ignore, in this case) and allow the avast CommunityIQ function to report these suspicions so they are analysed and hopefully corrected quickly.