It is hidden and even with show hidden files and folders you can’t find this file in the drivers folder.

The only service seen in services.msc for UHPclean is for UHPclean.exe (but that doesn’t show drivers anyway) and I suspect that it may have a hand in the creation of the other hidden driver.

The arpot.log file isn’t reporting a registry entry, but a hidden file, which as you can see from the log extract below has a physical size.

14/05/2011 01:14:21 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 14/05/2011 01:14:21 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ] 14/05/2011 12:36:05 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 14/05/2011 12:36:05 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ] 15/05/2011 14:23:15 Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 15/05/2011 14:23:15 [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]