Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: kd5 on May 14, 2011, 01:56:50 PM

Title: Latest update flags uphcleanhlp.sys as suspect
Post by: kd5 on May 14, 2011, 01:56:50 PM
The latest update flags uphcleanhlp.sys as suspect.  Uphcleanhlp.sys is part of Microsoft's User Profile Hive Cleanup Utility and is a legitimate application/service.

Path:  C:\Windows\System32\Drivers\uphcleanhlp.sys       -kd5-  
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: Alan Baxter on May 14, 2011, 03:36:31 PM
Same thing happened to me this morning.  It's a false positive.  I'm glad Avast asked me what to do with it.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: Asyn on May 14, 2011, 03:52:26 PM
Report the FP here: http://www.avast.com/contact-form.php?loadStyles
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: kd5 on May 14, 2011, 04:25:07 PM
I tried to but it won't let me submit the false positive without selecting a file, and that file is not visible even with Show Hidden Files selected and Hide Protected OS Files unchecked.  So, I'm submitting it here.       -kd5-
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: Asyn on May 14, 2011, 04:29:21 PM
Quote from: kd5 on May 14, 2011, 04:25:07 PM
I tried to but it won't let me submit the false positive without selecting a file, and that file is not visible even with Show Hidden Files selected and Hide Protected OS Files unchecked.  So, I'm submitting it here.       -kd5-

You still can report this thread there. ;)
Here's the link: http://forum.avast.com/index.php?topic=78124.0
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: Alan Baxter on May 14, 2011, 04:35:02 PM
Quote from: kd5 on May 14, 2011, 04:25:07 PM
I tried to but it won't let me submit the false positive without selecting a file, and that file is not visible even with Show Hidden Files selected and Hide Protected OS Files unchecked.

That's weird.  I can't see it either.  I'm sure I told Avast to Ignore it and send it to Avast for analysis, but the file appears to be gone.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: kd5 on May 14, 2011, 04:52:04 PM
I just selected Technical Issues and pasted a link to this thread.       -kd5-
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: Asyn on May 14, 2011, 04:55:24 PM
Quote from: kd5 on May 14, 2011, 04:52:04 PM
I just selected Technical Issues and pasted a link to this thread.       -kd5-

Good. :)
Thanks for reporting,
asyn
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 14, 2011, 05:18:02 PM
Quote from: kd5 on May 14, 2011, 01:56:50 PM
The latest update flags uphcleanhlp.sys as suspect.  Uphcleanhlp.sys is part of Microsoft's User Profile Hive Cleanup Utility and is a legitimate application/service.

Path:  C:\Windows\System32\Drivers\uphcleanhlp.sys       -kd5-

This topic was also created within seconds of yours, same issue. I have responded in that.

http://forum.avast.com/index.php?topic=78125.0

However, the path is different as it relates to the anti-rootkit scan \??\C:\Windows\System32\Drivers\uphcleanhlp.sys
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: streamck on May 14, 2011, 10:40:14 PM
Please upload this file:
Code:
C:\Windows\System32\Drivers\uphcleanhlp.sys
I deleted this file, help me!
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: Nesivos on May 14, 2011, 10:53:45 PM
Quote from: kd5 on May 14, 2011, 01:56:50 PM
The latest update flags uphcleanhlp.sys as suspect.  Uphcleanhlp.sys is part of Microsoft's User Profile Hive Cleanup Utility and is a legitimate application/service.

Path:  C:\Windows\System32\Drivers\uphcleanhlp.sys       -kd5-

Also my understanding is that this is a Windows 2000 DDK driver that was/is found on computers running an AMD processor and Windows 2000.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 14, 2011, 10:55:04 PM
Quote from: streamck on May 14, 2011, 10:40:14 PM
Please upload this file:
Code:
C:\Windows\System32\Drivers\uphcleanhlp.sys
I deleted this file, help me!

Deletion isn't really a good first option (you have none left): 'first do no harm', don't delete, and investigate.

Hopefully you have learnt a valuable lesson that hopefully shouldn't be too hard to rectify.

You will have to download the UPHClean setup/installation/msi file again, then uninstall UPHClean and install it again. MS UPHClean download location: http://www.microsoft.com/downloads/en/details.aspx?familyid=1b286e6d-8912-4e18-b570-42470e2f3582
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 14, 2011, 10:58:09 PM
Quote from: Nesivos on May 14, 2011, 10:53:45 PM
<snip>
Also my understanding is that this is a Windows 2000 DDK driver that was/is found on computers running an AMD processor and Windows 2000.

Not correct, I don't have Win2k, nor do I have an AMD processor. It is also for XP and isn't restricted to a CPU, see http://forum.avast.com/index.php?topic=78125.0.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: kd5 on May 15, 2011, 01:25:02 PM
Quote from: Nesivos on May 14, 2011, 10:53:45 PM
Also my understanding is that this is a Windows 2000 DDK driver that was/is found on computers running an AMD processor and Windows 2000.

No, it's not.

That warning came up again this morning, after the morning update, so I'm assuming this FP has not been addressed yet.       -kd5-
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: John22 on May 15, 2011, 03:23:48 PM
Quote from: streamck on May 14, 2011, 10:40:14 PM
Please upload this file:
Code:
C:\Windows\System32\Drivers\uphcleanhlp.sys
I deleted this file, help me!

No file with this name exists. The error is from the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP\0000]
"Service"="uphcleanhlp"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="uphcleanhlp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP\0000\Control]
"ActiveService"="uphcleanhlp"

I have had the same error:
http://www.picfront.de/d/8cnR
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 15, 2011, 04:21:38 PM
It is hidden, and even with 'show hidden files and folders' you can't find this file in the Drivers folder.

The only service seen in services.msc for UPHClean is for UPHClean.exe (but that doesn't show drivers anyway), and I suspect that it may have a hand in the creation of the other hidden driver.

The arpot.log file isn't reporting a registry entry, but a hidden file, which as you can see from the log extract below has a physical size.

Quote from: arpot.log extract
14/05/2011 01:14:21   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 01:14:21      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
14/05/2011 12:36:05   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 12:36:05      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
15/05/2011 14:23:15      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
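As an added defender-side example (not code from this thread, from Avast, or from Microsoft), the following Python parses the arpot.log lines quoted just above and the registry export John22 posted earlier, then cross-checks the service name the anti-rootkit scan reports against the Enum\Root\LEGACY_* node in the registry and a small allowlist. The log and registry formats are taken exactly as quoted in the thread; the allowlist, the function names and the verdict strings are assumptions of this example.

```python
import re

# Sample input: the arpot.log lines DavidR quoted in this thread, embedded so the parser runs offline.
ARPOT_LOG = r"""
14/05/2011 01:14:21   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 01:14:21      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
15/05/2011 14:23:15      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
"""

# Sample input: the instance and Control keys from the .reg export John22 posted in this thread.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP\0000]
"Service"="uphcleanhlp"
"Legacy"=dword:00000001
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPHCLEANHLP\0000\Control]
"ActiveService"="uphcleanhlp"
"""

# Assumption: allowlist of service names this thread establishes as legitimate (Microsoft's
# UPHClean helper driver). A name match is a triage hint only, not proof the file is genuine.
KNOWN_GOOD_SERVICES = {"uphcleanhlp"}

DRIVER_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+)\s+Suspic Driver: (?P<path>.+)$")
DETAIL_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+)\s+\[(?P<body>.*)\]\s*$")


def nt_to_win32_path(path):
    """Strip the NT object-manager prefix (\\??\\) that arpot.log prints in front of the path."""
    return path[4:] if path.startswith("\\??\\") else path


def _parse_detail(body):
    """Parse 'Mods: 2; Service x; FileSize n; SSDT: f; Inline: g+off; Hidden service / x; '."""
    info = {"ssdt_hooks": [], "inline_hooks": [], "hidden_service": None}
    for item in filter(None, (i.strip() for i in body.split(";"))):
        if item.startswith("Hidden service"):
            info["hidden_service"] = item.split("/", 1)[1].strip()
        elif item.startswith("SSDT:"):
            info["ssdt_hooks"].append(item[5:].strip())
        elif item.startswith("Inline:"):
            info["inline_hooks"].append(item[7:].strip())
        elif item.startswith("Service "):
            info["service"] = item[8:].strip()
        elif item.startswith("FileSize "):
            info["file_size"] = int(item[9:])
    return info


def parse_arpot_log(text):
    """Pair each 'Suspic Driver' line with the bracketed detail line that follows it."""
    events = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.rstrip())
        if m:
            events.append({"timestamp": f"{m['date']} {m['time']}", "nt_path": m["path"],
                           "win32_path": nt_to_win32_path(m["path"]), "service": None, "file_size": None,
                           "ssdt_hooks": [], "inline_hooks": [], "hidden_service": None})
            continue
        m = DETAIL_RE.match(line.rstrip())
        if m and events:
            events[-1].update(_parse_detail(m["body"]))
    return events


def parse_reg_export(text):
    """Minimal parser for the [key] / "name"=value lines of a .reg export (strings and dwords)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys


def legacy_root_services(keys):
    """Map each Enum\\Root\\LEGACY_* instance node to the service name it points at."""
    return {k: v["Service"] for k, v in keys.items() if "\\Enum\\Root\\LEGACY_" in k and "Service" in v}


def triage(events, keys, known_good):
    """Cross-check each detection against the Enum\\Root\\LEGACY_* nodes and the allowlist."""
    root_services = legacy_root_services(keys)
    findings = []
    for ev in events:
        svc = (ev["service"] or "").lower()
        hooks = len(ev["ssdt_hooks"]) + len(ev["inline_hooks"])
        nodes = [k for k, s in root_services.items() if s.lower() == svc]
        if svc in known_good and nodes:
            verdict = "probable false positive: allowlisted service with a matching Enum\\Root node"
        elif ev["hidden_service"] or hooks:
            verdict = "investigate: hidden service or kernel hooks on an unknown driver"
        else:
            verdict = "low: nothing hidden, no hooks reported"
        findings.append({"service": svc, "path": ev["win32_path"], "file_size": ev["file_size"],
                         "hidden": ev["hidden_service"] is not None, "hooks": hooks,
                         "legacy_root_nodes": nodes, "known_good": svc in known_good, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(parse_arpot_log(ARPOT_LOG), parse_reg_export(REG_EXPORT), KNOWN_GOOD_SERVICES):
        print(f"{f['service']}: {f['verdict']} ({f['path']}, {f['file_size']} bytes, hooks={f['hooks']})")
```

Run as a script it prints one verdict per detection. The registry correlation shows what John22's export actually records: the LEGACY_UPHCLEANHLP\0000 node is the root-enumerated device entry that names the service, not the driver file the scanner reports, so that entry can be present even though the file itself is hidden from the Windows APIs, as DavidR describes. The allowlist match only lowers the priority; confirming the file still means comparing it against a freshly downloaded UPHClean installer or letting it be analysed, as the thread recommends.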
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: JohnnyBob on May 15, 2011, 07:16:44 PM
Quote from: DavidR on May 14, 2011, 10:55:04 PM
Quote from: streamck on May 14, 2011, 10:40:14 PM
Please upload this file:
Code:
C:\Windows\System32\Drivers\uphcleanhlp.sys
I deleted this file, help me!

Deletion isn't really a good first option (you have none left): 'first do no harm', don't delete, and investigate.

Hopefully you have learnt a valuable lesson that hopefully shouldn't be too hard to rectify.

You will have to download the UPHClean setup/installation/msi file again, then uninstall UPHClean and install it again. MS UPHClean download location: http://www.microsoft.com/downloads/en/details.aspx?familyid=1b286e6d-8912-4e18-b570-42470e2f3582

The default 1st Action option everywhere that I've looked in my free Avast antivirus software (the different Scan types and Shields) is Move to Chest. That seems best.

Then I notice that the default 2nd Action (when 1st Action fails) is to Delete the bad object. Isn't that risky? Wouldn't it be better to set the 2nd Action to Ask, so files can't be lost via false positives?

Then the default 3rd Action is set for No Action. I'm thinking it might be OK to change this last one to Delete. (?)
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 15, 2011, 07:26:15 PM
The above makes no difference as this isn't a file system shield detection (so doesn't comply with those actions), but the anti-rootkit scan and it only has two options Ignore and Delete.

Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: JohnnyBob on May 15, 2011, 08:07:29 PM
Quote from: DavidR on May 15, 2011, 07:26:15 PM
The above makes no difference as this isn't a file system shield detection (so doesn't comply with those actions), but the anti-rootkit scan and it only has two options Ignore and Delete.

The only mentions of rootkit I can find in the Help instructions make no mention of user options, except that a rootkit scan during bootup can be turned on/off with the checkbox in Exceptions.

Is that the only available rootkit settings option in free Avast antivirus?

Is that the only time when a rootkit scan is done (when the computer is rebooted)?

If the latter is true, this latest false positive (subject of this thread) could be avoided by temporarily disabling the boot-time rootkit scan until this bug is fixed in a future avast update. Is my logic OK?

Thanks.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 15, 2011, 08:57:24 PM
That is it on or off, no other user definable settings.

The Quick and Full system scans both do a rootkit scan, but of a lesser degree of sensitivity.

Why disable the scan (you would then lose that protection against a legit alert)? It is no real hassle to just click OK to the default action, Ignore, in this case and allow the avast CommunityIQ function to report these suspicions so they can be analysed and hopefully corrected quickly.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: sandeep108 on May 16, 2011, 09:30:27 AM
I am having a similar problem. It is a legit windows file. It is part of Microsoft's User Profile Cleanup Service. I have sent it off to avast 2-3 times now. When will this get fixed?
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 16, 2011, 01:27:38 PM
I don't know how you have sent the uphcleanhlp.sys file off to avast, as it can't be found by the user since it is hidden from Windows APIs.

I have contacted one of the virus labs team by email, and for those affected, the CommunityIQ function should also be reporting information on this, so they should start to see patterns forming and investigate why.

Be patient and just keep clicking the Ignore and nothing else, it will be resolved.
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: kd5 on May 16, 2011, 01:43:34 PM
I had to Ignore it again this morning.  I don't want to tell it not to warn me again as I'd like to know that/when it's fixed.  This makes the 3rd day this warning has popped up, 3rd day for this false positive.  Why has it not yet been fixed?       -kd5-
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: HA Nut on May 16, 2011, 01:55:11 PM
Yes, this FP is a pain!!! I put the User Profile Cleanup tool on ALL XP machines I run/use. PLEASE fix this!!!!!
Title: Re: Latest update flags uphcleanhlp.sys as suspect
Post by: DavidR on May 16, 2011, 02:32:38 PM
Quote from: kd5 on May 16, 2011, 01:43:34 PM
I had to Ignore it again this morning.  I don't want to tell it not to warn me again as I'd like to know that/when it's fixed.  This makes the 3rd day this warning has popped up, 3rd day for this false positive.  Why has it not yet been fixed?       -kd5-

You can't send them a file to analyse as it is a hidden file, and I don't think reporting this topic under Technical Issues will get the right people looking at it.

If you subscribe to the avast CommunityIQ, that should be gathering information on detections and suspicions like this, but it takes time for a pattern to build and be recognised, which would be measured in occurrences rather than time frame.

Quote from: HA Nut on May 16, 2011, 01:55:11 PM
Yes, this FP is a pain!!! I put the User Profile Cleanup tool on ALL XP machines I run/use. PLEASE fix this!!!!!

I don't know how many XP systems you have at home, or are the ones you are talking about also at work?

I have emailed one of the avast virus labs team about this yesterday (Sunday) to look into this.