Author Topic: Latest update flags uphcleanhlp.sys as suspect  (Read 17584 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #15 on: May 15, 2011, 04:21:38 PM »
It is hidden and even with show hidden files and folders you can't find this file in the drivers folder.

The only service seen in services.msc for UPHClean is for UPHClean.exe (but that doesn't show drivers anyway), and I suspect that it may have a hand in the creation of the other hidden driver.

The arpot.log file isn't reporting a registry entry but a hidden file, which, as you can see from the log extract below, has a physical size.

Quote from: arpot.log extract
14/05/2011 01:14:21   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 01:14:21      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
14/05/2011 12:36:05   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 12:36:05      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
15/05/2011 14:23:15      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
« Last Edit: May 15, 2011, 04:23:13 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
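Added example (not from this thread, and not avast's code): a small Python parser for the arpot.log "Suspic Driver" entries quoted above. It pairs each header line with its detail line, splits the bracketed fields, then collapses repeated detections of the same driver so you can see how often it fired, whether the on-disk size and hooks were identical every time, and exactly what the anti-rootkit scan objected to. The field meanings (Mods as a count of the listed SSDT/inline modifications, day-first timestamps) are my reading of the log format, not documented avast semantics. The input is the three real entries from the post plus one constructed entry for a made-up driver, exampledrv.sys, added only so the per-driver grouping is visible.

```python
"""Parse avast arpot.log 'Suspic Driver' entries and summarise, per driver,
what the anti-rootkit scan objected to.  Added example; not avast code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Sample input: the three uphcleanhlp.sys entries quoted in the post above, plus
# one CONSTRUCTED entry for an invented driver (exampledrv.sys) to show grouping.
SAMPLE_LOG = r"""
14/05/2011 01:14:21   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 01:14:21      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
14/05/2011 12:36:05   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
14/05/2011 12:36:05      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
15/05/2011 14:23:15      [Mods: 2; Service uphcleanhlp; FileSize 8960; SSDT: ZwUnloadKey; Inline: ZwCallbackReturn+12288; Hidden service / uphcleanhlp; ]
15/05/2011 14:23:15   Suspic Driver: \??\C:\WINDOWS\system32\Drivers\exampledrv.sys
15/05/2011 14:23:15      [Mods: 1; Service exampledrv; FileSize 4096; Inline: ZwCreateFile+2048; ]
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
HEADER_RE = re.compile(TS + r"\s+Suspic Driver:\s+(?P<path>\S+)\s*$")
DETAIL_RE = re.compile(TS + r"\s+\[(?P<body>.*)\]\s*$")
TS_FORMAT = "%d/%m/%Y %H:%M:%S"  # assumption: day-first, as 14/05/2011 must be


@dataclass
class Finding:
    """One 'Suspic Driver' record: header line plus the detail line under it."""
    timestamp: datetime
    path: str                       # kernel path as logged (\??\C:\...)
    mods: int = 0                   # 'Mods: N'
    service: Optional[str] = None   # 'Service x'
    file_size: Optional[int] = None  # 'FileSize n' (bytes)
    ssdt_hooks: List[str] = field(default_factory=list)    # 'SSDT: ZwXxx'
    inline_hooks: List[str] = field(default_factory=list)  # 'Inline: ZwXxx+off'
    hidden_service: Optional[str] = None                   # 'Hidden service / x'
    other: List[str] = field(default_factory=list)         # unrecognised fields

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def mods_consistent(self) -> bool:
        # Assumption: 'Mods' counts the SSDT and inline modifications listed.
        return self.mods == len(self.ssdt_hooks) + len(self.inline_hooks)


def _parse_detail(body: str, f: Finding) -> None:
    for item in (s.strip() for s in body.split(";")):
        if not item:
            continue  # trailing '; ]'
        if item.startswith("Mods:"):
            f.mods = int(item.split(":", 1)[1])
        elif item.startswith("Service "):
            f.service = item.split(" ", 1)[1]
        elif item.startswith("FileSize "):
            f.file_size = int(item.split(" ", 1)[1])
        elif item.startswith("SSDT:"):
            f.ssdt_hooks.append(item.split(":", 1)[1].strip())
        elif item.startswith("Inline:"):
            f.inline_hooks.append(item.split(":", 1)[1].strip())
        elif item.startswith("Hidden service"):
            f.hidden_service = item.partition("/")[2].strip() or "(unnamed)"
        else:
            f.other.append(item)


def parse_arpot(text: str) -> List[Finding]:
    """Pair each header line with the detail line that follows it."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Finding(datetime.strptime(m["ts"], TS_FORMAT), m["path"])
            findings.append(current)
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            _parse_detail(m["body"], current)
            continue
        raise ValueError(f"unrecognised arpot.log line: {line!r}")
    return findings


@dataclass
class DriverSummary:
    path: str
    occurrences: int
    first_seen: datetime
    last_seen: datetime
    file_sizes: Set[int]
    ssdt_hooks: Set[str]
    inline_hooks: Set[str]
    hidden_service: bool
    stable: bool  # same size and same hooks in every occurrence


def summarize(findings: List[Finding]) -> Dict[str, DriverSummary]:
    """Collapse repeated detections of the same driver path into one record."""
    by_path: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_path[f.path].append(f)
    out: Dict[str, DriverSummary] = {}
    for path, fs in by_path.items():
        first = fs[0]
        out[path] = DriverSummary(
            path=path,
            occurrences=len(fs),
            first_seen=min(f.timestamp for f in fs),
            last_seen=max(f.timestamp for f in fs),
            file_sizes={f.file_size for f in fs if f.file_size is not None},
            ssdt_hooks={h for f in fs for h in f.ssdt_hooks},
            inline_hooks={h for f in fs for h in f.inline_hooks},
            hidden_service=any(f.hidden_service is not None for f in fs),
            stable=all(f.file_size == first.file_size
                       and f.ssdt_hooks == first.ssdt_hooks
                       and f.inline_hooks == first.inline_hooks for f in fs),
        )
    return out


def reasons(s: DriverSummary) -> List[str]:
    """Why the scanner flagged this driver, one reason per line."""
    out = [f"SSDT entry {h} redirected" for h in sorted(s.ssdt_hooks)]
    out += [f"inline patch at {h}" for h in sorted(s.inline_hooks)]
    if s.hidden_service:
        out.append("service entry hidden from the normal Windows service view")
    return out


if __name__ == "__main__":
    for s in summarize(parse_arpot(SAMPLE_LOG)).values():
        print(f"{s.path}: seen {s.occurrences}x, {s.first_seen:%Y-%m-%d}..{s.last_seen:%Y-%m-%d}, "
              f"sizes={sorted(s.file_sizes)}, stable={s.stable}")
        for r in reasons(s):
            print("   -", r)
```

Run it over a real arpot.log and look at `stable` first: an entry that reports the same size and the same hooks at every boot, as uphcleanhlp.sys does here, is the same installed object being found again, which fits a persistently installed driver such as the UPHClean helper. That does not make it benign; it only tells you the thing to investigate is static, so the path, service name and hook targets can be compared against what the vendor's package is known to install.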

Offline JohnnyBob

  • Sr. Member
  • ****
  • Posts: 208
  • Peace
Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #16 on: May 15, 2011, 07:16:44 PM »
Please upload this file:
Code:
C:\Windows\System32\Drivers\uphcleanhlp.sys
I deleted this file, help me!

Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, and investigate.

Hopefully you have learnt a valuable lesson that hopefully shouldn't be too hard to rectify.

You will have to download the UPHClean setup/installation/msi file again, then uninstall UPHClean and install it again: MS UPHClean download location.
The default 1st Action option everywhere that I've looked in my free Avast antivirus software (the different Scan types and Shields) is Move to Chest. That seems best.

Then I notice that the default 2nd Action (when 1st Action fails) is to Delete the bad object. Isn't that risky? Wouldn't it be better to set the 2nd Action to Ask, so files can't be lost via false positives?

Then the default 3rd Action is set for No Action. I'm thinking it might be OK to change this last one to Delete. (?)
BARE BONES installation of free avast! 2014.9.0.2021 with File System Shield (only). All "extras" are not installed or disabled. It wanted server status which I blocked via ZA. I also killed AvastEmUpdate.exe by renaming it in Safe Mode. Windows XP Home SP3, ZoneAlarm 6.1.744.001, Firefox & IE8, Outlook Express, Thunderbird.

Offline DavidR

Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #17 on: May 15, 2011, 07:26:15 PM »
The above makes no difference, as this isn't a file system shield detection (so it doesn't comply with those actions) but the anti-rootkit scan, and that only has two options: Ignore and Delete.


Offline JohnnyBob

Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #18 on: May 15, 2011, 08:07:29 PM »
Quote from: DavidR
The above makes no difference, as this isn't a file system shield detection (so it doesn't comply with those actions) but the anti-rootkit scan, and that only has two options: Ignore and Delete.
The only mentions of rootkit I can find in the Help instructions make no mention of user options, except that a rootkit scan during bootup can be turned on/off with the checkbox in Exceptions.

Is that the only available rootkit settings option in free Avast antivirus?

Is that the only time when a rootkit scan is done (when computer is rebooted)?

If the latter is true, this latest false positive (subject of this thread) could be avoided by temporarily disabling the boot-time rootkit scan until this bug is fixed in a future avast update. Is my logic OK?

Thanks.

Offline DavidR

Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #19 on: May 15, 2011, 08:57:24 PM »
That is it: on or off, no other user-definable settings.

The Quick and Full system scans both do a rootkit scan, but of a lesser degree of sensitivity.

Why disable the scan (you would then lose that protection against a legit alert)? It is no real hassle to just click OK to the default action, Ignore, in this case and allow the avast CommunityIQ function to report these suspicions so they can be analysed and hopefully corrected quickly.

Offline sandeep108

  • Full Member
  • ***
  • Posts: 104
Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #20 on: May 16, 2011, 09:30:27 AM »
I am having a similar problem. It is a legit windows file. It is part of Microsoft's User Profile Cleanup Service. I have sent it off to avast 2-3 times now. When will this get fixed?

Offline DavidR

Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #21 on: May 16, 2011, 01:27:38 PM »
I don't know how you have sent the uphcleanhlp.sys file off to avast, as it can't be found by the user because it is hidden from Windows APIs.

I have contacted one of the virus labs team by email, and for those affected the CommunityIQ function should also be reporting information on this, so they should start to see patterns forming and investigate why.

Be patient and just keep clicking Ignore and nothing else; it will be resolved.

Offline kd5

  • Jr. Member
  • **
  • Posts: 95
  • Computer Geek
Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #22 on: May 16, 2011, 01:43:34 PM »
I had to Ignore it again this morning.  I don't want to tell it not to warn me again as I'd like to know that/when it's fixed.  This makes the 3rd day this warning has popped up, 3rd day for this false positive.  Why has it not yet been fixed?       -kd5-
Getting old ain't for sissys.

Offline HA Nut

  • Jr. Member
  • **
  • Posts: 40
  • I'm a llama!
Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #23 on: May 16, 2011, 01:55:11 PM »
Yes, this FP is a pain!!! I put the User Profile Cleanup tool on ALL XP machines I run/use. PLEASE fix this!!!!!
Avast Pro @ work, Free Avast @ home

Offline DavidR

Re: Latest update flags uphcleanhlp.sys as suspect
« Reply #24 on: May 16, 2011, 02:32:38 PM »
Quote from: kd5
I had to Ignore it again this morning.  I don't want to tell it not to warn me again as I'd like to know that/when it's fixed.  This makes the 3rd day this warning has popped up, 3rd day for this false positive.  Why has it not yet been fixed?       -kd5-

You can't send them the file to analyse, as it is a hidden file, and I don't think reporting this topic under the technical issues will get the right people looking at it.

If you subscribe to the avast CommunityIQ, that should be gathering information on detections and suspicions like this, but it takes time for a pattern to build and be recognised, which would be measured in occurrences rather than time frame.

Quote from: HA Nut
Yes, this FP is a pain!!! I put the User Profile Cleanup tool on ALL XP machines I run/use. PLEASE fix this!!!!!

I don't know how many XP systems you have at home, or are these also at work that you are talking about?

I emailed one of the avast virus labs team about this yesterday (Sunday) to look into it.