Author Topic: False/positive or what is this SYS ?  (Read 6944 times)


miciotta62

  • Guest
False/positive or what is this SYS ?
« on: May 14, 2011, 01:57:56 PM »
MYSTERY...

I turn on my computer and I get the red screen from avast telling me that there is a suspicious file.

The file: 'C:\windows\system32\drivers\uphcleaner.sys'

????? or a similarly named file.

I have enabled viewing of hidden files, but there is NO such SYS file in that folder (I scanned online with VirusTotal).

Why? I clicked IGNORE; was that the right thing to do, or should I have said DELETE?

thanks

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87059
  • No support PMs thanks
Re: False/positive or what is this SYS ?
« Reply #1 on: May 14, 2011, 02:40:04 PM »
Yes, in the last two restarts on my XP Pro system this has started to get pinged by the anti-rootkit scan 8 minutes after boot. But it is the uphcleanerhlp.sys file that is being pinged for me. So this appears to be something in a recent VPS update.

This is, I believe, part of the User Hive Profile Cleaner, which I installed to close any open user hives that would otherwise slow the XP closure. The strange thing is I can't see anything in the anti-rootkit log on this suspect alert. See http://www.windowsitpro.com/article/registry2/what-s-user-profile-hive-cleanup-service-uphclean- for info on UHPclean.

Normally all you would be aware of is the uphclean.exe file in the task manager (as System user).

I have chosen to Ignore it (the recommended option in the alert), but don't check 'Do not tell me about these files in the future' (see image example; is that the same/similar to yours?), as I don't know if there is a way of reversing that decision. So you wouldn't know what is going on, e.g. if this is eventually corrected and reversed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Alan Baxter

  • Guest
Re: False/positive or what is this SYS ?
« Reply #2 on: May 14, 2011, 05:26:01 PM »
The strange thing is I can't see anything in the anti-rootkit log on this suspect alert.

I got the same message as you, David.  It's logged in C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\arpot.log

Online DavidR
Re: False/positive or what is this SYS ?
« Reply #3 on: May 14, 2011, 05:40:48 PM »
Ahh I was looking at the aswAR.log file.

Offline SpeedyPC

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3360
  • Avast shall conquer the whole world
Re: False/positive or what is this SYS ?
« Reply #4 on: May 14, 2011, 06:02:22 PM »
The strange thing is I can't see anything in the anti-rootkit log on this suspect alert.

I got the same message as you, David.  It's logged in C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\arpot.log

Me too, I got the same as David. Can someone confirm whether this is a false positive or not???
ASUS G75VX-T4153H | Avast Premium v22.11.6041 | Avast SecureLine VPN | Avast Secure Browser | Avast Driver Updater | Avast BreachGuard | W8.1 64bit | Firefox 64bit | Thunderbird 64bit | MBAM Premium | Adguard Premium | CryptoPrevent Premium | CCleaner Portable | MCShield | Macrium Reflect | 7-Zip

Alan Baxter

  • Guest
Re: False/positive or what is this SYS ?
« Reply #5 on: May 14, 2011, 06:06:22 PM »
It's been confirmed and reported as a false positive, Speedy.  The Avast heuristics report some false positives from time to time.

Online DavidR
Re: False/positive or what is this SYS ?
« Reply #6 on: May 14, 2011, 06:46:11 PM »
The strange thing is I can't see anything in the anti-rootkit log on this suspect alert.

I got the same message as you, David.  It's logged in C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\arpot.log

Me too, I got the same as David. Can someone confirm whether this is a false positive or not???

I would say that if you are using XP (check) and if you installed UHPclean (?) then it loads a hidden driver/s to do its work. Then I would say it is an FP, as prior to yesterday this wasn't pinged at all and I have had it on this system for over two years. So something in a recent VPS update.
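The reasoning above (a legitimately installed tool registers a kernel driver that the anti-rootkit scan then flags as "hidden") can be checked rather than guessed. The following PowerShell script is an added example, not code from the thread or from Avast: it takes the driver path shown in the alert and reports whether the file is actually on disk (with -Force so hidden/system attributes do not mask it), its SHA-256 for a VirusTotal lookup, its Authenticode status, whether the Service Control Manager has a driver service of that name, and whether the driver is currently loaded. It assumes PowerShell 2.0 or later run from an elevated prompt; the default path is the one posted in this thread and the service name is assumed to match the file's base name, which is the usual convention but not guaranteed.

```powershell
# Added example (not from the thread): triage a driver named in an avast anti-rootkit alert.
# Assumptions: PowerShell 2.0+, elevated prompt, service name == file base name (assumption).
param(
    [string]$DriverPath = 'C:\WINDOWS\system32\Drivers\uphcleanhlp.sys'   # path from the alert in this thread
)

$name = [System.IO.Path]::GetFileNameWithoutExtension($DriverPath)

# 1. Is the file really on disk? -Force makes Get-Item return hidden/system files too.
$file = Get-Item -LiteralPath $DriverPath -Force -ErrorAction SilentlyContinue
if ($file) {
    "File present: $($file.FullName)  size=$($file.Length)  attributes=$($file.Attributes)"

    # SHA-256 via .NET so this also works on old PowerShell without Get-FileHash.
    # Paste the hash into VirusTotal search instead of uploading the file.
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    "SHA-256: $hash"

    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    "Signature: $($sig.Status)  signer=$($sig.SignerCertificate.Subject)"
} else {
    "File NOT visible at $DriverPath (even with -Force)"
}

# 2. Does the Service Control Manager know a driver service by this name?
#    Type 1 = kernel driver; Start 0/1/2/3 = boot/system/auto/manual.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    "Service key: ImagePath=$($svc.ImagePath)  Type=$($svc.Type)  Start=$($svc.Start)"
} else {
    "No service key named $name under CurrentControlSet\Services"
}

# 3. Is the driver loaded right now? Win32_SystemDriver lists kernel drivers and their state.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$name'"
if ($drv) {
    "Loaded driver: $($drv.Name)  state=$($drv.State)  path=$($drv.PathName)"
} else {
    "Not listed as a loaded system driver"
}
```

Read the three results together. A file that is present, validly signed by the vendor you installed, with a known-good hash, and registered as a normal driver service points to a false positive, which is what the thread concludes for uphcleanhlp.sys. A driver that step 3 shows as loaded but that step 1 cannot find on disk, or that has no service key at all, is exactly the pattern an anti-rootkit scan exists to catch and should not simply be ignored.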

miciotta62

  • Guest
Re: False/positive or what is this SYS ?
« Reply #7 on: May 15, 2011, 08:18:16 PM »
What do I do? Today another alert in red!

http://i53.tinypic.com/2hnsy79.jpg

Heeelp, for 2 days now at startup AVAST keeps showing me the RED screen saying it has found 2 suspicious files, one always uphcleaner.sys, which however is NOT there! And the other: yesterday it told me a file from the Everest program, today instead it gave me a file mbmswissarmy.sys...
I always tell it IGNORE. But what is happening to Avast??? False positives?

I tried doing a scan with Malwarebytes but nothing, and also a scan with AVAST at PC startup, but it told me nothing is infected!

Yet today this red screen again; what do I do?

Online DavidR
Re: False/positive or what is this SYS ?
« Reply #8 on: May 15, 2011, 09:08:18 PM »
Do as is suggested: Ignore for the uhpcleanhlp.sys, as this is part of the Microsoft User Hive Profile cleaner (that you presumably installed?).

Did you install Everest HomePC ?
See http://www.softpedia.com/get/System/System-Info/Everest-Home-Edition.shtml

Presumably this installs this kerneld.wnt hidden driver ?
See http://www.geekstogo.com/forum/topic/227999-windows-bluescreen-when-starting-everest-ironically/page__view__findpost__p__1452455

miciotta62

  • Guest
Re: False/positive or what is this SYS ?
« Reply #9 on: May 16, 2011, 01:23:35 PM »
OK, I set it to IGNORE, but at every restart of the PC this red alert comes up!!!
How do I delete this alert?

Online DavidR
Re: False/positive or what is this SYS ?
« Reply #10 on: May 16, 2011, 02:16:39 PM »
Yes, once a day, 8 minutes after boot; is that such a hassle? For me it isn't, until it is resolved, but that's just me.

The problem is that deleting the alert won't give you any information on a) when this is resolved and b) it might not display information on a real alert.

It is possible to check the Advanced option, open it up and select 'Do not tell me about these files in the future.' I can't suggest highly enough that you 'do not' do this.

The wording isn't 100% clear whether it only relates to the file/s in the alert (which should be correct) or all such alerts (which I doubt). Having made this decision, I don't know if it is possible to reverse it.

miciotta62

  • Guest
Re: False/positive or what is this SYS ?
« Reply #11 on: May 16, 2011, 08:12:41 PM »
Now at the last reboot (just now) the suspect file C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

is NOT PRESENT in the red alert... but now there is this new suspect file:

ew_hwusbdev.sys

http://i51.tinypic.com/30djjfq.jpg

Is avast crazy these 3 days???

Online DavidR
Re: False/positive or what is this SYS ?
« Reply #12 on: May 16, 2011, 08:21:45 PM »
Well I got confirmation that they were working on a fix for the uhpcleanhlp.sys, but there were other files in other topics being picked up (I mentioned those too). So looks like that is resolved hopefully the others will follow.