Results 1 to 3 of 3
  1. #1
    New Lounger
    Join Date
    Dec 2009
    Barcelona, Spain
    Thanked 0 Times in 0 Posts

    Nasty new rootkit or false positive?

    I am using XPSP3 fully updated and AVG Internet Security 2011 also fully updated.

    Running the antirootkit utility I get a warning:

    Object name: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
    Detection name: Service function NtUnloadKey hook -> uphcleanhlp.sys +0x75C
    Object type: file
    SDK Type: Rootkit
    Result: Object is hidden

    When I instruct the utility to remove it, it requires rebooting. This done, however, here it appears again.

    Have got in touch with the Support services but no news yet -about a week later.

    GMER also detects it but it does not remove it either. Other antirootkits do not even find it.

    Googling for either "NtUnloadKey hook -> uphcleanhlp.sys+0x75C" gives no practical results (there is ONE analogous post with no answer so far)

    Any ideas? Also: Any comments as to what this bug does / can do / how nasty it is?

    Any suggestions about a specialized forum / webpage to submit it will also be welcome.

    Thanks in advance.


  2. #2
    Administrator satrow's Avatar
    Join Date
    Dec 2009
    Cardiff, UK
    Thanked 661 Times in 556 Posts
    UPHClean is, iirc, the User Profile Hive Cleaner - it ensures that the currently logged-in user is logged out and their data saved before shutdown/reboot. Look in Add/Remove Programs and see if it's listed there. On XP, it would only have been downloaded and installed if there had been a specific profile issue at some point and the user was advised that it could resolve the problem. I think that it might be installed as part of the OS in Vista, so it's possible that the filename has been used by some malware targeted at Vista.

  3. #3
    2 Star Lounger
    Join Date
    Dec 2009
    Thanked 14 Times in 13 Posts

    Lightbulb Rootkit, etc

    Hi : Rootkits can be extremely difficult to remove; many times a trojan or 2 MAY be "connected" to "it". I recommend you ask for help on the GeeksToGo forums, specifically located at . Start with the info in their "Malware and Spyware Cleaning Guide" .
    Last edited by SpiritWind; 2011-05-01 at 13:47.
    For the BEST in what counts in Life :

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts