Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Nasty new rootkit or false positive?

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts

Somebody at Windows Secrets forum pointed me to Geeks to Go for advice on the topic I had posted there. The fact is, as of now I cannot find much about this matter in the net (plus I am quite nerdy about this as well).

Thanks for any advice / enlightenment as to what the case might entail (and how to get rid of the message, in case it is a false positive (fingers crossed...)

I am using XPSP3 fully updated and AVG Internet Security 2011 also fully updated.

Running the antirootkit utility I get a warning:

Object name: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Detection name: Service function NtUnloadKey hook -> uphcleanhlp.sys +0x75C
Object type: file
SDK Type: Rootkit
Result: Object is hidden

When I instruct the utility to remove it, it requires rebooting. This done, however, here it appears again.

Have got in touch with the Support services but no news yet -about a week later.

GMER also detects it but it does not remove it either. Other antirootkits do not even find it.

Googling for either "NtUnloadKey hook -> uphcleanhlp.sys+0x75C" gives no practical results (there is ONE analogous post with no answer so far)

Any ideas? Also: Any comments as to what this bug does / can do / how nasty it is?

Any suggestions about a specialized forum / webpage to submit it will also be welcome.

  • 0




    Malware Expert

  • Expert
  • 23,904 posts
  • MVP
It's part of a Microsoft fix called User Profile Hive Cleanup Service.


I'd say it's a false positive but you can always submit a questionable file to http://virustotal.com or http://jotti.com and find out what some 40 anti-virus companies think about it.

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP