psylock

Online Armor Free Firewall blocking uphcleanhlp.sys driver


Here is my system information:

OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: Genuine Intel® CPU T2400 @ 1.83GHz, x86 Family 6 Model 14 Stepping 8
Processor Count: 2
RAM: 2551 Mb
Graphics Card: Mobile Intel® 945 Express Chipset Family, 224 Mb
Hard Drives: C: Total - 57231 MB, Free - 49143 MB;
Motherboard: Hewlett-Packard, 30AD
Antivirus: avast! Antivirus, Updated: Yes, On-Demand Scanner: Enabled

 

 

Online Armor is blocking the autorun driver uphcleanhlp.sys from running. This driver does not appear in the autorun list, nor does it appear in the Programs(drivers) list. The only place that it appears is in the History log. Here is a copy of the log:

Created:      12/7/2013 2:40:26 PM
Summary:      System shutdown
Description:  System shutdown at: 12/7/2013 2:40:26 PM
Event type:   Unknown(20)
Event action: None(1)

Created:      12/7/2013 2:40:25 PM
Summary:      Autorun detected: uphcleanhlp.sys
Description:  C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Event type:   Autorun(10)
Event action: Blocked(3)

Created:      12/7/2013 2:35:53 PM
Summary:      Program Guard: wmiadap.exe
Description:  C:\WINDOWS\system32\svchost.exe -> C:\WINDOWS\system32\wbem\wmiadap.exe
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:35:53 PM
Summary:      Program Guard: wmiadap.exe
Description:  C:\WINDOWS\system32\wbem\wmiadap.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:35:50 PM
Summary:      Autorun: User decision
Description:  C:\Program Files\UPHClean\uphclean.exe
Event type:   Autorun(10)
Event action: Allowed(2)

Created:      12/7/2013 2:34:41 PM
Summary:      uphclean.exe: option changed
Description:  C:\Program Files\UPHClean\uphclean.exe was set to Trusted
Event type:   Unknown(24)
Event action: Trusted(6)

Created:      12/7/2013 2:34:23 PM
Summary:      Program Guard: oadump.exe
Description:  C:\Program Files\Online Armor\oaui.exe -> C:\Program Files\Online Armor\oadump.exe
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:34:23 PM
Summary:      Online Armor has finished learning process.
Description:  ""
Event type:   Alert(5)
Event action: None(1)

Created:      12/7/2013 2:32:25 PM
Summary:      Program Guard: searchfilterhost.exe
Description:  C:\WINDOWS\system32\SearchIndexer.exe -> C:\WINDOWS\system32\searchfilterhost.exe
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:32:25 PM
Summary:      Program Guard: searchfilterhost.exe
Description:  C:\WINDOWS\system32\searchfilterhost.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:24 PM
Summary:      Program Guard: kernel event
Description:  OADriver: PostMessage, Msg: 49490/c152  3488 -> 3448, Deny (protected)
Event type:   Kernel event(26)
Event action: None(1)
Processes:
  PID:    3448    Name: oaui.exe
  PID:    3488    Name: ctfmon.exe

Created:      12/7/2013 2:32:24 PM
Summary:      Program Guard: searchprotocolhost.exe
Description:  C:\WINDOWS\system32\SearchIndexer.exe -> C:\WINDOWS\system32\searchprotocolhost.exe
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:32:24 PM
Summary:      Program Guard: searchprotocolhost.exe
Description:  C:\WINDOWS\system32\searchprotocolhost.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:20 PM
Summary:      Program Guard: WindowsSearch.exe
Description:  C:\Program Files\Windows Desktop Search\WindowsSearch.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:19 PM
Summary:      Program Guard: MSCTF.dll
Description:  C:\WINDOWS\system32\MSCTF.dll was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:18 PM
Summary:      Program Guard: oahlp.exe
Description:  C:\Program Files\Online Armor\oaui.exe -> C:\Program Files\Online Armor\oahlp.exe
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:32:14 PM
Summary:      Program Guard: AvastEmUpdate.exe
Description:  C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe was trusted by digital signature.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:08 PM
Summary:      Program Guard: imapi.exe
Description:  C:\WINDOWS\system32\imapi.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:07 PM
Summary:      Program Guard: OAui.exe
Description:  C:\WINDOWS\explorer.exe -> C:\Program Files\Online Armor\OAui.exe
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:32:06 PM
Summary:      Program Guard: igfxsrvc.exe
Description:  C:\WINDOWS\system32\igfxsrvc.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:06 PM
Summary:      Program Guard: SynTPEnh.exe
Description:  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:03 PM
Summary:      Program Guard: verclsid.exe
Description:  C:\WINDOWS\system32\verclsid.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:03 PM
Summary:      Program Guard: SHELL32.dll
Description:  C:\WINDOWS\system32\SHELL32.dll was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:02 PM
Summary:      Program Guard: wmiprvse.exe
Description:  C:\WINDOWS\system32\wbem\wmiprvse.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:32:02 PM
Summary:      Program Guard: WgaTray.exe
Description:  C:\WINDOWS\system32\WgaTray.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:31:58 PM
Summary:      Program Guard: alg.exe
Description:  C:\WINDOWS\system32\alg.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:31:56 PM
Summary:      Firewall: Automatic decision
Description:  C:\WINDOWS\system32\lsass.exe, Incoming UDP access allowed to: 0.0.0.0:4500
Event type:   Firewall: Automatic decision(16)
Event action: Allowed(2)

Created:      12/7/2013 2:31:56 PM
Summary:      Firewall: Automatic decision
Description:  System, Incoming UDP access allowed to: 0.0.0.0:445
Event type:   Firewall: Automatic decision(16)
Event action: Allowed(2)

Created:      12/7/2013 2:31:55 PM
Summary:      Program Guard: wuauclt.exe
Description:  C:\WINDOWS\system32\wuauclt.exe was trusted , Windows Update.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:31:55 PM
Summary:      Program Guard: wuauclt.exe -> svchost.exe
Description:  C:\WINDOWS\system32\wuauclt.exe(1628) wants to remotely control C:\WINDOWS\system32\svchost.exe(860)
Event type:   Program Guard(9)
Event action: Allowed(2)

Created:      12/7/2013 2:31:52 PM
Summary:      Program Guard: winlogon.exe
Description:  C:\WINDOWS\system32\winlogon.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:31:52 PM
Summary:      Program Guard: smss.exe
Description:  C:\WINDOWS\system32\smss.exe was trusted automatically.
Event type:   Program Guard(22)
Event action: Trusted(6)

Created:      12/7/2013 2:31:49 PM
Summary:      Service started
Description:  C:\Program Files\Online Armor\oasrv.exe
Event type:   Program Guard(9)
Event action: None(1)

Created:      12/7/2013 2:31:49 PM
Summary:      System boot
Description:  System boot at: 12/7/2013 2:31:18 PM
Event type:   System boot(19)
Event action: None(1)
 

 

If this driver is being blocked does that mean that the service uphclean.exe is being blocked from working? I have not gotten any error messages in relation to the uphclean service. I just noticed that the driver is being blocked when I was looking at the log file.

I tried doing an uninstall/reinstall of Uphclean with Online Armor Firewall in learning mode and it is still blocked at shutdown.  Then I did an uninstall/reinstall of Online Armor and it is still blocking the uphcleanhlp.sys driver at shutdown.  Do you have any ideas what I can do to resolve this issue?

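Added example (not part of the original post and not Online Armor code): a small Python parser for the History log layout pasted above, which picks out Blocked events logged just before a "System shutdown" entry. It assumes US month/day/year timestamps; `parse_history`, `blocked_before_shutdown` and `window_s` are names chosen for this example.

```python
import re
from datetime import datetime
# Three records copied from the History log in the post (newest first).
SAMPLE = r"""Created:      12/7/2013 2:40:26 PM
Summary:      System shutdown
Description:  System shutdown at: 12/7/2013 2:40:26 PM
Event type:   Unknown(20)
Event action: None(1)

Created:      12/7/2013 2:40:25 PM
Summary:      Autorun detected: uphcleanhlp.sys
Description:  C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Event type:   Autorun(10)
Event action: Blocked(3)

Created:      12/7/2013 2:32:24 PM
Summary:      Program Guard: kernel event
Description:  OADriver: PostMessage, Msg: 49490/c152  3488 -> 3448, Deny (protected)
Event type:   Kernel event(26)
Event action: None(1)
Processes:
  PID:    3448    Name: oaui.exe
  PID:    3488    Name: ctfmon.exe
"""

FIELD = re.compile(r"^(Created|Summary|Description|Event type|Event action):\s*(.*)$")
PROC = re.compile(r"^\s+PID:\s+(\d+)\s+Name:\s+(.+)$")   # rows under "Processes:"
CODED = re.compile(r"^(.*)\((\d+)\)$")                    # "Blocked(3)" -> name, code

def parse_history(text):
    """One dict per event; 'Created:' opens a record. Assumes US m/d/y timestamps."""
    events = []
    for line in text.splitlines():
        f, p = FIELD.match(line), PROC.match(line)
        if f and f.group(1) == "Created":
            when = datetime.strptime(f.group(2).strip(), "%m/%d/%Y %I:%M:%S %p")
            events.append({"created": when, "processes": {}})
        elif f and events:
            key, val = f.group(1).lower().replace(" ", "_"), f.group(2).strip()
            coded = CODED.match(val) if key.startswith("event_") else None
            events[-1][key] = (coded.group(1), int(coded.group(2))) if coded else val
        elif p and events:
            events[-1]["processes"][int(p.group(1))] = p.group(2).strip()
    return events

def blocked_before_shutdown(events, window_s=5):
    """Blocked events logged at most window_s (hypothetical knob) seconds before a shutdown."""
    downs = [e["created"] for e in events if e.get("summary") == "System shutdown"]
    return [e for e in events if e.get("event_action", ("",))[0] == "Blocked"
            and any(0 <= (d - e["created"]).total_seconds() <= window_s for d in downs)]
```

Run against the full log, `blocked_before_shutdown(parse_history(text))` returns the uphcleanhlp.sys autorun entry, one second ahead of the shutdown record.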

Try the following:

  • Open Online Armor.
  • Go to Programs in the menu on the left.
  • Uncheck Hide trusted so that you can see everything in the list.
  • Look for uphcleanhlp.sys in the list.
  • Click on uphcleanhlp.sys to select it, and then click the buttons to Allow and Trust it.
This should resolve the issue.


GT500

 

I tried what you suggested and it didn't work.  I was able to get Online Armor to stop blocking the uphcleanhlp.sys driver by setting uphclean.exe in the Programs list as an installer.  The uphcleanhlp.sys driver is no longer being blocked at shutdown, but it appears in the Programs list highlighted in gray.  Is it supposed to be highlighted in gray (which according to the Legend means that it is absent)?  Should I just leave it alone? 


Is it supposed to be highlighted in gray (which according to the Legend means that it is absent)?

Does the uphcleanhlp.sys file exist when uphclean.exe isn't running?


I went into services and disabled the Uphclean service and rebooted the computer, and uphcleanhlp.sys did not appear in any of the lists in Online Armor. When I went back into services and restarted the Uphclean service, I got an Online Armor popup saying that an autorun uphcleanhlp.sys had been detected. I allowed it to run and told Online Armor to remember my decision. Now the uphcleanhlp.sys driver appears in both the Programs list and the Autoruns list and is highlighted in gray in both lists. So the answer is no, uphcleanhlp.sys does not appear in the list when uphclean.exe is not running.


Does the uphcleanhlp.sys file exist on the computer when the Uphclean service is not running? It should be in the C:\WINDOWS\system32\Drivers folder.


No, the uphcleanhlp.sys driver does not exist on the computer, period; if it does, it is hidden very well. I am unable to find it in the C:\WINDOWS\system32\Drivers folder. I tried doing a search of the entire C:\ drive, including hidden folders, and the uphcleanhlp.sys driver does not exist on the computer when the Uphclean service is running and when it is not running.


Some info here perhaps... (obviously ignore the Process Explorer reference)

 

When Process Explorer is started by an administrator, it will extract the driver file to disk, load the driver, and then delete the driver file from the disk. The "User Profile Hive Cleanup" utility likely uses a similar technique (I can confirm that the uphcleanhlp.sys driver is loaded, but the file is not on disk).

 

http://forum.sysinternals.com/bsods-missing-drivers_topic17982.html


If the driver is only created when the Uphclean service starts, then this would explain the odd behavior from Online Armor. You can enable display of hidden and system files to see if this is happening. Here's a link to instructions for doing that on Windows XP, and that page has instructions for other editions of Windows as well if you need them.
