notepad popup on desktop

Can you check in your "Start Menu" (assuming you're not using Windows under the folder called "Startup" to see if this file is listed there. If it is you can safely remove it from that location.
 
Everything in that folder will automatically start when logging into your computer. If it somehow got into that folder removing it will stop it from automatically starting.

David is fully right. I would be very carefull ... something smells here. Opening a support case is the best, fastest and safest way to get it resolved. BTW, how did you come to a conclusion that this file is linked to WSA?

@ wrote:
WSA will install to a random path and with a random .exe name if it detects a pre-existing infection that tries to block it from installing. However it wont have a .scr extension. What you seeing doesnt sound like normal behaviour. If you submit a ticket I can collect logs and check it out for you.
And there is my learning for today!  I didn't know Webroot would install that way.  Thank you!

Thanks for all the replies. Last night I installed Malwarebytes on the computer and let it run. Malwarebytes found 2 broken.opencommand registry entries for notepad.exe. Malwarebytes quarrentined and repaired both entries. I checked to see if the UBXkpwPZ.scr file was still there and it was. However, instead of having a notepad icon, it has the round, green Webroot icon. To me, this verifies that this is indeed a Webroot file. I rebooted the computer, webroot started, and no notepad popup. perfect! I also installed and ran Spybot S&D. Everything looks good.

The quarrentine folder had 2 data files, nothing readable. Here's a copy of the Malwarebytes log.
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300 www.malwarebytes.org
Database version: v2013.04.25.08
Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 JEWEL :: JEWEL-HP [administrator]
Protection: Enabled
4/25/2013 11:14:45 PM mbam-log-2013-04-25 (23-14-45).txt
Scan type: Full scan (C:|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 321310 Time elapsed: 47 minute(s), 8 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 2 HKCRscrfileshellopencommand| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> Quarantined and repaired successfully. HKCR
egfileshellopencommand| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)
(end)

Hmm those MBAM logs indicate that the shell entry for Notepad was broken. Can sometimes happen and isnt a indication of malware. I am still interested in that .scr file however. If you wouldnt mind I would like you to collect logs, the process is below.
 
1. Download Webroot's log-gathering utility from the following link:

<a href="http://download.webroot.com/wsalogs.exe">http://download.webroot.com/wsalogs.exe</a>

2. Save the file to your Desktop (or the preferred Download folder of your web browser).  

3. Once it has finished downloading, double-click the wsalogs.exe file on your Desktop to run it.

4. In the box labeled "Email:", enter rtobin@webroot.com 

5. Click the "Go!" button to begin the log gathering process.
 
Once its finished reply to this thread so I know you have run the tool.
 
Thanks,
Roy

OK, sent the logs. I'm jumping between computers. I don't think I'm going to spend much more time doing this.

Thanks Roy for the feedback. Does it mean that this was the case of a random installation due to detection a pre-existing infection?

So Webroot also assigned itself the .scr extension?

Just for the record, this computer is an new HP with preinstalled software. The only user installed software was what I installed ,Malwarebytes, Spybot, last night, Malwarebytes fixed the problem. WSA was a preinstalled program.

@ wrote:
Somehow that info doesn't match up.
 
Toasty says that it's "an new HP with preinstalled software" and according to Rakanisheu "Webroot was installed a long time ago".
 
If there are indeed HDD errors then this machine might not be as "New" as toasty indicated. Obviously "New" can mean a lot of things. If you bought this machine from a shop with this virus onboard then I suggest you bring it back to the shop you bought it from.
 
I'm curious how you can have WSA as preinstalled. Do they give you the keycode that was used to preinstall the software with to create a My Webroot account with or did they already set that up as well?
Being a new purchase may mean that it was a refurbished machine.. that might explain the inconsistancies.

I can only go from what I see in the logs. The initial logs are dates Monday 23rd of April 2012 and its quite an old build of WSA 8.0.0.7. I can see a number of HDD and controller errors in the Windows event logs. Since the time stamps go all the way back to then I dont think its an incorrectly set time either.
 
Mon 2012-04-23 16:28:51.0426    Begin Installation
Mon 2012-04-23 16:28:51.0925    Installation successfully completed (WSARETAIL.EXE/2713)
Mon 2012-04-23 16:28:52.0096    >>> Service started [v8.0.0.7]
Mon 2012-04-23 16:28:52.0486    User process connected successfully from PID 2672, Session 1
 
Loads and loads of these:
 
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
Application popup: UNINSTALL.EXE - Corrupt File : The file or directory C:UsersJEWELAppDataLocalTemp oolbar_log.txt is corrupt and unreadable. Please run the Chkdsk utility.
The driver detected a controller error on DeviceHarddisk2DR2.